Problems installing LetsEncrypt with Windows Server 2012 R2, IIS 8.5

I have this problem when trying to install the certificate on Windows. I followed the steps that were indicated on the screen below; however, the problem persists.
The error screen is attached below.

Good morning @dhkd,

In the step where it says “Check in a browser to see if the answer file is being served correctly”, did you try doing that? Also after the steps suggested at the bottom?

Good afternoon,

Yes, I did the test directly on the browser on the machine itself. I’m posting the attached image, the problem persists.

Would it be possible to try the test from another machine? It would be worthwhile to see what the challenge looks like to the “outside world”.

(I know that retyping the challenge URL on another machine is kind of a nuisance, but it could be a useful test.)

I’m not very familiar with letsencrypt.exe; do you know if it saved any log files anywhere that might have a more detailed error message? The certificate authority does give more specific reasons why authorizations have failed, which can be more useful for debugging, but here letsencrypt.exe didn’t show the details of the error.

Hello, I did the test on my machine and it displayed the same message as before; I also did a test on an external network and it showed this error:

That test was with a URL that worked properly when checked from a browser running on the server itself?

When Let’s Encrypt validates your server/domain it does so by requesting the challenge file (the URL you managed to browse to internally). If your server is genuinely giving a different response to external users then this will never work - you need to figure out why your server would respond differently for external users (DNS pointing to a different server, or load balancing between servers?), once you’ve fixed that this will work.

Good morning, yes, the test was done with the same URL!!

Good morning, I made new releases without the firewall. Using the command letsencrypt --test, the error displayed is the same as before; however, when I use the command letsencrypt --san it displays this message, as per the attachment. What is the difference between the commands?

This is an error from the certificate authority saying that you’ve tried too many times and have to wait an hour before trying again.

Okay, I’ll try again now; the last time was in the morning around 7 o’clock. What’s the difference between the command with --test and with --san?

Hello, I did the test again, but the message remains the one I posted first.

Are you still unable to see the URL with a browser outside of your network? If so, this suggests that there’s still a firewall or router problem.

Good morning, I checked the firewall rules, made new adjustments and tested the link, and it now opens externally, as shown below:


But still the message persists!!

Do you have any other changes to make? Thank you very much in advance!!!

It would be really helpful to see the specific error that the certificate authority is giving in this case. Can you see if letsencrypt.exe creates any log files that record the error message?

If not, can you try at least temporarily using a different client application?

In addition to the downloadable Windows-based clients, there are web-based clients like https://www.zerossl.com/ where you complete the steps in your web browser instead of on the command line. (This is not really preferable to running an application on the server in terms of things like automated renewal, but it might be useful for debugging purposes to figure out a more specific reason why the certificate isn't being issued.)

Hello, I did the test using zerossl, and it presented the screen below:


But if I copy the link and try to open it in the browser, I read the file normally, both on my local network and on the internal network.

This is a case where using a client that gave a more specific error is extremely valuable. In this case the problem is not anything that you're doing, but rather a policy issue related to your domain!

The problem is a system called Certificate Authority Authorization (CAA).

The people who run the Paraná state government domain have created CAA records for pr.gov.br that only allow DigiCert and GlobalSign to issue certificates for pr.gov.br domains.

There are two ways around this:

(1) Get them to add a third CAA record that permits Let's Encrypt to issue certificates.
(2) Create your own CAA record at the marmeleiro.pr.gov.br level that permits Let's Encrypt to issue certificates. This will override the higher-level record.

I guess you didn't mean for people to see your domain name but it's visible in the first image (and seeing it was very helpful for me in understanding what was happening here).

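To make the CAA mechanism concrete, here is an added example (not code from the thread or from any ACME client) that simulates the lookup a CA performs under RFC 8659 against constructed DNS data: the parent-zone records for pr.gov.br block letsencrypt.org, and a record added at marmeleiro.pr.gov.br is the closest record set and therefore overrides them. The record contents are constructed for illustration, not live DNS data.

```python
"""Simulated CAA evaluation (RFC 8659): find the closest CAA record set for a
name and decide whether a given CA may issue.  Constructed example only."""

# Constructed zone data: name -> list of (flags, tag, value) CAA records.
# Names absent from the dict have no CAA records of their own.
CONSTRUCTED_ZONE = {
    "pr.gov.br": [(0, "issue", "digicert.com"), (0, "issue", "globalsign.com")],
}


def relevant_caa(name, zone):
    """Return the CAA record set governing `name`: the records at the name
    itself, or else those of the nearest ancestor that has any.  An empty
    list means no CAA records exist anywhere up the tree."""
    labels = name.rstrip(".").lower().split(".")
    while labels:
        records = zone.get(".".join(labels))
        if records:
            return records
        labels = labels[1:]  # climb one label towards the root
    return []


def issuance_allowed(name, ca_domain, zone, wildcard=False):
    """True if the CA identified by `ca_domain` (e.g. letsencrypt.org) may
    issue for `name` under the governing CAA record set."""
    records = relevant_caa(name, zone)
    if not records:
        return True  # no CAA records at all: issuance is unrestricted
    # For wildcard requests, issuewild tags take precedence when present;
    # otherwise the issue tags apply.
    tag = "issue"
    if wildcard and any(r[1] == "issuewild" for r in records):
        tag = "issuewild"
    # The value is "<ca-domain>[; parameters]"; a bare ";" means no CA at all.
    allowed = [r[2].split(";")[0].strip().lower() for r in records if r[1] == tag]
    if not allowed:
        return True  # only other tags (e.g. iodef) present: no restriction
    return ca_domain.lower() in allowed


def with_override(zone, name, ca_domain):
    """Return a copy of `zone` with an `issue` CAA record for `ca_domain` added
    at `name` (the second workaround in the thread: a record at the subdomain
    becomes the closest record set and overrides the parent's)."""
    new = dict(zone)
    new[name] = list(zone.get(name, [])) + [(0, "issue", ca_domain)]
    return new


if __name__ == "__main__":
    host = "marmeleiro.pr.gov.br"
    print(issuance_allowed(host, "letsencrypt.org", CONSTRUCTED_ZONE))  # False
    fixed = with_override(CONSTRUCTED_ZONE, host, "letsencrypt.org")
    print(issuance_allowed(host, "letsencrypt.org", fixed))  # True
```

Against a real zone the same logic applies to the records returned by `dig CAA pr.gov.br` and `dig CAA marmeleiro.pr.gov.br`.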

While you’re sorting that out, please also upgrade to the latest version of letsencrypt-win-simple, which has recently been renamed win-acme.

In addition to many other bugfixes and improvements, you’ll get much better error messages:

 [EROR] Authorization result: invalid
 [EROR] ACME server reported:
 [EROR] [type] urn:acme:error:caa
 [EROR] [detail] CAA record for example.com prevents issuance
 [EROR] [status] 403
 [EROR] Create certificate failed
