Error creating order

At this point I am running out of troubleshooting.
I have manually whitelisted *.certifytheweb.com and *.letsencrypt.org
This is for a government school and a proxy is mandatory.
I can access the IP address on :443 in a browser through the proxy to get to the ACME page telling me I shouldn’t be here with a browser.
Is it just taking too long to get to the destination?
Is the request getting lost somehow?
I can’t get a new certificate. It was working great for over a year and now it is not.

2020-06-02 15:57:44.801 +10:00 [INF] Certify/4.1.8.0 (Windows; Microsoft Windows NT 6.2.9200.0) 
2020-06-02 15:57:44.801 +10:00 [INF] Beginning Certificate Request Process: AccelerusWeb using ACME Provider:Certes
2020-06-02 15:57:44.801 +10:00 [INF] Registering Domain Identifiers
2020-06-02 15:57:44.803 +10:00 [ERR] BeginCertificateOrder: creating/retrieving order. Retries remaining:2 
2020-06-02 15:58:05.813 +10:00 [ERR] BeginCertificateOrder: error creating order. Retries remaining:1 :: System.Net.Http.HttpRequestException: An error occurred while sending the request. ---> System.Net.WebException: Unable to connect to the remote server ---> System.Net.Sockets.SocketException: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond 172.65.32.248:443
   at System.Net.Sockets.Socket.InternalEndConnect(IAsyncResult asyncResult)
   at System.Net.Sockets.Socket.EndConnect(IAsyncResult asyncResult)
   at System.Net.ServicePoint.ConnectSocketInternal(Boolean connectFailure, Socket s4, Socket s6, Socket& socket, IPAddress& address, ConnectSocketState state, IAsyncResult asyncResult, Exception& exception)
   --- End of inner exception stack trace ---
   at System.Net.HttpWebRequest.EndGetResponse(IAsyncResult asyncResult)
   at System.Net.Http.HttpClientHandler.GetResponseCallback(IAsyncResult ar)
   --- End of inner exception stack trace ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Certify.Providers.Certes.LoggingHandler.<SendAsync>d__6.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at System.Net.Http.HttpClient.<FinishSendAsyncBuffered>d__58.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Certes.Acme.AcmeHttpClient.<Get>d__10`1.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Certes.AcmeContext.<GetDirectory>d__17.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Certes.IAcmeContextExtensions.<GetResourceUri>d__0.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Certes.AcmeContext.<NewOrder>d__19.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at Certify.Providers.Certes.CertesACMEProvider.<BeginCertificateOrder>d__26.MoveNext() 
2020-06-02 15:58:06.815 +10:00 [ERR] BeginCertificateOrder: creating/retrieving order. Retries remaining:0 
2020-06-02 15:58:27.811 +10:00 [ERR] BeginCertificateOrder: error creating order. Retries remaining:-1 :: System.Net.Http.HttpRequestException: An error occurred while sending the request. ---> System.Net.WebException: Unable to connect to the remote server ---> System.Net.Sockets.SocketException: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond 172.65.32.248:443
   at System.Net.Sockets.Socket.InternalEndConnect(IAsyncResult asyncResult)
   at System.Net.Sockets.Socket.EndConnect(IAsyncResult asyncResult)
   at System.Net.ServicePoint.ConnectSocketInternal(Boolean connectFailure, Socket s4, Socket s6, Socket& socket, IPAddress& address, ConnectSocketState state, IAsyncResult asyncResult, Exception& exception)
   --- End of inner exception stack trace ---
   at System.Net.HttpWebRequest.EndGetResponse(IAsyncResult asyncResult)
   at System.Net.Http.HttpClientHandler.GetResponseCallback(IAsyncResult ar)
   --- End of inner exception stack trace ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Certify.Providers.Certes.LoggingHandler.<SendAsync>d__6.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at System.Net.Http.HttpClient.<FinishSendAsyncBuffered>d__58.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Certes.Acme.AcmeHttpClient.<Get>d__10`1.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Certes.AcmeContext.<GetDirectory>d__17.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Certes.IAcmeContextExtensions.<GetResourceUri>d__0.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Certes.AcmeContext.<NewOrder>d__19.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at Certify.Providers.Certes.CertesACMEProvider.<BeginCertificateOrder>d__26.MoveNext() 
2020-06-02 15:58:28.812 +10:00 [INF] Failed to create certificate order: Failed to begin certificate order.

Hi,

Proxies are not supported by Certify and never have been, so it’s cool that you got it working before, but that’s still currently an unsupported configuration; sorry, there are just too many other features to develop. Proxy support may eventually be added, but the requests for it are increasingly infrequent, so it’s not a priority for the app currently.

That said, the outgoing IP you appear to be resolving is most likely the Let’s Encrypt API (based on a quick ping test), not your proxy server, so the issue is that your firewall or proxy is blocking outgoing HTTPS to that IP/from your IP by default (maybe you don’t when the proxy is working and therefore that’s why IE works).

You may possibly be able to do something using https://docs.microsoft.com/en-us/dotnet/framework/configure-apps/file-schema/network/defaultproxy-element-network-settings but I don’t know.

Nothing has changed regarding proxies in Certify, but what is most likely to have changed is your proxy or some IP whitelist that you have, and the Let’s Encrypt API IPs will definitely have changed.

You also have the option of using a completely different machine (with no proxy) to acquire certificates using Certify, then use a Deployment Task (v5) to get the new certificate onto the server.

Further to this, I tried the current version of the app out using Squid as a proxy (no user/password required) by setting the default connection proxy in IE > Internet Options. Everything worked fine and I could see the traffic being logged in the Squid log. This is more by luck than design, but it shows that the default system proxy should be OK, especially if no password is required for the proxy (i.e. no auth or MAC address filtering etc.). I’m no proxy expert though.

I believe that proxies can be set per user… so the SYSTEM user would not by default be able to use a user configured proxy. That’s why a Windows service built on .NET would use a proxy configuration in the app.config file.

Usually a .NET application can use proxies without even noticing it. Or rather, no considerations need to be made for proxies to work (as long as all network communication happens through Microsoft libraries and not something like libcurl).

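
For readers unfamiliar with the app.config mechanism mentioned in the post above, here is an illustrative .NET Framework config fragment. It is added here as an example, not taken from Certify’s shipped configuration, and whether this particular service honours it is something the thread leaves open; the proxy host, port and bypass entry are placeholders to replace with the school’s own values.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <!-- Illustrative fragment, not Certify's own config. It belongs in the
       service executable's .exe.config so that the proxy applies to the
       SYSTEM account, which never sees a per-user IE/WinINET proxy setting. -->
  <system.net>
    <defaultProxy enabled="true" useDefaultCredentials="false">
      <!-- usesystemdefault="false": name the proxy explicitly instead of
           falling back to the (empty) per-user setting of SYSTEM.
           proxy.school.example:3128 is a placeholder. -->
      <proxy proxyaddress="http://proxy.school.example:3128"
             usesystemdefault="false"
             bypassonlocal="true" />
      <!-- Each entry is a regular expression matched against the host name.
           Keep this list short: every bypass is traffic the proxy no longer
           sees or logs. -->
      <bypasslist>
        <add address="^(.*\.)?school\.example$" />
      </bypasslist>
    </defaultProxy>
  </system.net>
</configuration>
```

This element carries no username or password, only the option to forward the process’s default credentials, so it fits an unauthenticated proxy like the Squid setup described above; the Let’s Encrypt endpoints must still be permitted by the proxy’s own access rules.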

Thanks! That would make a big difference as of course the background service does run as SYSTEM (and my test was in dev).

Looks like there are ways to apply the proxy for SYSTEM: https://serverfault.com/questions/34940/how-do-i-configure-proxy-settings-for-local-system