Using Personal Computer to generate certificate for Windows IIS10

Hello Everyone in Let's Encrypt Community Support.

This is my first time trying to get the Certificate from Let's Encrypt.
I am using my personal computer via PowerShell to use Certbot.
My domain is hosted by this company, "HiNet虛擬主機 - hiHosting 企業網路架站", and the system is "Windows Server 2019 IIS 10".

My domain is: https://www.legia.com.tw/

I ran this command: certbot certonly --manual -m legia.sylvio@gmail.com -d legia.com.tw

It produced this output:
Saving debug log to C:\Certbot\log\letsencrypt.log
Requesting a certificate for legia.com.tw


Create a file containing just this data:

d5_AJktkqntRnQ1LhEjl3ZCkeHLJgP2UtWN99lRsp6Q.fEdMcTf8hAdbxlTEcQ9ENSBl6OQEEVNgB95bD5GWCQU

And make it available on your web server at this URL:

http://legia.com.tw/.well-known/acme-challenge/d5_AJktkqntRnQ1LhEjl3ZCkeHLJgP2UtWN99lRsp6Q


Press Enter to Continue

Certbot failed to authenticate some domains (authenticator: manual). The Certificate Authority reported these problems:
Domain: legia.com.tw
Type: unauthorized
Detail: Invalid response from http://legia.com.tw/.well-known/acme-challenge/d5_AJktkqntRnQ1LhEjl3ZCkeHLJgP2UtWN99lRsp6Q [203.69.42.31]: "\r\n<html xmlns="http"

Hint: The Certificate Authority failed to verify the manually created challenge files. Ensure that you created these in the correct location.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile C:\Certbot\log\letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version): Windows Server 2019 IIS 10

The operating system my web server runs on is (include version): Windows 10

My hosting provider, if applicable, is: HiNet虛擬主機 - hiHosting 企業網路架站

I can login to a root shell on my machine (yes or no, or I don't know): My hosting provider gave me the "IP address", "ID account" and "ID password". So I don't know whether I can log in to a root shell or not.

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.22.0

The attached file is a screenshot of the address where I put the challenge.
By the way, I used Chrome to check the "Sources" to see whether I put the file address correctly or not. However, I can't see the file, so I used web.config to rewrite the address.

Thank you Everyone. If I missed any part of the instructions or any info I can provide, please let me know. Hope I can get the certificate successfully.

I put the screenshot and the Certbot log file on this page: https://www.legia.com.tw/LetsEncrypt.html

Sincerely,
Sylvio.Chung

5 Likes

Is there anyone who can give me some suggestions?
Sorry, I really need some help.

2 Likes

Sorry no one replied. For Windows IIS, clients other than Certbot are easier to use.

You might want to consider a very popular one like Certify The Web. Or, one from this list:

If nothing else you will get better support. Certbot and Windows IIS are not as commonly used and we do not see that often here.

5 Likes

Mike thank you so much for your reply. Sorry to trouble the LE community.

I will try certify the web, hope I can get SSL certificate successfully this time. Once again thank you so much.

4 Likes

Hi @Sylvio.C
I edited your post above to remove your email address. Wouldn't want you to start getting spam. :wink:

4 Likes

Oh sorry that I didn’t notice it.
Jim thank you so much.

4 Likes

I have tried to use Certify The Web. However, I don't have the authority to use SSH, which I checked with the host provider.

And I found out I put the file name wrongly, so that's why they can't retrieve the file.

This time I have checked that the file can be retrieved accurately. But when I press Enter, it shows another failure.

Please, give me some hint or advice that I can get the certificate successfully. Thank you.

3 Likes

Yes, that error is saying your DNS setup has a problem. Let's Encrypt is looking up the CAA record and getting a SERVFAIL error. You are not required to have a CAA record, but, there should not be a failure looking for it.

I do not know DNS well enough to help you fix it. This website is often helpful to debug DNS problems. I am not certain those problems are causing the CAA failure but might cause other problems. You should discuss this with whoever provides your DNS.
https://dnsviz.net/d/www.legia.com.tw/dnssec/

4 Likes

This seems like a mess:

nslookup -q=ns com.tw.
com.tw  nameserver = a.twnic.net.tw
com.tw  nameserver = b.twnic.net.tw
com.tw  nameserver = c.twnic.net.tw
com.tw  nameserver = d.twnic.net.tw
com.tw  nameserver = e.twnic.net.tw
com.tw  nameserver = f.twnic.net.tw
com.tw  nameserver = g.twnic.net.tw
com.tw  nameserver = h.dns.tw
com.tw  nameserver = h.twnic.net.tw
com.tw  nameserver = anytld.apnic.net
nslookup -q=ns legia.com.tw. b.twnic.net.tw.
legia.com.tw    nameserver = ns.idc.hinet.net
legia.com.tw    nameserver = ns2.idc.hinet.net
legia.com.tw    nameserver = ns3.idc.hinet.net
nslookup -q=ns legia.com.tw. ns.idc.hinet.net
legia.com.tw    nameserver = ns.hinetidc.net
legia.com.tw    nameserver = ns1.hinetidc.net
legia.com.tw    nameserver = ns2.hinetidc.net
legia.com.tw    nameserver = ns01.idc.hinet.net
legia.com.tw    nameserver = ns02.idc.hinet.net
legia.com.tw    nameserver = ns03.idc.hinet.net

Although all three names resolve to the same IPs, they are NOT the same name:
ns.hinetidc.net
ns.idc.hinet.net
ns01.idc.hinet.net

[and they don't match the upstream servers' reply]

4 Likes
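The delegation/zone mismatch rg305 describes above, as an added check that is not part of the thread: a Python script that compares the NS set the parent (b.twnic.net.tw) returns with the NS set the zone's own server (ns.idc.hinet.net) returns, both copied from the nslookup output, and also tests whether the SOA primary ns.hinetidc.net mentioned in the thread appears in the delegation. The record sets are embedded constants, so it runs offline; a live check would replace them with real queries.

```python
# Added example, not from the thread: compares the NS set a parent (TLD)
# server hands out for a delegation with the NS set the child's own server
# publishes for the zone. The record sets are the ones quoted in the
# nslookup output above, embedded as constants so this runs offline; a
# live check would replace them with real queries.

# NS names for legia.com.tw as answered by b.twnic.net.tw (the parent)
DELEGATION_NS = ["ns.idc.hinet.net", "ns2.idc.hinet.net", "ns3.idc.hinet.net"]

# NS names for legia.com.tw as answered by ns.idc.hinet.net (the zone itself)
ZONE_NS = [
    "ns.hinetidc.net", "ns1.hinetidc.net", "ns2.hinetidc.net",
    "ns01.idc.hinet.net", "ns02.idc.hinet.net", "ns03.idc.hinet.net",
]


def normalize(name: str) -> str:
    """DNS names compare case-insensitively, with or without a trailing dot."""
    return name.rstrip(".").lower()


def compare_delegation(parent_ns, child_ns):
    """Report which NS names appear only at the parent, only in the child
    zone, or in both. A healthy zone has both 'only' lists empty; anything
    else is the delegation/zone mismatch a validating resolver can choke on,
    even when the differing names happen to resolve to the same addresses."""
    parent = {normalize(n) for n in parent_ns}
    child = {normalize(n) for n in child_ns}
    return {
        "consistent": parent == child,
        "parent_only": sorted(parent - child),
        "child_only": sorted(child - parent),
        "in_both": sorted(parent & child),
    }


def soa_primary_delegated(soa_mname: str, parent_ns) -> bool:
    """The SOA MNAME (primary master) should itself be one of the delegated
    name servers; the thread notes ns.hinetidc.net is not."""
    return normalize(soa_mname) in {normalize(n) for n in parent_ns}


if __name__ == "__main__":
    report = compare_delegation(DELEGATION_NS, ZONE_NS)
    for key, value in report.items():
        print(f"{key}: {value}")
    print("SOA primary delegated:",
          soa_primary_delegated("ns.hinetidc.net", DELEGATION_NS))
```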

Thank you @MikeMcQ. I will check with my host provider. Hope they can fix these issues.

So this doesn't mean that I tried to get the certificate too many times and that caused this error, right?

Once again thank you so much.

3 Likes

Thank you @rg305.
I will pass this information to my host provider. Hope they can solve this issue. And I can get the certificate successfully.

Thank you for your help.

3 Likes

No, if you make too many attempts you see a different error message. You should get the DNS config fixed up before trying again.

3 Likes

Thank you @MikeMcQ. I will wait for my host provider to fix this issue.
Hope they can fix it as soon as possible.

Thank you so much~

4 Likes

Hello @Sylvio, your problem sounded familiar to me... same hosting provider as another person in Taiwan. Checking your domain using https://check-your-website.server-daten.de/?q=legia.com.tw confirmed the same DNS problems. There are 9 name servers the company is using. However, there is a mismatch between the delegation and the zone. The primary SOA of ns.hinetidc.net is not included in the delegation.

Two of the name servers do not support TCP connections.

And this should be addressed:
Chrome-Connection: info. obsolete connection settings. The connection to this site is encrypted and authenticated using TLS 1.2, RSA, and AES_256_GCM.

4 Likes

Good afternoon @JimPas,

Sorry for replying late. I have checked with my host provider about the DNS issue.

I just told them: "My domain has a mismatch between the delegation and the zone, and I have no idea why I have 3 different DNS servers. Could you help me to solve the problem?" However, they can't understand what I am talking about.

@JimPas, would you mind helping me write down the issue I encountered in a message? I don't know how to explain it to my host provider. I am so sorry to trouble you.

@JimPas Thank you so much. :pleading_face:

2 Likes

I have checked with my host provider. They can't assist me in fixing this issue, but they gave me some advice: they can help me put the TXT record for my DNS challenge. It took a long, long time.

When I used the "Google Admin Toolbox: Dig (DNS lookup)" to check whether it works or not, it works. So I pressed "Enter" and hoped this time I could get my certificate successfully.

Unfortunately, the same issue occurred again: SERVFAIL.

So I will ask my host provider to remove the other DNS servers tomorrow. Hope this time it can work and I can get the certificate.

The TXT appears to have been created in the right place.
The problem is that LE can't reach that place because there are DNS issue(s) preventing it:

I'm not certain what the problem is; I suspect GeoLocation blocking.

I see that unbound can reach the TXT record:
https://unboundtest.com/m/TXT/_acme-challenge.www.legia.com.tw/CDELTSNF
And Let's Debug also finds no issue:
Let's Debug (letsdebug.net)

Maybe someone smarter than I can come along and explain what is going on :frowning:

3 Likes

Thank you @rg305. I will ask the host provider to check for "GeoLocation blocking" and ask them to remove the other two domains.

Hopefully all of the issues were caused by too many DNS servers, so once they remove the additional DNS servers we can retrieve our certificate.

Thank you for replying @rg305 :laughing:. Wait for my good news.

2 Likes