Won't validate challenge with WinCertes

erict · November 7, 2018, 1:57pm

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: navigationsports.com

I ran this command:
wincertes -s https://acme-v02.api.letsencrypt.org/directory -e erict@powersoft.ca -d navigationsports.com -b “NavigationSports” -w “c:\inetpub\wwwroot\navigationsports”

It produced this output:
Failed to register and validate order with CA: Could not validate challenge https://acme-v02.api.letsencrypt.org/acme/challenge/SsosCA7l-f_YVALld6Yj4CKvtkrgpwppiMYs4fPs87k/9048608666
Could not delete challenge file directory: The directory is not empty.

[The .well-known folder is not deleted, but it’s empty]

My web server is (include version):
IIS 10

The operating system my web server runs on is (include version):
Windows Server 2016 Datacenter

My hosting provider, if applicable, is:
Azure VM

I can login to a root shell on my machine (yes or no, or I don’t know):
yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no

NOTE:
Using fiddler4, I could see the last message sent to the CA is:
GET /acme/challenge/SsosCA7l-f_YVALld6Yj4CKvtkrgpwppiMYs4fPs87k/9048608666

The response from the CA is:
{
“type”: “http-01”,
“status”: “invalid”,
“error”: {
“type”: “urn:ietf:params:acme:error:unauthorized”,
“detail”: “Invalid response from http://navigationsports.com/.well-known/acme-challenge/o6kxLtjRcoILbibrxCNwQADhd_8topCAoP81HFxDKq0 [13.71.189.202]: 500”,
“status”: 403
},
“url”: “https://acme-v02.api.letsencrypt.org/acme/challenge/SsosCA7l-f_YVALld6Yj4CKvtkrgpwppiMYs4fPs87k/9048608666”,
“token”: “o6kxLtjRcoILbibrxCNwQADhd_8topCAoP81HFxDKq0”,
“validationRecord”: [
{
“url”: “http://navigationsports.com/.well-known/acme-challenge/o6kxLtjRcoILbibrxCNwQADhd_8topCAoP81HFxDKq0”,
“hostname”: “navigationsports.com”,
“port”: “80”,
“addressesResolved”: [
“13.71.189.202”
],
“addressUsed”: “13.71.189.202”
}
]
}

I see the 500 and the 403 in the error section, but Fiddler does not report any statuses other than 200 OK. Please advise.

JuergenAuer · November 7, 2018, 4:02pm

Hi @erict

do you have something like

<configuration>
    <system.webServer>
        <staticContent>
            <mimeMap fileExtension="." mimeType="text/plain" />
        </staticContent>
    </system.webServer>
</configuration>

in your configuration file to allow files without extension?

Put a new file in /.well-known/acme-challenge, file name 1234 without extension and try to load it via

http://navigationsports.com/.well-known/acme-challenge/1234

to check if this file is sent.

erict · November 7, 2018, 5:17pm

Thanks for pointing out a mistake, I had fileExtension=".*", i.e. dot star, instead of plain dot. I’ve also changed the original application/octet-stream to text/plain. You can test the URL if you wish, the file is still there.
However, I get the same error on the command-line and fiddler shows the same 403 and 500 as I showed in the original post.

JuergenAuer · November 7, 2018, 5:34pm

Your file

http://navigationsports.com/.well-known/acme-challenge/1234

is correct, I can load it. I don’t use wincertes. Are there more debug-options or a better log?

erict · November 7, 2018, 6:30pm

There doesn’t seem to be. Can you recommend a ACME-V2 compatible windows client?

JuergenAuer · November 7, 2018, 6:42pm

Check the list of clients.

There are different clients with different options. I'm using my own client (not published).

erict · November 21, 2018, 9:19pm

Switched client to win-acme. Works great. Thanks for your help.

system · December 21, 2018, 9:19pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.