Acme Challenge In wwwroot?

Jay · June 11, 2021, 11:04am

Hi all,

Does CTW support placing the .well-known/acme files in the wwwroot?

I just created a test site on IIS, placed a wwwroot folder in it, but CTW still placed these files next to the wwwroot folder, instead of in it.

I can find no setting for this. I don’t think renewal will work correctly for my .NET Core site, if this feature is not supported.

Sincerely,

Jay

Jay · June 11, 2021, 11:33am

Ok, I just found the ‘Site Root Folder’ setting in the Authorization section.

Never mind.

webprofusion · June 11, 2021, 2:54pm

For servers that use http.sys such as IIS, Certify has a built in http listener that temporarily sits in front of IIS etc during validation.

That means the whole IIS part is skipped and is usually not even required unless for some reason the http challenge server is disabled or can’t run. We should really skip creating those files/folders unless the challenge server runs into issue.

Jay · June 11, 2021, 4:16pm

Doesn’t Let’s Encrypt require those files to be there during the creation/renewal process?

jljtgr · June 11, 2021, 10:56pm

Think of them as existing in two places at once. The IIS versions don’t need to exist when the temporary challenge server has them. The temporary challenge server tells Windows to use it for /.well-known/ requests instead of seeing if IIS wants to handle it.

webprofusion · June 12, 2021, 5:43am

Yes the temporary challenge server is like an in-memory webserver and it co-exists with IIS transparently.

Jay · June 12, 2021, 11:55am

So you guys are discussing letting the acme challenge files be served temporarily from memory, as opposed to files on disk?

I used to run a script that auto renewed my certificates and loaded them into IIS. I was just not able to figure out how to set the certs on my sites. But now I have CTW handling this for me.

Very happy to have found a complete solution for my SSL certs. I don’t mind those temp acme files much.

webprofusion · June 13, 2021, 4:54am

Yes, the default behavior is to serve the challenge responses from memory. So you shouldn’t have to do anything more to get the certificate requests to work.

Jay · June 13, 2021, 12:54pm

Doesn’t look like that to me. I have a combobox with 2 options: http-01 and dns-01. I have to select one of them. And the http-01 is selected by default.

How to make use of the response-from-memory, then?

webprofusion · June 14, 2021, 2:14am

Jay, it’s automatic and it’s the default unless you’ve switched it off (Settings > Renewal Settings > Enable Http Challenge Server).

You haven’t mentioned if renewal is actually failing? If you click Request Certificate does it all work or not? Automatic renewal is exactly the same as clicking that button except it only happens when the default renewal interval time has elapsed.