Having trouble creating SAN Cert

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: molienergy.com

I ran this command: option M, then option 4, then put in molienergy.com, dc1.molienergy.com, dc2.molienergy.com, then selected dc1.molienergy.com as the main common name and selected self-host verification. Ran with no installation steps.

It produced this output:
[INFO] Authorize identifier: molienergy.com
[INFO] Authorizing molienergy.com using http-01 validation (SelfHosting)
[INFO] Answer should now be browsable at http://molienergy.com/.well-known/acme-challenge/LvSJ1cwyuGmjV9Nb_ZXVT5ZUOBOgto9Qq4yCUDy_RL0
[EROR] Authorization result: invalid
[INFO] Authorize identifier: molidc5.molienergy.com
[INFO] Authorizing molidc5.molienergy.com using http-01 validation (SelfHosting)
[INFO] Answer should now be browsable at http://molidc5.molienergy.com/.well-known/acme-challenge/1ZAcu3Y2yu0gH1427Q_3IEGpcOu73XZfe_WkKcj6Pt0
[EROR] Authorization result: invalid
[INFO] Authorize identifier: molidc7.molienergy.com
[INFO] Authorizing molidc7.molienergy.com using http-01 validation (SelfHosting)
[INFO] Answer should now be browsable at http://molidc7.molienergy.com/.well-known/acme-challenge/HHTuFZfnzOrWq2IACR9EedTlM-NWvAvTC3tGf04jADc
[EROR] Authorization result: invalid
[EROR] ACME server reported:
[EROR] [type] urn:acme:error:unauthorized
[EROR] [detail] The key authorization file from the server did not match this challenge [LvSJ1cwyuGmjV9Nb_ZXVT5ZUOBOgto9Qq4yCUDy_RL0.aOwSUkiwENqAJTIUSHIhg47nkdEj4UxqJcW0sodh20] !=
[EROR] [status] 403
[EROR] Create certificate failed

My web server is (include version): IIS

The operating system my web server runs on is (include version): server 2012 R2

I am attempting this to use the cert for our Meraki MX device which requires a SAN cert as outlined here: https://documentation.meraki.com/MX/Content_Filtering_and_Threat_Protection/Active_Directory_Integration

Hi @jordend

If you use http-01 validation, the client creates a file in /.well-known/acme-challenge, and Letsencrypt checks that file.

But checking your domain there is an error:

• http://molienergy.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
  216.13.106.119, HTTP status 200, 0.213, Visible Content: (empty)

• http://www.molienergy.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
  216.13.106.119, HTTP status 200, 0.213, Visible Content: (empty)

The file does not exist, but your server sends a http status 200, not the expected http status 404.

IIS requires you to allow files without an extension.

So you should have a definition like

<configuration>
    <system.webServer>
        <staticContent>
            <mimeMap fileExtension="." mimeType="text/plain" />
        </staticContent>
    </system.webServer>
</configuration>

Then find your webroot and create the two subdirectories there:

yourWebRoot/.well-known/acme-challenge

Create a file there (file name 1234), then try to load this file with your browser.

http://molienergy.com/.well-known/acme-challenge/1234

That should work.
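As an added example (not code from the original thread, the ACME client, or the poster above), the script below simulates the two IIS behaviours this reply describes and probes them the way the Let's Encrypt validator does: it fetches the challenge URL, compares the body against the expected key authorization (token + "." + account key thumbprint, which is the value printed in the "[detail] ... did not match this challenge [...]" line), and fetches one random non-existent file to detect the "every path returns 200" misconfiguration. The account key, the local test servers, and the function names are assumptions made for the example; the token is the one from the thread.

```python
# Added example for this thread: not the ACME client's code and not the
# poster's. It simulates a correctly configured web root and the catch-all
# IIS behaviour described above, then probes both like the ACME validator.
import base64
import hashlib
import json
import secrets
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"
# Opener without proxies so the loopback probes never go through an env proxy.
_OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))


def b64url(data: bytes) -> str:
    """Base64url without padding, as used throughout ACME (RFC 8555)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def key_authorization(token: str, account_jwk: dict) -> str:
    """token + '.' + base64url(SHA-256(canonical JWK)), per RFC 7638/8555.
    This is the exact content the challenge file must contain."""
    members = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[account_jwk["kty"]]
    canonical = json.dumps({k: account_jwk[k] for k in members},
                           sort_keys=True, separators=(",", ":"))
    return f"{token}.{b64url(hashlib.sha256(canonical.encode()).digest())}"


def make_handler(files: dict, catch_all: bool):
    """`files` maps request paths to bodies. With catch_all=True an unknown
    path gets a 200 'default page' (the IIS symptom seen in the thread);
    otherwise it gets the 404 the validator expects."""
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            body = files.get(self.path)
            if body is None and catch_all:
                body = b"<html>default IIS page</html>"
            if body is None:
                self.send_response(404)
                self.end_headers()
                return
            self.send_response(200)
            self.send_header("Content-Type", "text/plain")
            self.end_headers()
            self.wfile.write(body)

        def log_message(self, *args):  # keep the output quiet
            pass
    return Handler


def start_server(files: dict, catch_all: bool) -> HTTPServer:
    srv = HTTPServer(("127.0.0.1", 0), make_handler(files, catch_all))
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def fetch(url: str):
    """GET url and return (status, body); HTTP errors are returned, not raised."""
    try:
        with _OPENER.open(url, timeout=5) as resp:
            return resp.getcode(), resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def check_http01(base_url: str, token: str, expected_key_auth: str) -> dict:
    """Probe a web root like the ACME validator, plus one random non-existent
    file to catch the 'everything answers 200' misconfiguration."""
    status, body = fetch(base_url + CHALLENGE_PREFIX + token)
    probe_status, _ = fetch(base_url + CHALLENGE_PREFIX + "probe-" + secrets.token_urlsafe(8))
    return {
        "status": status,
        # RFC 8555 lets the validator ignore trailing whitespace, hence strip()
        "matches": status == 200 and body.strip() == expected_key_auth.encode(),
        "catch_all_200": probe_status == 200,
    }


if __name__ == "__main__":
    # Constructed sample account key (assumption: not a real key); any
    # base64url strings work for the thumbprint calculation.
    jwk = {"kty": "RSA", "n": "c29tZS1jb25zdHJ1Y3RlZC1tb2R1bHVz", "e": "AQAB"}
    token = "LvSJ1cwyuGmjV9Nb_ZXVT5ZUOBOgto9Qq4yCUDy_RL0"  # token from the thread
    key_auth = key_authorization(token, jwk)
    good = start_server({CHALLENGE_PREFIX + token: key_auth.encode()}, catch_all=False)
    bad = start_server({}, catch_all=True)  # the misconfigured IIS behaviour
    for name, srv in (("correct", good), ("catch-all", bad)):
        print(name, check_http01(f"http://127.0.0.1:{srv.server_address[1]}", token, key_auth))
    good.shutdown()
    bad.shutdown()
```

Run against a real host by replacing the loopback URL with http://yourdomain/ and the token and key authorization with the values your client prints; a result of catch_all_200 = True is the same symptom the check-your-website tool reported above, and matches = False with status 200 is exactly what produces the "did not match this challenge" error.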

I actually did create those two directories once I went to that webpage in the results and noticed that directory didn't exist. Still get the same error.
I should add that our IIS server is not public, so you won't be able to browse to it anyway to view the error properly.

Then you can’t create a certificate using http-01 validation.

Letsencrypt must be able to check that file.

Perhaps use dns-01 validation.

