Unable to validate domain (IIS)

Hello,

I’m experiencing similar issue with domain validation.

Domain: web.arena.tituto.com

Main domain tituto.com is managed by external NS server but web.arena.tituto.com is pointing to local NS server to which I have access.

Domain has two A records with different IP addresses (DNS round robin) but website is accessible on both of them. Server is IIS 10 and Lets Encrypt is being renewed by control panel (MSP Control) or by external software (https://certifytheweb.com/). Both of certificate requests (control panel and software) end the same. They can’t validate domain. IIS server logs show that there was external attempt of validation with 200 status from IIS server:

2017-10-16 09:58:09 91.219.122.191 GET /.well-known/acme-challenge/Kg-YkYXMtRXzyejWlVSwE8OyWfCndN_000LLLyrf-KU - 80 - 66.133.109.36 HTTP/1.1 Mozilla/5.0+(compatible;+Let's+Encrypt+validation+server;++https://www.letsencrypt.org) - - web.arena.tituto.com 200 0 0 564 272 179 -

this one is last example when I was trying to create certificate request from Certify app. Website has empty page and no redirects (web.config or .htaccess). Latest file in acme-challenge dir is still accessible:

http://web.arena.tituto.com/.well-known/acme-challenge/Js3PrTIxkwU-BWX9oPgzXm6TnNdx4cO18Q6TNWVHwPo

Any ideas what is causing this issue?

Hello,

I’ve split your post into a new topic. While you’re experiencing similar issues, the details might be different, so it’s easier to work on them separately.

(I’m not good at titles, am I?)

Could you provide more information?

Exactly what commands or steps did you take?

What output and error messages did the clients produce?

I was wondering about creating new topic but I’ve decided to add my post under something which seemed to me as a similar situation.

Do you have any access to let’s encrypt validation process on LE end? I’m using windows control panel called MSPControl (mspcontrol.org). This panel is using https://github.com/ebekker/ACMESharp for performing various tasks related to Lets Encrypt SSL certificates. MSP Control panel has possibility to run scheduled task which renews LE certificates and it works just fine. For some reason I can’t renew this one particular certificate. For each website control panel allows to use some kind of temporary URLs and during SSL requesting panel allows to select which domains should be covered by LE certificate. When I selected temporary domains LE certificates has been issued without any problems but when I’m selecting “web.arena.tituto.com” and “www.web.arena.tituto.com” validation of domains can’t be passed but as I mentioned in my initial post IIS web logs shows remote check for validation file by LE validation server:

2017-10-16 09:58:09 91.219.122.191 GET /.well-known/acme-challenge/Kg-YkYXMtRXzyejWlVSwE8OyWfCndN_000LLLyrf-KU - 80 - 66.133.109.36 HTTP/1.1 Mozilla/5.0+(compatible;+Let's+Encrypt+validation+server;++https://www.letsencrypt.org) - - web.arena.tituto.com 200 0 0 564 272 179 -

For now I don’t have any specific errors other than domain can’t be validated from MSP Control panel and something similar from Certify app. Interesting thing here is that there was remote query from LE validation server to which IIS server responded with 200 status.

MSP Control scheduled task was able to renew ssl certificates to other domains which has correct DNS settings (some of other domains returned with error that they also can’t be validated but this domains are not pointing to my servers).

Several people do; I personally don't.

Let's Encrypt delivers an error message to the client; it almost always pinpoints exactly what's wrong. It's... highly unfortunate not to have it.

The site has some DNS issues that would probably cause it to fail, but i can't be certain that's the only issue.

tituto.com. has these two nameservers:

tituto.com.             14218   IN      NS      ns1.hekko.net.pl.
tituto.com.             14218   IN      NS      ns2.hekko.net.pl.

They delegate arena.tituto.com. to two other nameservers:

arena.tituto.com.       14400   IN      NS      ns1.webio.pl.
arena.tituto.com.       14400   IN      NS      ns2.webio.pl.

However, those two nameservers don't have an "arena.tituto.com." zone. They have a "web.arena.tituto.com." zone.

web.arena.tituto.com.   10800   IN      NS      ns1.webio.pl.
web.arena.tituto.com.   10800   IN      NS      ns2.webio.pl.
web.arena.tituto.com.   10800   IN      SOA     ns1.webio.pl. hostmaster.web.arena.tituto.com. 2017101510 3600 600 1209600 86400

Therefore, queries for "tituto.com." work, and queries for "web.arena.tituto.com." work, but queries for "arena.tituto.com." or other subdomains like "xyz.arena.tituto.com." fail with an error.

Let's Encrypt looks for CAA records all the way up the tree. If it can't find any, and does receive an error, it will fail.

You should fix the DNS configuration. Either rename the delegation from "arena.tituto.com." to "web.arena.tituto.com.", or rename the zone from "web.arena.tituto.com." to "arena.tituto.com." (and adjust the names of the records in the zone).

(Or create an "arena.tituto.com." zone that further delegates "web.arena.tituto.com.", but that's excessively complicated.)

While you shouldn't go around with broken DNS delegations, Let's Encrypt would probably be satisfied if you created a CAA record at "web.arena.tituto.com.". If it finds a CAA record there, it won't care about errors up (down?) the tree.

AcmeSharp logs its errors to the Windows Event Log. You should be able to track down the error from the ACME server in the Event Viewer if resolving your DNS issues doesn’t fix the problem.

I would suggest working with mspcontrol.org on this as well as they may have further insights (being the ones that write the client)

Thanks for so deep analysis. I would never think about it this way (or it would take me some time I guess). After creating new DNS zone for arena.tituto.com on nsX.webio.pl servers Lets Encrypt validation finished with success.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.