SSL for www not generating

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: webemitra.com

I ran this command:
$challenge = Get-ACMEChallenge -State $acmeStateDir -Authorization $authZ -Type "http-01";
$chFilename = [System.IO.Path]::Combine($documentRoot+'', $challenge.Data.RelativeUrl.Substring(1));
$chDirectory = [System.IO.Path]::GetDirectoryName($chFilename);
if(-not (Test-Path $chDirectory)) {
    New-Item -Path $chDirectory -ItemType Directory;
}
Set-Content -Path $chFilename -Value $challenge.Data.Content -NoNewline;
$webConfigPath = [System.IO.Path]::Combine($chDirectory,"web.config");
if(-not (Test-Path $webConfigPath)) {
    Set-Content -Path $webConfigPath -Value '<?xml version="1.0" encoding="UTF-8"?> <system.webServer> </system.webServer> ' -NoNewline;
}
$challenge | Complete-ACMEChallenge -State $acmeStateDir;
}

It produced this output:
Type : http-01
Url : https://acme-v02.api.letsencrypt.org/acme/chall-v3/363409331717/oT0kbw
Token : D5SYwSGvQVkeHtHBdOVesaW0JbbgSZKStGxm3i_Ejmg
Status : invalid
Error : @{type=urn:ietf:params:acme:error:unauthorized; detail=74.225.248.154: Invalid response from http://www.webemitra.com/.well-known/acme-challenge/D5SYwSGvQVkeHtHBdOVesaW0JbbgSZKStGxm3i_Ejmg: 404; status=403}
Identifier : dns:www.webemitra.com
Data :

My web server is (include version):

The operating system my web server runs on is (include version): the Windows 11 Enterprise edition (IIS version 10.0.2)

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): no

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

Welcome @Vijeshec1111

First, I see you request a new cert for webemitra.com nearly every day. Please stop doing that. You should only renew your cert periodically. The recommendation is to renew with just 30 days remaining before expiration which is every 60 days.

Your recent cert history. Your cert requests started every day starting on May 3. Before that you only requested them periodically.


The "404" is an HTTP Not Found error. That usually means the documentRoot value you placed the challenge token in does not match your IIS server's document root.

Is this different for your www subdomain than it is for your root name?

And, what ACME Client are you using? And what version of it are you using?

If you developed it yourself please say so. Thanks.


Serving ACME challenges via IIS can be difficult because by default it doesn't serve extensionless text files and there can be things like authentication and content management system handlers in the way. If serving via IIS the basic test is to create a text file with no .txt extension at /well-known/acme-challenge/ then try to request that over http - if you get that working then real challenges will generally work as well.

As you are using Posh-ACME you should refer to their documentation but I would suggest that the self-host plugin would be most useful so that you can skip the challenge response via IIS, assuming it tolerates IIS running as well:

For other popular clients that work with IIS, there is also https://certifytheweb.com (a GUI + service, which I develop) and win-acme (command line).


Just curious @webprofusion how did you know it was Posh-ACME? I looked up its doc'd functions but did not see Get-ACMEChallenge so thought it was something else


@MikeMcQ I'm wrong, that's how! You know what they say about assumptions :)

Looking at this again, this is in fact more likely to be ACME-PS (ACME-PS/samples/FullfillChallenge.ps1 at master · PKISharp/ACME-PS · GitHub).


The root name and the subdomain both have the same name.
Root name: webemitra.com
webemitra.com is working fine and a certificate was generated for it.
www.webemitra.com is not working and I am unable to generate a certificate.
I'm using ACME-PS with the v2 version. Thanks.


I'm using ACME-PS (PowerShell)

Run your script up to and including Set-Content -Path $chFilename -Value $challenge.Data.Content -NoNewline; then check the /.well-known/acme-challenge path of your site and see if the expected file has been created and is accessible via public http (not just from your local network).

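The check suggested in the replies above (an extensionless file under /.well-known/acme-challenge/ fetched over plain http for each name), as an added example that is not part of any post and is not ACME-PS's own code. The function name Test-AcmeChallengePath and the default document root are assumptions; the host names are the two from this thread.

```powershell
# Added example (not from the thread). Run on the IIS host before Complete-ACMEChallenge.
param(
    [string]   $DocumentRoot = 'C:\inetpub\wwwroot',   # assumption: the site's physical path
    [string[]] $HostNames    = @('webemitra.com', 'www.webemitra.com')
)

function Test-AcmeChallengePath {
    param([string] $DocumentRoot, [string[]] $HostNames)

    # Constructed probe: extensionless name and random content, like a real http-01 token file.
    $token    = 'probe-' + [guid]::NewGuid().ToString('N')
    $expected = 'probe-body-' + [guid]::NewGuid().ToString('N')
    $dir      = Join-Path $DocumentRoot '.well-known\acme-challenge'
    $file     = Join-Path $dir $token

    if (-not (Test-Path $dir)) { New-Item -Path $dir -ItemType Directory | Out-Null }
    Set-Content -Path $file -Value $expected -NoNewline

    try {
        foreach ($name in $HostNames) {
            $url = "http://$name/.well-known/acme-challenge/$token"
            $status = $null; $served = $false; $note = ''
            try {
                $resp   = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 15
                $status = [int]$resp.StatusCode
                # Windows PowerShell returns byte[] for non-text MIME types; decode before comparing.
                $body   = if ($resp.Content -is [byte[]]) {
                              [System.Text.Encoding]::UTF8.GetString($resp.Content)
                          } else { [string]$resp.Content }
                $served = ($body -eq $expected)
                if (-not $served) { $note = 'body differs: another handler or site answered' }
            } catch {
                # 4xx/5xx arrive as exceptions; Response is $null for DNS or connection failures.
                $r = $_.Exception.Response
                if ($r) { $status = [int]$r.StatusCode }
                $note = $_.Exception.Message
            }
            [pscustomobject]@{ Name = $name; Status = $status; Served = $served; Note = $note }
        }
    } finally {
        Remove-Item -Path $file -ErrorAction SilentlyContinue   # never leave the probe behind
    }
}

Test-AcmeChallengePath -DocumentRoot $DocumentRoot -HostNames $HostNames | Format-Table -AutoSize
```

A 404 for only one of the names means that name is answered from a different site or document root than the one the file was written to. Repeat the request from outside the local network as well, since validation comes from the public internet.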
