Renewal not working with Akamai

Hi buddies! I have a Windows server where IIS manages a site, and for a long time I have used the "win-acme" wacs.exe to create and renew my certificates. A few days ago I set up Akamai on my domain. To the best of my knowledge the ACME traffic is not being blocked, because the countries that Akamai now traces with the path "/well-known/*" are only Sweden, the Netherlands, Singapore and the USA, and they are not in the denied GEO list.

When I try win-acme I get this output:

Renewing [IIS] (any site), (any host)
Cached order has status invalid, discarding
[enpap.it] Authorizing...
[enpap.it] Authorizing using http-01 validation (SelfHosting)
[enpap.it] Authorization result: invalid
[enpap.it] {
"type": "urn:ietf:params:acme:error:unauthorized",
"detail": "23.7.22.108: Invalid response from http://dcv.akamai.com/.well-known/acme-challenge/TOKENblablabla1234567890: 503",
"status": 403
}
[enpap.it] Deactivating pending authorization
[www.enpap.it] Deactivating pending authorization
Renewal for [IIS] (any site), (any host) failed, will retry on next run

Where is the problem? I'm going crazy!

The "503" is an HTTP Service Unavailable error. Your server (AkamaiGHost) is returning that error for any request, even for its "home" page.

You need to review your server config. It is not related to your cert but will prevent getting a new one.

curl -i http://dcv.akamai.com

HTTP/1.1 503 Service Unavailable
Server: AkamaiGHost
Mime-Version: 1.0
Content-Type: text/html
Content-Length: 371
Expires: Tue, 11 Jun 2024 12:48:29 GMT
Date: Tue, 11 Jun 2024 12:48:29 GMT
Connection: keep-alive

I'm guessing you are not trying to get a certificate for dcv.akamai.com -- I would have expected that the detail from Let's Encrypt would have the domain you are trying to validate in the error message...
The presence of the other domain ('dcv.akamai.com') might suggest your web server has a 3xx redirect setup for the HTTP-01 challenge request path (i.e. '/.well-known/acme-challenge/') that might be causing the confusion...


@MikeMcQ thanks for your suggestion. My question is where it gets the domain dcv.akamai.com from, if my domain is enpap.it :smiley:


It looks like you are using an Akamai CDN product, based on your DNS settings.

And, that CDN is probably doing the redirect from your domain to the dcv domain.

curl -i http://enpap.it/.well-known/acme-challenge/Test404
HTTP/1.1 302 Moved Temporarily
Location: http://dcv.akamai.com/.well-known/acme-challenge/Test404

If you don't manage the DNS or Akamai settings, you should talk with your network support.

nslookup www.enpap.it

www.enpap.it    canonical name = www.enpap.it.edgekey.net.
www.enpap.it.edgekey.net        canonical name = e235336.dscb.akamaiedge.net.
Name:   e235336.dscb.akamaiedge.net
Address: 23.53.35.113
Address: 23.53.35.108
Address: 2600:1408:7400::17de:4fea
Address: 2600:1408:7400::17de:4fa8

Well guys, I changed some things, like the redirect, and now I get this response:

Now my domain replies correctly, but win-acme still doesn't like something :smiling_face_with_tear:

When Let's Encrypt checks HTTP challenges, it tries the IPv6 address first (the AAAA record); that request goes directly to the Akamai server and is not being passed back to your server.

You need to either remove the IPv6 entry or contact Akamai and ask how to get that to work.

[Edit: based on your original post IPv4 won't work either because it's all getting redirected to Akamai domain validation servers. Speak to Akamai. You could possibly use DNS validation instead which would solve this issue.]


Also, your root domain is now forwarding to your www subdomain. Nothing wrong with that, but the DNS records for these two names are very different. You need to make sure the HTTP request sent via IPv6 to the www subdomain gets the proper response to the challenge.

Your error is a 404 which is an HTTP Not Found. That means the responding system did not know the correct challenge token that was setup by win-acme for your root domain. Might be something like the Akamai CDN replied but didn't know about the token. Or, the origin server it directed the request to was different than where you ran win-acme. These are common reasons for failing.

dig +noall +answer enpap.it
enpap.it.               289     IN      A       172.232.208.150

dig +noall +answer www.enpap.it
www.enpap.it.           300     IN      CNAME   www.enpap.it.edgekey.net.
www.enpap.it.edgekey.net. 300   IN      CNAME   e235336.dscb.akamaiedge.net.
e235336.dscb.akamaiedge.net. 20 IN      A       23.53.35.113
e235336.dscb.akamaiedge.net. 20 IN      A       23.53.35.108
e235336.dscb.akamaiedge.net. 20 IN      AAAA    2600:1408:ec00:10::1730:cb05
e235336.dscb.akamaiedge.net. 20 IN      AAAA    2600:1408:ec00:10::1730:cb0d
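An added example (not win-acme's, Akamai's or any poster's code) that automates the checks done by hand above with dig and curl: resolve every A and AAAA record for the name, request the challenge URL from each address with the correct Host header and without following redirects, then classify the answer as a redirect off the domain (the dcv.akamai.com case), a 503 from the edge, a 404 from a responder that never saw the token, or a correctly served key authorization. The classification labels are my own; hostname and token are taken from the command line.

```python
import socket
import sys
import http.client
from dataclasses import dataclass
from urllib.parse import urlsplit

CHALLENGE_PATH = "/.well-known/acme-challenge/"

@dataclass
class Probe:
    address: str        # A or AAAA record that answered
    status: int         # HTTP status code
    location: str = ""  # Location header on a 3xx, if any
    body: str = ""      # start of the response body

def resolve(host):
    """Every A and AAAA address for host; the CA may validate against any of them."""
    infos = socket.getaddrinfo(host, 80, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})

def probe(host, address, token, timeout=5):
    """GET the challenge URL from one specific address with the real Host
    header and WITHOUT following redirects, so each hop is visible."""
    conn = http.client.HTTPConnection(address, 80, timeout=timeout)
    conn.request("GET", CHALLENGE_PATH + token, headers={"Host": host})
    resp = conn.getresponse()
    body = resp.read(1024).decode("utf-8", "replace")
    conn.close()
    return Probe(address, resp.status, resp.getheader("Location") or "", body)

def diagnose(host, token, p):
    """Map one probe onto the failure modes seen in the thread."""
    if 300 <= p.status < 400:
        target = urlsplit(p.location).hostname or host  # relative = same site
        same_site = target == host or target.endswith("." + host)
        return "same-site-redirect" if same_site else "offsite-redirect"
    if p.status == 503:
        return "origin-unavailable"   # edge could not reach a healthy origin
    if p.status == 404:
        return "token-missing"        # responder never received the token
    if p.status == 200 and p.body.strip().startswith(token + "."):
        return "ok"                   # key authorization is token.thumbprint
    return "unexpected"

if __name__ == "__main__":
    host, token = sys.argv[1], sys.argv[2]
    for addr in resolve(host):
        print(addr, diagnose(host, token, probe(host, addr, token)))
```

Run it as `python preflight.py www.example.org <token>` against a test token you placed yourself; an "offsite-redirect" or "token-missing" on only the IPv6 addresses reproduces the split behaviour described in this thread.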