Problem with OS and ports (http challenge)


#1

Hello,

My specs:

Windows Server 2012 running on a home PC which is dedicated to be a server.
IIS

Issue:

I have been trying now, for example, the letsencrypt simple Windows tool, which complains about the http challenge.

I also tried two different web-based tools, and I can't verify my ownership at all. I created the folders manually, put the verification file in them and tried to verify: can't verify.

It seems that the biggest problem is that I am using port 8080 (at least one of these web tools said it needs to be either 80 or 443). I tried with 443 also, with no luck. One web tool's error included some info about port 80 (I can't read these error messages so well).

I also tried the dns challenge, which doesn't seem to work either.

Error message from one of the tools:

System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation. ---> System.InvalidOperationException: This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.
   at System.Security.Cryptography.SHA256Managed..ctor()
   --- End of inner exception stack trace ---
   at System.RuntimeMethodHandle.InvokeMethod(Object target, Object[] arguments, Signature sig, Boolean constructor)
   at System.Reflection.RuntimeConstructorInfo.Invoke(BindingFlags invokeAttr, Binder binder, Object[] parameters, CultureInfo culture)
   at System.Security.Cryptography.CryptoConfig.CreateFromName(String name, Object[] args)
   at System.Security.Cryptography.SHA256.Create()
   at ACMESharp.JOSE.JwsHelper.ComputeKeyAuthorization(ISigner signer, String token)
   at ACMESharp.ACME.Providers.HttpChallengeDecoder.Decode(IdentifierPart ip, ChallengePart cp, ISigner signer)
   at ACMESharp.AcmeClient.DecodeChallenge(AuthorizationState authzState, String challengeType)
   at LetsEncrypt.ACME.Simple.Program.Authorize(Target target)
   at LetsEncrypt.ACME.Simple.Program.Auto(Target binding)
   at LetsEncrypt.ACME.Simple.Plugin.Auto(Target target)
   at LetsEncrypt.ACME.Simple.Program.Main(String[] args)

What can I do?
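Added example, not from the poster or from any of the tools mentioned in this thread. The inner exception in the stack trace above ("This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms", thrown from SHA256Managed..ctor) is the message .NET raises when the Windows security policy "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing" is enabled: the pure-managed hash classes are not FIPS-validated, so CryptoConfig refuses to construct them, and the trace shows the client reaching SHA256Managed through SHA256.Create(). The script below reads that policy value from the registry and tries each SHA-256 implementation so you can see which ones work under it. It assumes Windows Server 2012 with PowerShell 3.0 or later; the registry path and the test input are the only assumptions it makes.

```powershell
# Added example: check the Windows FIPS policy and see which SHA-256
# implementations can be constructed under it. Not the poster's code.
# Assumes Windows PowerShell 3.0+ (the version shipped with Server 2012).

$fipsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
$fips = (Get-ItemProperty -Path $fipsKey -Name Enabled -ErrorAction SilentlyContinue).Enabled
"FIPS policy Enabled = $fips  (1 = enforced, 0 or missing = off)"

# Constructed test input; any bytes would do.
$data = [Text.Encoding]::ASCII.GetBytes('constructed test input')

$implementations = @(
    'System.Security.Cryptography.SHA256Managed',                # managed code, not FIPS-validated
    'System.Security.Cryptography.SHA256CryptoServiceProvider',  # CAPI, FIPS-validated
    'System.Security.Cryptography.SHA256Cng'                     # CNG, FIPS-validated
)

foreach ($impl in $implementations) {
    try {
        $hasher = New-Object $impl
        $digest = [BitConverter]::ToString($hasher.ComputeHash($data)).Replace('-', '').ToLower()
        "$impl : OK  $digest"
    } catch {
        # With the policy enforced, SHA256Managed fails here with the same
        # message that appears in the stack trace in this thread.
        "$impl : FAILED  $($_.Exception.Message)"
    }
}
```

If `Enabled` reads 1 and only SHA256Managed fails, the client crash is the policy, not the challenge setup: either turn the policy off under Local Security Policy (Security Options) and reboot, or use an ACME client built against the CSP/CNG hash classes. The three digests printed by the working implementations will be identical, which is the point: the algorithm is the same, only the validation status of the implementation differs.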


#2

Asking more:

Should I FIRST make my site https with a self-signed cert, or use http? I have tried both.

I have manually created needed folders.

I have another website on port 80 and it would cause much work to swap ports between sites, so I would like to go forward with port 8080 before having the cert.

Can anyone help?

I am doing all this for some self-study plus to help my wife access her files from outside our LAN, but in a secure way. I'm not comfortable with credentials being forwarded as clear text.


#3

The ACME protocol (the protocol [version] which Let’s Encrypt uses for the issuing of certificates, i.e., communication between client and server) currently has three challenges: http-01, which uses port 80; tls-sni-01, which uses port 443; and dns-01, which uses the DNS system (so no ports).

The Let’s Encrypt server will always try to connect to those ports. You can run your webserver or client on other ports, but you will need to redirect port 80 (or 443) to that port on which the client is running.

So if your port 443 is available, you can use that one for the tls-sni-01 challenge.

The next “problem” is: most of the clients out there for Let’s Encrypt are Linux based. There are a few Windows clients, but I reckon finding good support for them is hard. Most guys on this community run Linux. I personally have no clue at all what the above log you posted says, for example :worried:
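Added example (not part of the reply above, and not from any Let's Encrypt client): the reply says the validation server always connects to port 80 for http-01, so a site listening on 8080 has to be reached by redirecting port 80 to it. On Windows the built-in way to do that without touching the web server is a `netsh interface portproxy` rule. The script assumes an elevated PowerShell on Windows Server 2012, that the site on 8080 answers on 127.0.0.1, and that nothing else on this host is already listening on TCP 80; the rule name and port variables are assumptions.

```powershell
# Added example: forward inbound TCP/80 to a local site on 8080 so the
# http-01 validator (which only ever connects to port 80) reaches it.
# Assumes: elevated PowerShell, Windows Server 2012, port 80 free on this host.

$ListenPort = 80          # what Let's Encrypt connects to
$TargetPort = 8080        # what the site in this thread listens on
$TargetHost = '127.0.0.1' # assumption: the 8080 site is on this machine

# 1. Refuse to proceed if something (e.g. another IIS binding) already
#    owns port 80; a portproxy rule would not receive that traffic.
$busy = Get-NetTCPConnection -LocalPort $ListenPort -State Listen -ErrorAction SilentlyContinue
if ($busy) {
    $owners = ($busy | Select-Object -ExpandProperty OwningProcess -Unique) -join ', '
    throw "TCP $ListenPort is already listened on by PID(s) $owners; use an IIS host-header binding instead."
}

# 2. Open the Windows Firewall for the new listener.
New-NetFirewallRule -DisplayName 'ACME http-01 (TCP 80)' -Direction Inbound `
    -Protocol TCP -LocalPort $ListenPort -Action Allow | Out-Null

# 3. The portproxy driver is hosted by the IP Helper service; make sure it runs.
Set-Service -Name iphlpsvc -StartupType Automatic
Start-Service -Name iphlpsvc

# 4. Register the redirect and show the resulting table.
netsh interface portproxy add v4tov4 listenaddress=0.0.0.0 "listenport=$ListenPort" `
    "connectaddress=$TargetHost" "connectport=$TargetPort"
netsh interface portproxy show v4tov4
```

Remove the rule afterwards with `netsh interface portproxy delete v4tov4 listenaddress=0.0.0.0 listenport=80` if you do not want port 80 permanently exposed. The proxy only helps if the router also forwards external port 80 to this machine, which the script cannot check; and if IIS itself already serves another site on port 80 (the situation described in this thread), the cleaner route is to add a port-80 binding with a host header for the subdomain to the 8080 site (`New-WebBinding` in the WebAdministration module) rather than a proxy.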


#4

Hello, and thanks for your reply!

I should really do port forwarding differently then…

I tried the dns challenge with a txt setting, adding it to the DNS server, but it didn't help. I tried it again and again, after waiting a while between tries.

Well, maybe that port forwarding swap will do…

I have used Ubuntu and Mint as my main operating systems, like 2 years ago for half a year, but I'm not a guru with it. I just know apt-get install and some grub and alsa settings. Of course I can also make from C++ code etc., but otherwise I'm not good with it ^^

I have studied mainly Windows OS’s.

Oh well, I'm going to try that forwarding thing when I have time.

Thanks again!


#5

OK, I tried… nothing seems to work. I tried two different browser tools again, and now the error message is:

Invalid response from http://sub.domain.xx.xx/.well-known/acme-challenge/iznMcxQBgZwisTuwJ8asRGdtMEC2uZYHSyGp8oOmIgA: "<html xmlns="http"


#6

Well another browser based tool says:

Domain "sub.domain.xx.xx" challenge3 failed. Response from "https://acme-v01.api.letsencrypt.org/acme/challenge/JO_blabla" was:

{
  "type": "http-01",
  "status": "invalid",
  "error": {
    "type": "urn:acme:error:unauthorized",
    "detail": "Invalid response from http://sub.domain.xx.xx/.well-known/acme-challenge/blaa-535: \"\u003c!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Strict//EN\" \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd\"\u003e\r\n\u003chtml xmlns=\"http\"",
    "status": 403
  },
  "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/blabla",
  "token": "blabla",
  "keyAuthorization": "bla",
  "validationRecord": [
    {
      "url": "http://sub.domain.xx.xx/.well-known/acme-challenge/bla",
      "hostname": "sub.domain.xx.xx",
      "port": "80",
      "addressesResolved": [ "xxx.xxx.xxx.xxx" ],
      "addressUsed": "xxx.xxx.xxx.xxx"
    }
  ]
}

Seems to be the same error. What on earth can it be??? I'm getting gray hair from this. I have tried; I can access files on that website from outside my home LAN, so how can I be getting this error constantly? Even the dns challenge doesn't work.


#7

It’s a 403 error, which is the code for “Forbidden”. Could it be your Windows server isn’t allowing requests for /.well-known/ because it starts with a dot?


#8

Hi @Osiris

This is a known problem.

You can get around it by using PowerShell to create the directories.

You also need to enable directory browsing and a couple of other bits.

Andrei
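Added example, not from Andrei or from any ACME client: the reply above says to create the directories with PowerShell and to enable directory browsing plus "a couple of other bits". This script does those things for an IIS site and then fetches a constructed token the way the validator would, so the 403 XHTML error page seen earlier in the thread shows up locally instead of in the Let's Encrypt response. The "other bits" it adds are a `web.config` in the challenge folder that gives the extensionless token files a MIME type (IIS will not serve a file whose extension has none) and pins the static-file handler for that folder. The site root, site URL and token are assumptions; it assumes an elevated PowerShell on Windows Server 2012 with IIS and the WebAdministration module installed, and that no parent configuration already defines a MIME map for ".".

```powershell
# Added example: make an IIS site serve /.well-known/acme-challenge/<token>
# and self-check it. Not code from the thread or from any ACME client.
# Assumes: elevated PowerShell, IIS on Windows Server 2012, WebAdministration module.

Import-Module WebAdministration

$SiteRoot = 'C:\inetpub\wwwroot'      # assumption: physical root of the site
$SiteUrl  = 'http://localhost:8080'   # assumption: the site from this thread listens on 8080
$Challenge = Join-Path $SiteRoot '.well-known\acme-challenge'

# 1. Explorer refuses folder names that start with a dot; New-Item does not.
New-Item -ItemType Directory -Path $Challenge -Force | Out-Null

# 2. Drop a web.config into the challenge folder only, so the rest of the
#    site keeps its own settings.
$webConfig = @'
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <!-- Token files have no extension; without a MIME type IIS refuses them. -->
    <staticContent>
      <mimeMap fileExtension="." mimeType="text/plain" />
    </staticContent>
    <!-- Only the static-file handler answers here, so no managed handler that
         is mapped to extensionless URLs can turn the request into an error. -->
    <handlers>
      <clear />
      <add name="StaticFile" path="*" verb="*"
           modules="StaticFileModule,DefaultDocumentModule,DirectoryListingModule"
           resourceType="Either" requestPathInvalid="true" />
    </handlers>
    <!-- As suggested in the reply above; lets you eyeball the folder in a browser. -->
    <directoryBrowse enabled="true" />
  </system.webServer>
</configuration>
'@
[IO.File]::WriteAllText((Join-Path $Challenge 'web.config'), $webConfig)

# 3. Self-check with a constructed token (not a real ACME token). A real
#    client writes "<token>.<thumbprint>" here; the exact body is irrelevant
#    for the test, only that IIS returns it unchanged with HTTP 200.
$token    = 'selfcheck-' + [guid]::NewGuid().ToString('N')
$expected = "$token.constructed-key-authorization"
$tokenPath = Join-Path $Challenge $token
[IO.File]::WriteAllText($tokenPath, $expected)

$url = "$SiteUrl/.well-known/acme-challenge/$token"
try {
    $resp = Invoke-WebRequest -Uri $url -UseBasicParsing
    if ($resp.StatusCode -eq 200 -and $resp.Content -eq $expected) {
        "OK: $url returned the token body unchanged"
    } else {
        "UNEXPECTED: HTTP $($resp.StatusCode) with body: $($resp.Content)"
    }
} catch {
    # IIS error pages (403, 404.3 for a missing MIME type, ...) surface as
    # a WebException whose Response carries the status code.
    if ($_.Exception.Response) {
        "FAILED: $url returned HTTP $($_.Exception.Response.StatusCode.value__)"
    } else {
        "FAILED: $url not reachable: $($_.Exception.Message)"
    }
} finally {
    Remove-Item $tokenPath -ErrorAction SilentlyContinue
}
```

The self-check only proves that IIS serves the file to a local client; it says nothing about whether the validator can reach port 80 of the public address from outside, which is the other half of the problem in this thread. Run the same request against `http://sub.domain.xx.xx/...` from a machine outside the LAN before retrying issuance, and prefer the Let's Encrypt staging endpoint for repeated attempts.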

