What IIS settings are needed for certbot?

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: test.missionassist.org.uk

I ran this command: certbot certonly --webroot --test-cert --debug-challenges -w "c:\inetpub\wwwroot"

It produced this output:
Domain: test.missionassist.org.uk
Type: unauthorized
Detail: Invalid response from
http://test.missionassist.org.uk/.well-known/acme-challenge/vrA117AaGVnJP234f5wVSWlmuNf1t0GzUFAvIx0ddEE
[51.104.239.1]: "\r\n<html
xmlns="http"

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
My web server is (include version): IIS on Windows Server 2019

The operating system my web server runs on is (include version): Windows Server 2019

My hosting provider, if applicable, is:
N/A - the server runs under Azure.

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
IIS Manager under Windows Server 2019

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 1.7.0

I have tried various things, but to no avail. --standalone fails with a timeout despite getting a quick response from a web browser running on the local machine. Let’s Debug summary shows:
All OK!

OK

No issues were found with test.missionassist.org.uk. If you are having problems with creating an SSL certificate, please visit the Let’s Encrypt Community forums and post a question there.
However, the verbose information shows things like:
Request to: test.missionassist.org.uk/51.104.239.1, Result: [Address=51.104.239.1,Address Type=IPv4,Server=Microsoft-IIS/10.0,HTTP Status=404], Issue:
Trace:
@0ms: Making a request to http://test.missionassist.org.uk/.well-known/acme-challenge/letsdebug-test (using initial IP 51.104.239.1)
@0ms: Dialing 51.104.239.1

So, what configuration do I need for IIS to work with certbot?


Are you sure that http://test.missionassist.org.uk is correctly configured in IIS?

When I go to it, I see the “iisstart.htm” welcome page. I’m not a Windows user myself, but doesn’t that indicate that you haven’t setup an IIS binding for that domain?

Consequently, the webroot you passed to Certbot would not be correct.


Thanks. The web root in question isn’t the one I intend to use eventually; I switched to it to remove any script errors causing problems. The fact that you see the iisstart.htm indicates that IIS is serving the domain. The problem seems to be accessing the .well-known folder. Is it because IIS doesn’t like serving files without extensions?
http://test.missionassist.org.uk/.well-known/acme-challenge/letsdebug-test gives a 404 error, but

http://test.missionassist.org.uk/.well-known/acme-challenge/letsdebug-test.txt

displays the text file.

Putting this in the acme-challenge web.config removes the 404 error.

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
        <staticContent>
            <mimeMap fileExtension="." mimeType="text/xml" />
        </staticContent>
    </system.webServer>
</configuration>

See https://stackoverflow.com/questions/19950882/iis-how-to-serve-a-file-without-extension

And this appears to solve the problem!


Hi @spalmstr

You have to change that.

Read https://check-your-website.server-daten.de/?q=server-daten.de#comments - part 3 has the sample:

Create a web.config in that directory. Content:

<configuration>
    <system.webServer>
        <staticContent>
            <mimeMap fileExtension="." mimeType="text/plain" />
        </staticContent>
    </system.webServer>
</configuration>

or change your existing web.config.

PS:

And this appears to solve the problem!

Yep, that's always required if IIS is used.

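The two posts above (the web.config that removed the 404, and the reply recommending the text/plain mapping) describe a manual fix plus a manual check. The following PowerShell script is an added example, not code from either poster or from Certbot: it writes that web.config into the acme-challenge directory only (so the extensionless mapping does not widen what the rest of the site serves), drops a constructed test token with no extension, and fetches it over HTTP through the site's own hostname so the request goes through the same IIS binding Let's Encrypt will hit. `$WebRoot` and `$HostName` are placeholders to replace with your own values; the token name is made up for the check.

```powershell
# Added example (not from the thread): provision the ACME HTTP-01 challenge
# directory under an IIS webroot, write the web.config the thread arrives at
# (text/plain mapping for extensionless files, scoped to that directory only),
# then fetch a constructed test token over HTTP to confirm IIS serves it.
# Assumptions: run in an elevated PowerShell on the IIS host; $WebRoot and
# $HostName are placeholders for your own site.
param(
    [string]$WebRoot  = 'C:\inetpub\wwwroot',
    [string]$HostName = 'test.example.com'
)

$challengeDir = Join-Path $WebRoot '.well-known\acme-challenge'
if (-not (Test-Path $challengeDir)) {
    New-Item -ItemType Directory -Path $challengeDir -Force | Out-Null
}

# web.config placed in the challenge directory only, so the extensionless
# MIME mapping applies to nothing else on the site.
$webConfig = @'
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <staticContent>
      <mimeMap fileExtension="." mimeType="text/plain" />
    </staticContent>
  </system.webServer>
</configuration>
'@
Set-Content -Path (Join-Path $challengeDir 'web.config') -Value $webConfig -Encoding UTF8

# Constructed test token (the real one is generated by certbot); extensionless on purpose.
$token     = 'selfcheck-' + [guid]::NewGuid().ToString('N')
$content   = "selfcheck-body-$token"
$tokenPath = Join-Path $challengeDir $token
Set-Content -Path $tokenPath -Value $content -NoNewline -Encoding ASCII

try {
    $url  = "http://$HostName/.well-known/acme-challenge/$token"
    $resp = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 10
    if (($resp.StatusCode -eq 200) -and ($resp.Content -eq $content)) {
        Write-Host "OK: $url served the token (Content-Type: $($resp.Headers['Content-Type']))"
    } else {
        Write-Warning "Unexpected response: status $($resp.StatusCode), body '$($resp.Content)'"
    }
} catch {
    # A 404 here is the symptom from the thread: IIS refusing an extensionless file.
    Write-Warning "Request failed: $($_.Exception.Message)"
} finally {
    # Remove the test token so nothing extra is left in the challenge directory.
    Remove-Item -Path $tokenPath -ErrorAction SilentlyContinue
}
```

Run it once after creating the web.config; if it reports OK, `certbot certonly --webroot -w <webroot>` should pass the HTTP-01 challenge for that hostname, provided the same binding is reachable from the internet on port 80. If it still warns with a 404, the request is reaching a different site or binding than the webroot you passed to Certbot, which is the mismatch the first reply in this thread points at.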
