Letsencrypt-win-simple unable to complete challenges - Firewall Blocking Incoming Requests

luncar · March 30, 2017, 6:14am

Please fill out the fields below so we can help you better.

My domain is: portal.retentionpoint.com.au

I ran this command: letsencrypt-win-simple --test

It produced this output:

Authorizing Identifier portal.retentionpoint.com.au Using Challenge Type http-01

Writing challenge answer to C:\Websites\RETENTIONPOINT\Control Panel\wwwroot.we
ll-known/acme-challenge/9S3kNAJAd31Yu6DW1up9Rblo9ciBgZ5wnG5gvvXWrac
Writing web.config to add extensionless mime type to C:\Websites\RETENTIONPOINT
Control Panel\wwwroot.well-known\acme-challenge\web.config
Answer should now be browsable at http://portal.retentionpoint.com.au/.well-know
n/acme-challenge/9S3kNAJAd31Yu6DW1up9Rblo9ciBgZ5wnG5gvvXWrac
Submitting answer
Refreshing authorization
Refreshing authorization
Authorization Result: invalid
Authorization Failed invalid

The ACME server was probably unable to reach http://portal.retentionpoint.com.au
/.well-known/acme-challenge/9S3kNAJAd31Yu6DW1up9Rblo9ciBgZ5wnG5gvvXWrac

Check in a browser to see if the answer file is being served correctly.
Authorize failed: This could be caused by IIS not being setup to handle extensio
nless static files.Here’s how to fix that:
1.In IIS manager goto Site/ Server->Handler Mappings->View Ordered List
2.Move the StaticFile mapping above the ExtensionlessUrlHandler mappings. (like
this http://i.stack.imgur.com/nkvrL.png)
3.If you need to make changes to your web.config file, update the one at C:\Util
s\letsencrypt-win-simple_1.9.2\web_config.xml

My operating system is (include version): Windows Server 2012 R2

My web server is (include version): IIS 8.5

My hosting provider, if applicable, is: Not Applicable

I can login to a root shell on my machine (yes or no, or I don’t know): Yes, I can login to the server desktop and can launch an elevated Command prompt

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

I have checked the the ACME challenge file is accessible using a browser in a separate location, to confirm the file is accessible over the internet.

I have used Wireshark to monitor network activity. When I browse for the challenge file I can see the HTTP GET requests in the Wireshark trace. When using letsencrypt-win-simple there is nothing in the Wireshark trace to indicate it is trying to retrieve the file.

I have also tested this with Certify (http://certify.webprofusion.com/) which may suggest this is not a client issue.
Is there a test page available that I can use to verify that ACME/LetsEncrypt can reach the challenge files?

luncar · March 30, 2017, 6:37am

It’s ok, I know what the issue is. Access to this web server is currently restricted so the ACME protocol servers won’t be able to connect.

ahaw021 · April 1, 2017, 10:46am

hi @luncar

That is correct. The other challenge you have is that letsencrypt does not pulish it's public IPs

What IP addresses does Let’s Encrypt use to validate my web server?

We don’t publish a list of IP addresses we use to validate, because they may change at any time. In the future we may validate from multiple IP addresses at once.

You solutions are to use the DNS challenge or to temporarily allow incoming connections

A harder option is to figure out what the IP being used is and whitelist it only (temporarily once again)

Andrei

system · May 1, 2017, 10:46am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.