Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
The operating system my web server runs on is (include version): Windows server 2022 Standard (20348.1487)
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don't know): Yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): win-acme.v18.104.22.1685.x64.pluggable
I have installed a new server and am trying to create and install a new certificate, but it keeps failing. I have used the same procedures on other servers (not Windows Server 2022) without any issues.
Can you create the expected challenge path and place a test text file there?
[so that we can see if it can be reached from the Internet]
[please ensure not to use any file extension in the test file - (NOT .htm*)]
You are showing a size of 0KB for the file Test_File-1234. Might the file need a small amount of text content to be served? I have no clue what Microsoft-IIS/10.0 will do if the file size is 0.
$ curl -Ii http://astra.scada-international.com/.well-known/acme-challenge/Test_File-1234
HTTP/1.1 404 Not Found
Date: Mon, 13 Feb 2023 15:29:16 GMT
$ nmap astra.scada-international.com
Starting Nmap 7.80 ( https://nmap.org ) at 2023-02-13 15:30 UTC
Nmap scan report for astra.scada-international.com (22.214.171.124)
Host is up (0.18s latency).
Not shown: 999 filtered ports
PORT STATE SERVICE
80/tcp open http
Nmap done: 1 IP address (1 host up) scanned in 13.49 seconds
You are almost certainly affected by a Palo Alto Networks brand firewall. When trying to access your domain with a User-Agent string like the Let's Encrypt servers it fails. But, other requests succeed. This is a well-known problem.
Have your network admins change the Application Rule for "ACME protocol".
Show them these two curl requests (especially the -A setting). Both should return a 404 once they fix the setting.
curl -I astra.scada-international.com/.well-known/acme-challenge/TestMike123
HTTP/1.1 404 Not Found
curl -I astra.scada-international.com/.well-known/acme-challenge/TestMike123 -A "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
curl: (56) Recv failure: Connection reset by peer
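The two-curl check above, turned into a repeatable script. This is an added example written for this page, not code from the thread, from win-acme or from Let's Encrypt; the host name, token and file name `probe_acme.sh` are placeholders, and the User-Agent string is the one quoted in the post. It goes one step beyond the post by classifying the result by curl's exit code (56 is the "Connection reset by peer" seen above), so a reset, a timeout and a plain 404 are reported as distinct outcomes rather than all looking like "it failed".

```shell
#!/bin/sh
# Added example (not from the thread, win-acme or Let's Encrypt).
# Probes an HTTP-01 challenge URL with curl's default User-Agent and again
# with the Let's Encrypt validation UA, then classifies each outcome.

LE_UA="Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"

# probe_once HOST TOKEN [USER_AGENT]
# Prints one word: http:<status>, reset, timeout, refused, or error:<curl exit>.
probe_once() {
    host=$1
    token=$2
    ua=$3
    url="http://$host/.well-known/acme-challenge/$token"
    rc=0
    if [ -n "$ua" ]; then
        code=$(curl -s -o /dev/null -w '%{http_code}' --max-time 15 -A "$ua" "$url" 2>/dev/null) || rc=$?
    else
        code=$(curl -s -o /dev/null -w '%{http_code}' --max-time 15 "$url" 2>/dev/null) || rc=$?
    fi
    case $rc in
        0)  echo "http:$code" ;;
        56) echo "reset" ;;      # "Recv failure: Connection reset by peer", as in the thread
        28) echo "timeout" ;;    # --max-time hit: packets dropped rather than reset
        7)  echo "refused" ;;    # nothing listening, or the TCP connection was rejected
        *)  echo "error:$rc" ;;
    esac
}

# compare_ua HOST TOKEN
# Runs both probes. Returns 1 when the outcomes differ, which is the
# fingerprint of a filter keyed on the User-Agent rather than on the path.
compare_ua() {
    plain=$(probe_once "$1" "$2" "")
    le=$(probe_once "$1" "$2" "$LE_UA")
    echo "default UA      : $plain"
    echo "Let's Encrypt UA: $le"
    if [ "$plain" = "$le" ]; then
        echo "VERDICT: same outcome for both agents; the User-Agent is not what is being filtered"
        return 0
    fi
    echo "VERDICT: outcome depends on the User-Agent; look for an application/UA rule on the firewall"
    return 1
}

# Usage (placeholders): sh probe_acme.sh astra.scada-international.com TestMike123
if [ $# -ge 2 ]; then
    compare_ua "$1" "$2"
fi
```

Run it from a machine outside the server's network, and run it more than once: the thread notes that a reset and a 404 can both show up depending on timing. The success condition is the one MikeMcQ gives, the same 404 for both agents, after which the real validation (which requests a real token) should also get through.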
Using win-acme in self-hosting mode means IIS will effectively be skipped and will not really be involved in the challenge request (win-acme will temporarily use its own http listener in front of IIS), which in turn means you don't have to configure mime-type, extensionless files etc. unless you can't get the self-hosting method to work. I'd be surprised if win-acme can't also auto-configure that as a fallback (like we do for Certify The Web) because it wasn't originally self-hosting.
It's possible you are either affected by the Palo Alto thing @MikeMcQ mentioned or you have some other blocking software (malware protection, firewall etc), or win-acme simply got stuck somehow and a reboot might fix it. Connection reset is very different to a 404 etc and it seems like you are seeing both depending on the timing. I vote reboot.
I see a test with Let's Debug results in a connection reset as well. Make sure you're not using geographic filtering at the firewall, as Let's Encrypt's http validation could come from more or less any country.
The ACME Protocol is used for obtaining SSL/TLS certificates from a certificate authority (Let's Encrypt in this case), and LE uses the HTTP or HTTPS protocol. If your Palo Alto Networks firewall is blocking the ACME Protocol, it may be due to a misconfiguration or a security policy that restricts outbound/inbound traffic. You may need to configure your firewall to allow traffic on the ports used by the ACME Protocol (port 80 for HTTP and port 443 for HTTPS), or create an exception in your security policy to allow the necessary traffic.
Microsoft Windows [Version 10.0.19045.2546]
Usage: curl [options...] <url>
-d, --data <data> HTTP POST data
-f, --fail Fail fast with no output on HTTP errors
-h, --help <category> Get help for commands
-i, --include Include protocol response headers in the output
-o, --output <file> Write to file instead of stdout
-O, --remote-name Write output to a file named as the remote file
-s, --silent Silent mode
-T, --upload-file <file> Transfer local FILE to destination
-u, --user <user:password> Server user and password
-A, --user-agent <name> Send User-Agent <name> to server
-v, --verbose Make the operation more talkative
-V, --version Show version number and quit
This is not the full help, this menu is stripped into categories.
Use "--help category" to get an overview of all categories.
For all options use the manual or "--help all".