Help Understanding Firewall Problem/Domain Check

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: members.wellbridge.com

I ran this command: win-acme.v1.9.11.2\letsencrypt.exe

It produced this output:
[EROR] Authorization result: invalid
[EROR] ACME server reported:
[EROR] [type] urn:acme:error:connection
[EROR] [detail] Fetching http://members.wellbridge.com/.well-known/acme-challenge/hKticvR_00NNFgIzqeV8upXeM46hOqcMU215a4w3e7k: Timeout during connect (likely firewall problem)
[EROR] [status] 400
[EROR] Create certificate failed

My web server is (include version): Windows 2008 R2 SP1

The operating system my web server runs on is (include version): Windows 2008 R2 SP1

My hosting provider, if applicable, is: AT&T

I can login to a root shell on my machine (yes or no, or I don’t know): cmd?

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

Please note, most of the IT team has been furloughed so this is not my normal area.

  • We have one Windows 2008 R2 server that is hosting 3 websites.
  • It has two IP addresses
  • All 3 website Let’s Encrypt certificates expired last night on 8/20 - the auto schedule never worked
  • I ran the letsencrypt executable and selected to: Renew all
  • The website that has an IIS Binding to IP #1 was successful
  • The websites that are assigned to IP #2 failed with the above Timeout/Firewall problem

I have tried changing the ip from IP#2 to IP#1, changed the DNS, but it still fails

I went and ran this domain check (based on other threads I found here) but I don’t know what it is telling me? Is this really a firewall problem with AT&T?

3 Likes

Hi @arkhos

That's not a firewall problem; first, that's a wrong configuration:

Domainname Http-Status redirect Sec. G
• http://members.wellbridge.com/
12.109.238.83 -14 10.033 T
Timeout - The operation has timed out
• https://members.wellbridge.com/
12.109.238.83 -4 0.590 W
SendFailure - The underlying connection was closed: An unexpected error occurred on a send.
• http://members.wellbridge.com:443/
12.109.238.83 -3 0.586 A
ReceiveFailure - The underlying connection was closed: An unexpected error occurred on a receive.
Visible Content:
• http://members.wellbridge.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
12.109.238.83 -14 10.033 T
Timeout - The operation has timed out

Port 80 doesn’t answer.

But port 443 - oops, port 443 is a http port, not a https port.

Looks like a wrong port forwarding: port 443 extern -> port 80 intern.

Port 80 extern -> port 80 intern is required, then the http check shouldn’t have a timeout, instead a correct answer.

PS:

But port 443 - oops, port 443 is a http port, not a https port.

That’s a little bit wrong. There is a -3 instead of a correct http answer.

But there is an answer.

So it’s a little bit unclear what answers.

PPS: Maybe a firewall on port 443 that allows a first connection, then the connection is terminated. But a working port 80 is required if you want to create a certificate via http validation.

3 Likes
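As an added check (not from the thread and not win-acme's own code), the script below runs the same three probes the domain report above shows, plain HTTP on port 80, TLS on port 443 and plain HTTP on port 443, and reads the combination the way @JuergenAuer does. The host name, the 10 s timeout and the probe-token path are assumptions.

```python
import socket, ssl, sys
TIMEOUT = 10  # seconds; assumption, the report in the thread gives up after about 10 s

def _http_get(sock, host, path):
    # HTTP/1.0 so the server closes after one response; we only inspect the first bytes.
    sock.sendall(f"GET {path} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode())
    return sock.recv(4096)

def probe(host, port, use_tls, path="/.well-known/acme-challenge/probe-token"):
    """Classify what answers on host:port: timeout, refused, tls_error, http or closed."""
    try:
        raw = socket.create_connection((host, port), timeout=TIMEOUT)
    except socket.timeout:
        return "timeout"    # no SYN/ACK at all: the "Timeout" row in the report above
    except OSError:
        return "refused"
    try:
        with raw:
            if use_tls:
                ctx = ssl.create_default_context()
                ctx.check_hostname = False       # we only ask whether TLS is spoken,
                ctx.verify_mode = ssl.CERT_NONE  # not whether the certificate is valid
                with ctx.wrap_socket(raw, server_hostname=host) as tls:
                    data = _http_get(tls, host, path)
            else:
                data = _http_get(raw, host, path)
    except ssl.SSLError:
        return "tls_error"  # TCP connected but no TLS handshake: the "SendFailure" row
    except (socket.timeout, OSError):
        return "closed"     # TCP connected, then dropped: the "ReceiveFailure" row
    return "http" if data.startswith(b"HTTP/") else "closed"

def diagnose(r):
    """r: results for 'http80', 'tls443', 'http443' -> findings for HTTP-01 readiness."""
    findings = []
    if r["http80"] != "http":
        findings.append("port 80 does not answer HTTP: HTTP-01 validation cannot succeed")
    if r["tls443"] == "tls_error" and r["http443"] == "http":
        findings.append("port 443 speaks plain HTTP: external 443 is likely forwarded to internal 80")
    elif r["tls443"] == "tls_error" and r["http443"] == "closed":
        findings.append("port 443 accepts connections but drops them: check forwarding or a firewall on 443")
    return findings

def check_host(host):
    return diagnose({"http80": probe(host, 80, False), "tls443": probe(host, 443, True),
                     "http443": probe(host, 443, False)})

if __name__ == "__main__":
    print("\n".join(check_host(sys.argv[1]) or ["port 80 answers HTTP: HTTP-01 can fetch the challenge"]))
```

Run it from outside your own network, since a port-forwarding mistake on the router is invisible from the LAN.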

Thank you for the quick reply @JuergenAuer

So the port 80 on my windows server is not answering for IP#2, is that correct?

How do I configure that? And is there a way to check it?

3 Likes

I just went into the Windows Firewall and set an Inbound rule for port 80, did another domain check and it is still failing?

Instructions I followed, but entered port 80: https://dbatricksworld.com/how-to-open-firewall-ports-on-windows-server-2008-r2/

Domain report:

3 Likes

There is something that blocks or interrupts the connection.

You have to find and remove it.

Or switch to dns validation if port 80 doesn’t work.

3 Likes

Ah - now there is a new check.

Now port 80 answers, that looks good.

1 Like

I had someone change the port forwarding on the host network side. Port 80 was locked down.

I reran the letsencrypt.exe and got some success and errors. I went into IIS and added a Port 443 https and in the certificate drop-down was one for 8/21 so I selected it?

Not sure if these errors mean anything? If I need to clean something up or redo it?

[INFO] Authorization result: valid
[INFO] Requesting certificate members.wellbridge.com 2020/8/21 13:04:29 PM
[INFO] Saving certificate to C:\ProgramData\letsencrypt-win-simple\httpsacme-v01.api.letsencrypt.org
[INFO] Installing certificate in the certificate store
[INFO] Adding certificate members.wellbridge.com 2020/8/21 13:04:29 PM to store My
[INFO] Installing with IIS…
[INFO] Adding new https binding members.wellbridge.com:443
[INFO] Committing 1 https binding changes to IIS
[EROR] Error installing
System.IO.FileLoadException: Filename: \\?\C:\Windows\system32\inetsrv\config\applicationHost.config
Error: Cannot commit configuration changes because the file has changed on disk

at Microsoft.Web.Administration.Interop.IAppHostWritableAdminManager.CommitChanges()
at Microsoft.Web.Administration.ConfigurationManager.CommitChanges()
at Microsoft.Web.Administration.ServerManager.CommitChanges()
at PKISharp.WACS.Clients.IISClient.Commit()
at PKISharp.WACS.Clients.IISClient.AddOrUpdateBindings(Target target, SSLFlags flags, CertificateInfo newCertificate, CertificateInfo oldCertificate)
[EROR] Unable to install certificate
System.IO.FileLoadException: Filename: \\?\C:\Windows\system32\inetsrv\config\applicationHost.config
Error: Cannot commit configuration changes because the file has changed on disk

at Microsoft.Web.Administration.Interop.IAppHostWritableAdminManager.CommitChanges()
at Microsoft.Web.Administration.ConfigurationManager.CommitChanges()
at Microsoft.Web.Administration.ServerManager.CommitChanges()
at PKISharp.WACS.Clients.IISClient.Commit()
at PKISharp.WACS.Clients.IISClient.AddOrUpdateBindings(Target target, SSLFlags flags, CertificateInfo newCertificate, CertificateInfo oldCertificate)
at PKISharp.WACS.Plugins.InstallationPlugins.IISWebInstaller.PKISharp.WACS.Plugins.Interfaces.IInstallationPlugin.Install(CertificateInfo newCertificate, CertificateInfo oldCertificate)
at PKISharp.WACS.Program.OnRenewSuccess(ILifetimeScope renewalScope, ScheduledRenewal renewal)
[INFO] Uninstalling certificate from the certificate store
[INFO] Removing certificate members.wellbridge.com 2020/5/22 3:39:11 PM from store My
[EROR] Create certificate failed

1 Like

I don’t understand that error.

But there is a new check, now with a new Letsencrypt certificate:

CN=members.wellbridge.com    21.08.2020    19.11.2020    expires in 90 days    members.wellbridge.com - 1 entry

The Grade O you can't fix, that's Windows 2008, that's too old.

But now you have a working certificate :+1:

1 Like