Validation failed using Certify The Web

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: uofplannedgifts.org

I ran this command:

Ran the 'Request Certificate' in the Let's Encrypt UI

It produced this output:

Validation of the required challenges did not completed successfully. Domain validation failed: uofplannedgifts.org

Invalid response from HTTP://uoflplannedgifts.org/.well-known/acme-challenge/Wg0enw4001rGRoLF49_U0OpsX4rtCj39MJaX1CxhcZ4: 404 Forbidden urn:ietf:params:acme:error:unauthorized

My web server is (include version): IIS 10

The operating system my web server runs on is (include version): Windows Server 2019

I can login to a root shell on my machine (yes or no, or I don't know): I don't know

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

Certify The Web

I'm using the CertifyTheWeb GUI. The process is supposed to be automated and works for other domains when I run it, but this error on this domain is preventing me from renewing the certificate.


Hi @eli-igx, and welcome to the LE community forum :slight_smile:

I see a name change / TYPO.


Hi, I'm the developer of Certify The Web. So it looks like you are trying to get a cert for uoflplannedgifts.org, can you please clarify if the typo uofplannedgifts.org is also intended to be included in your certificate? If so it needs to be a real domain that points to the same server (so the app can respond for both variants of the domain).

Let's Encrypt will take the list of domains you say you want on your cert and expect you to provide an http response on each domain; if you can't do that, validation fails and then you don't get a cert.

I recommend setting a hostname on your existing http bindings in IIS so that the app can pick those up and automatically identify the domains to include on your cert; that way you don't get typos.

I note also that your server currently responds with the cert for a different website - make sure you are not defining a binding anywhere that specifically binds your server IP to a given cert, as that will take priority over SNI (server name indication) bindings. IIS often nags you to create a "Default" SSL binding, but don't do it unless you specifically need it as it's arguably better for your site to have no cert/https configured than to have it wrongly configured. In general don't use non-SNI (or empty hostname) bindings unless you have a very specific reason and completely understand the implications.

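As an added example (not code from Certify The Web or from the post above), this PowerShell audit lists the two binding problems the developer describes: http bindings with no hostname (so the app cannot derive the domains for the cert) and https bindings without SNI or without a hostname (an IP-bound cert that takes priority over SNI bindings). It assumes the IIS WebAdministration module is available and is run in an elevated shell on the server; the finding texts are my own wording.

```powershell
# Added example: audit IIS bindings for the renewal problems discussed above.
# Assumes the WebAdministration module (ships with IIS) and an elevated shell.
Import-Module WebAdministration

function Get-BindingAudit {
    # Returns one record per site binding, with a Findings column for anything
    # that would interfere with hostname-based (SNI) certificate handling.
    foreach ($site in Get-Website) {
        foreach ($b in Get-WebBinding -Name $site.Name) {
            # bindingInformation is "ip:port:hostname", e.g. "*:443:uoflplannedgifts.org".
            # The greedy first group keeps bracketed IPv6 addresses intact.
            $ip = $port = $hostname = ''
            if ($b.bindingInformation -match '^(.*):(\d+):(.*)$') {
                $ip, $port, $hostname = $Matches[1], $Matches[2], $Matches[3]
            }
            $findings = @()
            if ($b.protocol -eq 'http' -and [string]::IsNullOrEmpty($hostname)) {
                # Without a host header the app cannot tell which domains this site serves.
                $findings += 'http binding without hostname'
            }
            if ($b.protocol -eq 'https') {
                # sslFlags bit 1 = SNI (Server Name Indication) required for this binding.
                $sni = ($b.sslFlags -band 1) -ne 0
                if (-not $sni -or [string]::IsNullOrEmpty($hostname)) {
                    # An IP-bound certificate is served before any SNI binding is consulted.
                    $findings += 'non-SNI https binding (IP-bound cert overrides SNI bindings)'
                }
            }
            [pscustomobject]@{
                Site     = $site.Name
                Protocol = $b.protocol
                IP       = $ip
                Port     = $port
                Hostname = $hostname
                Findings = ($findings -join '; ')
            }
        }
    }
}

# Show only bindings with a finding; an empty table means nothing to fix here.
Get-BindingAudit | Where-Object Findings | Format-Table -AutoSize
```

A binding that appears here for port 443 with an empty Hostname is the "Default" SSL binding the post warns about; give it a hostname and SNI, or remove it if it is not needed.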

Hello!

The domain in question is https://uoflplannedgifts.org/ and you are correct that uofplannedgifts.org was a typo.

Thank you for the insight! I'll review the provided information with my web server and hopefully resolve the issue.


Looks like I got past the initial error for this domain (and others) but now I'm receiving the following across

The ACME CA service did not issue a valid certificate in the time allowed. Failed to finalize certificate order: Error finalizing order :: While processing CAA for uoflplannedgifts.org - the domain's nameservers may be malfunctioning

Other domains exhibiting same behavior: plannedgiving.scottishriteforchildren.org & plannedgiving.biglife.org

Update: After numerous retries requesting certificate attempts in the Let's encrypt, it was finally renewed successfully.

Any additional insight to this error would still be beneficial for my future knowledge :slight_smile:

There's the possibility something temporarily went wrong on the Let's Encrypt side, especially as these domains are on different nameservers/DNS hosts.

