Unable to generate a SAN certificate. Authorization result: Invalid


#1

Please fill out the fields below so we can help you better.

My domain is: bitfragment.com

I ran this command: letsencrypt.exe --san --centralsslstore c:\centralssl

It produced this output:

Authorizing identifier mail.bitfragment.com using challenge type http-01
Writing answer to c:\inetpub\wwwroot.well-known\acme-challenge[answerfile]
Answer should now be browsable at http://mail.bitfragment.com/.well-known\acme-challenge/[answerfile]
Submitting answer
Refreshing authorization
Authorization Result: invalid
Authorization Failed invalid

Authorizing identifier autodiscover.bitfragment.com using challenge type http-01
Writing answer to c:\inetpub\wwwroot.well-known\acme-challenge[answerfile]
Answer should now be browsable at http://mail.bitfragment.com/.well-known\acme-challenge/[answerfile]
Submitting answer
Refreshing authorization
Authorization Result: invalid
Authorization Failed invalid

The ACME server was probably unable to reach [answerfile]. Check in a browser to see if the answer file is served correctly.

My operating system is (include version): 2012R2

My hosting provider, if applicable, is: godaddy

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

I know this probably has been asked a hundred times, but nothing really applied to my case.

What I did before running letsencrypt.exe:

  1. create the .well-known\acme-challenge folder in wwwroot
  2. copy the web_config.xml file to the aforementioned folder and rename it to web.config
  3. create c:\centralssl directory
  4. in IIS, disable SSL on the .well-known folder and make sure anonymous authentication is enabled
  5. in IIS, on the acme-challenge folder I have created a MIME extension of * and a type of application/octet-stream

I’ve disabled the firewall and run it again, same result. I tried to browse to the answer file and could access it.

I believe there’s an actual issue with my DNS; for some reason it couldn’t resolve autodiscover and mail externally, I suppose. Do I need to set up any MX/DNS records in GoDaddy to support this operation?

Thanks


#2

Hi @Attitude,

Yes, you do. At least an A record for the domains you want to issue a certificate for; at this moment none of your 2 DNS servers resolves mail.bitfragment.com:

$ dig @ns23.domaincontrol.com mail.bitfragment.com

; <<>> DiG 9.9.7 <<>> @ns23.domaincontrol.com mail.bitfragment.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 41039
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;mail.bitfragment.com.          IN      A

;; AUTHORITY SECTION:
bitfragment.com.        600     IN      SOA     ns23.domaincontrol.com. dns.jomax.net. 2017041601 28800 7200 604800 600

;; Query time: 50 msec
;; SERVER: 216.69.185.12#53(216.69.185.12)
;; WHEN: dom abr 16 19:32:51     2017
;; MSG SIZE  rcvd: 117

$ dig @ns24.domaincontrol.com mail.bitfragment.com

; <<>> DiG 9.9.7 <<>> @ns24.domaincontrol.com mail.bitfragment.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 65232
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;mail.bitfragment.com.          IN      A

;; AUTHORITY SECTION:
bitfragment.com.        600     IN      SOA     ns23.domaincontrol.com. dns.jomax.net. 2017041601 28800 7200 604800 600

;; Query time: 72 msec
;; SERVER: 208.109.255.12#53(208.109.255.12)
;; WHEN: dom abr 16 19:32:57     2017
;; MSG SIZE  rcvd: 117

Let’s Encrypt needs to reach your domain to validate it; if there is no A record for your domain… validation is not possible ;).

Cheers,
sahsanu


#3

Hi @sahsanu

Thanks for your reply.
I have created an A record for mail.bitfragment.com and autodiscover.bitfragment.com and an MX record to support these.

I was still having the same issue until I checked my firewall settings and found they were blocking port 80.

I was now able to generate the certificates.

Thanks again.
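The two causes found in this thread (a SAN name with no A record, and port 80 blocked by a firewall) are exactly the checks a CA performs, in that order, before it ever looks at the answer file. The script below is an added example, not part of the thread and not code from letsencrypt.exe: it walks each SAN name through DNS resolution, a plain-HTTP connect on port 80 and the content served under `/.well-known/acme-challenge/`, and reports which step failed. It assumes you first drop a small test file with known contents into the acme-challenge folder (the `test_name` / `test_body` parameters; here `preflight-test` containing `preflight-ok`, both made up), which also exercises the extension-less MIME mapping from step 5 of the first post. The `resolve` and `fetch` arguments are injectable so the checker can be exercised without network access; the defaults use the system resolver, whereas the reply above queried the authoritative nameservers directly with `dig @ns23.domaincontrol.com`. Host names in the script are placeholders.

```python
"""Pre-flight checker for HTTP-01 validation of several SAN names.
Added example for this thread; not part of letsencrypt.exe."""
import socket
import sys
import urllib.error
import urllib.request

CHALLENGE_PATH = "/.well-known/acme-challenge/"


def default_resolve(host):
    """Resolve host to an IPv4 address with the system resolver.
    Returns None when there is no A record (NXDOMAIN or empty answer)."""
    try:
        return socket.gethostbyname(host)
    except socket.gaierror:
        return None


def default_fetch(url, timeout=10):
    """Plain-HTTP GET. Returns (status, body). An HTTP error code is
    returned as data; a failed TCP connection (blocked port 80, timeout)
    propagates as OSError so the caller can tell the two cases apart."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as exc:
        return exc.code, ""


def check_host(host, test_name, test_body,
               resolve=default_resolve, fetch=default_fetch):
    """Diagnose one SAN name. Returns (ok, reason), checking in the same
    order the CA would hit the problems: DNS, then TCP/80, then content."""
    ip = resolve(host)
    if ip is None:
        return False, "no A record for %s: add one at the DNS provider" % host
    url = "http://%s%s%s" % (host, CHALLENGE_PATH, test_name)
    try:
        status, body = fetch(url)
    except OSError as exc:
        return False, ("%s resolves to %s but port 80 is unreachable (%s): "
                       "check firewall/NAT" % (host, ip, exc))
    if status != 200:
        return False, ("%s returned HTTP %d for %s: check the web.config / "
                       "MIME mapping" % (host, status, url))
    if body.strip() != test_body:
        return False, "%s served unexpected content for %s" % (host, url)
    return True, "%s (%s) serves the challenge path" % (host, ip)


def preflight(hosts, test_name, test_body,
              resolve=default_resolve, fetch=default_fetch):
    """Run check_host over every SAN name; returns {host: (ok, reason)}."""
    return {h: check_host(h, test_name, test_body, resolve, fetch)
            for h in hosts}


if __name__ == "__main__":
    # Create a file named "preflight-test" containing "preflight-ok" in the
    # acme-challenge folder first. Host names are placeholders.
    names = sys.argv[1:] or ["mail.example.com", "autodiscover.example.com"]
    for host, (ok, reason) in preflight(names, "preflight-test",
                                        "preflight-ok").items():
        print("%s %s" % ("OK  " if ok else "FAIL", reason))
```

Run it from any machine outside your network, since a check from the server itself can succeed through the loopback path while the CA's request is still dropped at the perimeter firewall, which is the situation described in the last post.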

