Unable to make certificate

My domain is:
Easyinstallmdm.ista.dk

I ran this command:
Certbot certonly --standalone and later typed in my domain “Easyinstallmdm.ista.dk”

It produced this output:
http-01 challenge for easyinstallmdm.ista.dk
Waiting for verification…
Challenge failed for domain easyinstallmdm.ista.dk
http-01 challenge for easyinstallmdm.ista.dk
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:
 - The following errors were reported by the server:

Domain: easyinstallmdm.ista.dk
Type: connection
Detail: Fetching
http://easyinstallmdm.ista.dk/.well-known/acme-challenge/u_X4jEuWzGs2PpzfucSYmWYtXBtZvySEMX39hV_L2A0:
Timeout during connect (likely firewall problem)

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you’re using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.

My web server is (include version):
Running some MDM solution on the server.

The operating system my web server runs on is (include version):
Windows Server 2019

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): Certbot 1.5.0

It used to work, but I was lazy / had vacation and didn't renew the certificate…
And now I cannot get this to work again :frowning:


Hi @Reek2750

standalone is hard to debug because it’s not possible to check your configuration. Result (see your “check-your-website” - result):

Only timeouts. But it’s unknown if it is a firewall / routing / ip problem or another problem.

So first step: Is it possible to start a port 80 webserver and use that? --webroot should always work.


Thanks for your reply, I'll try to contact our reseller of the software we're using because I can't seem to find any webroot on the server actually.

So he needs to tell me how the website is created.

Hi again @JuergenAuer

I'm quite the rookie to certificates.
But I cannot launch my MDM solution without an SSL certificate.
So this means I have to use LetsEncrypt and create a SSL certificate for my potential website before the website is online.

I don't know if LetsEncrypt allows this feature, so I've made an IIS with the same name.
Hint: the server is behind a firewall, which only allows incoming traffic to 443 and now also 80.
Could that be the issue? If LetsEncrypt uses DNS port?

But I get the error below.

C:\PROGRA~2\Certbot>certbot certonly --webroot
Saving debug log to C:\Certbot\log\letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Please enter in your domain name(s) (comma and/or space separated) (Enter 'c'
to cancel): easyinstallmdm.ista.dk
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for easyinstallmdm.ista.dk
Input the webroot for easyinstallmdm.ista.dk: (Enter 'c' to cancel): C:\inetpub\wwwroot\easyinstallmdm
Waiting for verification...
Challenge failed for domain easyinstallmdm.ista.dk
http-01 challenge for easyinstallmdm.ista.dk
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:
 - The following errors were reported by the server:

Domain: easyinstallmdm.ista.dk
Type: unauthorized
Detail: Invalid response from
http://easyinstallmdm.ista.dk/.well-known/acme-challenge/7AsGqlEyW_tl9VlNem01wl1YfN_joflcBxSGhu_kTrU
[213.83.173.171]: "\r\nNot
Found\r"

That looks like an improvement!

You might also have to create a web.config file at C:\inetpub\wwwroot\easyinstallmdm\.well-known\acme-challenge\web.config to allow extensionless files in IIS:

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
        <staticContent>
            <mimeMap fileExtension=".*" mimeType="text/plain" />
        </staticContent>
    </system.webServer>
</configuration>

@_az

Doesn't work :frowning:
C:\PROGRA~2\Certbot>certbot certonly --webroot
Saving debug log to C:\Certbot\log\letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Please enter in your domain name(s) (comma and/or space separated) (Enter 'c'
to cancel): easyinstallmdm.ista.dk
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for easyinstallmdm.ista.dk
Input the webroot for easyinstallmdm.ista.dk: (Enter 'c' to cancel): C:\inetpub\wwwroot\easyinstallmdm
Waiting for verification...
Challenge failed for domain easyinstallmdm.ista.dk
http-01 challenge for easyinstallmdm.ista.dk
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:
 - The following errors were reported by the server:

Domain: easyinstallmdm.ista.dk
Type: unauthorized
Detail: Invalid response from
http://easyinstallmdm.ista.dk/.well-known/acme-challenge/D8osiPKMv0-1UgJO0N4NkbUllGSlq1JM45avXGiIWM4
[213.83.173.171]: "\r\nNot
Found\r"

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.

Create the subdirectories

C:\inetpub\wwwroot\easyinstallmdm\.well-known\acme-challenge

and put a file there (file name 1234), then try to load that file via

http://easyinstallmdm.ista.dk/.well-known/acme-challenge/1234

That must work. If not, fix it.

Do you run Certbot on that ip 213.83.173.171?
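The check described above (put an extensionless file under `.well-known/acme-challenge` and fetch it over plain HTTP before asking Let's Encrypt) can be scripted so that the three outcomes seen in this thread (success, "Not Found", connection timeout) are told apart automatically. The following is an added example, not code from this thread or from Certbot: `write_probe_file` mimics what the webroot plugin does, `probe` fetches the URL the way the validation server does and classifies the answer, and `simulate` runs everything against a throwaway local HTTP server that stands in for IIS, so it works offline. The probe body is just the token (a real key authorization also appends the account key thumbprint); the Windows path and domain in the final comment are taken from the thread.

```python
"""Pre-flight check for an http-01 challenge served from a webroot (added example)."""
import functools
import http.server
import secrets
import socketserver
import tempfile
import threading
import urllib.error
import urllib.request
from pathlib import Path

CHALLENGE_DIR = Path(".well-known") / "acme-challenge"


def write_probe_file(webroot, token=None):
    """Create <webroot>/.well-known/acme-challenge/<token> as an extensionless file,
    like Certbot's webroot plugin does. Body = token (simplified key authorization).
    Returns (path, token)."""
    token = token or secrets.token_urlsafe(32)
    challenge_dir = Path(webroot) / CHALLENGE_DIR
    challenge_dir.mkdir(parents=True, exist_ok=True)
    path = challenge_dir / token
    path.write_text(token, encoding="ascii")
    return path, token


def probe(base_url, token, timeout=10):
    """Fetch the challenge URL and classify the result with the ACME error types
    seen in the thread: 'ok', 'unauthorized' (404 or wrong body) or 'connection'
    (nothing reachable on port 80: firewall, DNS or closed port)."""
    url = f"{base_url.rstrip('/')}/.well-known/acme-challenge/{token}"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as exc:  # server answered, but not with the file
        hint = ""
        if exc.code == 404:
            hint = " (wrong webroot path, file has an extension, or IIS blocks extensionless files)"
        return "unauthorized", f"HTTP {exc.code} for {url}{hint}"
    except (urllib.error.URLError, OSError) as exc:  # timeout or refused connect
        reason = getattr(exc, "reason", exc)
        return "connection", f"cannot reach {url}: {reason}"
    if body.strip() != token:
        return "unauthorized", f"{url} answered with {body!r}, not the token"
    return "ok", f"{url} served the expected content"


class _QuietHandler(http.server.SimpleHTTPRequestHandler):
    def log_message(self, *args):  # keep the demo output clean
        pass


def serve_webroot(webroot):
    """Start a throwaway HTTP server on 127.0.0.1 serving `webroot`; this is the
    stand-in for IIS in the offline demo. Returns (server, base_url)."""
    handler = functools.partial(_QuietHandler, directory=str(webroot))
    server = socketserver.TCPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


def simulate():
    """Reproduce the three cases from the thread against a local webroot and
    return their statuses: ['ok', 'unauthorized', 'connection']."""
    with tempfile.TemporaryDirectory() as webroot:
        server, base = serve_webroot(webroot)
        try:
            _, token = write_probe_file(webroot)
            results = [probe(base, token)[0]]       # file in place and readable
            results.append(probe(base, "1234")[0])  # no extensionless '1234' -> 404 "Not Found"
        finally:
            server.shutdown()
            server.server_close()
        results.append(probe(base, token, timeout=2)[0])  # port closed -> connection error
    return results


if __name__ == "__main__":
    # Against the real host from the thread you would run, on the server:
    #   _, token = write_probe_file(r"C:\inetpub\wwwroot\easyinstallmdm")
    # and then, from outside the local network:
    #   print(probe("http://easyinstallmdm.ista.dk", token))
    for status in simulate():
        print(status)
```

Run it once on the web server to create the file, then run `probe` from a machine outside the firewall: a `connection` result points at routing or firewall rules on port 80, an `unauthorized` result with 404 points at the webroot path, a file extension, or the IIS extensionless-file setting, and only `ok` means Certbot's webroot run can succeed.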

@JuergenAuer

I've created the subdirectories
[image]

But there is no file inside.

Now I got locked out due to many failed attempts so I have to wait a few hours before I can continue my work.

But yes the certbot runs on the same server, is that bad practice? :slight_smile:

I probably have to add the Anonymous user to have read access to the subdirectory.

You have to create the second subdirectory and put a file there.

Then check the directory permissions.

That's required: Certbot must be able to create the validation file there.

Running Certbot on another machine wouldn't work.

Hi @JuergenAuer

I've tried again, but it still doesn't work.
Any other suggestions?

I mean I can easily access www.easyinstallmdm.ista.dk from outside my local network.
But it still fails with the SSL certificate :frowning:

I got a clean result from letsdebug.net for easyinstallmdm.ista.dk, but www.easyinstallmdm.ista.dk seems to have no A record.

@griffin

Mmh it should be in place and alright.
It must be some FW I think :l, I've just enabled almost everything.

You need an A (or CNAME) record for **www.**easyinstallmdm.ista.dk

How did I miss this :open_mouth:
I'll do the modifications and see if that works

Before you do, let me help with your certbot command.

What doesn't work? The exact command and the exact error message is required.

If you don't use the www version in your command, you don't need an A record with the www subdomain.

PS: Your older command didn't use the www subdomain.

So that's not the problem.

Create the test file in /.well-known/acme-challenge (file name 1234).

certbot certonly --cert-name easyinstallmdm.ista.dk -a webroot -w C:\inetpub\wwwroot\easyinstallmdm -d easyinstallmdm.ista.dk

If you want the www, just add -d www.easyinstallmdm.ista.dk to the end.

I've enabled directory browsing on easyinstallmdm folder.

You should be able to see the 1234 file, is it correct that it should be .txt?

but I still get the DNS A/AAAA error.

No, that's exactly the problem @_az has explained - two days earlier:

Extensionless files are required, file name 1234, not 1234.txt

PS: And never, never, never allow that:

I've enabled directory browsing on easyinstallmdm folder.

That's always a critical security problem.
