Using Personal Computer to generate certificate for Windons IIS10

Help
1

Hello Everyone in Let's Encrypt Community Support.

This is my first time trying to get the Certificate from Let's Encrypt.
I am using my personal computer via Powershell to use Certbot.
My domain is running on this company "HiNet虛擬主機 - hiHosting 企業網路架站" and the system is "Windows Server 2019 IIS 10"

My domain is: https://www.legia.com.tw/

I ran this command: certbot certonly --manual -m legia.sylvio@gmail.com -d legia.com.tw

It produced this output:
Saving debug log to C:\Certbot\log\letsencrypt.log
Requesting a certificate for legia.com.tw

Create a file containing just this data:

d5_AJktkqntRnQ1LhEjl3ZCkeHLJgP2UtWN99lRsp6Q.fEdMcTf8hAdbxlTEcQ9ENSBl6OQEEVNgB95bD5GWCQU

And make it available on your web server at this URL:

http://legia.com.tw/.well-known/acme-challenge/d5_AJktkqntRnQ1LhEjl3ZCkeHLJgP2UtWN99lRsp6Q

Press Enter to Continue

Certbot failed to authenticate some domains (authenticator: manual). The Certificate Authority reported these problems:
Domain: legia.com.tw
Type: unauthorized
Detail: Invalid response from http://legia.com.tw/.well-known/acme-challenge/d5_AJktkqntRnQ1LhEjl3ZCkeHLJgP2UtWN99lRsp6Q [203.69.42.31]: "\r\n<html xmlns="http"

Hint: The Certificate Authority failed to verify the manually created challenge files. Ensure that you created these in the correct location.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile C:\Certbot\log\letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version): Windows Server 2019 IIS 10

The operating system my web server runs on is (include version):Windows 10

My hosting provider, if applicable, is: HiNet虛擬主機 - hiHosting 企業網路架站

I can login to a root shell on my machine (yes or no, or I don't know): My hosting provider give me the "IP address", "ID account" and "ID password". So, I don't know that I can login to a root shell or not.

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.22.0

Attached file is the screenshot for the address that I put the challenges.
By the way, when I using Chrome to check the "Sources". Did I put the file address correct or not. However, I can't see the file. Thus I use the web.config to rewrite the address.

Thank you Everyone. If I missed any part of the instructions or any info I can provide, please let me know. Hope I can get the certificate successfully.

I put the screenshot and the Cerbot log file in this page: https://www.legia.com.tw/LetsEncrypt.html

Sincerely,
Sylvio.Chung

5 Likes
2

Is there anyone can give me some suggestions?
Sorry I really need some help.

2 Likes
3

Sorry no one replied. For Windows IIS, clients other than Certbot are easier to use.

You might want to consider a very popular one like Certify The Web. Or, one from this list:

If nothing else you will get better support. Certbot and Windows IIS are not as commonly used and we do not see that often here.

7 Likes
4

Mike thank you so much for your reply. Sorry to trouble the LE community.

I will try certify the web, hope I can get SSL certificate successfully this time. Once again thank you so much.

4 Likes
5

Hi @Sylvio.C
I edited you post above to remove your email address. Wouldn't want you to start getting spam. :wink:

8 Likes
6

Oh sorry that I didn’t notice it.
Jim thank you so much.

4 Likes
7

I have tried to use certify the web. However, I don't have the authority to do the SSH which I checked with the Host provider.

And I found out I put the file name wrongly, so that's why they can't retrieve the file.

This time I have checked the file can be retrieve accurately. But when I press Enter, it showed another failed result.

擷取
擷取1496×472 42.3 KB

Please, give me some hint or advice that I can get the certificate successfully. Thank you.

3 Likes
8

Yes, that error is saying your DNS setup has a problem. Let's Encrypt is looking up the CAA record and getting a SERVFAIL error. You are not required to have a CAA record, but, there should not be a failure looking for it.

I do not know DNS well enough to help you fix it. This website is often helpful to debug DNS problems. I am not certain those problems are causing the CAA failure but might cause other problems. You should discuss this with whoever provides your DNS.
https://dnsviz.net/d/www.legia.com.tw/dnssec/

6 Likes
9

This seems like a mess:

nslookup -q=ns com.tw.
com.tw  nameserver = a.twnic.net.tw
com.tw  nameserver = b.twnic.net.tw
com.tw  nameserver = c.twnic.net.tw
com.tw  nameserver = d.twnic.net.tw
com.tw  nameserver = e.twnic.net.tw
com.tw  nameserver = f.twnic.net.tw
com.tw  nameserver = g.twnic.net.tw
com.tw  nameserver = h.dns.tw
com.tw  nameserver = h.twnic.net.tw
com.tw  nameserver = anytld.apnic.net

nslookup -q=ns legia.com.tw. b.twnic.net.tw.
legia.com.tw    nameserver = ns.idc.hinet.net
legia.com.tw    nameserver = ns2.idc.hinet.net
legia.com.tw    nameserver = ns3.idc.hinet.net

nslookup -q=ns legia.com.tw. ns.idc.hinet.net
legia.com.tw    nameserver = ns.hinetidc.net
legia.com.tw    nameserver = ns1.hinetidc.net
legia.com.tw    nameserver = ns2.hinetidc.net
legia.com.tw    nameserver = ns01.idc.hinet.net
legia.com.tw    nameserver = ns02.idc.hinet.net
legia.com.tw    nameserver = ns03.idc.hinet.net

Although all three names resolve to the same IPs, they are NOT the same name:
ns.hinetidc.net
ns.idc.hinet.net
ns01.idc.hinet.net

[and they don't match the upstream servers' reply]

6 Likes
10

Thank you @MikeMcQ. I will check with my host provider. Hope they can fix up these issue.

So this doesn’t mean that I have try to get the certificate too many attempts. So it caused this error right?

Once again thank you so much.

3 Likes
11

Thank you @rg305.
I will pass this information to my host provider. Hope they can solve this issue. And I can get the certificate successfully.

Thank you for your helping.

3 Likes
12

No, if you make too many attempts you see a different error message. You should get the DNS config fixed up before trying again.

5 Likes
13

Thank you @MikeMcQ. I will wait for my Host provider to fix up this issue.
Hope they can fix this issue as soon as possible.

Thank you so much~

4 Likes
14

Hello @Sylvio, your problem sounded familiar to me... same hosting provider as another person in Taiwan. Checking you domain using https://check-your-website.server-daten.de/?q=legia.com.tw confirmed the same dns problems. There are 9 name servers the company is using. However there is a mismatch between the delegation and the zone. The primary SOA of ns.hinetidc.net is not included in the delegation.

Two of the name servers do not support TCP connections.

And this should be addressed:
Chrome-Connection: info. obsolete connection settings. The connection to this site is encrypted and authenticated using TLS 1.2, RSA, and AES_256_GCM.

7 Likes
15

Good afternoon @JimPas,

Sorry to reply the message late. I have checked with my Host Provider about the DNS issue.

I just told them my domain have a mismatch between the delegation and the zone. And I have no idea what I have the 3 different DNS server. Could you help me to solve the problem? However, they cant understand what I am talking about.

@JimPas would you mind to help me to write down the issue that I encountered in the message? Because I don’t know how to explain to my Host Provider. I am so sorry to trouble you.

@JimPas Thank you so much.:pleading_face:

2 Likes
16

I have checked with my Host Provider. They can’t assist me to fix this issue. But they give me the advice. They can help me to put the TXT for my DNS challenge. It took a long long time.

However, when I use the “ Google Admin Toolbox: Dig (DNS lookup). “ to check if it work or not. It works. So I press “Enter” and hope this time can get my certificate successfully.

Unfortunately, same issue occurs again SERVFAIL.

So I will ask my Host Provider to remove the other DNS tomorrow. Hope this time can work and get the certificate.

image
image1242×2208 86.3 KB

image
image1748×938 261 KB

17

The TXT appears to have been created in the right place.
The problem is that LE can't reach that place because there are DNS issue(s) preventing it:

image
image1007×24 13 KB

I'm not certain what the problem is; I suspect GeoLocation blocking.

I see that unbound can reach the TXT record:
https://unboundtest.com/m/TXT/_acme-challenge.www.legia.com.tw/CDELTSNF
And Let's Debug also finds no issue:
Let's Debug (letsdebug.net)

Maybe someone smarter than I can come along and explain what is going on :frowning:

4 Likes
18

Thank you @rg305. I will let the Host Provider to check for the “ GeoLocation blocking” and ask them to remove the other two domains.

Hope all of the issues was caused by too many DNS server. So they remove the additional DNS server and then we can retrieve our certificate.

Than you for replying @rg305 :laughing:. Wait for my good news.

3 Likes
19

Thank you @rg305 , @JimPas , @MikeMcQ for all of your helping.

Finally I can get the certificate :partying_face::partying_face::partying_face:
I have changed my host provider, and move my DNS server to other service provider. Then I edit the DNS configuration, A record, CNAME, MX and TXT. After changing the configuration and Value, I can get the certificate successfully.

I really really appreciate for this LE community and all your support. Thank you.

5 Likes
20

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.