Noob Question Cannot Get Renewal Certificate

Help
1

Hi guys,

This is my first post ever and I'm a TOTAL noob to Let's Encrypt so please be gentle with my ignorance :grinning:
I'm not our normal web admin, I'm filling in and trying to renew a certificate that he originally installed with Let's Encrypt. I think I have everything needed. This website is running using IIS on a Windows cloud server. Requested information answered below:

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
microsoftsqlexpert.com
(I hope this is correct. In IIS bindings there are several host names listed, but this is the "main" IIS site.)

I ran this command:
certbot certonly --webroot -w d:\Inetpub\www_root
(Then it asked me for the domain name which I entered as above)

It produced this output:
(You really want the WHOLE thing? LOL)
Requesting a certificate for microsoftsqlexpert.com
Performing the following challenges:
http-01 challenge for microsoftsqlexpert.com
Using the webroot path d:\Inetpub\www_root for all unmatched domains.
Waiting for verification...
e[31mChallenge failed for domain microsoftsqlexpert.come[0m
http-01 challenge for microsoftsqlexpert.com
Cleaning up challenges
e[31mSome challenges have failed.e[0m
e[1m
IMPORTANT NOTES:
e[0m - The following errors were reported by the server:

   Domain: microsoftsqlexpert.com
   Type:   unauthorized
   Detail: Invalid response from
   https://www.microsoftsqlexpert.com/.well-known/acme-challenge/cGYAekkUWQOUt1q4RgR6wPK5-by4kfDb6MbC5BLMRFA
   [62.151.180.73]: "<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0
   Strict//EN\"
   \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd\">\r\n<html
   xmlns=\"http"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

My web server is (include version):
Internet Information Services 10

The operating system my web server runs on is (include version):
WINDOWS Server 2019

My hosting provider, if applicable, is:
N/A

I can login to a root shell on my machine (yes or no, or I don't know):
Idk, What's a root shell???? I can get into Windows Powershell with admin access if that's what you mean.

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No.

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):1.11.0

1 Like
2

Welcome to the Let's Encrypt Community, David!

This most likely means your DNS from your hosting provider is not pointed to your server.

3

I thank you for your help @Litbelb. We have no hosting provider. I did go into the DNS manager and there is no entry for this domain, which is weird because it's been running fine up until this point. We have an SSL that is expiring in a month.

4

This is possible, but it could also be related to server configuration.

A couple of classic tests to try to help diagnose things:

(1) Create a text file called d:\Inetpub\www_root\test.txt and see if it is visible at http://www.microsoftsqlexpert.com/test.txt

(2) Create a text file called d:\Inetpub\www_root\test (with no file extension) and see if it is visible at http://www.microsoftsqlexpert.com/test

(3) Create a text file called d:\Inetpub\www_root\.well-known\acme-challenge\test and see if it is visible at http://www.microsoftsqlexpert.com/.well-known/acme-challenge/test

3 Likes
5

Okay thanks, I ran your test. The first one worked, the second two did not. I assume you meant to put those files in the root of the website, not the www_root.

So on (2) and (3) I got a

IIS 10.0 Detailed Error - 404.17 - Not Found. The requested content appears to be script and will not be served by the static file handler.

1 Like
6

What's the difference between those two?

It's very possible that this is related to your problem with Certbot! You might check this older thread:

1 Like
7

I assumed the difference was that if I wanted to navigate from mysite.com/test.txt that the test.txt had to be in the mysite.com folder, not the web root folder. But I moved them all into www_root and had the same results anyway except in (2) and (3) this time I just got the plain old 404. I'l take a loopk at that other thread.

1 Like
8

I don't have too much experience with IIS, but I'm pretty sure that the www_root folder is where you put your files.

1 Like
9

Being that the only difference in them is their file extension (or lack thereof), it would seem that IIS doesn't like serving files of such "unknown" types.
Which is a critical problem for LE; as all the HTTP challenge files are of the extensionless type.

3 Likes
10

Yes but we have multiple sites on that server.

1 Like
11

We have other Let'sEncrypt certificates on that same server, in fact what I'm doing is renewing an already existing LetsEncrypt certificate so I don't think that's the issue here, or at least it wasn't at the time.. But being unfamiliar with how it works, is it supposed to place the extensionless file in the challenge folder and then read from it? Because after the failed attempt I found no other folders of those names.

1 Like
12

Welcome to the Let's Encrypt Community, David :slightly_smiling_face:

To allow extensionless files in IIS, create a file named web.config in the acme-challenge folder containing the following:

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
        <staticContent>
            <mimeMap fileExtension=".*" mimeType="text/plain" />
        </staticContent>
    </system.webServer>
</configuration>
2 Likes
13

Okay I did that and it solved the problem of the .test file. But am I supposed to be able to open an extension-less file as text? Because normally it would consider that a folder.

I also wonder, what the correct folder structure should be here. There are multiple sites on this IIS server. They're all in subfolders of D:\Inetpub\www_root, so I find they don't load unless I put them in the Inetpub\www_root\microsoftsqlexpert folder. THanks for your help so far, I'll try Certbot again in the meantime.

1 Like
14

So just backing up to start over after the recommended fixes:

Typed in certbot certonly --webroot
Then when asked for the domain I typed in the domain we're trying to renew
"microsoftsqlexpert.com."
Then when asked for the webroot I typed the path to the root of this site
"d:\Inetpub\www_root\microsoftsqlexpert.com"

Still, failed the challenge and came back with

The following errors were reported by the server:

   Domain: microsoftsqlexpert.com
   Type:   unauthorized
   Detail: Invalid response from
   https://www.microsoftsqlexpert.com/.well-known/acme-challenge/nzzXzxwqwcnQ9yKxQPKUSnqy6F_Yg48XPCISRXmJ_Uc
   [62.151.180.73]: "<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0
   Strict//EN\"
   \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd\">\r\n<html
   xmlns=\"http"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.
1 Like
15

Finally got it working! A colleague told me about another app, win-acme, made specifically for Windows Server. Thanks all who helped!

2 Likes
16

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.