Renew Certificate

Hi.
Forgive my simple question. I am unable to renew my licence. I get the error shown below.

Thank you very much for your help

My domain is: sagcm.crsoncloud.it

I ran this command: certbot -v certonly --force-renew -d sagcm.crsoncloud.it

It produced this output:
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate for sagcm.crsoncloud.it
Performing the following challenges:
http-01 challenge for sagcm.crsoncloud.it
Input the webroot for sagcm.crsoncloud.it: (Enter 'c' to cancel): C:\inetpub\wwwroot\ServiceAGCM
Creating a web.config file in C:\inetpub\wwwroot\ServiceAGCM.well-known\acme-challenge to allow IIS to serve challenge files.
Waiting for verification...
Challenge failed for domain sagcm.crsoncloud.it
http-01 challenge for sagcm.crsoncloud.it

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
  Domain: sagcm.crsoncloud.it
  Type:   unauthorized
  Detail: 185.221.175.251: Invalid response from http://sagcm.crsoncloud.it/.well-known/acme-challenge/VQWfXqN5sS__8AlM354sDRMw0YRDCZS21drnHBnij8Y: 403

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Cleaning up challenges
Cleaning web.config file generated by Certbot in C:\inetpub\wwwroot\ServiceAGCM\.well-known\acme-challenge.
Some challenges have failed.

My web server is (include version): IIS (Windows Server 2022 - ver 21H2)
The operating system my web server runs on is (include version): windows
My hosting provider, if applicable, is: register.it
I can login to a root shell on my machine (yes or no, or I don't know): yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): yes
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 2.9.0

Please note that the Certbot team has discontinued Windows support. See Certbot Discontinuing Windows Beta Support in 2024 for more information.

I would advise you to switch to a different ACME client. See the link above, where some suggestions are made, or e.g. ACME Client Implementations - Let's Encrypt for some options.

Also: don't use any "force" option if you don't know what it does: it does NOT magically make a failing challenge suddenly succeed.


Hello @Sandro,

The HTTP response code received was HTTP/1.1 403 Forbidden (403 Forbidden - HTTP | MDN); for a nonexistent file I would have expected 404 Not Found (404 Not Found - HTTP | MDN).

$ curl -Ii http://sagcm.crsoncloud.it/.well-known/acme-challenge/sometestfile
HTTP/1.1 403 Forbidden
Cache-Control: private
Content-Length: 5198
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/10.0
X-Powered-By: ASP.NET
Date: Sun, 08 Dec 2024 18:52:23 GMT

It seems there may be a configuration problem when serving up http://<YOUR_DOMAIN>/.well-known/acme-challenge/<TOKEN>


Sorry, but they don't know these things well.
Using Certify Certificate Manager I created a new certificate.
Everything is OK, although I don't really understand it.

Thanks for the support.


The above implies a missing path separator before \.well-known, but certbot also doesn't know how to configure IIS to serve extensionless files or to disable existing content handlers (such as a content management system etc.).

The reason it works with Certify Certificate Manager (which I develop) is because it runs its own temporary http challenge listener for /.well-known/acme-challenge requests in the HTTP pipeline (via http.sys) in front of IIS. If that challenge listener cannot run for some reason it can fall back to using IIS (including detecting the correct website root path automatically and auto configuring the challenge file handling).

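Pulling the two diagnoses in this thread together (the 403-where-a-404-was-expected from the curl check, and the missing path separator plus IIS handler/extensionless-file issue noted above), here is an added PowerShell self-check that is not part of the thread, of certbot, or of Certify Certificate Manager. It builds the challenge directory with Join-Path so the separator cannot go missing, drops a web.config scoped to that directory that maps extensionless files to text/plain, clears inherited handlers so a CMS or ASP.NET application cannot intercept the request, and allows anonymous access so ASP.NET authorization cannot answer 403; it then writes a throwaway token and fetches it over plain HTTP the way the CA would. The webroot and hostname are taken from the original post as placeholders; the token name is made up and is not a real ACME token; the exact web.config contents are my assumption about what IIS needs, not what either client writes.

```powershell
# Added example, not code from the thread, certbot or Certify Certificate Manager.
# Stage an HTTP-01 challenge directory under an IIS site root and verify that a
# token placed there is served with 200 before running an ACME client.
# Run in an elevated PowerShell on the IIS host. Values below are placeholders.

$WebRoot = 'C:\inetpub\wwwroot\ServiceAGCM'   # site root from the original post; adjust
$Domain  = 'sagcm.crsoncloud.it'              # hostname from the original post; adjust

# Join-Path supplies the backslash that was missing in certbot's log line
# ("ServiceAGCM.well-known"), so the directory is created where IIS will look.
$ChallengeDir = Join-Path $WebRoot '.well-known\acme-challenge'
New-Item -ItemType Directory -Path $ChallengeDir -Force | Out-Null

# web.config scoped to the challenge directory only (assumed content, not a client's own):
#  - map extensionless files to text/plain, because ACME tokens have no extension
#  - clear inherited handlers so a CMS/ASP.NET app cannot intercept the request
#  - allow anonymous users so ASP.NET authorization rules cannot return 403
$WebConfig = @'
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <staticContent>
      <remove fileExtension="." />
      <mimeMap fileExtension="." mimeType="text/plain" />
    </staticContent>
    <handlers>
      <clear />
      <add name="StaticFile" path="*" verb="*" modules="StaticFileModule" resourceType="Either" requireAccess="Read" />
    </handlers>
  </system.webServer>
  <system.web>
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>
</configuration>
'@
Set-Content -Path (Join-Path $ChallengeDir 'web.config') -Value $WebConfig -Encoding UTF8

# Throwaway token with a made-up name (not a real ACME token), fetched the way the CA would.
$Token = 'selfcheck-' + [guid]::NewGuid().ToString('N')
Set-Content -Path (Join-Path $ChallengeDir $Token) -Value 'ok' -Encoding ASCII -NoNewline

$Url = "http://$Domain/.well-known/acme-challenge/$Token"
try {
    # No redirects: the CA must get the token from this URL, not from wherever a rewrite sends it.
    $resp = Invoke-WebRequest -Uri $Url -UseBasicParsing -MaximumRedirection 0
    if ($resp.StatusCode -eq 200 -and $resp.Content.Trim() -eq 'ok') {
        Write-Host "OK: $Url served the token; the http-01 challenge should pass."
    } else {
        Write-Host "Unexpected response $($resp.StatusCode); check rewrite rules and the served content."
    }
} catch {
    # Invoke-WebRequest throws on 4xx/5xx; classify the status the way the thread did.
    $code = $_.Exception.Response.StatusCode.value__
    switch ($code) {
        403 { Write-Host "403: a handler, authorization rule or request filter is blocking $ChallengeDir; check web.config files inherited from parent directories." }
        404 { Write-Host "404: the site answering for $Domain is not rooted at $WebRoot, or the token was written elsewhere." }
        default { Write-Host "Request failed: $($_.Exception.Message)" }
    }
} finally {
    Remove-Item -Path (Join-Path $ChallengeDir $Token) -ErrorAction SilentlyContinue
}
```

Run the check from a machine outside the network as well, since the CA fetches from the internet and a hosts-file entry or internal DNS on the server can make a local test pass while the public path still returns 403. If the 403 persists with this web.config in place, the block is coming from a parent web.config or from site-level request filtering, which this directory-level file cannot override.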

Thank you for your reply.

