Unifi and Let's Encrypt Error with Certify The Web

My domain is redacted.ddns.net. I used the latest Certify The Web app; however, the following error appears:
"Validation of the required challenges did not complete successfully. Domain validation failed: redacted.ddns.net
Invalid response from http://redacted.ddns.net/.well-known/acme-challenge/MUK6tnu70MEUMz7_4R16ZtKmerc-H36gtTkYAUZC4Qw [177.23.139.162]"

But in the test (app and Let's Debug) everything is OK. (I need a cert for Unifi.)

I made this guide: https://community.ui.com/questions/GUIDE-Lets-Encrypt-on-Windows-Unifi-Controller/d180534e-4a5e-4e24-b14f-9c263ecc990a

Note: on another network everything was OK.

Help me?
Sorry for my bad English.


Hi, you can get Certify specific support over at https://community.certifytheweb.com but happy to help here.

With http validation (the default) the machine running Certify The Web needs to be the same machine that's responding to the Let's Encrypt http validation (so that the app can provide the http validation response).

What is 177.23.139.162 - is it your server, a firewall, a router etc?


If it's a router etc, where does it forward port 80 traffic to?


Your Unifi guide is cool, but it used DNS validation and you're currently trying to use http validation instead (did you mean to use DNS validation instead?).

Regarding your guide, the extra steps to convert the pfx into a format that unifi likes are probably not entirely necessary; you most likely just need to set a password on the default pfx the app produces (Certificate > Advanced > Signing & Security). You may also want to set the "preferred chain" to ISRG Root X (Certificate > Advanced > Certificate Authority) so that your PFX contains the correct chain.


Yep, plus 443 (https), 8080 and 8443.

DNS validation doesn't work because I'm using a "noip" domain and the CNAME doesn't exist.

The steps in this guide work on another client. :frowning:

By "client" do you mean this works with another "ACME Client" or a different customer?

When you perform http validation using Certify The Web, by default it starts up its own http challenge listener on port 80, sitting in front of IIS (this does not work if you are using a different webserver such as Apache or nginx because these do not support port sharing).

What is the result of clicking "Test" in the app?


It's a router: Unifi USG. I forwarded ports 80, 443, 8080 and 8443 to 192.168.0.200 (unifi controller). The router internal address is 192.168.0.254.

Different customer. Sorry.

All tests Completed Ok
Application Pool: Configuration Override Enabled
Http Challenge Server process available.
Verified URL is accessible: http://redacted.ddns.net/.well-known/acme-challenge/configcheck

Great, so http://redacted.ddns.net/.well-known/acme-challenge/configcheck is a URL that becomes active during Test.

You can try this URL on your phone using your mobile data (so that you're accessing from an external network, not corporate WiFi etc).

Normally this will return a 404 or other page not found type result, but during Test it will resolve to 'OK'.

If during 'Test' it still does not resolve to OK then it would appear that port 80 is being forwarded to the wrong server [http via port 80 must reach your machine running Certify The Web, nothing else]. Once you have this resolving to OK during test from the public internet, http challenges will work.

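As an added illustration of the check described in the reply above (this is not code from the thread or from Certify The Web), the script below does from a scripted external vantage point what the reply suggests doing from a phone on mobile data: it resolves the hostname, fetches the configcheck URL over plain HTTP on port 80, and reports whether the ACME challenge listener answered "OK", whether some other web server answered (the thread's NVR case), or whether nothing on port 80 answered at all. The hostname `redacted.ddns.net` is the thread's placeholder, and the response classification rules are my own assumptions about what each outcome means.

```python
"""Probe the HTTP-01 configcheck path and report which device answered on port 80.

Added example (not from the forum thread or from Certify The Web). Run it from a
network outside the site being diagnosed, while 'Test' is active in the app.
"""
import socket
import sys
import urllib.error
import urllib.request

# Path that Certify The Web's challenge listener serves during 'Test' (from the thread).
CHALLENGE_PATH = "/.well-known/acme-challenge/configcheck"


def resolve_host(hostname):
    """Return the sorted IPv4 addresses the name resolves to from this vantage point."""
    infos = socket.getaddrinfo(hostname, 80, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def classify_response(status, server_header, body):
    """Map a raw port-80 answer to a diagnosis string (assumed classification rules).

    status        - HTTP status code, or None when no HTTP answer came back at all
    server_header - value of the Server: response header ('' if absent)
    body          - decoded response body
    """
    if status is None:
        return "no-answer: port 80 is not reaching any listener (blocked, or no port forward)"
    if status == 200 and body.strip() == "OK":
        return "ok: the ACME http challenge listener answered; http validation should work"
    if status == 404:
        return "not-found: a web server answered but the challenge listener is not active (is 'Test' running, or is port 80 forwarded to a different host?)"
    return f"other-device: an unexpected listener answered (HTTP {status}, Server: {server_header or 'unknown'}); port 80 is reaching something other than the Certify machine"


def probe(hostname, timeout=5):
    """Fetch the configcheck URL over plain HTTP and classify the answer."""
    url = f"http://{hostname}{CHALLENGE_PATH}"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", "replace")
            return classify_response(resp.status, resp.headers.get("Server", ""), body)
    except urllib.error.HTTPError as err:
        # Non-2xx answers still tell us which device is listening on port 80.
        body = err.read().decode("utf-8", "replace")
        return classify_response(err.code, err.headers.get("Server", ""), body)
    except (urllib.error.URLError, socket.timeout, OSError):
        return classify_response(None, "", "")


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "redacted.ddns.net"  # placeholder host
    print("resolves to:", resolve_host(host))
    print(probe(host))
```

Compare the printed address with what your dynamic DNS record should point at; if the resolved address is right but the answer is classified as "other-device", the Server header usually names the appliance that is intercepting port 80 ahead of the router's forward, which is exactly what the NVR in this thread was doing.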

SOLVED!
It was an NVR that had port 80 enabled and strangely "walked over" the router. I changed its port to 8001 and that solved it!

You can lock the topic. Note: I know this can help other people, but wouldn't it be interesting to delete the address in the posts above or mask it to avoid problems for my customer?


Now that the problem is solved, I edited the posts to change the subdomain to the word "redacted". I hope that's helpful.

(For future posters, providing the real hostname is very helpful for debugging, because people on the forum will run live tests on your domain in order to diagnose problems for you. If you don't provide the real domain name initially, they won't be able to do so.)

