HTTP-01 challenge failing

Your app is very slick and well thought out.
I have a client site that requires port 8443 for SSL certs and I don't have access to the DNS system, so that leaves me with an HTTP-01 challenge. The cert was created without incident; however, the renewal process fails and the logs hint at a firewall issue.

I have created a web.config rule to clear rewrite for the acme-challenge folder and the content is served on port 80.
The folder has full control for the system account which the Certify SSL Manager Service uses.
I have never seen the challenge file written to the folder. If I manually recreate one from the logs, it is externally viewable.

Here are the logs:

2019-07-17 15:24:51.056 +10:00 [INF] Certify/ (Windows; Microsoft Windows NT 6.2.9200.0) 
2019-07-17 15:24:51.056 +10:00 [INF] Beginning Certificate Request Process: Default Web Site using ACME Provider:Certes
2019-07-17 15:24:51.057 +10:00 [INF] Registering Domain Identifiers
2019-07-17 15:24:51.058 +10:00 [ERR] BeginCertificateOrder: creating/retrieving order. Retries remaining:2 
2019-07-17 15:24:54.562 +10:00 [INF] Created ACME Order:
2019-07-17 15:24:55.571 +10:00 [INF] Fetching Authorizations.
2019-07-17 15:25:00.369 +10:00 [INF] Got http-01 challenge
2019-07-17 15:25:02.183 +10:00 [INF] Got dns-01 challenge
2019-07-17 15:25:03.283 +10:00 [INF] Http Challenge Server process available.
2019-07-17 15:25:03.283 +10:00 [INF] Attempting Domain Validation:
2019-07-17 15:25:03.283 +10:00 [INF] Registering and Validating 
2019-07-17 15:25:03.283 +10:00 [INF] Performing automated challenge responses (
2019-07-17 15:25:03.284 +10:00 [INF] Preparing challenge response for Let's Encrypt server to check at: with content 8qxseVaLLuWg5V3jMuaneVh2iyGPefG6SZLaVag8CGI.f3Bx4MmrPs22NAozN9ILj4RV8Y_wNMws3E3AeSEt3qc
2019-07-17 15:25:03.284 +10:00 [INF] If the challenge response file is not accessible at this exact URL the validation will fail and a certificate will not be issued.
2019-07-17 15:25:03.298 +10:00 [INF] Using website path C:\inetpub\wwwroot
2019-07-17 15:25:03.299 +10:00 [INF] Checking URL is accessible: [proxyAPI: True, timeout: 5000ms]
2019-07-17 15:25:03.811 +10:00 [INF] URL is accessible. Check passed.
2019-07-17 15:25:03.811 +10:00 [INF] Requesting Validation from Let's Encrypt:
2019-07-17 15:25:03.811 +10:00 [INF] Attempting Challenge Response Validation for Domain:
2019-07-17 15:25:03.812 +10:00 [INF] Registering and Validating 
2019-07-17 15:25:03.812 +10:00 [INF] Checking automated challenge response for Domain:
2019-07-17 15:25:16.463 +10:00 [INF] Fetching Timeout during connect (likely firewall problem)
2019-07-17 15:25:16.602 +10:00 [INF] Validation of the required challenges did not complete successfully. Fetching Timeout during connect (likely firewall problem)
2019-07-17 15:25:16.603 +10:00 [INF] Validation of the required challenges did not complete successfully. Fetching Timeout during connect (likely firewall problem)
2019-07-17 16:24:51.152 +10:00 [INF] Previous renewals failed: 54. Renewal will be attempted within 48hrs.


Checking your site in letsdebug suggests that port 80 isn’t open:

However, it seems to work for me (in Australia). Do you have any firewall rules that block geographically?

Northeast US, here. Port 80 times out. Port 443 responds with a certificate reporting to be Port 8443 times out.

Thanks webprofusion and jljtgr, I have forwarded your comments on to the site’s network team. I’ll post back what they say when I hear back (this week)

Here is the network guy's reply:

Hi Noel,

I found 2 problems with this.

  1. I was blocking the US. I have US and Australia allowed now.

  2. I found a typo in the URL Rewrite that was causing the challenge requests to be redirected to HTTPS as well.

Both problems are fixed now and the certificate is renewed.

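For reference, this is what a working IIS URL Rewrite configuration for this setup looks like: the ACME challenge path is matched first and left alone, and only then is everything else on port 80 redirected to HTTPS. This is an added example, not the poster's web.config, the network team's fix, or Certify's own generated config. It assumes the site root is C:\inetpub\wwwroot, that HTTPS is served on port 8443 as the first post says, and that the original rewrite rule was a plain HTTP-to-HTTPS redirect (the exact typo mentioned in the reply is not shown on the page).

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Example web.config for the site root (assumed C:\inetpub\wwwroot).
     Added illustration, not the configuration from the thread. -->
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <!-- Rule 1 must come BEFORE the redirect. It matches any request under
             /.well-known/acme-challenge/ and stops rule processing so the
             challenge token is served as a plain file over port 80. -->
        <rule name="Allow ACME HTTP-01 challenge" stopProcessing="true">
          <match url="^\.well-known/acme-challenge/.*" />
          <action type="None" />
        </rule>

        <!-- Rule 2: everything else that arrives over plain HTTP is sent to
             HTTPS on the site's TLS port (8443 is an assumption from the post).
             A typo in the match pattern or condition of a rule like this is
             enough to send the challenge request to HTTPS as well. -->
        <rule name="Redirect to HTTPS" stopProcessing="true">
          <match url="(.*)" />
          <conditions>
            <add input="{HTTPS}" pattern="off" ignoreCase="true" />
          </conditions>
          <action type="Redirect" url="https://{HTTP_HOST}:8443/{R:1}" redirectType="Permanent" />
        </rule>
      </rules>
    </rewrite>

    <!-- Challenge token files have no extension; without a MIME mapping IIS
         returns 404 for them. Omit this if a parent config already maps "."
         (IIS rejects duplicate collection entries). -->
    <staticContent>
      <mimeMap fileExtension="." mimeType="text/plain" />
    </staticContent>
  </system.webServer>
</configuration>
```

To verify the rule order, place a test file in .well-known/acme-challenge and request it over plain HTTP from a host outside the firewall without following redirects (for example `curl -I http://<host>/.well-known/acme-challenge/test`): the answer should be a 200 with the file's content, not a 301 to HTTPS. Note that the "Checking URL is accessible ... Check passed" line in the logs came from Certify's own proxy check, which succeeded from a location the firewall allowed, while Let's Encrypt's validators connect from their own infrastructure, not from the visitor's country. Any geographic allow-list on port 80 therefore has to admit those validators or the renewal will time out exactly as the logs show, even though the rewrite rule is correct.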