HTTP-01 challenge failing

Hi,
Your app is very slick and well thought out.
I have a client site that requires port 8443 for SSL certs and I don't have access to the DNS system. So that leaves me with an HTTP-01 challenge. The cert was created without incident; however, the renewal process fails and the logs hint at a firewall issue.

I have created a web.config rule to clear rewrite for the acme-challenge folder and the content is served on port 80.
The folder has full control for the system account which the Certify SSL Manager Service uses.
I have never seen the challenge file written to the folder. If I manually recreate one from the logs, it is externally viewable.

Here are the logs:

2019-07-17 15:24:51.056 +10:00 [INF] Certify/4.1.6.0 (Windows; Microsoft Windows NT 6.2.9200.0) 
2019-07-17 15:24:51.056 +10:00 [INF] Beginning Certificate Request Process: Default Web Site using ACME Provider:Certes
2019-07-17 15:24:51.057 +10:00 [INF] Registering Domain Identifiers
2019-07-17 15:24:51.058 +10:00 [ERR] BeginCertificateOrder: creating/retrieving order. Retries remaining:2 
2019-07-17 15:24:54.562 +10:00 [INF] Created ACME Order: https://acme-v02.api.letsencrypt.org/acme/order/56540514/732660688
2019-07-17 15:24:55.571 +10:00 [INF] Fetching Authorizations.
2019-07-17 15:25:00.369 +10:00 [INF] Got http-01 challenge https://acme-v02.api.letsencrypt.org/acme/challenge/YEhU4Cz5irWJaB0Of0ATB1usugFgMzxOznKEMmanlZI/18375895758
2019-07-17 15:25:02.183 +10:00 [INF] Got dns-01 challenge https://acme-v02.api.letsencrypt.org/acme/challenge/YEhU4Cz5irWJaB0Of0ATB1usugFgMzxOznKEMmanlZI/18375895759
2019-07-17 15:25:03.283 +10:00 [INF] Http Challenge Server process available.
2019-07-17 15:25:03.283 +10:00 [INF] Attempting Domain Validation: staff.wangcinema.com.au
2019-07-17 15:25:03.283 +10:00 [INF] Registering and Validating staff.wangcinema.com.au 
2019-07-17 15:25:03.283 +10:00 [INF] Performing automated challenge responses (staff.wangcinema.com.au)
2019-07-17 15:25:03.284 +10:00 [INF] Preparing challenge response for Let's Encrypt server to check at: http://staff.wangcinema.com.au/.well-known/acme-challenge/8qxseVaLLuWg5V3jMuaneVh2iyGPefG6SZLaVag8CGI with content 8qxseVaLLuWg5V3jMuaneVh2iyGPefG6SZLaVag8CGI.f3Bx4MmrPs22NAozN9ILj4RV8Y_wNMws3E3AeSEt3qc
2019-07-17 15:25:03.284 +10:00 [INF] If the challenge response file is not accessible at this exact URL the validation will fail and a certificate will not be issued.
2019-07-17 15:25:03.298 +10:00 [INF] Using website path C:\inetpub\wwwroot
2019-07-17 15:25:03.299 +10:00 [INF] Checking URL is accessible: http://staff.wangcinema.com.au/.well-known/acme-challenge/8qxseVaLLuWg5V3jMuaneVh2iyGPefG6SZLaVag8CGI [proxyAPI: True, timeout: 5000ms]
2019-07-17 15:25:03.811 +10:00 [INF] URL is accessible. Check passed.
2019-07-17 15:25:03.811 +10:00 [INF] Requesting Validation from Let's Encrypt: staff.wangcinema.com.au
2019-07-17 15:25:03.811 +10:00 [INF] Attempting Challenge Response Validation for Domain: staff.wangcinema.com.au
2019-07-17 15:25:03.812 +10:00 [INF] Registering and Validating staff.wangcinema.com.au 
2019-07-17 15:25:03.812 +10:00 [INF] Checking automated challenge response for Domain: staff.wangcinema.com.au
2019-07-17 15:25:16.463 +10:00 [INF] Fetching http://staff.wangcinema.com.au/.well-known/acme-challenge/8qxseVaLLuWg5V3jMuaneVh2iyGPefG6SZLaVag8CGI: Timeout during connect (likely firewall problem)
2019-07-17 15:25:16.602 +10:00 [INF] Validation of the required challenges did not complete successfully. Fetching http://staff.wangcinema.com.au/.well-known/acme-challenge/8qxseVaLLuWg5V3jMuaneVh2iyGPefG6SZLaVag8CGI: Timeout during connect (likely firewall problem)
2019-07-17 15:25:16.603 +10:00 [INF] Validation of the required challenges did not complete successfully. Fetching http://staff.wangcinema.com.au/.well-known/acme-challenge/8qxseVaLLuWg5V3jMuaneVh2iyGPefG6SZLaVag8CGI: Timeout during connect (likely firewall problem)
2019-07-17 16:24:51.152 +10:00 [INF] Previous renewals failed: 54. Renewal will be attempted within 48hrs.

Hi,

Checking your site in letsdebug suggests that port 80 isn’t open:

https://letsdebug.net/staff.wangcinema.com.au/50768

However, it seems to work for me (in Australia). Do you have any firewall rules that block geographically?

Northeast US, here. Port 80 times out. Port 443 responds with a certificate reporting to be remote.wangcinema.com.au. Port 8443 times out.

Thanks webprofusion and jljtgr, I have forwarded your comments on to the site's network team. I'll post back what they say when I hear back (this week).

Here is the network guy's reply:

Hi Noel,

I found 2 problems with this.

  1. I was blocking the US. I have US and Australia allowed now.

  2. I found a typo in the URL Rewrite that was causing the challenge requests to be redirected to HTTPS as well.

Both problems are fixed now and the Certificate is renewed.
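For reference, an IIS web.config that keeps an HTTP-to-HTTPS redirect from swallowing the challenge path, written as an added example and not the poster's actual rule (the rule names, the site layout and the port-8443 redirect target are assumed):

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example, not the poster's web.config. Assumes the HTTPS site listens on 8443. -->
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <!-- Rule 1 must come first: stop processing for ACME challenge requests so the
             redirect below never sees them. Let's Encrypt follows redirects only to
             ports 80 and 443, so a redirect to :8443 fails validation. -->
        <rule name="Exclude ACME challenge" stopProcessing="true">
          <match url="^\.well-known/acme-challenge/.*" />
          <action type="None" />
        </rule>
        <!-- Rule 2: everything else arriving on plain HTTP goes to the HTTPS site on 8443. -->
        <rule name="Redirect to HTTPS 8443" stopProcessing="true">
          <match url="(.*)" />
          <conditions>
            <add input="{HTTPS}" pattern="off" ignoreCase="true" />
          </conditions>
          <action type="Redirect" url="https://{HTTP_HOST}:8443/{R:1}" redirectType="Permanent" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
  <!-- Challenge files have no extension; serve them as text/plain from the challenge folder
       so IIS does not answer 404 for an extensionless static file. -->
  <location path=".well-known/acme-challenge">
    <system.webServer>
      <staticContent>
        <clear />
        <mimeMap fileExtension="." mimeType="text/plain" />
      </staticContent>
    </system.webServer>
  </location>
</configuration>
```

Verify from outside the network (and from more than one region, as letsdebug does) with a plain `curl -I http://<host>/.well-known/acme-challenge/<token>`: a 200 with no Location header is what the validator needs to see, while a 301 to :8443 or a connect timeout reproduces the two failures found in this thread.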
