Invalid ACME response

Hi all,

I have a problem with generating a certificate for my domain mail.autotomask.cz (autodiscover.autotomask.cz) using Certificate Manager 4.1.6.0.

Testing on Win2K19/Exchange2K19 fails with this log:

2020-01-29 08:36:33.106 +01:00 [INF] [Preview Mode] Completed certificate request and automated bindings update (IIS)
2020-01-29 08:36:43.793 +01:00 [INF] All Tests Completed OK
2020-01-29 08:37:25.984 +01:00 [INF] [Preview Mode] Completed certificate request and automated bindings update (IIS)
2020-01-29 08:37:32.115 +01:00 [INF] [Preview Mode] Completed certificate request and automated bindings update (IIS)
2020-01-29 08:37:37.562 +01:00 [INF] All Tests Completed OK
2020-01-29 08:37:45.611 +01:00 [INF] Certify/4.1.6.0 (Windows; Microsoft Windows NT 6.2.9200.0)
2020-01-29 08:37:45.642 +01:00 [INF] Beginning Certificate Request Process: Default Web Site using ACME Provider:Certes
2020-01-29 08:37:45.657 +01:00 [INF] Registering Domain Identifiers
2020-01-29 08:37:45.871 +01:00 [ERR] BeginCertificateOrder: creating/retrieving order. Retries remaining:2
2020-01-29 08:37:48.855 +01:00 [INF] Created ACME Order: https://acme-v02.api.letsencrypt.org/acme/order/65695277/2170480070
2020-01-29 08:37:49.217 +01:00 [INF] Fetching Authorizations.
2020-01-29 08:37:51.013 +01:00 [INF] Got http-01 challenge https://acme-v02.api.letsencrypt.org/acme/chall-v3/2529850387/KyVj1w
2020-01-29 08:37:51.728 +01:00 [INF] Got dns-01 challenge https://acme-v02.api.letsencrypt.org/acme/chall-v3/2529850387/q7ZCfQ
2020-01-29 08:37:53.152 +01:00 [INF] Got http-01 challenge https://acme-v02.api.letsencrypt.org/acme/chall-v3/2529850388/RTuqUA
2020-01-29 08:37:53.882 +01:00 [INF] Got dns-01 challenge https://acme-v02.api.letsencrypt.org/acme/chall-v3/2529850388/6Skiyg
2020-01-29 08:37:55.307 +01:00 [INF] Http Challenge Server process available.
2020-01-29 08:37:55.307 +01:00 [INF] Attempting Domain Validation: mail.autotomask.cz
2020-01-29 08:37:55.308 +01:00 [INF] Registering and Validating mail.autotomask.cz
2020-01-29 08:37:55.308 +01:00 [INF] Performing automated challenge responses (mail.autotomask.cz)
2020-01-29 08:37:55.310 +01:00 [INF] Preparing challenge response for Let’s Encrypt server to check at: http://mail.autotomask.cz/.well-known/acme-challenge/bP1j6PS8HlM9hvLEipIbO4Wf4bWOoQEgcVWkC-nlzmk with content bP1j6PS8HlM9hvLEipIbO4Wf4bWOoQEgcVWkC-nlzmk.3EHqgVtBUHQgPJBl9tS0tS2qoD_WiqSSv9YIy8SeeAk
2020-01-29 08:37:55.310 +01:00 [INF] If the challenge response file is not accessible at this exact URL the validation will fail and a certificate will not be issued.
2020-01-29 08:37:55.336 +01:00 [INF] Using website path C:\inetpub\wwwroot
2020-01-29 08:37:55.367 +01:00 [INF] Checking URL is accessible: http://mail.autotomask.cz/.well-known/acme-challenge/bP1j6PS8HlM9hvLEipIbO4Wf4bWOoQEgcVWkC-nlzmk [proxyAPI: True, timeout: 5000ms]
2020-01-29 08:37:56.389 +01:00 [INF] (proxy api) URL is not accessible. Result: [401] Resource not accessible, Timeout or Redirected
2020-01-29 08:37:56.389 +01:00 [INF] Checking URL is accessible: http://mail.autotomask.cz/.well-known/acme-challenge/bP1j6PS8HlM9hvLEipIbO4Wf4bWOoQEgcVWkC-nlzmk [proxyAPI: False, timeout: 5000ms]
2020-01-29 08:37:56.577 +01:00 [INF] (local check) URL is accessible. Check passed. HTTP OK
2020-01-29 08:37:56.578 +01:00 [INF] Requesting Validation from Let’s Encrypt: mail.autotomask.cz
2020-01-29 08:37:56.582 +01:00 [INF] Http Challenge Server process available.
2020-01-29 08:37:56.582 +01:00 [INF] Attempting Domain Validation: autodiscover.autotomask.cz
2020-01-29 08:37:56.582 +01:00 [INF] Registering and Validating autodiscover.autotomask.cz
2020-01-29 08:37:56.583 +01:00 [INF] Performing automated challenge responses (autodiscover.autotomask.cz)
2020-01-29 08:37:56.583 +01:00 [INF] Preparing challenge response for Let’s Encrypt server to check at: http://autodiscover.autotomask.cz/.well-known/acme-challenge/Yb0QkVp9EYBs-0BqKdB7hk9mb47P4jreviD5Tucext0 with content Yb0QkVp9EYBs-0BqKdB7hk9mb47P4jreviD5Tucext0.3EHqgVtBUHQgPJBl9tS0tS2qoD_WiqSSv9YIy8SeeAk
2020-01-29 08:37:56.583 +01:00 [INF] If the challenge response file is not accessible at this exact URL the validation will fail and a certificate will not be issued.
2020-01-29 08:37:56.611 +01:00 [INF] Using website path C:\inetpub\wwwroot
2020-01-29 08:37:56.612 +01:00 [INF] Checking URL is accessible: http://autodiscover.autotomask.cz/.well-known/acme-challenge/Yb0QkVp9EYBs-0BqKdB7hk9mb47P4jreviD5Tucext0 [proxyAPI: True, timeout: 5000ms]
2020-01-29 08:37:58.509 +01:00 [INF] (proxy api) URL is not accessible. Result: [401] Resource not accessible, Timeout or Redirected
2020-01-29 08:37:58.509 +01:00 [INF] Checking URL is accessible: http://autodiscover.autotomask.cz/.well-known/acme-challenge/Yb0QkVp9EYBs-0BqKdB7hk9mb47P4jreviD5Tucext0 [proxyAPI: False, timeout: 5000ms]
2020-01-29 08:37:58.512 +01:00 [INF] (local check) URL is accessible. Check passed. HTTP OK
2020-01-29 08:37:58.512 +01:00 [INF] Requesting Validation from Let’s Encrypt: autodiscover.autotomask.cz
2020-01-29 08:37:58.530 +01:00 [INF] Attempting Challenge Response Validation for Domain: mail.autotomask.cz
2020-01-29 08:37:58.530 +01:00 [INF] Registering and Validating mail.autotomask.cz
2020-01-29 08:37:58.531 +01:00 [INF] Checking automated challenge response for Domain: mail.autotomask.cz
2020-01-29 08:38:00.309 +01:00 [INF] Invalid response from http://mail.autotomask.cz/.well-known/acme-challenge/bP1j6PS8HlM9hvLEipIbO4Wf4bWOoQEgcVWkC-nlzmk [46.23.53.15]: 401
2020-01-29 08:38:02.770 +01:00 [INF] Validation of the required challenges did not complete successfully. Invalid response from http://mail.autotomask.cz/.well-known/acme-challenge/bP1j6PS8HlM9hvLEipIbO4Wf4bWOoQEgcVWkC-nlzmk [46.23.53.15]: 401
2020-01-29 08:38:02.770 +01:00 [INF] Validation of the required challenges did not complete successfully. Invalid response from http://mail.autotomask.cz/.well-known/acme-challenge/bP1j6PS8HlM9hvLEipIbO4Wf4bWOoQEgcVWkC-nlzmk [46.23.53.15]: 401
2020-01-29 08:39:26.711 +01:00 [INF] [Preview Mode] Completed certificate request and automated bindings update (IIS)
2020-01-29 08:40:31.575 +01:00 [INF] [Preview Mode] Completed certificate request and automated bindings update (IIS)

I checked the web.config settings in %inetpub%\wwwroot.well-known\acme-challenge and they seem to be right (according to https://docs.certifytheweb.com/docs/http-validation.html).

Thanks for any advice.

I would guess that it’s because you have digest authentication setup on the mail and autodiscover subdomains, preventing access to the challenge resource:

$ curl -i http://mail.autotomask.cz/.well-known/acme-challenge/bP1j6PS8HlM9hvLEipIbO4Wf4bWOoQEgcVWkC-nlzmk
HTTP/1.1 401 Unauthorized
Server: Microsoft-IIS/10.0
WWW-Authenticate: Digest qop="auth",algorithm=MD5-sess,nonce="+Upgraded+v184c2d8b7ad5c0b87dde33c1cd020603936ea344e81d6d5017c4fe197ab1ce6f1c776c8b612deadfb400164a71b4c4f457d27a901284ce1ce",charset=utf-8,realm="Digest"
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
Date: Wed, 29 Jan 2020 08:51:32 GMT
Content-Length: 0

Not sure if there’s a way in IIS to exclude a specific request path from authentication, but that’s what my first thought would be.

Hi _az,

thanks for the quick reply. You are probably right, but I am not sure where I should allow/exclude this path from authentication. I tried to edit the web.config file in the wwwroot directory, but it didn't help me.

Can anyone help with excluding a path from authentication in IIS or with editing web.config in wwwroot?
Any advice is appreciated …

Thanks.
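One way to exempt just the challenge path from the Digest/Negotiate/NTLM requirement shown in the curl output, as an added example that is not from this thread or from Certify: it writes a `<location>` override for `.well-known/acme-challenge` into applicationHost.config, which sidesteps the site web.config (IIS locks the authentication sections there by default, so a web.config edit alone is silently ignored or produces a 500.19). It assumes Windows Server 2019 with the WebAdministration module, the site name `Default Web Site`, and the wwwroot path from the log; the `configtest` file name is a constructed probe.

```powershell
# Added example, not code from the thread: allow anonymous access to the ACME
# challenge path only, leaving the rest of the site's authentication untouched.
Import-Module WebAdministration

$site     = 'Default Web Site'
$location = "$site/.well-known/acme-challenge"
$apphost  = 'MACHINE/WEBROOT/APPHOST'          # applicationHost.config scope
$auth     = 'system.webServer/security/authentication'

# Anonymous on, every credential-based scheme off, for this path only.
$settings = @{
    'anonymousAuthentication' = $true
    'windowsAuthentication'   = $false        # Negotiate / NTLM
    'digestAuthentication'    = $false
    'basicAuthentication'     = $false
}
foreach ($section in $settings.Keys) {
    Set-WebConfigurationProperty -PSPath $apphost -Location $location `
        -Filter "$auth/$section" -Name 'enabled' -Value $settings[$section]
}

# Read back the effective value for the location (expect True).
(Get-WebConfigurationProperty -PSPath $apphost -Location $location `
    -Filter "$auth/anonymousAuthentication" -Name 'enabled').Value

# Probe the path the way an external validator does: plain HTTP, no
# credentials, no redirect following. 'configtest' is a constructed name.
$dir   = 'C:\inetpub\wwwroot\.well-known\acme-challenge'
$probe = 'http://mail.autotomask.cz/.well-known/acme-challenge/configtest'
Set-Content -Path (Join-Path $dir 'configtest') -Value 'ok' -NoNewline
try {
    $r = Invoke-WebRequest -Uri $probe -UseBasicParsing -MaximumRedirection 0
    "HTTP $($r.StatusCode): $($r.Content)"    # want 200 and body 'ok'
} catch {
    # 401 here means another layer (e.g. an <authorization> rule or a
    # web.config deeper in the path) still demands credentials.
    "Still blocked: $($_.Exception.Message)"
} finally {
    Remove-Item (Join-Path $dir 'configtest') -ErrorAction SilentlyContinue
}
```

Run the probe from outside the network if you can: the log's local check passing while the proxy check got 401 is consistent with the on-server client answering the Negotiate/NTLM challenge with its own Windows credentials, which Let's Encrypt's validators cannot do.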