Invalid ACME response

Hi all,

I have a problem with generating a certificate for my domain mail.autotomask.cz (autodiscover.autotomask.cz) using Certificate Manager 4.1.6.0.

Testing on Win2K19/Exchange2K19 fails with this log:

2020-01-29 08:36:33.106 +01:00 [INF] [Preview Mode] Completed certificate request and automated bindings update (IIS)
2020-01-29 08:36:43.793 +01:00 [INF] All Tests Completed OK
2020-01-29 08:37:25.984 +01:00 [INF] [Preview Mode] Completed certificate request and automated bindings update (IIS)
2020-01-29 08:37:32.115 +01:00 [INF] [Preview Mode] Completed certificate request and automated bindings update (IIS)
2020-01-29 08:37:37.562 +01:00 [INF] All Tests Completed OK
2020-01-29 08:37:45.611 +01:00 [INF] Certify/4.1.6.0 (Windows; Microsoft Windows NT 6.2.9200.0)
2020-01-29 08:37:45.642 +01:00 [INF] Beginning Certificate Request Process: Default Web Site using ACME Provider:Certes
2020-01-29 08:37:45.657 +01:00 [INF] Registering Domain Identifiers
2020-01-29 08:37:45.871 +01:00 [ERR] BeginCertificateOrder: creating/retrieving order. Retries remaining:2
2020-01-29 08:37:48.855 +01:00 [INF] Created ACME Order: https://acme-v02.api.letsencrypt.org/acme/order/65695277/2170480070
2020-01-29 08:37:49.217 +01:00 [INF] Fetching Authorizations.
2020-01-29 08:37:51.013 +01:00 [INF] Got http-01 challenge https://acme-v02.api.letsencrypt.org/acme/chall-v3/2529850387/KyVj1w
2020-01-29 08:37:51.728 +01:00 [INF] Got dns-01 challenge https://acme-v02.api.letsencrypt.org/acme/chall-v3/2529850387/q7ZCfQ
2020-01-29 08:37:53.152 +01:00 [INF] Got http-01 challenge https://acme-v02.api.letsencrypt.org/acme/chall-v3/2529850388/RTuqUA
2020-01-29 08:37:53.882 +01:00 [INF] Got dns-01 challenge https://acme-v02.api.letsencrypt.org/acme/chall-v3/2529850388/6Skiyg
2020-01-29 08:37:55.307 +01:00 [INF] Http Challenge Server process available.
2020-01-29 08:37:55.307 +01:00 [INF] Attempting Domain Validation: mail.autotomask.cz
2020-01-29 08:37:55.308 +01:00 [INF] Registering and Validating mail.autotomask.cz
2020-01-29 08:37:55.308 +01:00 [INF] Performing automated challenge responses (mail.autotomask.cz)
2020-01-29 08:37:55.310 +01:00 [INF] Preparing challenge response for Let’s Encrypt server to check at: http://mail.autotomask.cz/.well-known/acme-challenge/bP1j6PS8HlM9hvLEipIbO4Wf4bWOoQEgcVWkC-nlzmk with content bP1j6PS8HlM9hvLEipIbO4Wf4bWOoQEgcVWkC-nlzmk.3EHqgVtBUHQgPJBl9tS0tS2qoD_WiqSSv9YIy8SeeAk
2020-01-29 08:37:55.310 +01:00 [INF] If the challenge response file is not accessible at this exact URL the validation will fail and a certificate will not be issued.
2020-01-29 08:37:55.336 +01:00 [INF] Using website path C:\inetpub\wwwroot
2020-01-29 08:37:55.367 +01:00 [INF] Checking URL is accessible: http://mail.autotomask.cz/.well-known/acme-challenge/bP1j6PS8HlM9hvLEipIbO4Wf4bWOoQEgcVWkC-nlzmk [proxyAPI: True, timeout: 5000ms]
2020-01-29 08:37:56.389 +01:00 [INF] (proxy api) URL is not accessible. Result: [401] Resource not accessible, Timeout or Redirected
2020-01-29 08:37:56.389 +01:00 [INF] Checking URL is accessible: http://mail.autotomask.cz/.well-known/acme-challenge/bP1j6PS8HlM9hvLEipIbO4Wf4bWOoQEgcVWkC-nlzmk [proxyAPI: False, timeout: 5000ms]
2020-01-29 08:37:56.577 +01:00 [INF] (local check) URL is accessible. Check passed. HTTP OK
2020-01-29 08:37:56.578 +01:00 [INF] Requesting Validation from Let’s Encrypt: mail.autotomask.cz
2020-01-29 08:37:56.582 +01:00 [INF] Http Challenge Server process available.
2020-01-29 08:37:56.582 +01:00 [INF] Attempting Domain Validation: autodiscover.autotomask.cz
2020-01-29 08:37:56.582 +01:00 [INF] Registering and Validating autodiscover.autotomask.cz
2020-01-29 08:37:56.583 +01:00 [INF] Performing automated challenge responses (autodiscover.autotomask.cz)
2020-01-29 08:37:56.583 +01:00 [INF] Preparing challenge response for Let’s Encrypt server to check at: http://autodiscover.autotomask.cz/.well-known/acme-challenge/Yb0QkVp9EYBs-0BqKdB7hk9mb47P4jreviD5Tucext0 with content Yb0QkVp9EYBs-0BqKdB7hk9mb47P4jreviD5Tucext0.3EHqgVtBUHQgPJBl9tS0tS2qoD_WiqSSv9YIy8SeeAk
2020-01-29 08:37:56.583 +01:00 [INF] If the challenge response file is not accessible at this exact URL the validation will fail and a certificate will not be issued.
2020-01-29 08:37:56.611 +01:00 [INF] Using website path C:\inetpub\wwwroot
2020-01-29 08:37:56.612 +01:00 [INF] Checking URL is accessible: http://autodiscover.autotomask.cz/.well-known/acme-challenge/Yb0QkVp9EYBs-0BqKdB7hk9mb47P4jreviD5Tucext0 [proxyAPI: True, timeout: 5000ms]
2020-01-29 08:37:58.509 +01:00 [INF] (proxy api) URL is not accessible. Result: [401] Resource not accessible, Timeout or Redirected
2020-01-29 08:37:58.509 +01:00 [INF] Checking URL is accessible: http://autodiscover.autotomask.cz/.well-known/acme-challenge/Yb0QkVp9EYBs-0BqKdB7hk9mb47P4jreviD5Tucext0 [proxyAPI: False, timeout: 5000ms]
2020-01-29 08:37:58.512 +01:00 [INF] (local check) URL is accessible. Check passed. HTTP OK
2020-01-29 08:37:58.512 +01:00 [INF] Requesting Validation from Let’s Encrypt: autodiscover.autotomask.cz
2020-01-29 08:37:58.530 +01:00 [INF] Attempting Challenge Response Validation for Domain: mail.autotomask.cz
2020-01-29 08:37:58.530 +01:00 [INF] Registering and Validating mail.autotomask.cz
2020-01-29 08:37:58.531 +01:00 [INF] Checking automated challenge response for Domain: mail.autotomask.cz
2020-01-29 08:38:00.309 +01:00 [INF] Invalid response from http://mail.autotomask.cz/.well-known/acme-challenge/bP1j6PS8HlM9hvLEipIbO4Wf4bWOoQEgcVWkC-nlzmk [46.23.53.15]: 401
2020-01-29 08:38:02.770 +01:00 [INF] Validation of the required challenges did not complete successfully. Invalid response from http://mail.autotomask.cz/.well-known/acme-challenge/bP1j6PS8HlM9hvLEipIbO4Wf4bWOoQEgcVWkC-nlzmk [46.23.53.15]: 401
2020-01-29 08:38:02.770 +01:00 [INF] Validation of the required challenges did not complete successfully. Invalid response from http://mail.autotomask.cz/.well-known/acme-challenge/bP1j6PS8HlM9hvLEipIbO4Wf4bWOoQEgcVWkC-nlzmk [46.23.53.15]: 401
2020-01-29 08:39:26.711 +01:00 [INF] [Preview Mode] Completed certificate request and automated bindings update (IIS)
2020-01-29 08:40:31.575 +01:00 [INF] [Preview Mode] Completed certificate request and automated bindings update (IIS)

I checked the web.config settings in %inetpub%\wwwroot\.well-known\acme-challenge and they seem to be right (according to https://docs.certifytheweb.com/docs/http-validation.html).

Thanks for any advice.

I would guess that it’s because you have digest authentication set up on the mail and autodiscover subdomains, preventing access to the challenge resource:

$ curl -i http://mail.autotomask.cz/.well-known/acme-challenge/bP1j6PS8HlM9hvLEipIbO4Wf4bWOoQEgcVWkC-nlzmk
HTTP/1.1 401 Unauthorized
Server: Microsoft-IIS/10.0
WWW-Authenticate: Digest qop="auth",algorithm=MD5-sess,nonce="+Upgraded+v184c2d8b7ad5c0b87dde33c1cd020603936ea344e81d6d5017c4fe197ab1ce6f1c776c8b612deadfb400164a71b4c4f457d27a901284ce1ce",charset=utf-8,realm="Digest"
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
Date: Wed, 29 Jan 2020 08:51:32 GMT
Content-Length: 0

Not sure if there’s a way in IIS to exclude a specific request path from authentication, but that’s what my first thought would be.
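There is a way to do what _az describes: IIS lets you override the authentication settings for one request path with a `<location>` element. The following is an added example, not something posted in this thread or shipped by Certify; it assumes the site is named "Default Web Site", its root is C:\inetpub\wwwroot (as the log above shows), the public host name is mail.autotomask.cz, and it is run from an elevated PowerShell with the WebAdministration module (IIS 7.0 and later). It writes the overrides to applicationHost.config via `-Location`, which is the route that still works when the authentication sections are locked at server level, and then fetches a probe file without credentials, the same way Let’s Encrypt does.

```powershell
# Added example (not from the original thread or Certify's own docs): allow anonymous
# access to the ACME http-01 challenge path on an IIS site whose root requires
# Digest/Windows authentication, then verify the unauthenticated view of it.
# Assumptions: site "Default Web Site" rooted at C:\inetpub\wwwroot, public host
# mail.autotomask.cz, elevated PowerShell, WebAdministration module available.
Import-Module WebAdministration

$site          = 'Default Web Site'
$siteRoot      = 'C:\inetpub\wwwroot'
$challengePath = '.well-known/acme-challenge'
$hostName      = 'mail.autotomask.cz'
$authBase      = 'system.webServer/security/authentication'

# Per-path overrides, written as
#   <location path="Default Web Site/.well-known/acme-challenge"> ... </location>
# in applicationHost.config. The four authentication sections are locked there by
# default (overrideModeDefault="Deny"), which is why the same settings placed in a
# web.config under wwwroot are rejected or silently ignored.
$authSettings = @{
    'anonymousAuthentication' = $true
    'digestAuthentication'    = $false
    'windowsAuthentication'   = $false   # covers the Negotiate and NTLM challenges
    'basicAuthentication'     = $false
}
foreach ($section in $authSettings.Keys) {
    Set-WebConfigurationProperty -PSPath "IIS:\Sites\$site" -Location $challengePath `
        -Filter "$authBase/$section" -Name 'enabled' -Value $authSettings[$section]
}

# Show what is now effective for the challenge path (all four sections).
foreach ($section in $authSettings.Keys) {
    $enabled = (Get-WebConfigurationProperty -PSPath "IIS:\Sites\$site" -Location $challengePath `
        -Filter "$authBase/$section" -Name 'enabled').Value
    '{0,-24} enabled={1}' -f $section, $enabled
}

# Verification: drop a probe file where Certify writes its tokens and request it
# with no credentials. Invoke-WebRequest sends no Windows credentials unless
# -UseDefaultCredentials is given, so a 200 here means the CA will also get 200;
# a 401 means the override did not take effect for this path.
$challengeDir = Join-Path $siteRoot ($challengePath -replace '/', '\')
New-Item -ItemType Directory -Path $challengeDir -Force | Out-Null
$probe     = 'probe-' + [guid]::NewGuid().ToString('N')
$probeFile = Join-Path $challengeDir $probe
Set-Content -Path $probeFile -Value 'probe' -NoNewline -Encoding Ascii

$url = "http://$hostName/$challengePath/$probe"
try {
    $resp = Invoke-WebRequest -Uri $url -UseBasicParsing
    'OK {0} {1}' -f $resp.StatusCode, $url
}
catch {
    'FAILED {0}: {1}' -f $url, $_.Exception.Message
}
finally {
    Remove-Item $probeFile -ErrorAction SilentlyContinue
}
```

Run the probe from a machine outside the server as well (curl, as _az did) so that host-file entries or loopback bindings on the Exchange box cannot mask a failure. If you would rather keep the override in a web.config inside the challenge folder, the authentication sections have to be unlocked first, for example `appcmd unlock config /section:system.webServer/security/authentication/anonymousAuthentication` and the same for digestAuthentication, windowsAuthentication and basicAuthentication; without that, a web.config edit alone does not change what IIS enforces on the path.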

Hi _az,

thanks for the quick reply. You are probably right, but I am not sure where I should allow/exclude this path from authentication. I tried to edit the web.config file in the wwwroot directory, but it didn’t help me.

Can anyone help with excluding a path from authentication in IIS or with editing web.config in wwwroot?
Any advice is appreciated …

Thanks.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.