Setting up certificates error - 403

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: sending-news.com

I ran this command: wacs.exe

It produced this output:

[sending-news.com] Authorizing...
[sending-news.com] Authorizing using http-01 validation (SelfHosting)
[sending-news.com] Authorization result: invalid
[sending-news.com] {
  "type": "urn:ietf:params:acme:error:unauthorized",
  "detail": "2001:8d8:100f:f000::200: Invalid response from http://sending-news.com/.well-known/acme-challenge/tvR2mDX3mH1Fn5VEFewvoGZ_uI_WflrRYa5d0t1KNX8: 204",
  "status": 403

My web server is (include version): Windows Server 2016, IIS 10

The operating system my web server runs on is (include version): Windows Server 2016

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): win-acme.v2.1.22.1289.x86.pluggable

Welcome @maheshjain

I don't know Windows well enough to help, but I see a couple of odd things. You say you are using Windows IIS server, but I see Apache and nginx responding. Having two servers is odd by itself, not to mention that neither is what you say it should be. Can you explain?

curl -i6 sending-news.com/.well-known/acme-challenge/TestChallenge123
HTTP/1.1 204
Server: nginx
Date: Sat, 15 Oct 2022 13:28:48 GMT

curl -i6 sending-news.com
HTTP/1.1 302 Found
Server: Apache
Location: http://130.185.119.113/sending-news.com

Also, the second test request gets redirected (the 302). But, the Location looks wrong. You have an IP address in front of your domain name. And, that IP is not the one in the DNS for your server even. This is not affecting the HTTP Challenge but points to a likely problem elsewhere.

3 Likes

What happened to the IPv6 address?

Name:    eddienetworks.ddnsfree.com
Address: 101.112.48.248
1 Like

@MikeMcQ

I am using Windows Server 2016 and IIS version 10.

I don't know how it shows different servers, nginx and Apache.

Do you think it is related to something wrong in the DNS entry?

Also, I don't know why it is showing an IP address in front of the domain while browsing.

Please explain to me what needs to be done in order to troubleshoot further.
Thank you

2 Likes

IPv6 address, but it pings, and telnet to ports 80 and 443 works from outside.

What should I do for further troubleshooting?

Thank you

2 Likes

Please show the IP address found by: http://ifconfig.co/

2 Likes

ifconfig.co — What is my IP address?

130.185.119.113

DNS Records for sending-news.com DNS Lookup - Check DNS Records

And here is what I find for an IPv4 address for sending-news.com

$ ping sending-news.com
PING sending-news.com (217.160.0.237) 56(84) bytes of data.
64 bytes from 217-160-0-237.elastic-ssl.ui-r.com (217.160.0.237): icmp_seq=1 ttl=34 time=174 ms
64 bytes from 217-160-0-237.elastic-ssl.ui-r.com (217.160.0.237): icmp_seq=2 ttl=34 time=172 ms
64 bytes from 217-160-0-237.elastic-ssl.ui-r.com (217.160.0.237): icmp_seq=3 ttl=34 time=173 ms
^C
--- sending-news.com ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 172.108/173.036/173.908/0.735 ms

$ nslookup
> sending-news.com
Server:         127.0.0.1
Address:        127.0.0.1#53

Non-authoritative answer:
Name:   sending-news.com
Address: 217.160.0.237
> set q=soa
> sending-news.com
Server:         127.0.0.1
Address:        127.0.0.1#53

Non-authoritative answer:
sending-news.com
        origin = ns1026.ui-dns.biz
        mail addr = hostmaster.1und1.com
        serial = 2017060113
        refresh = 28800
        retry = 7200
        expire = 604800
        minimum = 600

Authoritative answers can be found from:
> server ns1026.ui-dns.biz
Default server: ns1026.ui-dns.biz
Address: 217.160.81.26#53
> sending-news.com
Server:         ns1026.ui-dns.biz
Address:        217.160.81.26#53

sending-news.com
        origin = ns1026.ui-dns.biz
        mail addr = hostmaster.1und1.com
        serial = 2017060113
        refresh = 28800
        retry = 7200
        expire = 604800
        minimum = 600
> set q=a
> sending-news.com
Server:         ns1026.ui-dns.biz
Address:        217.160.81.26#53

Name:   sending-news.com
Address: 217.160.0.237
>
1 Like

And, as @MikeMcQ has pointed out, the redirects, using this: https://www.redirect-checker.org/

And I do not know how Let's Encrypt handles an HTTP response code of 302.

I feel sure other volunteers do know how Let's Encrypt handles an HTTP response code of 302.

That's a problem. Your DNS A record should be your public IP address but it is this instead:

nslookup sending-news.com
A    Address: 217.160.0.237
AAAA Address: 2001:8d8:100f:f000::200

I don't know how to check the IPv6 address on a Windows Server 2016, but your AAAA address is also probably wrong. You could delete that until you find out what it should be. Let's Encrypt will try to use an IPv6 address if one is present.

Your www subdomain has the same wrong IP addresses in the DNS.

2 Likes
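To make the diagnosis above mechanical, here is an added Python example (not code from the thread, from win-acme, or from Let's Encrypt) that parses the ACME error object the client printed, then compares the address the validator says it connected to with the domain's A/AAAA records and with the server's real public address. The sample error, DNS answers and public IP are constructed from the values quoted in this thread; the "<peer>: Invalid response from <url>: <status>" phrasing it parses is the one shown in the error above.

```python
"""Offline triage of a failed http-01 authorization.

Added example, not part of the thread or of win-acme: it parses the ACME
error object the client printed, then compares the address the validator
says it connected to with the domain's A/AAAA records and with the
server's real public address. All sample data below is constructed from
values quoted in the thread.
"""
import ipaddress
import json
import re
from typing import Dict, List, Optional, Tuple

# Constructed input: the thread's error object, with the wrapped "detail"
# string joined back onto one line as the CA actually sends it.
SAMPLE_ERROR = json.dumps({
    "type": "urn:ietf:params:acme:error:unauthorized",
    "detail": ("2001:8d8:100f:f000::200: Invalid response from "
               "http://sending-news.com/.well-known/acme-challenge/"
               "tvR2mDX3mH1Fn5VEFewvoGZ_uI_WflrRYa5d0t1KNX8: 204"),
    "status": 403,
})
# Constructed input: the A and AAAA answers nslookup returned in the thread.
SAMPLE_DNS = {"A": ["217.160.0.237"], "AAAA": ["2001:8d8:100f:f000::200"]}
# Constructed input: the public IPv4 address ifconfig.co showed the poster.
SAMPLE_PUBLIC_IPS = ["130.185.119.113"]

# The CA phrases http-01 fetch failures as
# "<peer address>: Invalid response from <url>: <status>" (as in the thread).
DETAIL_RE = re.compile(
    r"^(?P<addr>[0-9A-Fa-f:.]+): Invalid response from (?P<url>\S+): (?P<status>\d{3})$"
)


def parse_acme_error(error_json: str) -> Optional[dict]:
    """Extract peer address, challenge URL and HTTP status; None if unrecognised."""
    err = json.loads(error_json)
    match = DETAIL_RE.match(err.get("detail", ""))
    if match is None:
        return None
    return {
        "type": err.get("type"),
        "peer": ipaddress.ip_address(match["addr"]),
        "url": match["url"],
        "http_status": int(match["status"]),
    }


def diagnose(error_json: str, dns: Dict[str, List[str]],
             public_ips: List[str]) -> List[Tuple[str, str]]:
    """Return (code, explanation) findings in a fixed order; [] means no obvious cause."""
    parsed = parse_acme_error(error_json)
    if parsed is None:
        return [("UNPARSED", "detail is not an http-01 'Invalid response' message")]

    peer = parsed["peer"]
    mine = {ipaddress.ip_address(ip) for ip in public_ips}
    a_recs = {ipaddress.ip_address(ip) for ip in dns.get("A", [])}
    aaaa_recs = {ipaddress.ip_address(ip) for ip in dns.get("AAAA", [])}
    findings: List[Tuple[str, str]] = []

    # The validator prefers an AAAA record over A when one is published.
    if peer.version == 6:
        findings.append(("USED_AAAA",
            f"validator connected over IPv6 to {peer}; an AAAA record is "
            "tried in preference to A when one exists"))
    # The host that answered was not this server at all.
    if peer not in mine:
        findings.append(("PEER_NOT_MINE",
            f"validator reached {peer}, which is not one of this server's "
            f"public addresses {sorted(map(str, mine))}"))
    if not (a_recs & mine):
        findings.append(("A_MISMATCH",
            f"A record(s) {sorted(map(str, a_recs))} do not include the "
            "server's public IPv4 address"))
    if aaaa_recs and not (aaaa_recs & mine):
        findings.append(("AAAA_MISMATCH",
            f"AAAA record(s) {sorted(map(str, aaaa_recs))} are not this "
            "server's; delete them if the server has no public IPv6 address"))
    # A correct challenge response is 200 with the key authorization as body.
    if parsed["http_status"] != 200:
        findings.append(("BAD_STATUS",
            f"challenge URL answered {parsed['http_status']} instead of 200 "
            "with the key authorization in the body"))
    return findings


if __name__ == "__main__":
    for code, text in diagnose(SAMPLE_ERROR, SAMPLE_DNS, SAMPLE_PUBLIC_IPS):
        print(f"{code:14} {text}")
```

Run against the thread's data it reports all five findings, which is the picture the volunteers pieced together by hand: the validator went to the AAAA address, that address (and the A record) belong to somebody else's host, and that host answered 204 rather than 200. Once the A record points at the real server and the stale AAAA record is gone, only a BAD_STATUS finding would remain if the IIS site still failed to serve the token.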

Testing and debugging are best done using the Staging Environment as the Rate Limits are much higher. Rate Limits are per week (rolling).

And to assist with debugging, a great place to start is Let's Debug.

1 Like

Thanks guys,

So I need to stop the redirects, and only then will I be able to use Let's Encrypt SSL or other SSL?
Any idea what could have triggered this?
How do I fix it?

Many thanks

1 Like

I do not know if you need to stop redirects, but I would think that they should be an HTTP response of 301 instead of 302.

1 Like

No. The first step is to fix your DNS records.

2 Likes

So I will change my DNS A record and www subdomain record to the following IP:

130.185.119.113

Many thanks

3 Likes

ok

I will do that first.

Thanks

3 Likes

@maheshjain please be aware that DNS has caching with a Time To Live (TTL) that is in the DNS SOA record, so your DNS A record change may not be instantaneous across the Internet.

1 Like

It looks like your DNS now points to your IIS Server.

You might want to try getting a Let's Encrypt cert. I see you got a cert from ZeroSSL about 6 hours ago. Although, your server is not using it, and your HTTPS config in IIS seems faulty.

Since you are just starting and seem inexperienced, you might try using Certify The Web instead of win-acme. It's a popular GUI and may be easier to use. It is on the Let's Encrypt list (here).

Nothing wrong with win-acme. Just giving you another option.

2 Likes

@mikeMcQ

Yes, it's pointing to my IIS server now after I changed the DNS to my new web hosting DNS.

Also, the Let's Encrypt SSL is done now.

The issue left is that when I browse "sending-news.com" from local IIS or the public internet, my default webpage is not loading and is just blank. But when I type a URL like "sending-news.com/sending-news.com" it loads the default page. I don't know why this new issue appeared.

Any help would be appreciated.

Thanks

1 Like

Glad to hear your certificate is working. I see it working too.

But, this is not a forum to help with general IIS configuration. There are many other sources for that info. Google is a good place to start.

2 Likes