IP identified as spam bot due to multiple attempts

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: cardtheyardtoronto.azure-dev.bookingonline.co.uk

I ran this command: wacs IIS setup for single site on windows machine

It produced this output:
[VERB] Verbose mode logging enabled
[VERB] ExePath: G:_Applications\LetsEncryptV2\wacs.exe
[VERB] ResourcePath: G:_Applications\LetsEncryptV2
[VERB] PluginPath: G:_Applications\LetsEncryptV2
[VERB] Looking for settings.json in G:_Applications\LetsEncryptV2
[DBUG] Config folder: C:\ProgramData\win-acme\acme-v02.api.letsencrypt.org
[DBUG] Log path: C:\ProgramData\win-acme\acme-v02.api.letsencrypt.org\Log
[DBUG] Cache path: C:\ProgramData\win-acme\acme-v02.api.letsencrypt.org\Certificates
[VERB] Arguments: --verbose --target iis --siteid 27 --installation iis --installationsiteid 27
[WARN] Found 3 files older than 120 days in cache path 'C:\ProgramData\win-acme\acme-v02.api.letsencrypt.org\Certificates'
[DBUG] Renewal period: 55 days
[VERB] Sending e-mails True

[INFO] A simple Windows ACMEv2 client (WACS)
[INFO] Software version 2.1.13.978 (RELEASE, PLUGGABLE, 64-bit)
[INFO] ACME server https://acme-v02.api.letsencrypt.org/
[VERB] SecurityProtocol setting: SystemDefault
[DBUG] Send GET request to https://acme-v02.api.letsencrypt.org/directory
[VERB] Request completed with status OK
[DBUG] Connection OK!
[INFO] IIS version 10.0
[INFO] Running with administrator credentials
[INFO] Scheduled task looks healthy
[INFO] Please report issues at GitHub - win-acme/win-acme: A simple ACME client for Windows (for use with Let's Encrypt et al.)
[VERB] Test for international support: 語言 язык لغة
[INFO] Running in mode: Unattended
[VERB] Adding 8.8.8.8 as DNS server
[VERB] Adding 1.1.1.1 as DNS server
[VERB] Adding 8.8.4.4 as DNS server
[DBUG] Scanning IIS sites
[DBUG] Scanning IIS site bindings for hosts
[VERB] 28 named bindings found in IIS
[DBUG] Filtering by site(s) [27]
[VERB] 1 bindings remaining after site filter
[VERB] No host filter applied
[VERB] 1 matching binding found
[DBUG] Scanning IIS site bindings for hosts
[VERB] 28 named bindings found in IIS
[DBUG] Filtering by site(s) [27]
[VERB] 1 bindings remaining after site filter
[VERB] No host filter applied
[VERB] 1 matching binding found
[DBUG] Scanning IIS sites
[INFO] Target generated using plugin IIS: cardtheyardtoronto.azure-dev.bookingonline.co.uk

[DBUG] Scanning IIS site bindings for hosts
[VERB] 28 named bindings found in IIS
[DBUG] Filtering by site(s) [27]
[VERB] 1 bindings remaining after site filter
[VERB] No host filter applied
[VERB] 1 matching binding found
[DBUG] Scanning IIS sites
[VERB] Targeted convert into 1 order(s)
[VERB] Checking [IIS] card-the-yard-toronto.staging, (any host)
[VERB] Handle order 1/1: Main
[VERB] Creating order for hosts: ["cardtheyardtoronto.azure-dev.bookingonline.co.uk"]
[VERB] Loading ACME account signer...
[DBUG] Loading signer from C:\ProgramData\win-acme\acme-v02.api.letsencrypt.org\Signer_v2
[VERB] Constructing ACME protocol client...
[DBUG] Send GET request to https://acme-v02.api.letsencrypt.org/directory
[VERB] Request completed with status OK
[DBUG] Send HEAD request to https://acme-v02.api.letsencrypt.org/acme/new-nonce
[VERB] Request completed with status OK
[VERB] Loading ACME account
[DBUG] Loading account information from C:\ProgramData\win-acme\acme-v02.api.letsencrypt.org\Registration_v2
[VERB] ACME client initialized
[DBUG] Send POST request to https://acme-v02.api.letsencrypt.org/acme/new-order
[VERB] Request completed with status Created
[VERB] Order https://acme-v02.api.letsencrypt.org/acme/order/106659923/98303827996 created
[DBUG] Send POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/120327208566
[VERB] Request completed with status OK
[VERB] Handle authorization 1/1
[INFO] [cardtheyardtoronto.azure-dev.bookingonline.co.uk] Authorizing...
[VERB] [cardtheyardtoronto.azure-dev.bookingonline.co.uk] Initial authorization status: pending
[VERB] [cardtheyardtoronto.azure-dev.bookingonline.co.uk] Challenge types available: ["http-01", "dns-01", "tls-alpn-01"]
[VERB] [cardtheyardtoronto.azure-dev.bookingonline.co.uk] Initial challenge status: pending
[INFO] [cardtheyardtoronto.azure-dev.bookingonline.co.uk] Authorizing using http-01 validation (FileSystem)
[VERB] Writing file to g:\root\websites\bcn.card-the-yard-toronto.staging.well-known\acme-challenge\45oi8qV6FYB0piD5bPXKjVz3PbNGob2IUJgl8ERQ-4M
[DBUG] Writing web.config
[VERB] Writing file to g:\root\websites\bcn.card-the-yard-toronto.staging.well-known\acme-challenge\web.config
[INFO] Answer should now be browsable at http://cardtheyardtoronto.azure-dev.bookingonline.co.uk/.well-known/acme-challenge/45oi8qV6FYB0piD5bPXKjVz3PbNGob2IUJgl8ERQ-4M
[DBUG] Send GET request to http://cardtheyardtoronto.azure-dev.bookingonline.co.uk/.well-known/acme-challenge/45oi8qV6FYB0piD5bPXKjVz3PbNGob2IUJgl8ERQ-4M
[VERB] Request completed with status OK
[INFO] Preliminary validation looks good, but the ACME server will be more thorough
[VERB] Starting commit stage
[VERB] Commit was succesful
[DBUG] [cardtheyardtoronto.azure-dev.bookingonline.co.uk] Submitting challenge answer
[DBUG] Send POST request to https://acme-v02.api.letsencrypt.org/acme/chall-v3/120327208566/dX9hRg
[VERB] Request completed with status OK
[DBUG] Refreshing authorization (1/15)
[DBUG] Send POST request to https://acme-v02.api.letsencrypt.org/acme/chall-v3/120327208566/dX9hRg
[VERB] Request completed with status OK
[EROR] [cardtheyardtoronto.azure-dev.bookingonline.co.uk] Authorization result: invalid
[EROR] [cardtheyardtoronto.azure-dev.bookingonline.co.uk] {
"type": "urn:ietf:params:acme:error:unauthorized",
"detail": "During secondary validation: The key authorization file from the server did not match this challenge "45oi8qV6FYB0piD5bPXKjVz3PbNGob2IUJgl8ERQ-4M.1lYT6rXVok9WFnzoim8bytEQjKwkKJHNB6YIFuc3LGQ" != "Access Denied\r\nSorry, your IP has been identified as belonging to a spam bot or another annoying crawler"",
"status": 403
}
[VERB] Starting post-validation cleanup
[DBUG] Deleting files
[VERB] Deleting file g:\root\websites\bcn.card-the-yard-toronto.staging.well-known\acme-challenge\45oi8qV6FYB0piD5bPXKjVz3PbNGob2IUJgl8ERQ-4M
[DBUG] Deleting files
[VERB] Deleting file g:\root\websites\bcn.card-the-yard-toronto.staging.well-known\acme-challenge\web.config
[DBUG] Deleting empty folders
[VERB] Deleting folder g:\root\websites\bcn.card-the-yard-toronto.staging.well-known\acme-challenge
[VERB] Deleting folder g:\root\websites\bcn.card-the-yard-toronto.staging.well-known
[VERB] Post-validation cleanup was succesful
[EROR] Create certificate failed: [cardtheyardtoronto.azure-dev.bookingonline.co.uk] Validation failed
[VERB] Exiting with status code -1

My web server is (include version): IIS 10

The operating system my web server runs on is (include version): Windows Server 2019

My hosting provider, if applicable, is: Azure VM

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
A simple Windows ACMEv2 client (WACS)
Software version 2.1.13.978 (RELEASE, PLUGGABLE, 64-bit)
ACME server https://acme-v02.api.letsencrypt.org/
IIS version 10.0
Running with administrator credentials
Scheduled task looks healthy

Note that the message "Access Denied\r\nSorry, your IP has been identified as belonging to a spam bot or another annoying crawler" is a reply from your webserver when the Let's Encrypt validation server requested the token.

So to be clear (not sure if you realise): it's not the Let's Encrypt validation server marking your IP address as a spam bot.

6 Likes

Thanks a lot. Turning around to look in the other direction now.

4 Likes

Also note that Let's Encrypt uses multiple vantage points from around the globe with purposely undisclosed IP addresses which may change at any time. Currently, I believe all secondary validations are from AWS datacenters.

That said, it shouldn't be a security risk if you'd grant global access to the /.well-known/acme-challenge/ path, as that path should not contain anything but the occasional ACME challenge token.

4 Likes
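
Added example (not part of the thread, and not win-acme or Let's Encrypt code): a small Python triage of the `detail` string from the log above, read the way the replies read it. The right-hand side of `!=` is the body the site returned to the validation server; the function name `triage` and the result labels are assumptions made for this example.

```python
import re

# "detail" string copied from the ACME problem in the log above.
DETAIL = (
    "During secondary validation: The key authorization file from the server "
    "did not match this challenge "
    '"45oi8qV6FYB0piD5bPXKjVz3PbNGob2IUJgl8ERQ-4M.1lYT6rXVok9WFnzoim8bytEQjKwkKJHNB6YIFuc3LGQ"'
    ' != "Access Denied\r\nSorry, your IP has been identified as belonging to '
    'a spam bot or another annoying crawler"'
)

# RFC 8555 section 8.1: key authorization = token "." base64url(JWK thumbprint).
KEY_AUTH = re.compile(r"[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+")
# Message layout as it appears on this page: "<expected>" != "<body served>".
MISMATCH = re.compile(
    r'did not match this challenge "(?P<expected>[^"]+)" != "(?P<served>.*)"\s*$',
    re.S,
)

def triage(detail: str) -> dict:
    """Split an http-01 mismatch detail into expected vs. served and label it."""
    m = MISMATCH.search(detail)
    if m is None:
        return {"kind": "not-a-mismatch"}
    expected, served = m["expected"], m["served"].strip()
    if not KEY_AUTH.fullmatch(served):
        # Free text or HTML: something in front of, or inside, the site answered
        # instead of the challenge file (here: a bot/crawler filter).
        kind = "non-challenge-body"
    elif served.split(".")[0] == expected.split(".")[0]:
        kind = "same-token-other-thumbprint"
    else:
        kind = "other-token"
    lines = served.splitlines()
    return {
        "kind": kind,
        "expected": expected,
        "served_first_line": lines[0] if lines else "",
        # True when the error was reported for a secondary vantage point.
        "secondary": detail.startswith("During secondary validation"),
    }

if __name__ == "__main__":
    print(triage(DETAIL))
```

A `non-challenge-body` result for a URL that wacs itself fetched with `status OK` in its preliminary check points at filtering by source address on the site's side.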