Auto Update Failing

Hi.

My sites are all working currently but set to expire in a month or so. If I request a new certificate the request fails, but in addition to this if I try to use the most recent certificate the site I add it to is failing ERR_SSL_PROTOCOL_ERROR. I know the problem is with the certificate as I get this error in the browser if I apply it; then if I go back to the older one (the one currently installed) it works again.

The error I am getting for the sites I try to renew is:
Invalid response from https://www.[website]/.well-known/acme-challenge/XAkd29QFHVpy0pqMARmO535OJa-DRm5PKzOzemwjTKY [IP]: "\r\n\r\n\t\r\n \r\n \r\n \r\n \r\n \r\n\r\n\r\n\t\r\n\t\r\n\t\r\n\t\r\n\r\n\r\n\r\n\r\n\t\r\n\r\n\t\r\n \r\n\t\r\n\r\n \r\n \r\n \r\n\r\n \r\n \r\n \r\n\t\r\n \r\n " Forbidden urn:ietf:params:acme:error:unauthorized

I am using Load Balancer in Windows Server 2012 so I can’t use the built-in challenge/response server.

I also have Certify running on a newer server (Server 2016) and it works fine from there (just entering the domains manually and the path to the web site as a network path). So I can renew a certificate but then I need to do a few things manually and that’s a bit of a pain.

So something is wrong with Windows 2012 - could I have the wrong root certificates? Or maybe my permissions are screwed up trying to write the file?

Thanks for any help.

Hi, there are two different problems here:

  • your webserver or load balancer is not serving a valid certificate or is failing to select a common TLS cipher for the client (the ERR_SSL_PROTOCOL_ERROR)
  • your http validation is failing (I’ve never seen the response with all the carriage return/newlines and tabs before; this would suggest this is a custom text response from your load balancer).

If you have to load balance http validation across servers then you need to use a shared filesystem which all web servers for your domain can see, that way Certify The Web can write the challenge response file to disk then any of the servers will respond when Let’s Encrypt attempts to validate the domain using http.

I don’t know anything about the Windows Load Balancer or how you would have configured it but it needs to know about the ISRG Root X1 root certificate (which came into effect at the end of September), presumably though it uses the Windows certificate store. Perhaps you could disable load balancing to identify which component is having problems (the load balancer or IIS).

Without knowing your domain I can’t really check your site but I’d check to ensure that:

  • You are running the latest version of Certify The Web
  • Your server has been restarted fairly recently
  • You are not using outdated TLS cipher settings (my general advice is to download Nartac Software - IIS Crypto and use the ‘Best Practises’ option, apply it and restart. This applies a reasonably broad default set of TLS cipher suite registry settings).

Regarding permissions, this would only likely be a problem if you changed the Certify background service to run as some other user, or you had manually applied custom permissions to the OS private key store.

And I would recommend using DNS validation instead of http validation in load balanced configurations, that way you don’t need the individual servers to know about the http challenge response.
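As an added example for the shared-webroot approach described in the reply above (this is not Certify The Web's own code and not something posted in the thread), the following script writes a dummy challenge file into the shared webroot the way an ACME client would, then fetches it from each backend node directly with the public host name in the Host header, bypassing the load balancer. It classifies each node's answer so that a backend serving a whitespace-only or HTML body instead of the token (the symptom in the error quoted above) is identified before a real renewal is attempted. The host name, backend IPs, webroot path and the responses in the demonstration run are all constructed placeholders.

```python
"""Pre-flight check for HTTP-01 validation behind a load balancer.

Added example, not Certify The Web's code. Host names, IPs and paths are
constructed placeholders; the fetcher can be swapped for an offline fake.
"""
import http.client
import secrets
from pathlib import Path

CHALLENGE_DIR = ".well-known/acme-challenge"


def classify_body(body: str, expected: str) -> str:
    """Diagnose why the CA would reject a challenge response body.

    RFC 8555 lets the CA ignore trailing whitespace after the key
    authorization, so only the right-hand side is stripped.
    """
    if body.rstrip() == expected:
        return "ok"
    if body.strip() == "":
        # Nothing but CR/LF/tabs: some component other than the static
        # file answered (e.g. a template page with its content stripped).
        return "whitespace-only"
    lowered = body.lower()
    if "<html" in lowered or "<!doctype" in lowered:
        return "html-page"  # a 403/404/login page was served, not the token
    return "wrong-content"


def write_test_challenge(webroot: Path, token: str, key_auth: str) -> Path:
    """Place a test file in the shared webroot exactly as the ACME client would."""
    target = webroot / CHALLENGE_DIR / token
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_text(key_auth, encoding="ascii")
    return target


def fetch_from_backend(ip: str, host: str, token: str, timeout: float = 10.0):
    """Plain HTTP GET of the challenge URL straight from one backend node."""
    conn = http.client.HTTPConnection(ip, 80, timeout=timeout)
    try:
        conn.request("GET", f"/{CHALLENGE_DIR}/{token}", headers={"Host": host})
        resp = conn.getresponse()
        return resp.status, resp.read().decode("utf-8", errors="replace")
    finally:
        conn.close()


def check_backends(host, token, key_auth, backends, fetch=fetch_from_backend):
    """Return {backend_ip: diagnosis} for every node behind the load balancer."""
    results = {}
    for ip in backends:
        try:
            status, body = fetch(ip, host, token)
        except OSError as exc:
            results[ip] = f"unreachable: {exc}"
            continue
        verdict = classify_body(body, key_auth)
        results[ip] = verdict if status == 200 else f"http {status}: {verdict}"
    return results


if __name__ == "__main__":
    # Constructed demonstration: one healthy node and one node that returns a
    # 403 with a whitespace-only body, like the error quoted in the thread.
    token = secrets.token_urlsafe(32)
    key_auth = f"{token}.EXAMPLE_ACCOUNT_THUMBPRINT"  # placeholder thumbprint

    def fake_fetch(ip, host, tok):
        canned = {
            "10.0.0.11": (200, key_auth + "\n"),
            "10.0.0.12": (403, "\r\n\r\n\t\r\n \r\n \r\n"),
        }
        return canned[ip]

    # On a real deployment, replace fake_fetch with fetch_from_backend and
    # first call write_test_challenge(Path(r"\\fileserver\share\wwwroot"), token, key_auth).
    report = check_backends("www.example.test", token, key_auth,
                            ["10.0.0.11", "10.0.0.12"], fetch=fake_fetch)
    for ip, verdict in report.items():
        print(f"{ip}: {verdict}")
```

A node reported as "whitespace-only" or "html-page" is not serving the static file from the shared webroot for that path, which is the component to look at before retrying the renewal; once every backend returns "ok" for the test token, the file share and the Host-based routing are proven and the remaining risk is in the load balancer itself.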

Actually I didn’t really consider this but that makes perfect sense - I’ll give it a try.