Letsencrypt for IIS web server install

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: mpgps.co

I ran this command: wac.exe in powershell

It produced this output: Preliminary validation for 97.74.103.4 failed: no TXT records found

My web server is (include version): IIS version 10.0.18362.1 (Windows 10 Pro)

The operating system my web server runs on is (include version):Windows 10 pro

My hosting provider, if applicable, is: local dns server using bind

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

Hi @amarnath

Looks like you use DNS validation. So you have to create a TXT entry. But checking your domain - https://check-your-website.server-daten.de/?q=mpgps.co#txt

There is no TXT entry.

12. TXT - Entries

| Domainname | TXT Entry | Status | ∑ Queries | ∑ Timeout |
|---|---|---|---|---|
| mpgps.co | | ok | 1 | 0 |
| www.mpgps.co | | | 1 | 0 |
| _acme-challenge.mpgps.co | | Name Error - The domain name does not exist | 1 | 0 |
| _acme-challenge.www.mpgps.co | | Name Error - The domain name does not exist | 1 | 0 |
| _acme-challenge.mpgps.co.mpgps.co | | Name Error - The domain name does not exist | 1 | 0 |
| _acme-challenge.www.mpgps.co.mpgps.co | | Name Error - The domain name does not exist | 1 | 0 |
| _acme-challenge.www.mpgps.co.www.mpgps.co | | Name Error - The domain name does not exist | 1 | 0 |

A certificate with mpgps.co requires a TXT entry with _acme-challenge.mpgps.co.

My question is:

  1. How can I make a TXT entry, where do I make it, and how do I debug in a bind9 DNS server (local server) on Ubuntu 18.04 server?
  2. Do I need to give a public IP to my DNS server or to the Windows machine?

Waiting for your response, thank you sir.

example.mpgps.co is the sub-domain name.

Check if there is a plugin you can use. If not, you have to create a TXT entry manually.

Your DNS server must be publicly visible, so Letsencrypt can query the TXT entry.

Reading https://check-your-website.server-daten.de/?q=mpgps.co

ns07.domaincontrol.com is your name server.

There you have to create the TXT entry. Looks like your local bind is completely irrelevant.

@JuergenAuer
1. How can I get an SSL certificate for my local web server? Is there any option?
2. How can I get an SSL certificate for my IIS web server where DNS is resolved by AWS Route 53? I tried, but it asks me to add a TXT value for the domain name: _acme_challenge.hrmsho.mpgpsdc.com.
3. Do I need to move my local bind DNS server to a public address where it can resolve any internal domain name?

What can I do in such scenarios? Kindly help me. Thank you.

Check the options of your client. And read

Same. These are basics about dns validation.

Looks like your local bind is completely irrelevant. If you use DNS validation, no IP address is checked.

@JuergenAuer my DNS server resolves domain names in the LAN. But how can I generate SSL for a local server by using a local DNS server which works fine in the LAN? Kindly help sir.

Thank you

You can't.

Please read the basics:

Letsencrypt can only check your global dns server.

So you have to use your ns07.domaincontrol.com from GoDaddy, not your local dns.

PS: You have to prove you are the domain owner. So a check of your public DNS server is required.

You can not use your local DNS server to generate a certificate unless it is also the DNS server that is authoritative and internet facing for your domain. But that does not appear to be the case.

Public NS records for mpgps.co point to ns08.domaincontrol.com and ns07.domaincontrol.com which I believe are GoDaddy DNS servers. So you would need to use a client that can work with the GoDaddy DNS API or manually create your TXT records there.
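A pre-flight check for the point made above, added here as an example and not part of any post in this thread: it finds the nameservers the public internet sees for a domain and asks each one directly for the `_acme-challenge` TXT record, which is what DNS validation depends on. The function name `Test-AcmeChallengeRecord`, its parameters and the use of 1.1.1.1 as the public resolver are assumptions made for this example.

```powershell
# Added example (not from the thread). Run from any machine with internet DNS access.
function Test-AcmeChallengeRecord {
    param(
        [Parameter(Mandatory)] [string] $Domain,   # e.g. mpgps.co or *.mpgps.co
        [string] $ExpectedValue,                    # TXT value shown by the ACME client (optional)
        [string] $PublicResolver = '1.1.1.1'        # assumption: any public resolver works here
    )

    # A wildcard name uses the challenge record of its base domain.
    $base      = $Domain -replace '^\*\.', ''
    $challenge = "_acme-challenge.$base"

    # Walk up the name until NS records appear: that is the publicly delegated zone.
    # A local BIND server is never consulted, because the query goes to a public resolver.
    $zone = $base
    $ns   = @()
    while ($zone -match '\.') {
        $ns = @(Resolve-DnsName -Name $zone -Type NS -Server $PublicResolver -DnsOnly -ErrorAction SilentlyContinue |
                Where-Object { $_.Type -eq 'NS' -and $_.Section -eq 'Answer' } |
                ForEach-Object NameHost)
        if ($ns.Count) { break }
        $zone = $zone.Substring($zone.IndexOf('.') + 1)
    }
    if (-not $ns.Count) { throw "No public NS records found for $base" }

    # Ask every authoritative server directly, so resolver caching cannot hide a missing record.
    foreach ($server in $ns) {
        $txt = @(Resolve-DnsName -Name $challenge -Type TXT -Server $server -DnsOnly -ErrorAction SilentlyContinue |
                 Where-Object { $_.Type -eq 'TXT' } |
                 ForEach-Object { $_.Strings -join '' })
        [pscustomobject]@{
            Zone         = $zone
            NameServer   = $server
            Record       = $challenge
            Found        = [bool]$txt.Count
            ValueMatches = if ($ExpectedValue) { $txt -contains $ExpectedValue } else { $null }
            Values       = $txt
        }
    }
}

# One row per public nameserver; Found must be True on all of them before validation can pass.
Test-AcmeChallengeRecord -Domain 'mpgps.co' | Format-Table Zone, NameServer, Record, Found, ValueMatches
```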

@JuergenAuer @rmbolger what if I use a DNS server from AWS Route53? There too I have to record the TXT for my sub-domain name in AWS.

Thank you

Please read the basics. Your name server is GoDaddy, so you have to use that dns server.

Thank you . End of the topic.

You can certainly use Route53 as your public DNS provider. But you have to update your nameserver settings at GoDaddy to point to the AWS ones. You would first create the zone in Route53 in order to know which nameservers to set. Then, take those over to GoDaddy and change from the default nameservers to the Route53 ones you were assigned.
