Validation did not complete successfully

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: rhgw.redhammer.it

I ran this command:

It produced this output:

2021-01-04 13:13:39.573 -10:00 [INF] ---- Beginning Request [Default Web Site] ----
2021-01-04 13:13:39.574 -10:00 [INF] Certify/5.2.1.0 (Windows; Microsoft Windows NT 10.0.17763.0) 
2021-01-04 13:13:39.577 -10:00 [INF] Beginning Certificate Request Process: Default Web Site using ACME Provider:Certes
2021-01-04 13:13:39.577 -10:00 [INF] Requested domains to include on certificate: rhgw.redhammer.it
2021-01-04 13:13:39.577 -10:00 [INF] Beginning certificate order for requested domains
2021-01-04 13:13:39.578 -10:00 [INF] BeginCertificateOrder: creating/retrieving order. Retries remaining:2 
2021-01-04 13:13:40.783 -10:00 [INF] Created ACME Order: https://acme-v02.api.letsencrypt.org/acme/order/97523421/7127571580
2021-01-04 13:13:40.966 -10:00 [INF] Fetching Authorizations.
2021-01-04 13:13:41.883 -10:00 [INF] Got http-01 challenge https://acme-v02.api.letsencrypt.org/acme/chall-v3/9823547903/UhHlIA
2021-01-04 13:13:42.247 -10:00 [INF] Got dns-01 challenge https://acme-v02.api.letsencrypt.org/acme/chall-v3/9823547903/-QXu2A
2021-01-04 13:13:43.569 -10:00 [INF] Http Challenge Server process available.
2021-01-04 13:13:43.569 -10:00 [INF] Attempting Domain Validation: rhgw.redhammer.it
2021-01-04 13:13:43.569 -10:00 [INF] Registering and Validating rhgw.redhammer.it 
2021-01-04 13:13:43.569 -10:00 [INF] Performing automated challenge responses (rhgw.redhammer.it)
2021-01-04 13:13:43.569 -10:00 [INF] Preparing challenge response for the issuing Certificate Authority to check at: http://rhgw.redhammer.it/.well-known/acme-challenge/9Yg9p7-lCb-wdNVHUVqbFBLgx6RLvQXnddidmSDsplk with content 9Yg9p7-lCb-wdNVHUVqbFBLgx6RLvQXnddidmSDsplk.m8-GEjpK0gQ1rE3Ftnu0T5ILieFLerFTeJUYC0_ca-c
2021-01-04 13:13:43.570 -10:00 [INF] If the challenge response file is not accessible at this exact URL the validation will fail and a certificate will not be issued.
2021-01-04 13:13:43.609 -10:00 [INF] Using website path C:\inetpub\wwwroot
2021-01-04 13:13:43.610 -10:00 [INF] Checking URL is accessible: http://rhgw.redhammer.it/.well-known/acme-challenge/9Yg9p7-lCb-wdNVHUVqbFBLgx6RLvQXnddidmSDsplk [proxyAPI: True, timeout: 5000ms]
2021-01-04 13:13:45.427 -10:00 [INF] (proxy api) URL is not accessible. Result: [404] Resource not accessible, Timeout or Redirected
2021-01-04 13:13:45.428 -10:00 [INF] Checking URL is accessible: http://rhgw.redhammer.it/.well-known/acme-challenge/9Yg9p7-lCb-wdNVHUVqbFBLgx6RLvQXnddidmSDsplk [proxyAPI: False, timeout: 5000ms]
2021-01-04 13:13:45.554 -10:00 [INF] (local check) URL is accessible. Check passed. HTTP OK
2021-01-04 13:13:45.554 -10:00 [INF] Requesting Validation: rhgw.redhammer.it
2021-01-04 13:13:45.559 -10:00 [INF] Attempting Challenge Response Validation for Domain: rhgw.redhammer.it
2021-01-04 13:13:45.559 -10:00 [INF] Registering and Validating rhgw.redhammer.it 
2021-01-04 13:13:45.559 -10:00 [INF] Checking automated challenge response for Domain: rhgw.redhammer.it
2021-01-04 13:13:45.825 -10:00 [WRN] Challenge response validation still pending. Re-checking [10]..
2021-01-04 13:13:47.506 -10:00 [INF] Invalid response from http://rhgw.redhammer.it/.well-known/acme-challenge/9Yg9p7-lCb-wdNVHUVqbFBLgx6RLvQXnddidmSDsplk [173.227.179.205]: "<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Strict//EN\" \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd\">\r\n<html xmlns=\"http"
2021-01-04 13:13:48.714 -10:00 [INF] Validation of the required challenges did not complete successfully. Invalid response from http://rhgw.redhammer.it/.well-known/acme-challenge/9Yg9p7-lCb-wdNVHUVqbFBLgx6RLvQXnddidmSDsplk [173.227.179.205]: "<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Strict//EN\" \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd\">\r\n<html xmlns=\"http"
2021-01-04 13:13:48.714 -10:00 [INF] Validation of the required challenges did not complete successfully. Invalid response from http://rhgw.redhammer.it/.well-known/acme-challenge/9Yg9p7-lCb-wdNVHUVqbFBLgx6RLvQXnddidmSDsplk [173.227.179.205]: "<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Strict//EN\" \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd\">\r\n<html xmlns=\"http"
2021-01-04 13:13:48.714 -10:00 [INF] Validation of the required challenges did not complete successfully. Invalid response from http://rhgw.redhammer.it/.well-known/acme-challenge/9Yg9p7-lCb-wdNVHUVqbFBLgx6RLvQXnddidmSDsplk [173.227.179.205]: "<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Strict//EN\" \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd\">\r\n<html xmlns=\"http"

My web server is (include version): IIS

The operating system my web server runs on is (include version): Windows Server 2019

My hosting provider, if applicable, is: GoDaddy

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): Certify the Web 5.2.1.0

Trying to request a certificate and got the error above. This server is a Remote Desktop gateway using Windows Server 2019. Not sure how to resolve the issue. Ports 80 and 443 are both open.

Thanks
TECH-JEFF

1 Like

Hi @TECH-JEFF,

If you create a file called test at

C:\inetpub\wwwroot\test

can you see its contents on http://rhgw.redhammer.it/test?

If so, if you now create a file called test2 at

C:\inetpub\wwwroot\.well-known\acme-challenge\test

can you see its contents on http://rhgw.redhammer.it/.well-known/acme-challenge/test?

If not, does either or both work if you instead use the name test.txt (in both the local filename and the URL) instead of just test?

1 Like

I think, I should've given more detailed info and i do apologize for the incomplete info.

So I recently setup 2 RD Gateways both added to server farm in RD Gateway manager. Also setup Microsoft NLB(Network Load balancer).

RDGW1 - Server 2019

IP: 192.168.2.15

Public IP: 10.10.10.15

RDGW2 - Server 2019

IP: 192.168.2.16

Public IP: 10.10.10.16

CDN - Cluster domain name

IP: 192.168.2.17

Public IP: 10.10.10.17

In order to complete this setup, used LetsEncrypt to add cert for the cluster domain CDN.domain.com but obviously since the cluster domain is not a physical server, certificates should reside on the physical servers RDGW1 and RDGW2.

Installed both with CertifytheWeb tool and I was able to generate the certificate on RDGW1 but not on RDGW2 showing a validation of the required challenges did not complete successfully, invalid response...

So what I did was just to make it work, since I was able to successfully generate the certificate on RDGW1, I export the cert and import it to RDGW2. but the issue is after every 3 months LetsEncrypt will auto renew for RDGW1 and most probably RDGW2 cert will expire and I had to export/import the renewed cert from RDGW1 to RDGW2. My assumption is you really can't generate a cert from RDGW2 because LetsEncrypt already detected an existing. Is there a workaround for RDGW2 to be auto renewed for the cert?

1 Like

If you certify and terminate SSL/TLS at the load balancer instead of the workers, you will probably have better fortunes.

I'm going to loop-in someone to assist here...

@webprofusion

Hi, if you are load balancing your http validation will fail unless the correct server happens to be the one the load balancer directs traffic to. You either need to either only perform http validation on your load balancer (so it's the one responding to validation requests) or use DNS validation (either one of the supported DNS providers or acme-dns) to perform your domain validation - this can be on your servers on on a separate machine.

Once you have your cert you should then use Central Certificate Store (CCS) deployment task as the most commonly supported way of sharing certificates between Microsoft servers, or you should script the deployment to each server as a deployment task in Certify.

Getting and using a certificate are two different jobs:

  • order the certificate from Let's Encrypt then participate in the domain validation to prove you're entitled to the cert, then get a cert. This happens for every renewal. This is the primary function of Certify.
  • Once you have a cert it needs to be deployed to each server that needs it, in your case it's at least the load balancer that needs to have the cert, whether the instances each need the cert is up to you but I imagine your load balancer uses the servers internal names, not the main public name. So if each instance will have it's own cert then probably each instance should validate their own cert.
2 Likes

Note that even if you haven't purchased support for Certify you can still ask questions on our support community: https://community.certifytheweb.com/

2 Likes

Thanks, as always, @webprofusion. :slightly_smiling_face:

1 Like

I'll try to use dns validation and see how it goes.

Thanks for the inputs, have a good night
TECH-JEFF

1 Like