Help with renewing cert

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
Futurenetworking.com but I'm only trying to renew certs for support.futurenetworking.com as it is the only thing hosted on-prem

I ran this command:
"Request Certificate" in Certify SSL/TLS Certificate Management [Community Edition]

It produced this output:
Last part of the log:

2021-07-01 09:06:00.587 -07:00 [INF] (local check) URL is accessible. Check passed. HTTP OK
2021-07-01 09:06:00.587 -07:00 [INF] Requesting Validation: support.futurenetworking.com
2021-07-01 09:06:00.591 -07:00 [INF] Attempting Challenge Response Validation for Domain: support.futurenetworking.com
2021-07-01 09:06:00.591 -07:00 [INF] Registering and Validating support.futurenetworking.com
2021-07-01 09:06:00.591 -07:00 [INF] Checking automated challenge response for Domain: support.futurenetworking.com
2021-07-01 09:06:00.770 -07:00 [WRN] Challenge response validation still pending. Re-checking [10]..
2021-07-01 09:06:02.405 -07:00 [WRN] Challenge response validation still pending. Re-checking [9]..
2021-07-01 09:06:04.541 -07:00 [WRN] Challenge response validation still pending. Re-checking [8]..
2021-07-01 09:06:07.168 -07:00 [WRN] Challenge response validation still pending. Re-checking [7]..
2021-07-01 09:06:10.319 -07:00 [WRN] Challenge response validation still pending. Re-checking [6]..
2021-07-01 09:06:13.945 -07:00 [INF] Fetching http://support.futurenetworking.com/.well-known/acme-challenge/NaGaM-a1sLQWN169TT10RzMMNkQffWZlaxc6CSMIW48: Timeout during connect (likely firewall problem)
2021-07-01 09:06:14.824 -07:00 [INF] Validation of the required challenges did not complete successfully. Fetching http://support.futurenetworking.com/.well-known/acme-challenge/NaGaM-a1sLQWN169TT10RzMMNkQffWZlaxc6CSMIW48: Timeout during connect (likely firewall problem)
2021-07-01 09:06:14.824 -07:00 [INF] Validation of the required challenges did not complete successfully. Fetching http://support.futurenetworking.com/.well-known/acme-challenge/NaGaM-a1sLQWN169TT10RzMMNkQffWZlaxc6CSMIW48: Timeout during connect (likely firewall problem)
2021-07-01 09:06:14.824 -07:00 [INF] Validation of the required challenges did not complete successfully. Fetching http://support.futurenetworking.com/.well-known/acme-challenge/NaGaM-a1sLQWN169TT10RzMMNkQffWZlaxc6CSMIW48: Timeout during connect (likely firewall problem)

My web server is (include version):
IIS 8.5.9600.16384

The operating system my web server runs on is (include version):
Windows Server 2012 R2 v 6.2 build 9200

My hosting provider, if applicable, is:
Domain: Network Solutions
DNS: cloudflare

I can login to a root shell on my machine (yes or no, or I don't know):
na - windows server VM

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
na

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
Not using certbot

Also I checked the firewall logs, no drops/blocks/denies on the firewall side. Packet capture shows traffic going through.

I also get a timeout from my laptop on port 80:

$ curl -i -m10 support.futurenetworking.com
curl: (28) Connection timed out after 10001 milliseconds

Keep in mind that the HTTP challenge can only get started over port 80.

Only having port 443 open is not sufficient for it to succeed. See also: Best Practice - Keep Port 80 Open - Let's Encrypt.

Note also that you should see a failure in the preceding line of log (just before your edit) saying that the check via the proxy API failed (this uses the certifytheweb.com API to check your website is accessible on port 80).

This only passes the next step because it's accessible from the local machine. So as @_az says, you just need to make sure your firewall is open on port 80 (windows firewall and any VM hosting network settings that may be relevant such as cloud networking rules).

As you're using Cloudflare for your DNS you can also quite easily use DNS validation instead of http (see the Authorization tab, change from http-01 to dns-01, then choose Cloudflare, you will need API credentials - see Cloudflare DNS | Certify The Web Docs for more info). That way you don't need any firewall changes.

You can also get general help specific to Certify via https://community.certifytheweb.com/

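The pre-flight that the port-80 check in the two replies above performs, written here as an added example (not Certify The Web's or Let's Encrypt's own code): connect to port 80 from outside the host and fetch the `/.well-known/acme-challenge/` path, separating a connect timeout (packets dropped, the symptom in the log) from a refused connection, a non-200 answer or a wrong body. The host, token and key authorization are constructed values, and the loopback server is only a test fixture standing in for IIS.

```python
import http.client
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

CHALLENGE_PATH = "/.well-known/acme-challenge/"

def check_http01(host, token, key_auth, port=80, timeout=10):
    """Classify an HTTP-01 pre-flight: 'connect-timeout' = packets dropped
    (firewall/NAT, the symptom in the log), 'connect-refused' = nothing listening,
    'http-NNN' / 'wrong-body' = port open but the web server answers incorrectly."""
    try:
        socket.create_connection((host, port), timeout=timeout).close()
    except socket.timeout:
        return "connect-timeout"
    except ConnectionRefusedError:
        return "connect-refused"
    except OSError as exc:
        return "connect-error:%s" % exc.errno
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", CHALLENGE_PATH + token)
        resp = conn.getresponse()
        body = resp.read().decode("ascii", "replace").strip()
    finally:
        conn.close()
    if resp.status != 200:   # the CA itself follows 3xx redirects; this checker does not
        return "http-%d" % resp.status
    return "ok" if body == key_auth else "wrong-body"

class _ChallengeHandler(BaseHTTPRequestHandler):   # test fixture standing in for IIS
    def do_GET(self):
        token = self.path[len(CHALLENGE_PATH):] if self.path.startswith(CHALLENGE_PATH) else ""
        body = self.server.responses.get(token)   # {token: key_authorization}, set below
        if body is None:
            return self.send_error(404)
        data = body.encode()
        self.send_response(200)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)
    def log_message(self, *args):   # keep the fixture quiet
        pass

def start_local_server(responses):
    srv = HTTPServer(("127.0.0.1", 0), _ChallengeHandler)   # random loopback port
    srv.responses = responses
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv
```

Run `check_http01("support.futurenetworking.com", "<token>", "<key-authorization>")` from a machine outside the firewall to reproduce the proxy check; a result of `connect-timeout` points at the firewall or NAT rather than at IIS.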
This method worked perfectly! Thanks!
