Le.pl Failing During Verification


#1

I am using the le script command in windows powershell to issue ssl certificates. Here is the command I am entering:

le --key account_key.key --csr domain_csr.csr --csr-key domain_key.key --crt domain_crt.crt --domains "mywebsite.com" --path C:/inetpub/wwwroot/mywebsite/.well-known/acme-challenge --generate-missing --export-pfx "password"

The script successfully places the verification files in the correct directory but fails with verification.

Domain verification results for 'mywebsite.com': error. Invalid response from http://mywebsite.com/.well-known/acme-challenge/DtIyGDuBkjuc8P3jHUHN9stmi7tksRnq1BGQXYIJcSg: "<!DOCTYPE HTML PUBLIC
"-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd">
"HTML><HEAD><TITLE>Not Found</TITLE>

When I try to access the link mywebsite.com/.well-known/acme-challenge/DtIyGDuBkjuc8P3jHUHN9stmi7tksRnq1BGQXYIJcSg I receive a 404 error stating the requested resource was not found.

I am using IIS and I added a MIME type with file name extension as “.” and MIME type as “text/plain” omitting double quotes. When I use ZeroSSL’s free ssl certificate wizard tool, it works successfully.

I am stumped as to why it’s failing here but works successfully through the tool.


#2

Hi @mrcss,

If the --path option in that script is similar to the -w option in Certbot, then it doesn’t want you to add .well-known/acme-challenge at the end because it will add that for itself. In that case, it would expect you to supply just --path C:/inetpub/wwwroot/mywebsite without the .well-known/acme-challenge part. The idea is that the option specifies the web root directory, rather than specifying the ACME challenge directory.


#3

The --path option specifies the absolute path to save the challenge files to. If I remove the /.well-known/acme-challenge then the files will be saved in the webroot directory. I appreciate the input though.


#4

OK, you said it worked with ZeroSSL—with ZeroSSL, did you also place a challenge file in C:/inetpub/wwwroot/mywebsite/.well-known/acme-challenge and then were you able to access that challenge file in a web browser?


#5

Yes, the tool on ZeroSSL generates the challenge files which I downloaded and placed into the directory. I then was able to access it through a web browser. The tool generates a CSR of 4096 encoded bits and an account key for LE of 2048 encoded bits. Then the challenge files are generated which are used to prove ownership of the domain. Then the domain certificate and domain key are generated which are used to issue the SSL certificate.


#6

When you try to use the script, are you able to see the script-created files present in the same directory?

Do you have an IPv6 AAAA record for your host?


#7

Yes, I see the files created and I am able to open them and view the contents. Unfortunately, I am not sure if I have that record. This is the first time I am touching this server I am working on.


#8

Hi @mrcss,

There is no need to hide your domain, you posted it in another thread :wink:

As you are not using the --unlink parameter in your command, the challenge file should be there. Do you have any file in C:/inetpub/wwwroot/mywebsite/.well-known/acme-challenge/?

And, could you please create a test file so we can try to reach it?

echo "test file" > "C:/inetpub/wwwroot/mywebsite/.well-known/acme-challenge/test"

Cheers,
sahsanu


#9

Forgot I mentioned the domain before :sweat_smile:

Yes, I can see the files in the acme-challenge directory.

There is also a test file already there. Domain is mollyandbanditpetparty.com/.well-known/acme-challenge/test.txt

I was able to access it yesterday, but when I just tried I received the same 404 error as the challenge files.
My directory permissions should not be preventing access to the test file.


#10

Remember to create the file without extension :wink:

Anyway, you should review your Web Server config because I can’t reach that file either:

$ curl -ikL http://mollyandbanditpetparty.com/.well-known/acme-challenge/test.txt
HTTP/1.1 404 Not Found
Content-Type: text/html; charset=us-ascii
Server: Microsoft-HTTPAPI/2.0
Date: Wed, 16 May 2018 17:35:23 GMT
Connection: close
Content-Length: 315

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>Not Found</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD>
<BODY><h2>Not Found</h2>
<hr><p>HTTP Error 404. The requested resource is not found.</p>
</BODY></HTML>

#11

@mrcss, also, keep in mind this:

That is the server answering on port 80. I don’t know whether it acts as a proxy for IIS or the web server you are using, so take a look at that because maybe you should disable that service, configure it, whatever. I don’t use Windows Web Servers…
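The curl check in post #10 and the remark about the Server header in post #11 are the two things worth automating before running le.pl again: fetch the exact URL the ACME server will request and read the answer the way a human would. The script below is an added example, not part of the thread or of the le.pl script. It parses a raw HTTP/1.1 response, flags the case where the Server header is Microsoft-HTTPAPI/2.0 (that header is written by HTTP.sys itself when no IIS site binding handles the request, which is consistent with the IP-binding fix reported later in the thread), and can also perform the fetch live with urllib. The sample 404 response is reconstructed from the curl output in post #10; the function names, the User-Agent string and the expected-token argument are my own choices.

```python
"""Pre-flight check for an HTTP-01 challenge file (added example, not from the thread).

Reproduces what `curl -ikL http://<domain>/.well-known/acme-challenge/<token>` shows,
then explains the common failure modes seen in the thread.
"""
import sys
import urllib.request
from urllib.error import HTTPError

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"

# Constructed sample: the 404 from post #10, with CRLF line endings as a client would see them.
SAMPLE_404 = (
    "HTTP/1.1 404 Not Found\r\n"
    "Content-Type: text/html; charset=us-ascii\r\n"
    "Server: Microsoft-HTTPAPI/2.0\r\n"
    "Date: Wed, 16 May 2018 17:35:23 GMT\r\n"
    "Connection: close\r\n"
    "Content-Length: 315\r\n"
    "\r\n"
    "<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.01//EN\"\"http://www.w3.org/TR/html4/strict.dtd\">\n"
    "<HTML><HEAD><TITLE>Not Found</TITLE>\n"
    "<META HTTP-EQUIV=\"Content-Type\" Content=\"text/html; charset=us-ascii\"></HEAD>\n"
    "<BODY><h2>Not Found</h2>\n"
    "<hr><p>HTTP Error 404. The requested resource is not found.</p>\n"
    "</BODY></HTML>\n"
)


def challenge_url(domain, token):
    """URL the ACME server fetches for an HTTP-01 token (always plain HTTP, port 80)."""
    return f"http://{domain}{CHALLENGE_PREFIX}{token}"


def parse_http_response(raw):
    """Split a raw HTTP/1.x response into (status code, lower-cased header dict, body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def diagnose(status, headers, body, expected_body):
    """Return human-readable findings for one challenge fetch.

    expected_body is the content le.pl wrote into the token file; the ACME server
    compares the served body against it, so a 200 with the wrong text still fails.
    """
    findings = []
    server = headers.get("server", "").lower()
    ctype = headers.get("content-type", "")
    if status == 200 and body.strip() == expected_body.strip():
        findings.append("OK: challenge file is reachable and its content matches")
        return findings
    if status == 200:
        findings.append("content mismatch: URL is reachable but the body differs from the token file")
    elif status == 404:
        findings.append("404: nothing is served from the challenge path")
        if server.startswith("microsoft-httpapi"):
            findings.append("Server is HTTP.sys itself, not IIS: no IIS site binding matched this "
                            "host name/IP on port 80, so check the site's bindings before the files")
        elif "iis" in server:
            findings.append("served by IIS: check the site's physical path and that extension-less "
                            "files in acme-challenge have a MIME mapping")
    else:
        findings.append(f"unexpected status {status}")
    if "text/html" in ctype:
        findings.append("body is an HTML error page, not the token")
    return findings


def fetch(url, timeout=10):
    """Live fetch following redirects (like curl -L); returns (status, headers, body)."""
    req = urllib.request.Request(url, headers={"User-Agent": "acme-preflight"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, {k.lower(): v for k, v in resp.headers.items()}, \
                resp.read().decode(errors="replace")
    except HTTPError as err:  # 4xx/5xx still carry a useful Server header and body
        return err.code, {k.lower(): v for k, v in err.headers.items()}, \
            err.read().decode(errors="replace")


if __name__ == "__main__":
    if len(sys.argv) == 4:
        # usage: python preflight.py <domain> <token> <token-file-content>
        domain, token, expected = sys.argv[1:4]
        print("\n".join(diagnose(*fetch(challenge_url(domain, token)), expected)))
    else:
        # offline demonstration on the reconstructed response from the thread
        print("\n".join(diagnose(*parse_http_response(SAMPLE_404), "token.thumbprint")))
```

Run it with the domain, the token (the file name le.pl created) and that file's content; if it reports an HTTP.sys answer, the host name or IP the site is bound to is the thing to look at, not the directory permissions or the MIME map.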


#12

Will do. I appreciate the input from both @sahsanu and @schoen.


#13

I changed the IP address of the website and that resolved the issue. I am unsure what happened, but it was something with the IP address that the website was bound to. I am now able to verify successfully. I appreciate the help from both.

