Win-acme: Invalid Response of 403 and 404

wessleym · June 13, 2022, 4:39pm

When I try to use win-acme to renew my certificates, I've started to receive errors that are somehow 403 and 404 at the time (as if that makes any sense). The output below will show what I mean.
I find it strange that I'm not seeing the .well-known directories being made while win-acme is running. That said, I've never seen them made, but win-acme has always worked on every other server and even previously on this server. But now it's as if the .well-known data is not being created, and the request to locate those files fails.
win-acme said I should try Let's Debug, which told me I should try posting on this site. Thank you for helping me!

My domain is: account.lynnimaging.com (wildcard certificate for several other domains as well)

I ran this command: wacs.exe > Run 1 renewal (for wildcard domain)

It produced this output:

 Renewing [IIS] (any site), (any host)
 Cached order has status invalid, discarding
 [account.lynnimaging.com] Authorizing...
 [account.lynnimaging.com] Authorizing using http-01 validation (SelfHosting)
 [account.lynnimaging.com] Authorization result: invalid
 [account.lynnimaging.com] {
  "type": "urn:ietf:params:acme:error:unauthorized",
  "detail": "20.114.189.176: Invalid response from https://account.lynnimaging.com:443/.well-known/acme-challenge/n7iuhpocygban8ucn6qpa0i5bt8zactwavn2keiewz8: 404",
  "status": 403
}
 Renewal for [IIS] (any site), (any host) failed, will retry on next run

(Notice this output shows a 403 and 404 error somehow.)

My web server is (include version): IIS 10

The operating system my web server runs on is (include version): Windows Server 2019

My hosting provider, if applicable, is: None

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is: win-acme 2.1.22.1267

webprofusion · June 13, 2022, 11:52pm

The server that's responding is Apache (not IIS), so self hosting the challenge with win-acme won't work because it can't share port 80. You would need to use the web root method and you would need to allow anonymous http requests to the /.well-known/acme-challenge path of your site.

wessleym · June 14, 2022, 1:13pm

That's insightful. Thank you. But how do you know it's Apache? (I just performed a Web request and inspected the headers, and I do see Server = "Apache.")
We do have some kind of proxy thing that sits "in front" of our Web server, so maybe that thing is messing everything up. Weirdly, we've had it for a while, and I've never seen this problem. I think it's a Sophos product.

webprofusion · June 14, 2022, 1:35pm

I'm just going by the server header. If your proxy is on a different server it still needs to forward the http /.well-known/acme-challenge requests to your actual server running win-acme to port 80 (http).

wessleym · June 28, 2022, 9:42pm

I spoke with server support, and they switched us to file-system validation. That was the only way they were able to get it to work. Thank you for advice!

system · July 28, 2022, 9:43pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.