Win-acme.v2.1.13.978.x64.trimmed fails on Windows Server 2016 / IIS 10

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: remote.psr1.com

I ran this command: wacs.exe

It produced this output: Target generated using plugin IIS: remote.psr1.com

[remote.psr1.com] Authorizing...
[remote.psr1.com] Authorizing using http-01 validation (SelfHosting)
[remote.psr1.com] Authorization result: invalid
[remote.psr1.com] {
"type": "urn:ietf:params:acme:error:unauthorized",
"detail": "Invalid response from http://remote.psr1.com/.well-known/acme-challenge/UiWECCMr3hXxXDCmgnw0mxh6crXba-I6lNgFdAXrmL8 [173.163.87.162]: "\r\n<html xmlns=\"http"",
"status": 403
}

My web server is (include version): IIS 10

The operating system my web server runs on is (include version): Windows Server 2016 Datacenter

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): win-acme.v2.1.13.978.x64.trimmed

I can create a file without an extension and put it in the acme-challenge folder, and I can see the file over the web, but it is still failing.

Server shows:
Server: Microsoft-IIS/7.0
The response above shows 403, which (to me) implies your system is requiring authentication/login.
My response shows 404 (not found).

curl -Iki http://remote.psr1.com/.well-known/acme-challenge/UiWECCMr3hXxXDCmgnw0mxh6crXba-I6lNgFdAXrmL8
HTTP/1.1 404 Not Found
Content-Length: 1245
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Mon, 07 Dec 2020 23:39:19 GMT

I would place a test text file in the expected challenge location to see if that file can indeed be served.

I think your domain is pointing to a different server from the one running win-acme. Clearly, if IIS 7.0 is responding, that's Server 2008, suggesting that you're perhaps trying to migrate to a new server and DNS hasn't been updated yet, so it's trying to do HTTP validation against the old server.


Cloudflare DNS.
www.psr1.com points to the public business site.
email.psr1.com points to 173.163.87.165, port forwarded to ports 80, 443, 25 and other mail protocols
on 192.168.1.7 (Exchange server).
remote.psr1.com points to 173.163.87.162, port forwarded to ports 80 and 443 on 192.168.1.3 for Windows Essentials services on Windows Server 2016 with IIS 10.

I started to use wacs.exe --test --verbose on the 2016 machine. I added the MIME type . text/plain
and still get the following.

I did try this on the Exchange machine, but it was Windows 2008 SP3 32-bit with Exchange 2010 and it killed IIS. I want to get it working on remote cleanly before I migrate Exchange to 2016.

[DBUG] Scanning IIS site bindings for hosts
[VERB] 1 named bindings found in IIS
[DBUG] Filtering by site(s) [1]
[VERB] 1 bindings remaining after site filter
[VERB] No host filter applied
[VERB] 1 matching binding found
[DBUG] Scanning IIS sites
[INFO] Target generated using plugin IIS: remote.psr1.com

[DBUG] Scanning IIS site bindings for hosts
[VERB] 1 named bindings found in IIS
[DBUG] Filtering by site(s) [1]
[VERB] 1 bindings remaining after site filter
[VERB] No host filter applied
[VERB] 1 matching binding found
[DBUG] Scanning IIS sites
[VERB] Targeted convert into 1 order(s)
[VERB] Checking [IIS] Default Web Site, (any host)
[VERB] Handle order 1/1: Main
[VERB] Creating order for hosts: ["remote.psr1.com"]
[DBUG] Send POST request to https://acme-staging-v02.api.letsencrypt.org/acme/new-order
[VERB] Request completed with status Created
[VERB] Order https://acme-staging-v02.api.letsencrypt.org/acme/order/16986674/198826234 created
[DBUG] Send POST request to https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/169408510
[VERB] Request completed with status OK
[VERB] Handle authorization 1/1
[INFO] [remote.psr1.com] Authorizing...
[VERB] [remote.psr1.com] Initial authorization status: pending
[VERB] [remote.psr1.com] Challenge types available: ["http-01", "dns-01", "tls-alpn-01"]
[VERB] [remote.psr1.com] Initial challenge status: pending
[INFO] [remote.psr1.com] Authorizing using http-01 validation (SelfHosting)
[VERB] Starting commit stage
[VERB] Commit was succesful
[DBUG] [remote.psr1.com] Submitting challenge answer
[DBUG] Send POST request to https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/169408510/7C3mMQ
[VERB] Request completed with status OK
[DBUG] Refreshing authorization (1/15)
[DBUG] Send POST request to https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/169408510/7C3mMQ
[VERB] Request completed with status OK
[EROR] [remote.psr1.com] Authorization result: invalid
[EROR] [remote.psr1.com] {
"type": "urn:ietf:params:acme:error:unauthorized",
"detail": "Invalid response from http://remote.psr1.com/.well-known/acme-challenge/KxOZt0-qAJTG8YE5C-Q1oLmYXTX1wElHAVgf09OOW5s [173.163.87.162]: "\r\n<html xmlns=\"http"",
"status": 403
}
[VERB] Starting post-validation cleanup
[VERB] Post-validation cleanup was succesful

Let's try placing a test text file in the expected challenge location.
Unless you have taken some other action, we can start from the document root for:
http://remote.psr1.com/
in that local folder, you need to create a folder and then a sub-folder.
For this example, let's say the document root is: c:\folder1
you have to make a folder there:
mkdir c:\folder1\.well-known
then another in the new one:
mkdir c:\folder1\.well-known\acme-challenge
Now we are ready to create the test text file.
echo "testing" > c:\folder1\.well-known\acme-challenge\test-file-1234

Please only change "folder1" to the actual web root path - leave the folders and file name as shown.

Let me know when that is done, so we can test access to it from the Internet.
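
The test described above, plus the check suggested in the earlier reply that the 404 may be coming from a different server, in one script. This is an added example, not code from the thread, from win-acme or from Let's Encrypt. It assumes Windows PowerShell 5.1 on the IIS 10 machine, C:\inetpub\wwwroot as the Default Web Site root (change it if yours differs), and the host name used in the thread; the web.config it writes maps extensionless files to text/plain in the challenge folder only, which is what the reporter said they added as a MIME type.

```powershell
# Added example (not from the thread, win-acme or Let's Encrypt): create the test
# file from the post above, make IIS serve extensionless files under the
# challenge folder, then fetch the file over http and https and report which
# server answered. Assumptions: Windows PowerShell 5.1 on the IIS 10 box, the
# Default Web Site root C:\inetpub\wwwroot, and the host name from the thread.
param(
    [string]$HostName = 'remote.psr1.com',
    [string]$WebRoot  = 'C:\inetpub\wwwroot',
    [string]$FileName = 'test-file-1234'
)

$challengeDir = Join-Path $WebRoot '.well-known\acme-challenge'
New-Item -ItemType Directory -Path $challengeDir -Force | Out-Null

# Plain ASCII, no BOM, no trailing newline: the shape of a real challenge token.
[System.IO.File]::WriteAllText((Join-Path $challengeDir $FileName), 'testing',
    [System.Text.Encoding]::ASCII)

# A web.config scoped to the challenge folder: clear inherited MIME maps and map
# "no extension" to text/plain so the static file handler serves the token
# instead of answering 404.3 (MIME type restriction). Nothing else lives here.
$webConfig = @'
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <staticContent>
      <clear />
      <mimeMap fileExtension="." mimeType="text/plain" />
    </staticContent>
  </system.webServer>
</configuration>
'@
[System.IO.File]::WriteAllText((Join-Path $challengeDir 'web.config'), $webConfig,
    (New-Object System.Text.UTF8Encoding($false)))

function Get-ProbeResult {
    param([string]$Url)
    # HttpWebRequest with redirects disabled, so the first hop is reported as-is.
    $req = [System.Net.WebRequest]::Create($Url)
    $req.Method = 'GET'
    $req.AllowAutoRedirect = $false
    $req.Timeout = 10000
    $resp = $null
    try {
        $resp = $req.GetResponse()
    } catch {
        # PowerShell wraps .NET exceptions; dig out the WebException, whose
        # Response still carries the status and headers of a 403/404 answer.
        $ex = $_.Exception
        while ($ex -and -not ($ex -is [System.Net.WebException])) { $ex = $ex.InnerException }
        if ($ex) { $resp = $ex.Response }
    }
    if ($null -eq $resp) {
        # Connection refused, timeout or TLS trust failure: no HTTP answer at all.
        return [pscustomobject]@{ Url = $Url; Status = $null; Server = 'no HTTP response'; Body = $null }
    }
    $reader = New-Object System.IO.StreamReader($resp.GetResponseStream())
    $body = $reader.ReadToEnd()
    $reader.Close()
    $result = [pscustomobject]@{
        Url    = $Url
        Status = [int]$resp.StatusCode
        Server = $resp.Headers['Server']
        Body   = $body.Substring(0, [Math]::Min(40, $body.Length))
    }
    $resp.Close()
    return $result
}

# Version of the IIS on this machine, from the registry, in Server-header form.
$inetstp = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\InetStp' -ErrorAction SilentlyContinue
$localIis = 'no IIS installed here'
if ($inetstp) { $localIis = 'Microsoft-IIS/{0}.{1}' -f $inetstp.MajorVersion, $inetstp.MinorVersion }

$addresses = Resolve-DnsName -Name $HostName -Type A -ErrorAction SilentlyContinue |
    Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress }
"DNS A records for ${HostName}: $($addresses -join ', ')"
"Local IIS: $localIis"

# Probe from this machine. Hairpin NAT can make this differ from the Internet
# view, so repeat the two probes from a host outside the LAN as well.
$results = foreach ($scheme in 'http', 'https') {
    Get-ProbeResult -Url ('{0}://{1}/.well-known/acme-challenge/{2}' -f $scheme, $HostName, $FileName)
}
$results | Format-Table -AutoSize

foreach ($r in $results) {
    if ($r.Server -and $r.Server -ne $localIis) {
        "$($r.Url) was answered by '$($r.Server)', not by this machine's ${localIis}: check DNS and port forwarding."
    } elseif ($r.Status -eq 200 -and $r.Body -eq 'testing') {
        "$($r.Url) serves the test file from this machine."
    }
}
```

The Server header comparison is the useful part: a Microsoft-IIS/7.0 answer on port 80 while the registry on this box says IIS 10 means the request never reached this machine, which is exactly the situation the earlier reply describes. Run the same two probes from a host outside the LAN, because a home router's port forwarding often does not apply to connections that originate inside it.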

Below is what I used:

http://remote.psr1.com/
in that local folder, you need to create a folder and then a sub-folder.
For this example, let's say the document root is: c:\folder1
you have to make a folder there:
mkdir C:\inetpub\wwwroot\.well-known
then another in the new one:
mkdir C:\inetpub\wwwroot\.well-known\acme-challenge
Now we are ready to create the test text file.
echo "testing" > C:\inetpub\wwwroot\.well-known\acme-challenge\test-file-1234

Well, that failed :(

curl -Iki http://remote.psr1.com/.well-known/acme-challenge/test-file-1234
HTTP/1.1 404 Not Found
Content-Length: 1245
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Wed, 09 Dec 2020 16:42:53 GMT

You need to troubleshoot that until it does work.
I would start by checking the IIS logs.

From the IIS logs:

#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2020-12-09 11:06:06
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2020-12-09 11:06:06 192.168.1.3 GET /.well-known - 443 - 71.58.151.233 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/86.0.4240.198+Safari/537.36 - 301 0 0 125
2020-12-09 11:06:06 192.168.1.3 GET /.well-known/ - 443 - 71.58.151.233 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/86.0.4240.198+Safari/537.36 - 200 0 0 109
2020-12-09 11:06:08 192.168.1.3 GET /.well-known/acme-challenge/ - 443 - 71.58.151.233 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/86.0.4240.198+Safari/537.36 https://remote.psr1.com/.well-known/ 200 0 0 62
2020-12-09 11:06:08 192.168.1.3 GET /.well-known/acme-challenge/test-file-1234 - 443 - 71.58.151.233 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/86.0.4240.198+Safari/537.36 https://remote.psr1.com/.well-known/acme-challenge/ 200 0 0 78
2020-12-09 11:06:12 192.168.1.3 GET /.well-known/acme-challenge/ - 443 - 71.58.151.233 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/86.0.4240.198+Safari/537.36 https://remote.psr1.com/.well-known/ 200 0 0 78
2020-12-09 11:06:18 192.168.1.3 GET /.well-known/acme-challenge/test-file-1234 - 443 - 71.58.151.233 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/86.0.4240.198+Safari/537.36 https://remote.psr1.com/.well-known/acme-challenge/ 200 0 0 62
2020-12-09 11:06:20 192.168.1.3 GET /.well-known/acme-challenge/ - 443 - 71.58.151.233 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/86.0.4240.198+Safari/537.36 https://remote.psr1.com/.well-known/ 200 0 0 69

From the Windows application logs:

First chance error calling into ACME server, retrying with new nonce...
["remote.psr1.com"] Authorization result: "invalid"
["remote.psr1.com"] "{
"type": "urn:ietf:params:acme:error:unauthorized",
"detail": "Invalid response from http://remote.psr1.com/.well-known/acme-challenge/Noxoe2yhqvhRV8ldHP1RJDgz-9g3XXbqVSf3xaAPk4Q [173.163.87.162]: \"\r\n<html xmlns=\\"http\"",
"status": 403

Those IIS logs only show the 200 connections.
You need to find the 403/404 connections.
Is there an error log file?
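
One way to do the search the reply above asks for, as an added example that is not part of the thread: read the site's W3C logs, keep only requests under /.well-known/, and summarise them by port and status so that 403/404 answers, or the complete absence of port-80 requests, stand out. It assumes Windows PowerShell 5.1 and the default log folder of the Default Web Site (site id 1, C:\inetpub\logs\LogFiles\W3SVC1); adjust the path for another site.

```powershell
# Added example (not from the thread): list every logged request for
# /.well-known/ grouped by port and status, then show the non-200 entries with
# their substatus. Assumes Windows PowerShell 5.1 and the default W3C log folder
# of the Default Web Site (site id 1).
param(
    [string]$LogDir     = 'C:\inetpub\logs\LogFiles\W3SVC1',
    [string]$PathPrefix = '/.well-known/'
)

function Read-IisLog {
    param([string]$Path)
    # W3C extended format: '#Fields:' headers name the columns, data lines are
    # space separated. The field list can change between files, so it is
    # re-read from every header line.
    $fields = $null
    foreach ($line in Get-Content -Path $Path) {
        if ($line.StartsWith('#Fields:')) {
            $fields = $line.Substring(8).Trim() -split ' '
            continue
        }
        if ($line.StartsWith('#') -or -not $fields) { continue }
        $values = $line -split ' '
        if ($values.Count -ne $fields.Count) { continue }   # truncated line, skip
        $row = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }
        [pscustomobject]$row
    }
}

# Note: IIS writes log lines in UTC and flushes them roughly once a minute, so
# a validation attempt made seconds ago may not be in the file yet.
$hits = Get-ChildItem -Path $LogDir -Filter '*.log' |
    Sort-Object LastWriteTime |
    ForEach-Object { Read-IisLog -Path $_.FullName } |
    Where-Object { $_.'cs-uri-stem' -like "$PathPrefix*" }

# Summary: which port saw the challenge requests and what IIS answered.
$hits | Group-Object 's-port', 'sc-status' |
    Select-Object @{n='Port';   e={ $_.Group[0].'s-port' }},
                  @{n='Status'; e={ $_.Group[0].'sc-status' }},
                  Count |
    Sort-Object Port, Status | Format-Table -AutoSize

# Detail for everything that was not a 200. The substatus distinguishes e.g.
# 404.0 (file missing) from 404.3 (MIME type not mapped) and 403.x variants.
$hits | Where-Object { $_.'sc-status' -ne '200' } |
    Select-Object date, time, 's-port', 'c-ip', 'cs-uri-stem', 'sc-status', 'sc-substatus' |
    Format-Table -AutoSize

if (-not ($hits | Where-Object { $_.'s-port' -eq '80' })) {
    "No request for $PathPrefix reached this site on port 80: the http-01 request was answered elsewhere."
}
```

Read the port column first. Entries on 443 only, as in the log excerpt posted above, mean the browser test over HTTPS reached this IIS, while the validator's plain-HTTP request on port 80 was never logged here, so whatever answered it with a 403 or 404 is another server in front of this one.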

The only thing that shows up in the event logs is "type": "urn:ietf:params:acme:error:unauthorized",
"detail": "Invalid response from http://remote.psr1.com/.well-known/acme-challenge/Noxoe2yhqvhRV8ldHP1RJDgz-9g3XXbqVSf3xaAPk4Q [173.163.87.162]: "\r\n<html xmlns=\"http"",
"status": 403
