Status 403 while issuing certificate

Please fill out all the fields below so that we can help you. Note: you must provide your domain name to get help. The domain names of issued certificates are published in Certificate Transparency logs (for example, https://crt.sh/?q=example.com). So withholding your domain name does not keep it secret, it only makes it harder for us to help.

I can read answers in English: yes

My domain name is: portaltv.erc.pt

I ran this command: wacs.exe

It produced this output:
(…)
Target generated using plugin IIS: portaltv.erc.pt

First chance error calling into ACME server, retrying with new nonce…
[portaltv.erc.pt] Authorizing…
[portaltv.erc.pt] Authorizing using http-01 validation (SelfHosting)
[portaltv.erc.pt] Authorization result: invalid
[portaltv.erc.pt] {
"type": "urn:ietf:params:acme:error:unauthorized",
"detail": "Invalid response from http://portaltv.erc.pt/.well-known/acme-challenge/dDUV4UOmdTcGgH-PbaNJFwxGRrZY-T4bE4QlzCMxS_k [195.23.11.227]: "\r\n<html xmlns=\"http"",
"status": 403
}

Please note that the “.well-known” folder was not created…

My web server is (include version): IIS 7.5

The operating system my web server runs on is (include version): Windows Server 2008 R2

My hosting provider, if applicable, is:

I can log in to a root shell on my machine (yes or no, or I don't know): yes

I use a control panel to manage my site (no, or provide the name and version of the control panel): no

And I tried Let’s Debug and everything seems to be fine:

Test result for portaltv.erc.pt using http-01

All OK!

OK

No issues were found with portaltv.erc.pt. If you are having problems with creating an SSL certificate, please visit the Let’s Encrypt Community forums and post a question there.

More than that, I already have another site with an SSL certificate running on the same machine/IIS.

The WACS self-hosting plugin (win-acme) starts a webserver on port 80.

For you to use that plugin, you might need to first stop your IIS server, so that WACS can bind to port 80 instead. Then you can start IIS again afterwards. The docs mention:

This plugin launches a temporary built-in web listener that stores the validation response in memory. It can share port 80 with IIS and other (Microsoft) software so this doesn’t interfere with regular traffic. Not all software supports this port sharing feature though. If you get errors telling you that the listener cannot be started, try to (temporarily) shut down other processes using the port, or look for another validation method.

Maybe give that a shot, to see if it's the cause of your problems.

If that is not convenient for you, you should look into using one of the other plugins, like the Filesystem one.

Thanks very much for your answer.

In fact the site is ‘natted’ to port 85 but from the outside it responds on port 80.
I will take a look at the link you sent
Regards

Ah, maybe in that case, you just need to add:

--validationport 85

which is mentioned on that doc.

1 Like

Thanks a lot, _az!

It's now working with "--validationport 85".
It did not create the bindings because I already had one site bound to 443. So I just bound it to 444 and NATed 443 (from the outside) to 444 (at IIS).
Regards

2 Likes
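
An added example, not part of the thread or of win-acme's own code: a simplified Python model of the setup discussed above, where public port 80 is NATed to internal port 85 and listeners on one port are chosen by URL prefix. It shows why the self-hosting listener on its default port never sees the http-01 request while one on port 85 does. The handler names, token and 403 body are constructed for illustration.

```python
# Simplified model (added example): internal ports, URL-prefix registrations on
# each port (port sharing), and a NAT rule that forwards public port 80.
CHALLENGE_PREFIX = "/.well-known/acme-challenge/"
TOKEN = "constructed-token"                    # constructed sample value
KEY_AUTH = TOKEN + ".constructed-thumbprint"   # constructed sample value


def iis_site(path):
    # The site has no .well-known folder and refuses the request (constructed body).
    return 403, "<html>403 - Forbidden</html>"


def acme_listener(path):
    # Temporary self-hosting listener: answers only for the pending token.
    if path == CHALLENGE_PREFIX + TOKEN:
        return 200, KEY_AUTH
    return 404, ""


class Host:
    def __init__(self, nat):
        self.nat = nat             # public port -> internal port
        self.registrations = {}    # internal port -> [(prefix, handler)]

    def register(self, port, prefix, handler):
        self.registrations.setdefault(port, []).append((prefix, handler))

    def request_from_internet(self, public_port, path):
        internal = self.nat.get(public_port)
        matches = [(p, h) for p, h in self.registrations.get(internal, [])
                   if path.startswith(p)]
        if not matches:
            return None, ""        # nothing listening: the connection fails
        # Longest matching prefix wins, so a challenge listener sharing the
        # port takes the challenge path and the site keeps everything else.
        _, handler = max(matches, key=lambda m: len(m[0]))
        return handler(path)


def http01_result(validation_port, site_port=85, nat=None):
    host = Host(nat or {80: 85})   # outside :80 is forwarded to inside :85
    host.register(site_port, "/", iis_site)
    host.register(validation_port, CHALLENGE_PREFIX, acme_listener)
    status, body = host.request_from_internet(80, CHALLENGE_PREFIX + TOKEN)
    ok = status == 200 and body.strip() == KEY_AUTH
    return ("valid" if ok else "invalid"), status


if __name__ == "__main__":
    print("default port 80:    ", http01_result(validation_port=80))
    print("--validationport 85:", http01_result(validation_port=85))
```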