Windows installation - issue at step 5

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: btaliyun.com

I ran this command: certbot certonly --standalone

It produced this output:
C:\Users\Administrator>certbot certonly --standalone
Saving debug log to C:\Certbot\log\letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Please enter in your domain name(s) (comma and/or space separated) (Enter 'c'
to cancel): btaliyun.com
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for btaliyun.com
Waiting for verification…
Challenge failed for domain btaliyun.com
http-01 challenge for btaliyun.com
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:
 - The following errors were reported by the server:

Domain: btaliyun.com
Type: dns
Detail: DNS problem: NXDOMAIN looking up A for btaliyun.com - check
that a DNS record exists for this domain

My web server is (include version): IIS

The operating system my web server runs on is (include version): Windows Server 2019

My hosting provider, if applicable, is: Alibaba Cloud

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): yes

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
certbot --version
certbot 1.7.0

Hi @boteta,

It looks like this domain is not registered at all. You can only get publicly-trusted certificates for domain names that you already own.

Hi, latest error below. Any advice? Thanks in advance.

certbot certonly --webroot
Saving debug log to C:\Certbot\log\letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Please enter in your domain name(s) (comma and/or space separated) (Enter 'c'
to cancel): btali.tk
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for btali.tk
Input the webroot for btali.tk: (Enter 'c' to cancel): C:\inetpub\wwwroot
Waiting for verification…
Challenge failed for domain btali.tk
http-01 challenge for btali.tk
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:
 - The following errors were reported by the server:

Domain: btali.tk
Type: unauthorized
Detail: Invalid response from
http://btali.tk/.well-known/acme-challenge/CFIdyTZMRVCcvtFnON55HOX8timb5k4Kug2cmwKd3m4
[161.117.252.66]: "\r\n<html
xmlns="http"

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.

It looks like your hosting provider is not connected to your site’s IP address. What is your hosting provider?

Hi, I got the free domain from my.freenom.com. I did an nslookup and opened btali.tk in a browser, and it works. Thus, I am guessing it may be some config in certbot.

Is 161.117.252.66 the IP address of your Windows server on Alibaba Cloud?

When I visit btali.tk in the browser, I don’t see the usual Server response header sent by IIS servers, which is unusual.

Is the "Hello Alibaba Cloud" page I see in your browser in your wwwroot?

Hi,

161.117.252.66 is my server load balancer that points to my Windows server VM (161.117.249.237).

Yes, the "Hello Alibaba Cloud" page is in my wwwroot.

That’s probably fine.

You might have to tell IIS to allow extensionless files. In C:\inetpub\wwwroot\.well-known\acme-challenge\, create web.config:

<?xml version="1.0" encoding="UTF-8"?>
 <configuration>
     <system.webServer>
         <staticContent>
             <mimeMap fileExtension=".*" mimeType="text/plain" />
         </staticContent>
     </system.webServer>
 </configuration>

Try creating a test file in there as well, and see whether you can access it from the browser.
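The test-file check suggested above can be scripted. This is an added example, not part of the original thread or of Certbot; the function name `check_webroot` and its arguments are assumptions. It writes a throwaway extensionless file under the challenge path and fetches it through the public URL (so the request also passes through any load balancer), separating a refused file from a wrong page and from an unreachable host.

```python
import secrets
import sys
import urllib.error
import urllib.request
from pathlib import Path

CHALLENGE_DIR = Path(".well-known") / "acme-challenge"


def check_webroot(webroot, base_url, timeout=10):
    """Return (ok, detail); ok is True only if the probe file comes back unchanged."""
    # Extensionless name, like a real http-01 token, so the IIS MIME rule is exercised.
    token = secrets.token_urlsafe(32)
    folder = Path(webroot) / CHALLENGE_DIR
    folder.mkdir(parents=True, exist_ok=True)
    probe = folder / token
    probe.write_text(token, encoding="ascii")
    url = f"{base_url.rstrip('/')}/.well-known/acme-challenge/{token}"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read(4096).decode("utf-8", "replace")
    except urllib.error.HTTPError as exc:
        # Typical when the server will not serve files without an extension,
        # or when the webroot given is not the directory the site serves.
        return False, f"HTTP {exc.code} from {url}: the server did not serve the file"
    except (urllib.error.URLError, OSError) as exc:
        return False, f"could not reach {url}: {exc}"
    finally:
        probe.unlink()  # never leave probe files in the webroot
    if body.strip() != token:
        # A 200 response with other content, e.g. an HTML page from another site.
        return False, f"unexpected body starting {body[:40]!r}"
    return True, "challenge path serves extensionless files unchanged"


if __name__ == "__main__":
    # Usage: python check_webroot.py C:\inetpub\wwwroot http://your-domain
    if len(sys.argv) != 3:
        sys.exit("usage: check_webroot.py WEBROOT BASE_URL")
    ok, detail = check_webroot(sys.argv[1], sys.argv[2])
    print("OK:" if ok else "FAIL:", detail)
    sys.exit(0 if ok else 1)
```
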

Thanks. The cert is created as shown below now. However, all the *.pem files are empty. I believe the public key cert file shall start with "-----BEGIN CERTIFICATE-----" and the private key cert file shall start with "-----BEGIN RSA PRIVATE KEY-----". Am I missing something? Thanks in advance.

certbot certonly --webroot
Saving debug log to C:\Certbot\log\letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Please enter in your domain name(s) (comma and/or space separated) (Enter 'c'
to cancel): btali.tk
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for btali.tk
Input the webroot for btali.tk: (Enter 'c' to cancel): C:\inetpub\wwwroot
Waiting for verification…
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
C:\Certbot\live\btali.tk\fullchain.pem
Your key file has been saved at:
C:\Certbot\live\btali.tk\privkey.pem
Your cert will expire on 2020-12-07. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew all of your certificates, run
"certbot renew"

That certainly should not be the case.

Have you tried making sure you are opening the files as administrator?

I’m not a Windows user, but that’s my guess.

Got it. Thank you very much.