Unable to generate SAN certificate


#1

Hello everyone,

I am hoping someone can help me with the following problem.

I have a domain - bitfragment.com and I want to generate a SAN certificate for one of my DEV exchange servers. I was able to successfully generate a certificate in the past using the exact same steps I’m following now:

  1. create .well-known\acme-challenge folder in C:\inetpub\wwwroot\
  2. copy the web.config file to acme-challenge from the letsencrypt folder I’ve downloaded from Github (letsencrypt-win-simple-V1.9.3)
  3. disable SSL from IIS on the acme-challenge folder and make sure anonymous authentication is permitted
  4. create a central SSL store
  5. run letsencrypt.exe --san --centralsslstore storename and go through the process

These are the logs:

Authorizing Identifier mail.bitfragment.com Using Challenge Type http-01
Writing challenge answer to C:\inetpub\wwwroot\.well-known/acme-challenge/SEevqPLMe_5435cCEZFeonA7jJqh6L8nWx12AmMocFM
Answer should now be browsable at http://mail.bitfragment.com/.well-known/acme-challenge/SEevqPLMe_5435cCEZFeonA7jJqh6L8nWx12AmMocFM
Submitting answer
Refreshing authorization
Authorization Result: invalid
Authorization Failed invalid


The ACME server was probably unable to reach http://mail.bitfragment.com/.well-known/acme-challenge/SEevqPLMe_5435cCEZFeonA7jJqh6L8nWx12AmMocFM

Check in a browser to see if the answer file is being served correctly.


Authorizing Identifier autodiscover.bitfragment.com Using Challenge Type http-01
Writing challenge answer to C:\inetpub\wwwroot\.well-known/acme-challenge/dwMnLxmBrNl2DgL_AGgAqku6OYTiA4a1GNs7t4NKZcs
Answer should now be browsable at http://autodiscover.bitfragment.com/.well-known/acme-challenge/dwMnLxmBrNl2DgL_AGgAqku6OYTiA4a1GNs7t4NKZcs
Submitting answer
Refreshing authorization
Authorization Result: invalid
Authorization Failed invalid


The ACME server was probably unable to reach http://autodiscover.bitfragment.com/.well-known/acme-challenge/dwMnLxmBrNl2DgL_AGgAqku6OYTiA4a1GNs7t4NKZcs

Check in a browser to see if the answer file is being served correctly.

I have added the necessary DNS zones in my external/internal firewall and I’m allowing connections on port 80.

If I browse to the aforementioned http links (from an external source) where the answer file should be served from, I am able to see its contents.

What else can I try to make this work please? I am not doing anything different from what I was doing a few months ago when I was able to successfully generate certificates.

Thanks!
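
A pre-flight check for the five steps above, added here as an example; it is my own PowerShell, not code from the original post or from the letsencrypt-win-simple project. It assumes the site root is C:\inetpub\wwwroot, uses the two hostnames from the post, and asks 8.8.8.8 and 1.1.1.1 as stand-ins for "what the ACME server sees": querying public resolvers with -DnsOnly bypasses the local cache, the hosts file and any internal (split-horizon) zone, so an A record that is missing or pointing at a private address in the external zone cannot be masked. It then writes a constructed, extensionless answer file and fetches it from each resolved address with the Host header set to the name, which is the request the CA will make.

```powershell
# Added example (not from the original post or letsencrypt-win-simple): pre-flight
# checks to run before "letsencrypt.exe --san ..." so that a bad external DNS record
# or an unserved answer file is caught before the authorization goes "invalid".
# Assumptions: site root C:\inetpub\wwwroot, the two names from the post, and the
# public resolvers below reachable on UDP/53 from this machine.

$SiteRoot     = 'C:\inetpub\wwwroot'
$Hosts        = 'mail.bitfragment.com', 'autodiscover.bitfragment.com'
$Resolvers    = '8.8.8.8', '1.1.1.1'
$ChallengeDir = Join-Path $SiteRoot '.well-known\acme-challenge'
$ok = $true

# Constructed token with the same shape as a real http-01 token (43 base64url chars).
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$token = [Convert]::ToBase64String($bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_')
$expectedBody = $token + '.preflight-only'   # a real answer is "<token>.<account key thumbprint>"

New-Item -ItemType Directory -Path $ChallengeDir -Force | Out-Null
$answerPath = Join-Path $ChallengeDir $token
# ASCII, no BOM, no trailing newline: the CA compares the response body byte for byte.
[System.IO.File]::WriteAllText($answerPath, $expectedBody, [System.Text.Encoding]::ASCII)

function Test-PublicIPv4 {
    param([string]$Ip)
    # RFC 1918, link-local and loopback space: the ACME server cannot reach these.
    return -not ($Ip -match '^(10\.|172\.(1[6-9]|2\d|3[01])\.|192\.168\.|169\.254\.|127\.)')
}

foreach ($h in $Hosts) {
    foreach ($r in $Resolvers) {
        try {
            $records = Resolve-DnsName -Name $h -Type A -Server $r -DnsOnly -ErrorAction Stop |
                       Where-Object { $_.Type -eq 'A' }
        } catch {
            Write-Warning "$h : no answer from $r ($($_.Exception.Message))"
            $ok = $false
            continue
        }
        if (-not $records) {
            # This is the condition behind "urn:acme:error:unknownHost".
            Write-Warning "$h : no A record at $r"
            $ok = $false
            continue
        }
        foreach ($rec in $records) {
            $ip = $rec.IPAddress
            if (-not (Test-PublicIPv4 $ip)) {
                Write-Warning "$h : $r returns $ip, which is not a public address"
                $ok = $false
                continue
            }
            # Same request the CA makes: plain HTTP to the resolved address, Host = name.
            $req = [System.Net.HttpWebRequest]::Create("http://$ip/.well-known/acme-challenge/$token")
            $req.Host = $h
            $req.AllowAutoRedirect = $false   # surface redirects (e.g. to https) instead of hiding them
            $req.Timeout = 10000
            try {
                $resp = $req.GetResponse()
                $body = (New-Object System.IO.StreamReader($resp.GetResponseStream())).ReadToEnd()
                $status = [int]$resp.StatusCode
                $resp.Close()
                if ($status -ne 200 -or $body -ne $expectedBody) {
                    Write-Warning "$h : $ip answered HTTP $status with an unexpected body"
                    $ok = $false
                } else {
                    Write-Host "$h -> $ip (via $r): answer file served correctly"
                }
            } catch {
                # Typical causes: port 80 not forwarded, 'Require SSL' still on, anonymous auth off.
                Write-Warning "$h : GET from $ip failed ($($_.Exception.Message))"
                $ok = $false
            }
        }
    }
}

Remove-Item $answerPath -ErrorAction SilentlyContinue
if ($ok) { Write-Host 'Pre-flight passed; run letsencrypt.exe --san' }
else     { Write-Host 'Fix the warnings above before running letsencrypt.exe' }
```

Run it in an elevated PowerShell on the IIS/Exchange host. If only the GET warning appears from inside the LAN while the URL works from an outside browser, the edge firewall is not hairpinning NAT; the DNS results are still exactly what the CA will see, and rerunning the script from an external machine confirms the HTTP side.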


#2

hi @VladP,

I looked into this a little bit and unfortunately it seems like the Win-Simple ACME client isn’t showing you all of the information that the Let’s Encrypt server returns to it when there is a failure. I opened an issue with the developers of Win-Simple to try and get that fixed.

In this case it seems like you have some DNS problems for the two affected domains:

"Error":"urn:acme:error:unknownHost :: No valid IP addresses found for autodiscover.bitfragment.com"

"Error":"urn:acme:error:unknownHost :: No valid IP addresses found for mail.bitfragment.com"

I’m able to replicate this locally from my own machine:

~$ dig +short mail.bitfragment.com
~$ dig +short autodiscover.bitfragment.com
~$ 

I would double check that you updated the zones and that the domain names can be resolved to IPs from external queries.

Hope this helps!


#3

Hi @cpu,

Thank you for looking into this and for your detailed response.

I have now changed locations and have access to a whole different network infrastructure.
It appears that, while my DNS records do resolve from external sources, I am unable to get a ping reply. Therefore, I believe this has to do with the firewall.

I’ll look into it and if I manage to fix it I’ll let you guys know.

Thanks again!


#4

It does seem like the earlier problem with the missing A records from your authoritative DNS has been resolved.

~$ dig +short mail.bitfragment.com
93.122.224.81
~$ dig +short autodiscover.bitfragment.com
93.122.224.81

Seems likely! Best of luck getting to the bottom of it.


#5

I’ve managed to obtain the certificates. Thank you for pointing me in the right direction, I could’ve sworn that I had everything configured properly!

In this case, my firewall was configured okay and the NAT rules were in place. The problem was with the external DNS zone - the autodiscover and mail records were not pointing to the public IP address.

Luckily, I had short TTLs :smiley:

Cheers!


#6

Woohoo! Glad to hear everything worked out @VladP :tada: :lock:

