WinAcme with IIS: Authorization result: invalid

Hello!

Not sure what is different here as we use LE/WinAcme for other sites on this server (as well as on other servers). I appreciate any help figuring this out. It's my first post so please let me know if I've left out pertinent information.

Thanks!

My domain is:
www.brandhesion.com

I ran this command:
Create new cert with default settings (interactive, simple)

It produced this output:
Plugin IIS generated source www.brandhesion.com with 1 identifiers
Plugin Single created 1 order
First chance error calling into ACME server, retrying with new nonce...
Cached order has status invalid, discarding
[www.brandhesion.com] Authorizing...
[www.brandhesion.com] Authorizing using http-01 validation (SelfHosting)
[www.brandhesion.com] Authorization result: invalid
[www.brandhesion.com] {"type":"urn:ietf:params:acme:error:unauthorized","detail":"64.186.50.238: Invalid response from http://www.brandhesion.com/.well-known/acme-challenge/px9RuxS8GQLGM9E7emn7RpTl6vL2rfeMjvr35uAk_ds: 404","status":403,"instance":null}
[www.brandhesion.com] Deactivating pending authorization

My web server is (include version):
IIS (10.0.17763)

The operating system my web server runs on is (include version):
Windows Server 2019 Std. (version 1809)

I can login to a root shell on my machine (yes or no, or I don't know):
Not sure (PS as admin - yes)

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
Not sure (not certbot)

1 Like

Hi @adam_b, and welcome to the LE community forum :slight_smile:

I see online:
Server: Microsoft-IIS/8.5

Is there some other device inline (proxy, etc.)?
Does port 80 reach your IIS 10 server?

3 Likes

Hi @rg305 - thanks for the reply!

There are other sites being run and successfully accessed on that server. So, I know that port's open.

Here's where I got the IIS 10 number from:
[screenshot of the IIS Manager "About" dialog showing version 10.0]

I am our accidental SysAdmin and certainly not an expert in networking, web servers, certificates or any of it. So, I'm happy to confirm configuration settings or answer any questions that will help you help me.

Thanks, again!
-Adam

1 Like

Who handles the routing and NATting?

I saw this from the outside:

curl -Ii http://www.brandhesion.com/
HTTP/1.1 200 OK
Transfer-Encoding: chunked
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/8.5       <<<<<<<<<<<<<<<<<<<<<<<<<<< NOT version 10
Set-Cookie: .AspNetCore.Mvc.CookieTempDataProvider=; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=/; samesite=lax; httponly
X-Powered-By: ASP.NET
Date: Tue, 25 Apr 2023 23:17:05 GMT
4 Likes

As @rg305 says, this version of IIS doesn't match Server 2019; it matches the much older Server 2012 R2, so I suspect you are looking on the wrong server. This would also explain why the validation is failing, as the 2019 server you are on can't present the challenge response if the domain DNS isn't pointing to it.

So the server your domain is pointing to has the IP address 64.186.50.238 and is hosted by US Signal.

If the intent is to set up a new server for this website, you'd need to update DNS first to point to the newer server (new being relative; 2022 would be the current version of Windows Server). You can open a browser on the desktop of the 2019 server and google "My IP address" to see what it seems to be externally.

3 Likes
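The mismatch diagnosed above (validator reaches one host, win-acme runs on another) can be checked before retrying. The Python below is an added example, not code from the thread or from win-acme: it parses the ACME error detail win-acme logged and the curl headers quoted above, and compares them with the addresses and Server header of the machine you are on (those two local values are assumed inputs here).

```python
import json
import re
from urllib.parse import urlparse

# Constructed from the win-acme log line in the thread.
ACME_ERROR = ('{"type":"urn:ietf:params:acme:error:unauthorized",'
              '"detail":"64.186.50.238: Invalid response from '
              'http://www.brandhesion.com/.well-known/acme-challenge/'
              'px9RuxS8GQLGM9E7emn7RpTl6vL2rfeMjvr35uAk_ds: 404",'
              '"status":403,"instance":null}')

# Constructed from the `curl -Ii` output quoted above.
CURL_HEADERS = """HTTP/1.1 200 OK
Transfer-Encoding: chunked
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
"""

# "<ip>: Invalid response from <url>: <status>" as Let's Encrypt phrases it.
DETAIL_RE = re.compile(r"^(?P<ip>.+?): Invalid response from (?P<url>\S+): (?P<code>\d{3})$")


def parse_acme_error(raw):
    """Return (IP the validator connected to, challenge URL, HTTP status)."""
    err = json.loads(raw)
    m = DETAIL_RE.match(err["detail"])
    if not m:
        raise ValueError("unrecognised detail: " + err["detail"])
    return m["ip"], m["url"], int(m["code"])


def server_header(raw_headers):
    """Extract the Server: header value from raw response headers, or None."""
    for line in raw_headers.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":
            return value.strip()
    return None


def diagnose(acme_error, headers, local_public_ips, local_server_header):
    """List reasons the http-01 challenge could not have been answered by this host."""
    ip, url, code = parse_acme_error(acme_error)
    remote = server_header(headers)
    findings = []
    if ip not in local_public_ips:  # DNS points somewhere else
        findings.append(f"{urlparse(url).hostname} resolves to {ip}, not one of this host's public addresses")
    if remote and remote != local_server_header:  # a different web server answered
        findings.append(f"public endpoint answers as {remote!r}, this host runs {local_server_header!r}")
    if code == 404:
        findings.append("challenge file not found on the host that answered")
    return findings
```

Feed it your own public address list (e.g. what "My IP address" shows from that server's desktop) and the Server header your IIS sends; an empty list means the public endpoint really is this machine.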

Well, this is a little embarrassing. You guys are absolutely right! I only took over managing the DNS for this domain yesterday and was operating under some of my own (incorrect!) assumptions instead of checking to confirm.

There is an old (2012 R2) server I didn't realize was still running. Even though the sites had been copied to, and are running on, the new server (from my screenshot), they obviously didn't have the appropriate DNS settings.

Lesson learned. Thanks for your help!

4 Likes
