Problems renewing the certificate

acanivano · October 2, 2020, 6:58am

Good morning.
I am trying to renew the SSL certificate of my website, served by Let's Encrypt. I have installed Certbot on my server but it does not recognize the certificate I have; so I am going to download a new certificate to overwrite the old one.
However, I cannot download the new certificate with Certbot.
Am I missing something? The domain is well written and the ip points correctly to the domain.
Thanks for your help!!

My domain is: geondesa.com

I ran this command: certbot certonly --webroot -w /inetpub/wwwroot/GEO -d geoendesa.com

It produced this output:
Saving debug log to C:\Certbot\log\letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for geoendesa.com
Using the webroot path C:\inetpub\wwwroot\GEO for all unmatched domains.
Waiting for verification...
e[31mChallenge failed for domain geoendesa.come[0m
http-01 challenge for geoendesa.com
Cleaning up challenges
e[31mSome challenges have failed.e[0m
e[1m
IMPORTANT NOTES:
e[0m - The following errors were reported by the server:

Domain: geoendesa.com
Type: unauthorized
Detail: Invalid response from https://geoendesa.com
[15.236.94.226]: "\r\n\r\n\r\n <meta
http-equiv="Content-Type" content="text/html;
charset=utf-8">\r\n <meta name="viewport" "

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.

My web server is (include version): IIS (version 10.0.17763.1)

The operating system my web server runs on is (include version): Windows Server 2019 (vs.1809)

My hosting provider, if applicable, is: AWS EC2

I can login to a root shell on my machine (yes or no, or I don't know): YES

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): NO

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): Certbot version 1.8.0

_az · October 5, 2020, 11:39am

You might need to create a web.config file to allow IIS to serve extensionless files.

I've described how to do that in this comment, that might help you out.

To test whether it works, try creating a file called C:\inetpub\wwwroot\GEO\.well-known\acme-challenge\test and seeing whether you can access it in your browser.

acanivano · October 2, 2020, 9:48am

Thank you for your quick response
I have created the web.config file inside C:\inetpub\wwwroot\GEO\ .well-known\acme-challenge
Also I have done the test you tell me about and I get error 500. (Prior to rebooting the server)
I have run CertBot again and it seems that something has advanced (If you see the detail section of the error returned by Certbot, it seems to read something else).
Thank you again

Domain: geoendesa.com
Type: unauthorized
Detail: Invalid response from
http://geoendesa.com/.well-known/acme-challenge/N1ko46LFUphMyfLJZWrwumT3ZnUWGNn6QLSZ5N3rxk0
[15.236.94.226]: "\r\n<html
xmlns="http"

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.

JuergenAuer · October 2, 2020, 9:44am

Hi @acanivano

there is a missing \

Must be

C:\inetpub\wwwroot\GEO\.well-known\acme-challenge

acanivano · October 2, 2020, 9:51am

Thanks Juergen.
It was well written, but I don't know why I hadn't picked up the "/" symbol.
This is the full path on my server C:\inetpub\wwwroot\GEO\ .well-known

_az · October 2, 2020, 10:01am

Hmm. It's pretty weird that you would get an HTTP 500 from that.

I just created a Windows 2019 server and tried it, and it worked okay for me.

Did you definitely copy paste the web.config file correctly? If I put an accidental typo somewhere in the file, then it does cause an HTTP 500.

You could try enabling Failed Request Tracing in IIS Manager, if you have the Tracing server role installed.

JuergenAuer · October 2, 2020, 10:09am

If you have the correct path and a 500, your web.config is wrong.

May be a syntax error.

A test file (file name 1234)

http://geoendesa.com/.well-known/acme-challenge/1234

without extension must work before you start Certbot again.

acanivano · October 2, 2020, 10:30am

Thank you for your help.
Things I see on my server

I already have a web.config file in "C:\inetpub\wwwroot\GEO\web.config"
I don't know if it has any influence on having generated another web.config (I have copied and pasted what you have told me in the path "C:\inetpub\wwwroot\GEO\ .well-known\acme-challenge\web.config"
geoendesa.com only reads as https and not as http
One of the messages returned by Certbot is:
Domain: geoendesa.com
Type: unauthorized
Detail: Invalid response from
http://geoendesa.com/.well-known/acme-challenge/N1ko46LFUphMyfLJZWrwumT3ZnUWGNn6QLSZ5N3rxk0
I think port 80 is open

I've done the test and it still gives error 500
https://geoendesa.com/.well-known/acme-challenge/1234

JuergenAuer · October 2, 2020, 10:33am

That's

the problem you have to fix.

External - I can't see the error.

Internal - you should see the full error.

rg305 · October 2, 2020, 5:53pm

What do the error logs show?

rg305 · October 2, 2020, 6:00pm

That happens because the backslash ("\") is used to escape the next special character.
So that "backslash period" becomes an explicit (and only visible) period.
\. becomes .
and
GEO\.well is seen as GEO.well

[which probably explains why you used "/" the forward slash when talking about the "\" - it didn't show]

acanivano · October 5, 2020, 8:56am

I have added the lines that @_az said to my web.config (I already had one configured before this issue that was not a problem).
I have restarted the server and it still gives error 500
The server log file says this:

2020-10-05 08:44:18 172.31.28.146 GET /.well-known/acme-challenge/1234 - 443 - 212.170.58.222 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/85.0.4183.121+Safari/537.36 https://community.letsencrypt.org/ 500 19 13 20

The last message was:

2020-10-05 08:53:22 172.31.28.146 GET /.well-known/acme-challenge/1234 - 443 - 212.170.58.222 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/85.0.4183.121+Safari/537.36 - 500 19 13 21

I am still working on displaying more information on the error. It seems that some configuration is missing in the IIS server

JuergenAuer · October 5, 2020, 9:25am

If you have a 500, normally your web.config is wrong.

Normally, the internal call with 500 should show the result. Use yourdomain/trace.axd to see the exact error.

acanivano · October 5, 2020, 10:07am

geondesa.com/trace.axd doesn´t work, error 500 still appears.
The case is that now appears the renewed certificate, but the page has fallen and keeps giving me error 500.
https://geoendesa.com

JuergenAuer · October 5, 2020, 11:39am

That's

your wrong web.config, that blocks the trace-system.

acanivano · October 5, 2020, 11:38am

I managed to update the certificate and make the website work properly. However I have to see the error 500.
Finally I omitted the web.config I had before the incident and generated a new one inside the "C:\inetpub\wwroot\GEO.known\acme-challenge" folder.
The new certificate came into force on 2/10, but since I have been having these problems I don't know if it was because of Certbot or because it was renewed automatically. I will continue to investigate.
Thanks for everything