Challenge http-01 on IIS, non default port


#1

Hello everyone,

We are unable to generate a certificate using the http-01 challenge. We can see that it creates the files/folders needed on IIS, but the validation always fails.

The interface says that redirections are permitted, but it seems that not for external access. We’ve understood it right?


#2

Hi David, sorry I may need a little more to go on in order to help. Perhaps you could send your log file through to support at certifytheweb.com?

The http-01 challenge requires port 80 to be open as let’s encrypt will only start with http on port 80 for validation (although it will will redirection to https from there). You should confirm that accessing your site via http on port works externally before proceeding with the http-01 challenge type.

If you are on the latest version and have not disabled the internal http challenge server the default configuration will actually not use IIS at all (although it will create config folders as a fallback) and will instead create a temporary port 80 listener in front of IIS while responding to the http challenge.


#3

I’ll send the file.

We have a fully operational IIS here, and for security reasons we rather go with non-default ports for http and https, so from external side it will not respond to requests on 80/443.

This is not a supported scenario for http-01 validation, right?


#4

@david.lynch that’s correct. You don’t have to run IIS on port 80 or have any port 80 bindings but you do need port 80 open for the built-in http challenge server to be able to respond. Unfortunately for Let’s Encrypt http validation there is no option to begin challenge response on any port other than 80.