SAN cert - some sub-domains authorize ok - others fail


#1

I’m trying to create a SAN certificate, but I get authorization errors on [some] of the base domain’s sub-domains, while other sub-domains of the same base domains are authorized successfully.

server hosting = Rackspace

Main domain (@ Rackspace):

Other domains hosted (@ Network Solutions) whose DNS A records point to businessdts.com:

Windows Server 2008 R2
IIS 7.5

C:\Program Files (x86)\letsencrypt-win-simple>letsencrypt.exe --san

NOTE: All of the base domains and their WWW sub-domains authorized successfully.

Some of the other sub-domains were authorized successfully… others failed with:
“ACME server was probably unable to reach http:\sub.domain.com…”

PASS:
SERVER-NAME.businessdatatransfer.com
SERVER-NAME.bdts.us
SERVER-NAME.businessdataaccess.com
smtp.businessdts.com
mail.businessdts.com

FAIL:
SERVER-NAME.businessdts.com
smtp.businessdatatransfer.com
mail.businessdatatransfer.com
smtp.bdts.us
mail.bdts.us
smtp.businessdataaccess.com
mail.businessdataaccess.com

Does anyone have an idea of what could cause the mix of authentication successes and failures across these sub-domains?

Thanks,
CBruce


#2

hi @CBruce

are you using a specific challenge for all your requests?

do you have permission to execute that request for all your domains?

don’t forget it’s one challenge per domain


#3

Hi @ahaw021,

I’m NOT using the LE API. I’m using the Windows client, letsencrypt-win-simple (I’ll abbreviate to LWS for this message), with only its "--san" parameter. So all of the challenge values are generated automatically.

From the output of LWS, I can see that each challenge has a separate value - like this:


Authorizing Identifier MY-SERVER-NAME.businessdts.com Using Challenge Type http-01
Writing challenge answer to C:\inetpub\wwwroot\.well-known/acme-challenge/1Gv7TObeA1SCG2ydPSGlzUE00fOX_UAJwTvTyqgBIKQ
Writing web.config to add extensionless mime type to C:\inetpub\wwwroot\.well-known\acme-challenge\web.config
Answer should now be browsable at http://MY-SERVER-NAME.businessdts.com/.well-known/acme-challenge/1Gv7TObeA1SCG2ydPSGlzUE00fOX_UAJwTvTyqgBIKQ
Submitting answer
Refreshing authorization
Authorization Result: invalid


The ACME server was probably unable to reach http://MY-SERVER-NAME.businessdts.com/.well-known/acme-challenge/1Gv7TObeA1SCG2ydPSGlzUE00fOX_UAJwTvTyqgBIKQ
Check in a browser to see if the answer file is being served correctly.
This could be caused by IIS not being setup to handle extensionless static
files. Here’s how to fix that:

  1. In IIS manager goto Site/Server->Handler Mappings->View Ordered List
  2. Move the StaticFile mapping above the ExtensionlessUrlHandler mappings.
    (like this http://i.stack.imgur.com/nkvrL.png)
  3. If you need to make changes to your web.config file, update the one
    at C:\Program Files (x86)\letsencrypt-win-simple\web_config.xml


Authorizing Identifier mail.businessdatatransfer.com Using Challenge Type http-01
Writing challenge answer to C:\inetpub\wwwroot\.well-known/acme-challenge/CgXIdvJSWecjhD4F5V0RY1L_8-sdYuJmM9xCpUyIexU
Writing web.config to add extensionless mime type to C:\inetpub\wwwroot\.well-known\acme-challenge\web.config
Answer should now be browsable at http://mail.businessdatatransfer.com/.well-known/acme-challenge/CgXIdvJSWecjhD4F5V0RY1L_8-sdYuJmM9xCpUyIexU
Submitting answer
Refreshing authorization
Authorization Result: invalid


The ACME server was probably unable to reach http://mail.businessdatatransfer.com/.well-known/acme-challenge/CgXIdvJSWecjhD4F5V0RY1L_8-sdYuJmM9xCpUyIexU
Check in a browser to see if the answer file is being served correctly.
This could be caused by IIS not being setup to handle extensionless static
files. Here’s how to fix that:

  1. In IIS manager goto Site/Server->Handler Mappings->View Ordered List
  2. Move the StaticFile mapping above the ExtensionlessUrlHandler mappings.
    (like this http://i.stack.imgur.com/nkvrL.png)
  3. If you need to make changes to your web.config file, update the one
    at C:\Program Files (x86)\letsencrypt-win-simple\web_config.xml

As you can see, MY-SERVER-NAME.businessdts.com failed (even though businessdts.com is the base domain of our Windows server), but the challenges for MY-SERVER-NAME.other-domains-pointing-to-businessdts.com were successful.

On the other hand, mail.businessdts.com succeeded, but the mail and smtp sub-domains failed for all of our other domains.

We own all four domains and I’m able to make DNS changes for all of them.

(NOTE: During an LWS run with the parameters "--san --test", ALL domain mappings were successful.)

Does this information help, @ahaw021?

Thanks,
@CBruce


#4

hi cbruce

if you right click on your links above you can see they go nowhere

as there is no HTTP file being served up, letsencrypt cannot verify your domain and will not issue the certificate

for example, try browsing to:

http://MY-SERVER-NAME.businessdts.com/.well-known/acme-challenge/1Gv7TObeA1SCG2ydPSGlzUE00fOX_UAJwTvTyqgBIKQ

You can see you get a timeout, hence why your validation doesn't work
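A pre-flight check for the situation described in posts #3 and #4, added here as an example; it is not part of this thread or of letsencrypt-win-simple. For every SAN name it resolves the name, confirms it points at the host holding the webroot, fetches a probe file from the http-01 path, and reports the same kinds of failure the ACME server would hit (unresolvable name, timeout, wrong content). The resolver and fetcher are injectable so the logic can be exercised offline against constructed DNS and HTTP answers; all host names and IPs used in testing are constructed.

```python
import socket
import urllib.error
import urllib.request

# http-01 answers must be served over plain HTTP (port 80) under this path.
CHALLENGE_PATH = "/.well-known/acme-challenge/"

def default_resolve(host):
    """Resolve a name to an IPv4 address, as the ACME server does first."""
    return socket.gethostbyname(host)

def default_fetch(url):
    """Plain GET of the challenge URL; ACME gives up after a short timeout."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode("utf-8", "replace")

def check_san_names(names, token, expected_body, webroot_ip,
                    resolve=default_resolve, fetch=default_fetch):
    """Return {name: "PASS" | "FAIL: reason"} for every SAN name.
    token is the file name under CHALLENGE_PATH, expected_body its content
    (for a real challenge: token.<account thumbprint>), and webroot_ip the
    public address of the IIS host whose webroot holds the answer files.
    """
    results = {}
    for name in names:
        try:
            ip = resolve(name)
        except OSError:
            results[name] = "FAIL: name does not resolve"
            continue
        if ip != webroot_ip:
            # The answer sits in one webroot; a name pointing elsewhere (a separate mail host, say) cannot serve it.
            results[name] = f"FAIL: resolves to {ip}, not webroot host {webroot_ip}"
            continue
        url = f"http://{name}{CHALLENGE_PATH}{token}"
        try:
            body = fetch(url)
        except (urllib.error.URLError, OSError) as exc:
            # Timeouts and refused connections: firewall, NAT, or no port-80 listener.
            results[name] = f"FAIL: {url} unreachable ({type(exc).__name__})"
            continue
        if body.strip() != expected_body:
            # Reachable but wrong content, e.g. an IIS error page returned for
            # the extensionless file because StaticFile is not first in order.
            results[name] = "FAIL: wrong body served; check IIS static-file handler"
            continue
        results[name] = "PASS"
    return results
```

To run it live, write a probe file named `token` containing `expected_body` into the webroot's `.well-known\acme-challenge` folder, then call `check_san_names` with the default resolver and fetcher and the server's public IP.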

