A wait that is a bit too long!

Please fill in the fields below so that we can help you. Note: you must provide your domain name to get help. The domain names of issued certificates are all made public in the Certificate Transparency logs (for example, crt.sh | example.com). So leaving your domain name out here does not help keep it secret, but it does make it harder for us to help you.

I can read responses in English: yes

My domain name is: chez.jcz.fr

My web server is (include version): WampServer / Apache 2.4.55

The operating system my web server runs on is (include version): Windows 10 Pro

My hosting provider, if applicable, is: at home (self-hosted)

Hello to the Let's Encrypt team and the community.

I have a small problem with the wait when creating a certificate :slight_smile:

[code]
A simple Windows ACMEv2 client (WACS)
Software version 2.1.23.1315 (release, pluggable, standalone, 64-bit)
Connecting to https://acme-v02.api.letsencrypt.org/...
Connection OK!
Scheduled task points to different location for .exe and/or working directory
Scheduled task random delay mismatch
Scheduled task exists but does not look healthy
Please report issues at GitHub - win-acme/win-acme: A simple ACME client for Windows (for use with Let's Encrypt et al.)
Running in mode: Unattended
Source generated using plugin Manual: chez.jcz.fr

Terms of service: C:\ProgramData\win-acme\acme-v02.api.letsencrypt.org\LE-SA-v1.3-September-21-2022.pdf
[chez.jcz.fr] Authorizing...
[chez.jcz.fr] Authorizing using http-01 validation (FileSystem)
Answer should now be browsable at http://chez.jcz.fr/.well-known/acme-challenge/ov_5Y46Fr6WGMg9DtOuHQcoG8NTpi_I5d54Lvh3c8VQ
Preliminary validation failed because 'An error occurred while sending the request.'
[chez.jcz.fr] Authorization result: valid
Downloading certificate [Manual] chez.jcz.fr
Store with PemFiles...
Exporting .pem files to K:\Utilitaires_Wamp\07.Certificats\04.Lets-Encrypt\04.Store\02.Reel
Scheduled task points to different location for .exe and/or working directory
Scheduled task random delay mismatch
Scheduled task exists but does not look healthy
Proceeding with unhealthy scheduled task, automatic renewals may not work until this is addressed
Adding renewal for [Manual] chez.jcz.fr
Next renewal due at 2023/3/31 17:55:51
Certificate [Manual] chez.jcz.fr created

Appuyez sur une touche pour continuer...
[/code]
The wait is quite long.
Here is the line where I have this problem:

 Preliminary validation failed because 'An error occurred while sending the request.'

In my firewall, ports 53, 80, 443, 8080 and 8443 are open.
What is blocking the preliminary phase?

Thank you!
Regards.
Artemus24.
@+

1 Like

DNS Addresses Multi-country domain resolving with DNS service: Check host - online website monitoring

HTTP connectivity Check website performance and response: Check host - online website monitoring

Let's Debug is showing an ERROR https://letsdebug.net/chez.jcz.fr/1362065

From my IPv4 only location I get

$ curl -Ii http://chez.jcz.fr/.well-known/acme-challenge/sometestfile
curl: (28) Failed to connect to chez.jcz.fr port 80 after 76163 ms: Operation timed out
$ nmap -Pn chez.jcz.fr
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2023-02-04 10:52 PST
Nmap scan report for chez.jcz.fr (109.16.70.70)
Host is up.
Other addresses for chez.jcz.fr (not scanned): 2001:470:c94a::100
rDNS record for 109.16.70.70: 70.70.16.109.rev.sfr.net
All 1000 scanned ports on chez.jcz.fr (109.16.70.70) are filtered

Nmap done: 1 IP address (1 host up) scanned in 203.78 seconds

Best Practice - Keep Port 80 Open

1 Like

I configure my site "chez.jcz.fr" with the PFX client certificate, but I can't. Hence the unavailability of my site. I manage to create the PFX certificate. When I consult it, it is valid. But the verification of the client with the server is not done.

If the site is not available, Let's Encrypt can still create the certificate. Is that it? Hence the message above and the slowness I noticed.

I fail to see the relevance of that statement, as I was showing a general lack of connectivity to the domain.

1 Like

Connectivity has improved. :slight_smile:

$ curl -Ii http://chez.jcz.fr/.well-known/acme-challenge/sometestfile
HTTP/1.1 301 Moved Permanently
Date: Sun, 05 Feb 2023 19:21:33 GMT
Server: Apache
Location: https://chez.jcz.fr/.well-known/acme-challenge/sometestfile
Content-Type: text/html; charset=iso-8859-1
$ curl -Ii https://chez.jcz.fr/.well-known/acme-challenge/sometestfile
HTTP/2 200
last-modified: Sat, 04 Feb 2023 18:08:15 GMT
accept-ranges: bytes
content-length: 168
vary: Accept-Encoding,User-Agent
content-language: fr
date: Sun, 05 Feb 2023 19:21:55 GMT
server: Apache

$ nmap -Pn chez.jcz.fr
Starting Nmap 7.80 ( https://nmap.org ) at 2023-02-05 19:22 UTC
Stats: 0:00:06 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 2.00% done; ETC: 19:28 (0:05:43 remaining)
Nmap scan report for chez.jcz.fr (109.16.70.70)
Host is up (0.28s latency).
Other addresses for chez.jcz.fr (not scanned): 2001:470:c94a::100
rDNS record for 109.16.70.70: 70.70.16.109.rev.sfr.net
Not shown: 998 filtered ports
PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https

Nmap done: 1 IP address (1 host up) scanned in 44.03 seconds
1 Like

Presently the Rate Limits seem in force https://tools.letsdebug.net/cert-search?m=domain&q=chez.jcz.fr&d=168

Testing and debugging are best done using the Staging Environment.

Also here is a list of issued certificates crt.sh | chez.jcz.fr the latest being 2023-02-05.

The certificate presently being served looks good https://decoder.link/sslchecker/chez.jcz.fr/443
however connectivity to IPv6 SSL Server Test: chez.jcz.fr (Powered by Qualys SSL Labs) is showing "Unable to connect to the server"

1 Like

I know.
But my main problem is to find a way to create my three certificates: PFX, server key and server crt for Apache 2.4.55.
Any help on this would be appreciated.

Apache has never used .PFX files.

3 Likes

I don't put the PFX certificate in apache, but in the "my" store so that it is available in my Google Chrome browser.
The certificates I use in Apache are the ".pem" ones that Let's Encrypt created.
I already explained everything in my other topic.

This is incorrect.
I don't know where you read that is required.

Since you mention it...
Please be mindful that the responses are coming from volunteers.

2 Likes

Actually, I think that is correct. They are setting up two-way authentication and the client needs to send a cert to the server. Clients dictate what format is needed to send to the server. In Chrome's case I believe it requires pfx.

That said, I am far from expert in two-way but that's what I understand so far.

3 Likes

Maybe also look to a different client as well.

1 Like

I would love to read the requirements on that.
I suspect that there may be a simpler way of handling this...

1 Like

Not exactly requirements here but a pointer Mutual authentication - Wikipedia

So would I !

It starts with Apache SSLVerifyClient require but it is not very helpful sadly

3 Likes

From that Wiki:
As it requires provisioning of the certificates to the clients and involves less user-friendly experience, it's rarely used in end-user applications.

So now, I would really LOVE to hear their specific requirements.
What (problem/security issue) are they trying to overcome?

2 Likes

As would I.

1 Like

[quote=""]
Actually, I think that is correct. They are setting up two-way authentication and the client needs to send a cert to the server. Clients dictate what format is needed to send to the server. In Chrome's case I believe it requires pfx.
That said, I am far from expert in two-way but that's what I understand so far.
[/quote]
You understood well. I'm trying to set up two-way identification.

Me too, because the procedure to create the PFX client certificate is far too complicated to do from the files provided by Let's Encrypt.

With a Let's Encrypt certificate, my site is accessible to everyone.
I want it to be accessible only by those who have my client certificate.
This is for privacy reasons.

2 Likes

@Artemus24 See my response to your other thread on this question

This Apache feature does not work like you expect. See that link

3 Likes

Then you have missed the target.
As implemented, you will allow anyone with any valid certificate to enter your site.

3 Likes
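To make the last two replies concrete, here is an added example (not something posted in this thread, and not win-acme or Apache project code) of the setup they are pointing at: the site keeps its Let's Encrypt certificate for the server side, client certificates are issued by a private CA that only the site owner runs, and Apache is told to trust only that CA for client verification. The working directory, the names "alice" and "stranger", the PFX_PASS variable and the /path/to/letsencrypt/... file names are assumptions; the script needs the openssl command line tool.

```shell
#!/bin/sh
# Added example, not from the thread: a private client CA for Apache mutual TLS.
# The server keeps its Let's Encrypt certificate; clients get certificates from a
# CA that only you control, and Apache is configured to trust only that CA.
set -eu

# Hypothetical working directory; every file below is created here.
WORKDIR="${WORKDIR:-./mtls-demo}"

# Create the private CA (self-signed). Its key is the trust anchor: keep it offline.
make_client_ca() {
  mkdir -p "$WORKDIR"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/CN=Private client CA" \
    -keyout "$WORKDIR/ca.key" -out "$WORKDIR/ca.crt" 2>/dev/null
}

# Issue one client certificate signed by the private CA and bundle it as a PFX
# (PKCS#12) file, which is what a browser's personal certificate store imports.
issue_client_cert() {
  name="$1"
  openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=$name" \
    -keyout "$WORKDIR/$name.key" -out "$WORKDIR/$name.csr" 2>/dev/null
  # Mark the certificate for client authentication only.
  printf 'extendedKeyUsage=clientAuth\n' > "$WORKDIR/client.ext"
  openssl x509 -req -sha256 -days 365 -in "$WORKDIR/$name.csr" \
    -CA "$WORKDIR/ca.crt" -CAkey "$WORKDIR/ca.key" -CAcreateserial \
    -extfile "$WORKDIR/client.ext" -out "$WORKDIR/$name.crt" 2>/dev/null
  openssl pkcs12 -export -inkey "$WORKDIR/$name.key" -in "$WORKDIR/$name.crt" \
    -certfile "$WORKDIR/ca.crt" -passout "pass:${PFX_PASS:-changeit}" \
    -out "$WORKDIR/$name.pfx"
}

# Stand-in for a certificate issued by some other CA (a public one, say):
# valid on its own, but not something this site should accept.
make_unrelated_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=$1" -keyout "$WORKDIR/$1.key" -out "$WORKDIR/$1.crt" 2>/dev/null
}

# Exit status 0 only when the certificate chains to our private CA; this is the
# same decision Apache makes when SSLCACertificateFile points at ca.crt.
verify_against_ca() {
  openssl verify -CAfile "$WORKDIR/ca.crt" "$1" >/dev/null 2>&1
}

# Apache directives for the HTTPS virtual host. The Let's Encrypt paths are placeholders.
apache_mtls_config() {
  cat <<EOF
SSLEngine on
# Server identity: the .pem files the ACME client exported (placeholder paths).
SSLCertificateFile    /path/to/letsencrypt/chez.jcz.fr-chain.pem
SSLCertificateKeyFile /path/to/letsencrypt/chez.jcz.fr-key.pem
# Client identity: require a certificate and trust ONLY the private CA.
# Pointing SSLCACertificateFile at a public CA's certificate would admit anyone
# holding a certificate from that CA, which is the trap the thread describes.
SSLVerifyClient      require
SSLVerifyDepth       1
SSLCACertificateFile $WORKDIR/ca.crt
EOF
}

# Usage (stand-alone): sh this_script.sh demo
if [ "${1:-}" = "demo" ]; then
  make_client_ca
  issue_client_cert alice
  apache_mtls_config
fi
```

The "stranger" certificate is the point of the exercise: it is a perfectly valid certificate, but verify_against_ca rejects it because it does not chain to ca.crt, which is exactly the difference between "a valid certificate" and "my client certificate" that the last reply is making. Import alice.pfx into the browser's personal store, and hand ca.crt (never ca.key) to Apache through SSLCACertificateFile.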