Invalid response 404, 403 with win-acme and IIS

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: https://matomopoc.serviceconnect.defence.gov.au/

I ran this command: C:\Win-ACME>wacs.exe

Please choose from the menu: r

It produced this output:

Plugin IIS generated source matomopoc.serviceconnect.defence.gov.au with 1 identifiers
Plugin Single created 1 order
[HTTP] Request completed with status BadRequest
Error getting renewal information from server
Renewing [IIS] Default Web Site, (any host)
Cached order has status invalid, discarding
[matomopoc.serviceconnect.defence.gov.au] Authorizing...
[matomopoc.serviceconnect.defence.gov.au] Authorizing using http-01 validation (SelfHosting)
[matomopoc.serviceconnect.defence.gov.au] Authorization result: invalid
[matomopoc.serviceconnect.defence.gov.au] {"type":"urn:ietf:params:acme:error:unauthorized","detail":"2620:1ec:bdf::38: Invalid response from https://matomopoc.serviceconnect.defence.gov.au/.well-known/acme-challenge/F87ZNXM_4KQq34068kdSRSvPXN_lEEOL5c-wczgfu24: 404","status":403,"instance":null}
[matomopoc.serviceconnect.defence.gov.au] Deactivating pending authorization
Renewal for [IIS] Default Web Site, (any host) failed, will retry on next run
Validation failed
No certificate generated

My web server is (include version): IIS

The operating system my web server runs on is (include version): Windows Server 2022 DC

My hosting provider, if applicable, is: n/a

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): n/a

No proxy in place. Made sure local firewall is disabled. Website is using Win-Acme on the backend via Application Gateway in Azure. Tried setting ValidateServerCertificate to false in settings.json file.

Addresses: 2620:1ec:bdf::41
           13.107.246.41
Aliases:   matomopoc.serviceconnect.defence.gov.au

I find that both IPs are serving the same content, so that's a good thing.

But, the ACME challenge request failure is in HTTPS:

That tells me that HTTP is redirecting the ACME challenge requests.
Seems like a missed opportunity...
I've never used WACS, so, I can't say if that is expected.
I have had only success while using CertifyTheWeb with all my Windows systems.

3 Likes
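A check that reproduces what the CA does during http-01 validation, as an added example that is not part of the thread (this script is mine, not from win-acme or Certify The Web): it requests the challenge path over plain HTTP with automatic redirects switched off, so a 301/302 to HTTPS becomes visible as such instead of as the final 404 that the ACME server reported above. The token value is a placeholder; any value will do because only the transport behaviour is of interest. The domain default is the one from this thread.

```powershell
# Added example (not from the thread): emulate the CA's http-01 fetch without
# following redirects. Runs on Windows PowerShell 5.1 and PowerShell 7.
param(
    [string]$Domain = 'matomopoc.serviceconnect.defence.gov.au',
    [string]$Token  = 'TOKEN_PLACEHOLDER'   # placeholder; the CA uses a per-order token
)

function Test-AcmeChallengePath {
    param([string]$Domain, [string]$Token)

    # The CA always starts on port 80 over plain HTTP.
    $url = "http://$Domain/.well-known/acme-challenge/$Token"
    $req = [System.Net.HttpWebRequest]::Create($url)
    $req.Method            = 'GET'
    $req.AllowAutoRedirect = $false   # surface the redirect instead of following it
    $req.UserAgent         = 'acme-challenge-check/1.0'
    $req.Timeout           = 10000

    try {
        $resp = $req.GetResponse()
    } catch [System.Net.WebException] {
        # 3xx/4xx/5xx are raised as exceptions; the response object is still attached.
        if ($_.Exception.Response) { $resp = $_.Exception.Response } else { throw }
    }

    $status   = [int]$resp.StatusCode
    $location = $resp.Headers['Location']
    $resp.Close()

    [pscustomobject]@{ Url = $url; Status = $status; Location = $location }
}

$r = Test-AcmeChallengePath -Domain $Domain -Token $Token
$r | Format-List

switch ($r.Status) {
    { $_ -ge 300 -and $_ -lt 400 } {
        "HTTP is redirecting the challenge to $($r.Location). Exempt /.well-known/acme-challenge/ from the redirect, or serve the path before the redirect rule runs."
    }
    404 {
        "No redirect, but nothing answers on this path: the listener that should serve the token (win-acme SelfHosting on port 80, or the IIS site) is not the one this hostname reaches."
    }
    200 {
        "Path reachable over plain HTTP; http-01 validation should pass once the real token is served here."
    }
    default { "Unexpected status $($r.Status); inspect the response headers." }
}
```

Run it from a machine that resolves the hostname to the same addresses the CA sees (the AAAA record in the nslookup output means the CA will try IPv6, which is why an IPv6 address appears in the error detail). A 3xx result means the redirect, wherever it is configured (the Application Gateway listener rule or an IIS URL Rewrite rule), needs an exclusion for the challenge path; a 404 means the request did reach a web server but not the one win-acme's SelfHosting listener is answering on.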

Thanks. CertifytheWeb renewed the certificate but we need the PFX file from it.
In MMC, when I try to export the certificate the PFX option is greyed out.

1 Like

Hi @FM2023 I'm the developer of Certify The Web. To export the PFX add an Export Certificate deployment task under Tasks, then save and run the task (you don't need to re-request the cert to run the task). Subsequent renewals will automatically run the task.

The task can be configured to export to the local machine file system or a remote Windows share, or via SSH (sftp).

Depending on what you need to export the PFX for, you might also want to use something like the Deploy to Azure Keyvault task (for instance if you wanted to use the same cert on an Azure service).

4 Likes

Splendid! Issue is fixed.

4 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.