I have web site with TMG as a proxy

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: data.hptn.org

I ran this command: wacs.exe as administrator

It produced this output:

```
Target generated using plugin IIS: data.hptn.org
Authorize identifier: data.hptn.org
Authorizing data.hptn.org using http-01 validation (SelfHosting)
"type": "urn:ietf:params:acme:error:unauthorized",
"detail": "Invalid response from https://data.hptn.org/.well-known/acme-challenge/Icq_P4hSnNKoe07yUOzfTOp6YcBRhV_Ze2PStWqWngg []: "\r\n<html xmlns=\"http"",
"status": 403
Authorization result: invalid
```

My web server is (include version): IIS version 8.5

The operating system my web server runs on is (include version): windows server 2012 R2

My hosting provider, if applicable, is: host internally with TMG up front

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
A simple Windows ACMEv2 client (WACS)
Software version (RELEASE, PLUGGABLE)
ACME server https://acme-v02.api.letsencrypt.org/
IIS version 8.5
Running with administrator credentials
Scheduled task not configured yet
Please report issues at https://github.com/win-acme/win-acme

Welcome to the forum, @TatianaL! It looks like you are using win-acme, also known as WACS.

@WouterTinus, since you wrote win-acme, would you mind taking a look at @TatianaL’s problem? Thanks!

Hi @TatianaL, I’m not sure what you mean by TMG that is “in front” of your IIS, but for the default validation method (SelfHosting) to work, requests to port 80 must land on the same server that you are running win-acme on. If that is not the case you have to pick “advanced” mode from the main menu and choose another validation method when asked.


Thank you. The TMG is indeed Microsoft Forefront Threat Management Gateway. The web server is not open to the internet and the web application runs through this proxy. What other validation method?

Hi @TatianaL

I wrote an article a while ago https://www.linkedin.com/pulse/lets-encrypt-part-1-issuing-installing-certificates-andrei-hawke/

This talks about how to set up the .well-known path of an IIS application

This part of your server should not return 403 codes as it’s used for public verification (other things apart from Let’s Encrypt)

If you are not comfortable doing this then have a look at the DNS challenge

I find that most admins may not have access to the DNS records, so updating your IIS web server to make the .well-known path publicly available may be the best option
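As an added example (not from the linked article or from anyone in this thread), a web.config that makes the challenge folder serve token files anonymously, assuming it is placed in `<site root>\.well-known\acme-challenge\` of the data.hptn.org site and that a validation method writing token files into that folder is used instead of the default SelfHosting listener:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Hypothetical web.config for <site root>\.well-known\acme-challenge\ -->
<configuration>
  <system.webServer>
    <staticContent>
      <!-- ACME token files have no extension; without this mapping IIS
           refuses to serve them as static content -->
      <mimeMap fileExtension="." mimeType="text/plain" />
    </staticContent>
    <!-- Only static file serving is needed here; clearing the inherited
         handlers keeps an application handler from answering the CA's
         request with its own page instead of the token -->
    <handlers>
      <clear />
      <add name="StaticFile" path="*" verb="GET"
           modules="StaticFileModule" resourceType="Either"
           requireAccess="Read" />
    </handlers>
  </system.webServer>
  <system.web>
    <!-- The CA fetches the token anonymously, so authorization rules
         inherited from the parent application must not apply here -->
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>
</configuration>
```

The 403 in the log above arrived with an HTML body, which points at the TMG publishing rule rather than IIS, so that rule also has to pass `/.well-known/acme-challenge/` to the IIS host without requiring authentication. After both changes, fetching a test file under that path from outside should return 200 with the file's plain-text contents before running wacs.exe again.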
