Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is: play-pen.net
I ran this command: create new cert
It produced this output: DNS problem: NXDOMAIN looking up A for mail.play-pen.net
2019-10-07 12:46:49.272 -05:00 [INF] Validation of the required challenges did not complete successfully. DNS problem: NXDOMAIN looking up A for mail.play-pen.net
My web server is (include version): iis v:10
The operating system my web server runs on is (include version): windows server 2016 v:1607
My hosting provider, if applicable, is: self hosting internal dns server + public dns via zoneedit.com
I can login to a root shell on my machine (yes or no, or I don’t know): n/a windows
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certify ssl/tls certificate manager 22.214.171.124
the mail - subdomain doesn't have an A- or AAAA record ( https://check-your-website.server-daten.de/?q=mail.play-pen.net ):
If you want to use http validation, you need an A record
Your Domain name -> your ip address.
If you run the client on your play-pen.net domain, create an A record with the same ip address.
PS: Your main domain has a correct configuration. So create such an entry with your mail subdomain.
I’ve tried to reply to your support requests but your email just doesn’t work (i.e. people cannot reply externally to your email at play-pen.net). I think you need to take a look at all of your DNS configuration for this domain and, while you’re at it, your public mail server settings (MX etc).
ok… i’ve created an “a” record in both my network dns and my public dns. this is the error i’m getting now.
Invalid response from http://mail.play-pen.net/.well-known/acme-challenge/m1bv8nhCI8X7aEpS3RR21w48ExkcVeTaEI2GLC4Pu1U [126.96.36.199]: "\r\n<html xmlns=“http”
the ip address is my public internet ip
There is a check of your domain - https://check-your-website.server-daten.de/?q=mail.play-pen.net
Now the ip part looks good.
Find the webroot of the Website that answers. Then create the two subdirectories
there a file (file name 1234 without extension), then try to load that file via
That should work.
deleted old cert request… created new one with just play-pen.net, owa.play-pen.net, autodiscover.play-pen.net. ran test and it failed with
Could not verify URL is accessible: http://play-pen.net/.well-known/acme-challenge/configcheck
this error occurred after i created the 1234 file.
That doesn’t work.
Do you have a web.config file in your application?
<staticContent><mimeMap fileExtension="." mimeType="text/plain" /></staticContent>
is required to allow extensionless files.
autodiscover looks like a certificate created with another tool, so that tool (Plesk or another) may block your client.
this is the web.config file in the /.well-known/acme-challenge folder.
<?xml version="1.0" encoding="UTF-8"?>
which server does certify use: the local domain dns or the public dns server? i ask as the error msg relates to the external ip address of 188.8.131.52 and not the internal ip address of 192.168.22.20…
An external client sees only the external address. So the error message can only show that address.
But your web config is wrong, you must allow extensionless files, so your test file must work.
Add the shared content to your empty web.config.
Gene, if you have the built in Certify http challenge server enabled (which you did originally) then you don’t need to worry about the IIS config as the app will temporarily register an http listener for the /.well-known/acme-challenge/ prefix and respond to the challenges that way. Failing that it should auto configure the IIS web config etc.
If it does have to auto configure IIS then your website folder will have a new .well-known/acme-challenge folder, in there is a file called ‘configcheck’ - once your web.config lets you browse to this file externally you’re all set.
Does mail.play-pen.net resolve to the actual server that’s running Certify? If not then that would explain why it’s not handling the challenge response.
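The checks discussed in this thread (does the name resolve, does it resolve to an address reachable from the internet, and does an extensionless file under /.well-known/acme-challenge/ come back as the file rather than an HTML page) can be scripted before requesting a certificate. This is an added example, not part of any post above and not Certify's own code; the function names `diagnose` and `probe` and the test file content `test` are assumptions made for illustration.

```python
import ipaddress
import socket
import urllib.error
import urllib.request

CHALLENGE_PATH = "/.well-known/acme-challenge/"

def diagnose(addresses, status, body, expected):
    """Return findings for one HTTP-01 style self-test; an empty list means pass."""
    findings = []
    if not addresses:
        findings.append("no A/AAAA record (NXDOMAIN or empty answer)")
    for addr in addresses:
        # Split-horizon DNS: an internal resolver may hand out an RFC 1918 address.
        if ipaddress.ip_address(addr).is_private:
            findings.append(f"{addr} is a private address; the CA validates from the internet")
    if status is None:
        findings.append("no HTTP response")
    elif status != 200:
        findings.append(f"HTTP {status}; extensionless files may not be served")
    elif body.strip() != expected:
        kind = "an HTML page" if "<html" in body.lower() else "unexpected content"
        findings.append(f"got {kind} instead of the file content")
    return findings

def probe(host, name, expected, timeout=10):
    """Live check using this machine's resolver; run it from outside the LAN to see the public view."""
    try:
        infos = socket.getaddrinfo(host, 80, proto=socket.IPPROTO_TCP)
        addresses = sorted({info[4][0] for info in infos})
    except socket.gaierror:
        return diagnose([], None, "", expected)
    try:
        url = f"http://{host}{CHALLENGE_PATH}{name}"
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            status, body = resp.status, resp.read(4096).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        status, body = err.code, ""
    except OSError:
        status, body = None, ""
    return diagnose(addresses, status, body, expected)

if __name__ == "__main__":
    # Constructed input modelled on the thread: internal address, HTML body instead of the file.
    for finding in diagnose(["192.168.22.20"], 200, '\r\n<html xmlns="http"', "test"):
        print(finding)
```

Against a live site, `probe("play-pen.net", "1234", "test")` would exercise the same logic, assuming a file named 1234 containing `test` has been placed in the challenge folder.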