Renew Certificate Using Certbot Failed on Windows Server

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: https://recruitment.creditbank.com

I ran this command: certbot renew (as the certificate was expired)

It produced this output:

Domain: recruitment.creditbank.com
Type: unauthorized
Detail: Invalid response from
https://recruitment.creditbank.com/.well-known/acme-challenge/5kqefQZGt-Vbt3F0okEt-gJLQIK-lS1Lk6bYA3uA_mg
[185.171.108.30]: "\r\n<html
xmlns="http"

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.

My web server is (include version): IIS 10.0.14393.0

The operating system my web server runs on is (include version): windows server 2016

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): don't know

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
1.6.0

@tmourad Welcome to the community.

I am not experienced in your setup so will leave it for others. But, just wanted to clarify something. You say you are using IIS 10 but a request to your server responds with a header that says server: Kestrel

Can you provide any more details about your Kestrel and server setup? Might be helpful thanks

2 Likes

Kestrel is the highly performant web server library built into .NET Core. I believe when it was first released, they had recommended typically running it behind a reverse proxy (which can include IIS). The docs now claim it can run at the edge directly as well with some limitations.

I'd guess IIS is configured as the reverse proxy layer for a Kestrel-based web app/api in this case. Unfortunately, I don't know much beyond that.

3 Likes

When using certbot and other tools not optimised for IIS you need to have a clear idea of how the http validation works. Certbot will create a special validation text file (with no file extension) under the path you give it as <website root>/well-known-acme-challenge/<challenge response file>. It may or may not also create a web.config to try to configure the file handler (depends on the version).

You can test your setup by creating a file such as 'test.txt' under the ./well-known/acme-challenge path of your website (or wwwroot), with the content 'Hello World'. You should be able to browse to this file in a web browser. Then rename the file to just 'test' (remove the .txt extension) and try browsing to it again, if that works then you should be all good to go.

If you fetched your original cert before setting up the web app, then your entire configuration has effectively changed - there are new content handlers in the pipeline that weren't there before. Specifically for a .net core web app you will have an app.UseStaticFiles(); call in your web app startup configuration and this conventionally maps to the wwwroot subfolder of your app, so for http validation your web root is that folder, not the app root.

While you're here, check out the app I develop (which is optimised for IIS, and is commercially supported) https://certifytheweb.com. It has a temporary http validation listener which generally skips the need to have special IIS configuration etc.

2 Likes
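The manual check described above (drop 'test.txt' under .well-known/acme-challenge, browse to it, then retry without the extension) can be scripted. The following is an added example, not code from Certbot, Certify The Web or this thread; it writes the two test files under the web root you give it, fetches them over plain HTTP through the hostname you give it, and reports one of a few constructed diagnosis labels per file: "ok", "not_found", "html_response" (an HTML page came back instead of the file, the symptom shown in the original post), "unreachable" or "unexpected". The two local demo servers at the bottom are assumptions added so the script can be exercised offline; for a real site run self_test() against the IIS physical path of the site (the wwwroot folder for an ASP.NET Core app) and its public http:// URL.

```python
"""Pre-flight check for ACME HTTP-01 validation (added illustration, not
Certbot's or Certify The Web's code). It automates the manual test: place a file
under <webroot>/.well-known/acme-challenge/, fetch it over HTTP through the
site's hostname, and confirm the bytes come back unchanged, once as 'test.txt'
and once as the extension-less 'test'."""
import secrets
import tempfile
import threading
import urllib.error
import urllib.request
from functools import partial
from http.server import BaseHTTPRequestHandler, SimpleHTTPRequestHandler, ThreadingHTTPServer
from pathlib import Path

CHALLENGE_DIR = ".well-known/acme-challenge"


def classify_response(status, body, expected):
    """Map an HTTP result to a diagnosis label (labels are this example's own)."""
    if status is None:
        return "unreachable"       # DNS, firewall or binding problem, not a handler problem
    if status == 200 and body == expected:
        return "ok"
    if status == 404:
        return "not_found"         # wrong web root, or no handler for extension-less files
    head = body[:256].lstrip().lower()
    if head.startswith(b"<html") or head.startswith(b"<!doctype html"):
        return "html_response"     # the app pipeline answered instead of the static file
    return "unexpected"


def fetch(url, timeout=10):
    """GET url and return (status, body); HTTP error codes become (code, body)."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()
    except urllib.error.URLError:
        return None, b""


def self_test(webroot, base_url):
    """Write test files under webroot and fetch them through base_url.

    Returns e.g. {"test.txt": "ok", "test": "not_found"} when the server
    serves .txt files but refuses files that have no extension."""
    target_dir = Path(webroot).joinpath(*CHALLENGE_DIR.split("/"))
    target_dir.mkdir(parents=True, exist_ok=True)
    # Random token so a cached or stale copy cannot produce a false pass.
    expected = f"Hello World {secrets.token_urlsafe(16)}".encode()
    results = {}
    for name in ("test.txt", "test"):
        path = target_dir / name
        path.write_bytes(expected)
        try:
            status, body = fetch(f"{base_url.rstrip('/')}/{CHALLENGE_DIR}/{name}")
            results[name] = classify_response(status, body, expected)
        finally:
            path.unlink(missing_ok=True)   # never leave test files on a live site
    return results


class _CatchAllHtml(BaseHTTPRequestHandler):
    """Constructed stand-in for an app that answers every path with its HTML page."""
    def do_GET(self):
        body = b"\r\n<html xmlns=\"http://www.w3.org/1999/xhtml\"><body>app</body></html>"
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def _serve(handler_factory):
    """Start a throwaway HTTP server on a free localhost port."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), handler_factory)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


def local_demo():
    """Run self_test against a plain static server and against a catch-all app."""
    with tempfile.TemporaryDirectory() as webroot:
        static_server, static_url = _serve(partial(SimpleHTTPRequestHandler, directory=webroot))
        app_server, app_url = _serve(_CatchAllHtml)
        try:
            return {"static": self_test(webroot, static_url),
                    "catch_all_app": self_test(webroot, app_url)}
        finally:
            for srv in (static_server, app_server):
                srv.shutdown()
                srv.server_close()


if __name__ == "__main__":
    print(local_demo())
```

In the demo the plain static server reports "ok" for both files, while the catch-all app reports "html_response" for both, which is the situation a Kestrel app with a fallback route produces when the challenge request never reaches the static file handler. A real IIS site that reports "ok" for 'test.txt' but "not_found" for 'test' needs its static content handler configured for extension-less files before certbot's HTTP-01 check can succeed.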

Hi and thanks for your reply. I have downloaded the tool from the website https://certifytheweb.com , I can see the certificates but I have a message telling me that it is managed by certbot.

I have certbot installed on the virtual machine.
So what do you suggest? Uninstall certbot from the VM in order to let the new tool be able to manage the certificates?
Many thanks

2 Likes

Thanks for your reply.

2 Likes

Yes that's OK, just create a new managed certificate for the same website, leave the certbot one in place for now. Click "New Certificate", Select your IIS site, your domains [from your IIS site bindings] should appear in the list then click "Request Certificate". If that all works OK then you should find your IIS site has a new https binding with a working certificate, this certificate will be automatically renewed.

If the Certify The Web one works more easily for you then you can delete the certbot renewal one using the standard certbot delete functionality, your website itself will be unaffected (User Guide — Certbot 1.22.0 documentation).

If you cannot get the Certify The Web one to work then I can at least help you figure that out.

2 Likes

Dear @webprofusion,

Based on your proposition my issue was solved. Thanks so much for your help.

Best regards,

3 Likes
