Domain Validation failed - 404 forbidden

Trying to get http domain validation working on my SmarterMail (IIS) web site and validation is failing and I can’t figure out why. I just did this a week ago on a different server (Win Server 2019) and it worked fine. I just switched web hosts and am now on Win Server 2022. That’s the only difference I can think of, but it doesn’t explain the failure.

So from the log file: Invalid response from 404 Forbidden urn:ietf:params:acme:error:unauthorized

I have made sure I added a MIME type for “.” and “text/plain”.

I can browse to the /.well-known/acme-challenge/configcheck URL just fine (via “the internet” from a browser on a different machine).

And when I run the “Request Certificate”, I can see the challenge file being created (and then deleted) in that folder on the file system. Of course its gone so fast I can’t do any further testing on it, but the fact that its coming back 404 Forbidden/unauthorized makes no sense to me.

What am I missing?

The URL path is set to give a 401 auth challenge, which if you fail means you cannot access the path.

You probably are using some sort of Microsoft browser that can pass KERBEROS authentication of your currently logged in user. I have no such thing, so I am prompted to give my username/password.

My guess is that you need to add anonymous authentication to the virtual folder or website…

1 Like

I see that SmarterMail has has a guide mentioning Certify (and IIS) so I presume it must work: Securing SmarterMail With Let's Encrypt - Note that their step for exporting the PFX is outdated and you can just use the Export Certificate deployment task to copy the PFX where you need it.

The way Certify The Web works with IIS you don’t actually need to configure IIS to handle the challenges, Certify adds an http listener for the /.well-known/acme-challenge url pattern using http.sys, which sits in front of IIS during validation.

Check you have this option enabled under the main app Settings > General Settings > Enable Http Challenge Server, then if possible restart your server. If you can’t restart your server then restart the Certify background service and make sure there are no old Certify.exe processes running (the process the challenge server runs as).

I did have anonymous authentication enabled. I would expect you to not be able to browse a directory, e.g. just browsing to the /.well-known/ folder shouldn’t work, although I would expect IIS to report that browsing directories isn’t enabled, not give a 401 Unauthorized.

Also, as I had mentioned, I had done this exact thing with SmarterMail last week, and it worked fine. Thanks for including that link to doing it with SmarterMail, I’m sure it will help someone in the future. And yes, I do have a post deployment task set up to automatically export the certification, and it works sweet!

I restarted the web server, and restarted the CertifyTheWeb service (I didn’t see any Certify.exe process running, but did it anyway), and guess what, it works now.

Thanks for your help guys. I thought I was going insane.

Thanks for this great product (and support)!!!

1 Like