Http challenge cannot be completed

Hi all!

I'm having trouble with installing a certificate on my server at home.

My domain: http://kratosinferno.fr

This domain is registered with LWS, and is redirected to a no-ip to reach a pc that acts as a server at my home.
The PC is running Windows 10 Pro with IIS (v10).

My setup is as follows:
Orange internet box with ports 80 and 443 redirected to my Asus router, then to my server PC.
The IIS server is accessible from the outside, I have webservices that respond very well to mobile applications that I develop, so far so good.

Wanting to switch to https I initially used "Certify the web" directly on my no-ip and the whole process was OK. On the other hand, the passage in https was not done.

I understood that I needed a real domain name, that's why I took one from LWS and redirected it to my no-ip.

I deleted my certificate in "Certify the web" to recreate one with the new domain name.

Since then, the configuration test fails with the message "Could not verify URL is accessible: http://kratosinferno.fr/.well-known/acme-challenge/configcheck" although the "configcheck" file is created correctly.

I confess to being lost, do you have an idea please?

Thanks a lot

1 Like

Welcome to the community @Kratos

When I try that acme challenge URL I get a 404 Not Found from an nginx server. If your "configtest" file exists I should be getting its contents and not a 404.

Requests for your home page get redirected by nginx to IIS with a 200 OK.

Do you know why I am seeing nginx?

(home page)
curl -I kratosinferno.fr
HTTP/1.1 301 Moved Permanently
Server: nginx
Location: http://kratosinferno.ddns.net/

curl -I http://kratosinferno.ddns.net
HTTP/1.1 200 OK
Server: Microsoft-IIS/10.0

(ACME challenge test response from nginx)
curl -I kratosinferno.fr/.well-known/acme-challenge/configcheck
HTTP/1.1 404 Not Found
Server: nginx

2 Likes

FYI:

Name:      kratosinferno.fr
Addresses: 2a00:7ee0:1:0:3:39:0:ff9
           91.216.107.49

Name:    kratosinferno.ddns.net
Address: 90.52.5.244

3 Likes
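
The comparison made in the replies above (home page redirected to IIS, challenge path answered with a 404 by nginx), written out as a small check. This is an added example, not part of any post in the thread; the function names and verdict strings are made up for illustration, and comparing `Server` headers is only a heuristic.

```python
import http.client
from urllib.parse import urlsplit

# Sample inputs: the `curl -I` outputs quoted in the thread above.
HOME = "HTTP/1.1 301 Moved Permanently\nServer: nginx\nLocation: http://kratosinferno.ddns.net/"
ORIGIN = "HTTP/1.1 200 OK\nServer: Microsoft-IIS/10.0"
CHALLENGE = "HTTP/1.1 404 Not Found\nServer: nginx"
# Constructed counter-case (not from the thread): the 404 comes from IIS itself.
CHALLENGE_AT_ORIGIN = "HTTP/1.1 404 Not Found\nServer: Microsoft-IIS/10.0"

def parse_head(raw):
    """Turn `curl -I` text into (status, {lower-cased header: value})."""
    lines = [ln.strip() for ln in raw.splitlines() if ln.strip()]
    status = int(lines[0].split()[1])
    headers = {}
    for ln in lines[1:]:
        name, _, value = ln.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers

def head(url):
    """Live variant: one HEAD request over plain HTTP, redirects not followed."""
    u = urlsplit(url)
    conn = http.client.HTTPConnection(u.hostname, u.port or 80, timeout=10)
    try:
        conn.request("HEAD", u.path or "/")
        resp = conn.getresponse()
        return resp.status, {k.lower(): v for k, v in resp.getheaders()}
    finally:
        conn.close()

def diagnose(origin, challenge):
    """Compare the challenge-URL response with the known origin response."""
    origin_server = origin[1].get("server", "")
    status, headers = challenge
    if status == 200:
        return "ok"
    if status in (301, 302, 303, 307, 308):
        return "redirect:" + headers.get("location", "")
    # Heuristic: the Server header names whichever host produced the error.
    if origin_server and headers.get("server") == origin_server:
        return "origin-reached-file-not-served"
    return "never-reached-origin"

if __name__ == "__main__":
    o = parse_head(ORIGIN)
    for label, raw in (("home", HOME), ("challenge", CHALLENGE)):
        print(label, diagnose(o, parse_head(raw)))
```

A `never-reached-origin` verdict means the file on the IIS machine is irrelevant until DNS or the redirect service is changed; `origin-reached-file-not-served` points at the web server's own configuration instead.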

Hello Mike and rg305,

Thank you for your answers.

I don't know anything about nginx.
I guess it comes from LWS, which provides my domain name, no?

I confirm that my configcheck file is created:

But maybe the right solution would be to succeed in getting the https on my no-ip if possible?
It would simplify the system.

Your DNS for kratosinferno.fr is pointing to two IP addresses, as shown by rg305's post just before. One is for IPv4 and one for IPv6.

A request to http://kratosinferno.fr/... will go to one of those IP addresses and we must find the challenge check file there. We are not seeing that. Do you recognize either of the IP addresses for that domain?

And, yes, if you don't know what the nginx is or these IP addresses you might be better off just working with your ddns domain directly.

3 Likes

Supplemental information from my IPv4 only location

$ curl -Ii http://kratosinferno.fr/.well-known/acme-challenge/configcheck
HTTP/1.1 404 Not Found
Server: nginx
Date: Sun, 05 Feb 2023 20:13:15 GMT
Content-Type: text/html
Connection: keep-alive
Accept-Ranges: bytes

$ nmap kratosinferno.fr
Starting Nmap 7.80 ( https://nmap.org ) at 2023-02-05 20:14 UTC
Nmap scan report for kratosinferno.fr (91.216.107.49)
Host is up (0.17s latency).
Other addresses for kratosinferno.fr (not scanned): 2a00:7ee0:1:0:3:39:0:ff9
Not shown: 937 filtered ports, 59 closed ports
PORT    STATE SERVICE
21/tcp  open  ftp
22/tcp  open  ssh
80/tcp  open  http
443/tcp open  https

Nmap done: 1 IP address (1 host up) scanned in 7.34 seconds

1 Like

2a00:7ee0:1:0:3:39:0:ff9
91.216.107.49
are the IP addresses provided by LWS for my domain.

90.52.5.244 is my IP at home.

I disabled IPv6 to see if that improves the situation.
But if it doesn't work, I understand that I can use my ddns directly.

OK. They must be running some sort of redirection service for you. And, that their service is powered by nginx. Although, it is odd that they would reject the /acme-challenge URL with a 404 error and not simply redirect it.

You might want to ask LWS why they issue the 404 instead of redirecting.

Still, if later you want to be using HTTPS to access kratosinferno.fr you will need that nginx service to have a valid cert for that domain. If you can't control it I don't think this is a workable solution.

3 Likes

I got some options to manage the redirection from LWS:

I tried the first 3 options, nothing changed.

Generally these kinds of redirection services don't work with HTTPS very well.

It is not unique to Let's Encrypt. For example, the redirect you show sends all requests to HTTP. But, it can't handle a request for HTTPS://kratosinferno.fr without its own cert for that name.

And, as noted, I do not understand how it can issue a 404 (see my post #2). Maybe another volunteer will see something I don't but I really don't think that can work. Sometimes these services allow you to update the DNS directly rather than using a redirect service. That might work. But, LWS knows their system better than we do.

3 Likes

You could try creating a "www" entry in the .fr domain.
Then you can CNAME that to the .ddns.net domain.

3 Likes

Yes there is something about the DNS zone, but I don't understand anything... pfff :frowning:

At the moment, there is this:

Must I replace it?

Try removing the redirection at the .fr domain.

2 Likes

Yes, change the "@" to "kratosinferno.ddns.net."

4 Likes

OK it's done.

For now, it still doesn't work.

But guys, if you tell me that I can have https on my ddns, I will try it again and stop paying for a useless domain :slight_smile:

I think it should work.

In fact, I see you got a cert for that name (link here) so that means it can work. You just have to ensure your web server is configured properly. And, Certify usually does great for IIS so please explain what went wrong.

3 Likes

Yes, I managed to have the certificate on the ddns.
The problem is that the https did not appear on my URL kratosinferno.ddns.net.

Can you describe that in more detail? Like, did you use a browser to try that URL and what was the message? Or, was there some other issue?

3 Likes

Oh, I see you have port 443 blocked probably by a firewall. Have you checked your router and any port forwarding?

3 Likes