Unable to bind, invalid response - certbot on IIS

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: arkieit.com

I ran this command: certbot certonly --webroot ; certbot certonly --standalone

It produced this output: for --webroot:
Saving debug log to C:\Certbot\log\letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Please enter in your domain name(s) (comma and/or space separated) (Enter 'c'
to cancel): www.arkieit.com
Requesting a certificate for www.arkieit.com
Performing the following challenges:
http-01 challenge for www.arkieit.com
Input the webroot for www.arkieit.com: (Enter 'c' to cancel): C:\inetpub\wwwroot\jrod
Waiting for verification...
Challenge failed for domain www.arkieit.com
http-01 challenge for www.arkieit.com
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:
 - The following errors were reported by the server:

**Domain: www.arkieit.com**
**Type: unauthorized**
**Detail: Invalid response from**
**http://www.arkieit.com/.well-known/acme-challenge/Fn73-4CYbSk0p0ufuzeJBYcERvtZtBn8rsmN_Y9IWeI**
**[173.187.90.161]: "\r\n<html**
**xmlns="http"**

**To fix these errors, please make sure that your domain name was**
**entered correctly and the DNS A/AAAA record(s) for that domain**
**contain(s) the right IP address.**

for --standalone:
Saving debug log to C:\Certbot\log\letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Please enter in your domain name(s) (comma and/or space separated) (Enter 'c'
to cancel): www.arkieit.com
Requesting a certificate for www.arkieit.com
Performing the following challenges:
http-01 challenge for www.arkieit.com
Cleaning up challenges
Problem binding to port 80: Could not bind to IPv4 or IPv6.

My web server is (include version): IIS 10.0.17763.1

The operating system my web server runs on is (include version): Windows Server 2019 - 1809

My hosting provider, if applicable, is: Me

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): IIS module

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 1.13.0

This is an initial request as it has no SSL currently. I've temporarily locked myself once before from trying different variations.

1 Like

Hi @arkietech,

For the --webroot error, you need to make sure that your IIS is configured to be able to serve files from directories whose names begin with a dot (with ASP) and/or files that have no extension (with IIS in general). Apparently this is often not the default behavior.

For the --standalone error, you would need to temporarily stop IIS entirely while running certbot --standalone (as it requires that there is no other web server listening on port 80).

1 Like

I've already followed all the steps for the .well-known serve (i.e., creating a virtual directory with alias .well-known that maps to a directory without a .) and I've created a mime type that is blank for the folder. I've even turned on directory browsing.

When certbot wants the web root... it wants the root of the site, correct? Where the index.html and the .well-known virtual directory are located, correct?

For the --standalone: I have turned off every web site and service that could possibly use port 80 and it still complains about not being able to bind. When I run "netstat -aon | findstr 80" the only thing that comes up as using the port is "system" and it is in a listening state.

1 Like

Hi @arkietech

Second works - www.arkieit.com - /.well-known/acme-challenge/ answers.

If first works: Create a file (file name 1234) in that subdirectory to check if it is possible to load that file via

http://www.arkieit.com/.well-known/acme-challenge/1234

PS: If you use a virtual directory with an alias, that may not work. Because Certbot tries to create the file in your webroot, not your "alias webroot". And using that alias webroot it wouldn't work, because there is no /.well-known/ subdirectory.

Normally, you should be able to create the subdirectory directly in your webroot, so you don't need a virtual path.

PPS: Conclusion: Certbot may not work with an alias, so the first check isn't relevant.

2 Likes
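
The check suggested above (put a file under `.well-known/acme-challenge` in the webroot and load it over HTTP), together with a lookup of what is listening on port 80, as an added PowerShell example that is not from any participant in this thread. The default webroot and host name are the values quoted in the first post; the function names and the probe file name are made up for illustration.

```powershell
# Added example, not from the thread's participants. Defaults for $WebRoot and
# $HostName are the values quoted in the thread; the probe name is constructed.
param(
    [string]$WebRoot  = 'C:\inetpub\wwwroot\jrod',
    [string]$HostName = 'www.arkieit.com'
)

function Test-AcmeWebroot {
    param([string]$WebRoot, [string]$HostName)

    # certbot writes tokens to a physical path under the webroot, so create it there.
    $dir  = Join-Path $WebRoot '.well-known\acme-challenge'
    $name = 'probe-' + [guid]::NewGuid().ToString('N')    # extensionless, like a token
    $path = Join-Path $dir $name
    $want = 'preflight-' + [guid]::NewGuid().ToString('N')
    $url  = "http://$HostName/.well-known/acme-challenge/$name"
    New-Item -ItemType Directory -Path $dir -Force | Out-Null
    [System.IO.File]::WriteAllText($path, $want)          # UTF-8, no BOM, no newline

    try {
        $resp = Invoke-WebRequest -Uri $url -UseBasicParsing -ErrorAction Stop
        # Windows PowerShell returns byte[] for non-text content types.
        $got = if ($resp.Content -is [byte[]]) {
                   [System.Text.Encoding]::UTF8.GetString($resp.Content)
               } else { [string]$resp.Content }
        if ($got.Trim() -eq $want) { "OK: $url returned the probe content" }
        else { "FAIL: $url answered, but with other content (error page or rewrite?)" }
    }
    catch {
        # IIS answers 404 for static files that have no MIME mapping.
        "FAIL: $url -> $($_.Exception.Message)"
    }
    finally {
        Remove-Item -LiteralPath $path -ErrorAction SilentlyContinue
    }
}

function Get-Port80Owner {
    # PID 4 (System) is the kernel HTTP.sys listener shared by IIS and other
    # HTTP API services; `netsh http show servicestate` lists who is using it.
    Get-NetTCPConnection -LocalPort 80 -State Listen -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty OwningProcess -Unique |
        ForEach-Object { '{0} (PID {1})' -f (Get-Process -Id $_).ProcessName, $_ }
}

Test-AcmeWebroot -WebRoot $WebRoot -HostName $HostName
Get-Port80Owner
```

Run it from an elevated prompt on the web server. A request from the server to its own public name can take a different network path than the validation request from Let's Encrypt, so repeat the URL fetch from an outside machine as well.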

I ended up using a different program, which you suggested in a different post. Certify ssl community edition. Worked like a charm!

1 Like