Hi,
I am new to certifytheweb and trying to provision my first certificate (using Let's Encrypt). I want to clarify a few things.
The server I am using is Windows Server 2025 and the application is SonarQube. This does not use IIS.
For http challenge I use npm http-server and ngrok to expose this publicly. But I get 404s, and I read on the app that certifytheweb can expose the http server.
I am a little confused on the best way to proceed.
So I have this: http://sonarqube.gssira.com/.well-known/acme-challenge/
With the file there, but I noticed the file content keeps changing. Is this correct?
Hi,
Typically users will be using IIS and with that the app can share port 80 (http) and run its own temporary http listener for /.well-known/acme-challenge requests and respond accordingly. This is because IIS is built around a windows component called http.sys, which in turn allows a shared http pipeline.
When the app's http listener can't be used (because something else is exclusively using port 80) then the app will try to fall back to filesystem based http validation; this writes out the /.well-known/acme-challenge/ files that are required. These change for every request and the actual name and value are determined by the certificate authority you are requesting a certificate from, which is how they validate your domain.
Ideally you wouldn’t have anything running on TCP port 80, that would free up the port so that the app can respond on your behalf and would avoid having to perform http challenge responses via your npm http-server. Ngrok might work but if you are trying to use your own http server then you must also configure it to serve extensionless files as text etc. e.g. if you create a file in that folder called hello (with no extension) you would then need to be able to browse to it successfully.
So, ideally don't run your own http server on port 80 and let the app launch its own listener.
Also, if you can use DNS validation instead of HTTP validation (your domain is with cloudflare, which is supported for DNS automation) then you will find it much easier to get certs for services. HTTP is easiest when your service is already public. DNS Domain Validation (dns-01) | Certify The Web Docs
Ok so I fixed this and can start the http challenge server. The test completes but in the request of the cert I get this error:
Response from Certificate Authority: 2600:1f16:d83:1202::6e:5: Invalid response from https://acme.ngrok.com/certs-auto/.well-known/acme-challenge/tYrIFGBDPNKlDj0kf4jbBPrsKW_ltidrtYhMS1qRkt0?host=sonarqube.gssira.com: 404 [Forbidden :: urn:ietf:params:acme:error:unauthorized]
2025-05-21 04:22:43.721 +01:00 [ERR] Validation of the required challenges did not complete successfully. Validation failed: sonarqube.gssira.com
Response from Certificate Authority: 2600:1f16:d83:1202::6e:5: Invalid response from https://acme.ngrok.com/certs-auto/.well-known/acme-challenge/tYrIFGBDPNKlDj0kf4jbBPrsKW_ltidrtYhMS1qRkt0?host=sonarqube.gssira.com: 404 [Forbidden :: urn:ietf:params:acme:error:unauthorized]
I am not sure if this is a certifytheweb issue or ngrok. Any help appreciated.
ngrok is redirecting http (tcp port 80) to https (tcp port 443). The certify http listener is just http, tcp port 80. So you ideally want to direct ngrok http to the local http listener on port 80 instead of having it try to do https stuff.
Maybe something useful here or other ngrok docs: https://stackoverflow.com/questions/72744384/how-do-you-force-ngrok-to-forward-to-http-and-not-https