Unable to renew cert after auto renew failed

I had a renewal which failed. Tried a manual renewall using win-acme.v1.9.12.2 which also failed.
Downloaded verson win-acme.v2.0.4.227 and tried to create a new cert in test mode which resulted with some errors. I reviewed the validation page from PKISharp/win-acme and found under Anonymous authentication to Enable anonymous authentication to the /.well-known/acme-challenge/ path to allow access from the ACME server. Cannot find /.well-known/acme-challenge/ path to enable anonymous authentication.

Your help would be much appreciated.

My domain is:5220dessource.com

My web server is (include version):iis8.5

The operating system my web server runs on is (include version):2012 r2

My hosting provider, if applicable, is: hosting myself

[INFO] A simple Windows ACMEv2 client (WACS)
[INFO] Software version 2.0.4.227 (RELEASE)
[INFO] IIS version 8.5
[INFO] Please report issues at https://github.com/PKISharp/win-acme

[VERB] Verbose mode logging enabled
[VERB] Arguments: --test --verbose
[DBUG] Config folder: C:\ProgramData\win-acme\acme-staging-v02.api.letsencrypt.org
[DBUG] Certificate cache: C:\ProgramData\win-acme\acme-staging-v02.api.letsencrypt.org\Certificates
[VERB] Settings SettingsService {ConfigPath=“C:\ProgramData\win-acme\acme-staging-v02.api.letsencrypt.org”, CertificatePath=“C:\ProgramData\win-acme\acme-staging-v02.api.letsencrypt.org\Certificates”, ClientNames=[“win-acme”, “win-acme”], RenewalDays=60, HostsPerPage=50, ScheduledTaskRandomDelay=00:00:00, ScheduledTaskStartBoundary=09:00:00, ScheduledTaskExecutionTimeLimit=02:00:00}
[VERB] Sending e-mails False
[DBUG] Renewal period: 60 days

[DBUG] Scanning IIS site bindings for hosts
[INFO] Target generated using plugin IISBinding: www.5220dessources.com
[DBUG] Scanning IIS site bindings for hosts
[VERB] Checking [IISBinding] www.5220dessources.com
[DBUG] Loading signer from C:\ProgramData\win-acme\acme-staging-v02.api.letsencrypt.org\Signer_v2
[DBUG] Send GET request to https://acme-staging-v02.api.letsencrypt.org/directory
[DBUG] Send HEAD request to https://acme-staging-v02.api.letsencrypt.org/acme/new-nonce
[DBUG] Loading account information from C:\ProgramData\win-acme\acme-staging-v02.api.letsencrypt.org\Registration_v2
[DBUG] Send POST request to https://acme-staging-v02.api.letsencrypt.org/acme/new-order
[DBUG] Send GET request to https://acme-staging-v02.api.letsencrypt.org/acme/authz/W6l61auQV7qd_AXNdO4uf7PnYD6LHXQCShzdgeThQrc
[INFO] Authorize identifier: www.5220dessources.com
[INFO] Authorizing www.5220dessources.com using http-01 validation (SelfHosting)
[DBUG] Submitting challenge answer
[DBUG] Send POST request to https://acme-staging-v02.api.letsencrypt.org/acme/challenge/W6l61auQV7qd_AXNdO4uf7PnYD6LHXQCShzdgeThQrc/287324153
[DBUG] Refreshing authorization
[DBUG] Send GET request to https://acme-staging-v02.api.letsencrypt.org/acme/challenge/W6l61auQV7qd_AXNdO4uf7PnYD6LHXQCShzdgeThQrc/287324153
[EROR] {
“type”: “urn:ietf:params:acme:error:unauthorized”,
“detail”: "Invalid response from http://www.5220dessources.com/.well-known/acme-challenge/MGSiTcoxP2pDaBlLs9AaWfZi4fQBQ4LjfGrv-E3gtgM [69.165.167.236]: “\r\n<html xmlns=\“http””,
“status”: 403
}
[EROR] Authorization result: invalid
[EROR] Create certificate failed: Authorization failed

Hi @kiekar

if you have an IIS, you must allow extensionless files.

Go to your webroot. Then create the two directories

yourWebRoot\.well-known\acme-challenge

there a file (file name 1234 without extension).

Then try to load that file via

http://www.5220dessources.com/.well-known/acme-challenge/1234

Hi Juergen,

When I enter

http://www.5220dessources.com/.well-known/acme-challenge/1234

I receive a 404 error and the tranfer protocol changes from http to https. I did disable the url rewrite rule in iis and on the web config file. I am also using haproxy on my pfsense firewall.

Browsers are limited to check such things. Too much caching.

But that's one reason I've created my online tool: https://check-your-website.server-daten.de/?q=5220dessources.com%2F.well-known%2Facme-challenge%2F1234

And there is something visible:

There answers always the same

Server: Microsoft-IIS/8.5

with the same size

Content-Length: 1245

So add the following config file in /.well-known/acme-challenge to allow extensionless files:

<configuration>
    <system.webServer>
        <staticContent>
            <mimeMap fileExtension="." mimeType="text/plain" />
        </staticContent>
    </system.webServer>
</configuration>

Then recheck your domain + file to see, if there is a http status 200 checking /.well-known/acme-challenge/1234.

Hi Juergen,

I added a web.config file as you instructed. This time i received a blank page when going to

http://www.5220dessources.com/.well-known/acme-challenge/1234

with no error.

Now you have 4 * http status 200:

Is there content in your test file? The word “test”? Or is it an empty file?

Is there content in your test file? The word “test”? Or is it an empty file?

It's empty. Should I have test in the 1234 file?

Then you can't check if you see the correct content.

Create a file with content.

Hi Juergen and thanks for all help.

I added "test" to the file and I do now see the text when going to

http://www.5220dessources.com/.well-known/acme-challenge/1234

Now that looks good.

So try it again to create a certificate.

Tried again but unfortunately I’m still getting the same error.

[DBUG] Scanning IIS site bindings for hosts
[INFO] Target generated using plugin IISBinding: www.5220dessources.com
[DBUG] Scanning IIS site bindings for hosts
[VERB] Checking [IISBinding] www.5220dessources.com
[DBUG] Loading signer from C:\ProgramData\win-acme\acme-staging-v02.api.letsencrypt.org\Signer_v2
[DBUG] Send GET request to https://acme-staging-v02.api.letsencrypt.org/directory
[DBUG] Send HEAD request to https://acme-staging-v02.api.letsencrypt.org/acme/new-nonce
[DBUG] Loading account information from C:\ProgramData\win-acme\acme-staging-v02.api.letsencrypt.org\Registration_v2
[DBUG] Send POST request to https://acme-staging-v02.api.letsencrypt.org/acme/new-order
[DBUG] Send GET request to https://acme-staging-v02.api.letsencrypt.org/acme/authz/6-ocPaT0qOPGgeYDTfwYv-bWc0cxrSuvGDQU1KSLqrU
[INFO] Authorize identifier: www.5220dessources.com
[INFO] Authorizing www.5220dessources.com using http-01 validation (SelfHosting)
[DBUG] Submitting challenge answer
[DBUG] Send POST request to https://acme-staging-v02.api.letsencrypt.org/acme/challenge/6-ocPaT0qOPGgeYDTfwYv-bWc0cxrSuvGDQU1KSLqrU/289599559
[DBUG] Refreshing authorization
[DBUG] Send GET request to https://acme-staging-v02.api.letsencrypt.org/acme/challenge/6-ocPaT0qOPGgeYDTfwYv-bWc0cxrSuvGDQU1KSLqrU/289599559
[EROR] {
“type”: “urn:ietf:params:acme:error:unauthorized”,
“detail”: "Invalid response from http://www.5220dessources.com/.well-known/acme-challenge/1-2foU6k3NjbZpb0Fbv9Q4jVOP8iye9c1gKIi8SSpno [69.165.167.236]: “\r\n<html xmlns=\“http””,
“status”: 403
}
[EROR] Authorization result: invalid
[EROR] Create certificate failed: Authorization failed

Hello,

Is the error due to IIS configuration or haproxy on pfsense?

As written:

But perhaps you have changed something.

There is a new check of your domain - https://check-your-website.server-daten.de/?q=5220dessources.com

there are always IIS-answers.

Hi Juergen,

There is a new check of your domain - [https://check-your-website.server-daten.de/?q=5220dessources.com ](https://check-your-website.server-daten.de/?q=5220dessources

Is there a specific area in the output I should focus on?

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.