The Certificate Authority failed to download the temporary challenge files created by Certbot

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: bstpoc.serviceconnect.defence.gov.au

I ran this command: C:\Windows\system32>certbot certonly --webroot and then C:\Program Files\Apache\Tomcat 9.0\webapps\ROOT

It produced this output:
C:\Windows\system32>certbot certonly --webroot
Saving debug log to C:\Certbot\log\letsencrypt.log
Please enter the domain name(s) you would like on your certificate (comma and/or
space separated) (Enter 'c' to cancel): bstpoc.serviceconnect.defence.gov.au
Requesting a certificate for bstpoc.serviceconnect.defence.gov.au
Input the webroot for bstpoc.serviceconnect.defence.gov.au: (Enter 'c' to
cancel): C:\Program Files\Apache\Tomcat 9.0\webapps\ROOT

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
Domain: bstpoc.serviceconnect.defence.gov.au
Type: unauthorized
Detail: 20.70.4.114: Invalid response from http://bstpoc.serviceconnect.defence.gov.au/.well-known/acme-challenge/xFVql5iB-O9Lq0GMQgtTmGkqIiLAoa5UoDjB3rOsLas: 502

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile C:\Certbot\log\letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version): Apache Tomcat 9.0

The operating system my web server runs on is (include version): Windows Server 2019

My hosting provider, if applicable, is: defence.gov.au

I can login to a root shell on my machine (yes or no, or I don't know): Not a Linux machine

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 2.6.0

Are you sure that is the correct webroot path?

502 error is usually a backend access problem.
Is there a proxy involved anywhere?

2 Likes

Also, the webroot path used contains two blank spaces.
This may be problematic when not enclosed in quotes [not too sure how certbot 2.6.0 handles them]

Please show the logfile created to better understand if that is being handled as expected [or not]:

2 Likes

In addition to @rg305's comment, your server is not responding to any requests. Even requests to the "home" page get a 502. Here is more of the data from that. Maybe this helps isolate the problem.

curl -i bstpoc.serviceconnect.defence.gov.au

HTTP/1.1 502 Bad Gateway
Server: Microsoft-Azure-Application-Gateway/v2

<!doctype html>
  <title>Site Maintenance</title>
    <h1>We&rsquo;ll be back soon!</h1>

     <!-- Please update time to the expected system return time-->
     <p>We are currently working on developing ServiceConnect.</p>
     <p>Please contact Application Development Team for assistance</p>
     <p>&mdash; The ServiceConnect Project Team</p>
2 Likes

If this system is indeed behind a proxy, the TLS connections may also need to be handled by that proxy.
You may need to speak with your IT department about enabling HTTPS on your Internet accessible site.

edit:
Currently the IP returns a cert for: devpublic.serviceconnect.defence.gov.au
See: SSL Server Test: bstpoc.serviceconnect.defence.gov.au (Powered by Qualys SSL Labs)

2 Likes

letsencrypt.txt (19.1 KB)

Hello All,

Thank you for your responses. Please find the answers below.

Are you sure that is the correct webroot path? Yes, I am sure.

502 error is usually a backend access problem. Is there a proxy involved anywhere? No proxy in place. Local firewall is disabled. No NSG in place.

Also, the webroot path used contains two blank spaces. It is correct. That's how it is in our other env as well where we use certbot.

This may be problematic when not enclosed in quotes. Tried using quotes but no luck.

You may need to speak with your IT department about enabling HTTPS on your Internet accessible site. Internet access is allowed.

Currently the IP returns a cert for: devpublic.serviceconnect.defence.gov.au. Yes, it is because we have copied the server.xml file from another env and we will change that to point to the right jks once certbot is created.

Log file uploaded.

Thanks in advance.

1 Like

Attempting to save validation to C:\Program Files\Apache\Tomcat 9.0\webapps\ROOT\.well-known\acme-challenge\ib1lYNuo5yiHyCSwhRBpC6z1mvJDPP8EkZcjPkEqfvs

Well, it is definitely trying to save it where you asked it to.

Let's try saving a test file in that challenge location:
[create the full challenge path first, if needed]
echo "test" > "C:\Program Files\Apache\Tomcat 9.0\webapps\ROOT\.well-known\acme-challenge\test-file"

And then check that the file is there and contains text with:

dir "C:\Program Files\Apache\Tomcat 9.0\webapps\ROOT\.well-known\acme-challenge\test-file"

more "C:\Program Files\Apache\Tomcat 9.0\webapps\ROOT\.well-known\acme-challenge\test-file"

And then see if it can be accessed from the Internet:
http://bstpoc.serviceconnect.defence.gov.au/.well-known/acme-challenge/test-file

2 Likes
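A scripted version of the check described above, added here as an example and not taken from the thread or from Certbot: it creates the `.well-known/acme-challenge` directory under a webroot (pathlib has no problem with the leading dot), writes a random probe file, and classifies the HTTP answer the way the replies in this thread interpret it (200 with matching body, 404, or a 502/503/504 from a gateway such as the Azure Application Gateway seen in the curl output, which points at the backend rather than at Certbot). Domain, webroot and function names are assumptions.

```python
"""Preflight for an HTTP-01 webroot challenge: create the challenge directory,
drop a probe file into it, and classify what the CA would see when fetching it."""
import secrets
import urllib.error
import urllib.request
from pathlib import Path

CHALLENGE_SUBDIR = Path(".well-known") / "acme-challenge"


def write_probe(webroot, token=None):
    """Create <webroot>/.well-known/acme-challenge (pathlib has no trouble with the
    leading dot that File Explorer rejects) and write a random probe file there."""
    token = token or secrets.token_urlsafe(32)
    body = secrets.token_urlsafe(32)
    target_dir = Path(webroot) / CHALLENGE_SUBDIR
    target_dir.mkdir(parents=True, exist_ok=True)
    path = target_dir / token
    path.write_text(body, encoding="ascii")
    return path, body


def classify(status, headers, body, expected):
    """Map the HTTP answer for a probe URL onto the failure modes seen in this thread."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    if status == 200 and body.strip() == expected:
        return "ok: this vhost serves the webroot, certbot --webroot should pass"
    if status == 200:
        return "mismatch: 200 but wrong content, the request reached another server or webroot"
    if status == 404:
        return "not-found: wrong webroot path or missing .well-known/acme-challenge directory"
    if status in (502, 503, 504):
        via = f" from {hdrs['server']}" if "server" in hdrs else ""
        return f"backend: HTTP {status}{via}, the proxy/gateway cannot reach the origin; not a certbot problem"
    return f"unexpected: HTTP {status}"


def probe(domain, token, expected, timeout=10):
    """Fetch the probe the way the CA would: plain HTTP on port 80, redirects followed."""
    url = f"http://{domain}/.well-known/acme-challenge/{token}"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return classify(resp.status, dict(resp.headers.items()), resp.read().decode("utf-8", "replace"), expected)
    except urllib.error.HTTPError as err:
        return classify(err.code, dict(err.headers.items()), err.read().decode("utf-8", "replace"), expected)


if __name__ == "__main__":
    # Constructed response mirroring the curl output quoted earlier in this thread.
    print(classify(502, {"Server": "Microsoft-Azure-Application-Gateway/v2"}, "<!doctype html>...", "x"))
```

In practice you would call `write_probe(r"C:\Program Files\Apache\Tomcat 9.0\webapps\ROOT")` and then `probe("bstpoc.serviceconnect.defence.gov.au", path.name, body)` from a machine outside the network; anything other than "ok" means `certbot --webroot` will fail the same way.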


Hi rg305,

Thank you for your response.

I could not create the path with .well-known\acme-challenge in Windows. It won't accept a dot in the folder name.

Screenshot attached of the path that we have.

Ran the command below (without the .well-known\acme-challenge)
echo "test" > "C:\Program Files\Apache\Tomcat 9.0\webapps\ROOT\.well-known\acme-challenge\test-file"

Checked that the test-file is there and contains the text "test".

Also, the URL below can be accessed from the Internet. Screenshot attached.
http://bstpoc.serviceconnect.defence.gov.au/test-file

Tried using the path up to webapps instead of ROOT. Same error:

C:\Windows\system32>certbot certonly --webroot
Saving debug log to C:\Certbot\log\letsencrypt.log
Please enter the domain name(s) you would like on your certificate (comma and/or
space separated) (Enter 'c' to cancel): bstpoc.serviceconnect.defence.gov.au
Requesting a certificate for bstpoc.serviceconnect.defence.gov.au
Input the webroot for bstpoc.serviceconnect.defence.gov.au: (Enter 'c' to
cancel): C:\Program Files\Apache\Tomcat 9.0\webapps

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
Domain: bstpoc.serviceconnect.defence.gov.au
Type: unauthorized
Detail: 20.70.4.114: Invalid response from http://bstpoc.serviceconnect.defence.gov.au/.well-known/acme-challenge/4gRC9P0bqOMOSM7Y4pu3DbxRUV57TlhkKKm_nZ9QIKA: 502

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile C:\Certbot\log\letsencrypt.log or re-run Certbot with -v for more details.

Thanks!

1 Like

That’s a quirk of Windows File Explorer. Put another dot at the end and File Explorer should strip it. Otherwise you can create it from a shell with mkdir .well-known

3 Likes

You must create the full path.
As noted, Windows is a bit quirky about things that start with a dot.
But it can be done:

Try these:
mkdir "C:\Program Files\Apache\Tomcat 9.0\webapps\ROOT\.well-known."
mkdir "C:\Program Files\Apache\Tomcat 9.0\webapps\ROOT\.well-known\acme-challenge"

1 Like

Hi,

I have created the folders using the command below, but I am getting the same error.

C:\Windows\system32>mkdir "C:\Program Files\Apache\Tomcat 9.0\webapps\ROOT.well-known\acme-challenge"

C:\Windows\system32>certbot certonly --webroot
Saving debug log to C:\Certbot\log\letsencrypt.log
Please enter the domain name(s) you would like on your certificate (comma and/or
space separated) (Enter 'c' to cancel): bstpoc.serviceconnect.defence.gov.au
Requesting a certificate for bstpoc.serviceconnect.defence.gov.au
Input the webroot for bstpoc.serviceconnect.defence.gov.au: (Enter 'c' to
cancel): C:\Program Files\Apache\Tomcat 9.0\webapps\ROOT.well-known\acme-challenge

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
Domain: bstpoc.serviceconnect.defence.gov.au
Type: unauthorized
Detail: 20.70.4.114: Invalid response from http://bstpoc.serviceconnect.defence.gov.au/.well-known/acme-challenge/p7m-KtynI3p2dWc7ACX5YGPYzF6oDrcGrfgWMSALxr0: 502

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile C:\Certbot\log\letsencrypt.log or re-run Certbot with -v for more details.

Please help!

Your domain is replying with a 502 error for any request, even your home page, as I noted earlier in post #5.

You would get that same error just trying your domain name in a browser without any URI path at all.

Don't you have any IT support people you can talk with? A 502 for an HTTP request to your home page is not related to Certbot or Let's Encrypt. We are not a general purpose help site for all server configuration issues.

Maybe something is rejecting all HTTP requests. I don't know. You or an IT team would know better how your system is setup. Ask them why your home page fails with a 502.

2 Likes

You were not asked to try to get a cert:

2 Likes

Thank you so much for clarifying that the issue was not with certbot.
We have checked with the App Server team, and they had a backend port redirection set up from port 80 to 443, which caused the issue. Once it was removed, we were able to install certbot.

3 Likes
