Invalid Response 403 - Forbidden when renewing certificate


#1

I receive “Validation of the required challenges did not complete successfully. Invalid response from … 403” when trying to renew. I have looked at other posts people have had with this and I have implemented them to no success.
What I have tried is adding:

And:

I can’t actually access anything in the acme-challenge folder even though authentication is set to Anonymous. Any help would be greatly appreciated. Thanks.


#2

Hi, in v4 we added a built-in http challenge server feature to reduce reliance on configuring IIS. This is a port 80 listener that spins up when we're about to attempt an http challenge and uses http.sys to sit in front of IIS and listen for /.well-known/acme-challenge requests. It then shuts down again after a period of inactivity.

So, if you are on the latest v4.x version and you still have the http challenge server on (by default), then it should be responding (not IIS) unless there is something else non-Microsoft using port 80 (like Apache/nginx etc).

Please check your log file for the managed certificate to see if you get a message like ‘http challenge server available’ or similar. Also check c:\programdata\certify\logs\httpChallengeServer.log

If for some reason you can't use the built-in server, we would fall back to IIS. For Certify we loop through some common configurations (see C:\Program Files\CertifyTheWeb\Scripts\Web.config) and test each one to see which works (if any) in your configuration and allows access to a test extension-less text file in the /.well-known/acme-challenge path of your website called 'configcheck'. So the test is to use your desktop browser to browse to http://<yourdomain>/.well-known/acme-challenge/configcheck, and once that works everything else is likely to work as well.

Your error is a 403 and you have correctly tried to open up anonymous authorization but your web app (a content management system?) is preventing that. You need to modify the web.config for this top level web app to let the requests through as this takes priority over the web.config in /.well-known/acme-challenge (and we don’t attempt to automatically modify it).

I know you've looked at that already, but if you can't get the built-in http challenge server working (and can't use DNS challenges instead) you'll need to take another look at the top level web.config.


#3

I am receiving the message “Http Challenge Server process available” in the logs. The httpChallengeServer.log does say it is responding to key requests as well. This is what my top level web.config looks like:

<configuration>
  <system.webServer>
    <validation validateIntegratedModeConfiguration="false" />
    <staticContent>
      <mimeMap fileExtension="." mimeType="text/json" />
    </staticContent>
    <handlers>
      <clear />
      <add name="StaticFile" path="*" verb="*" type="" modules="StaticFileModule,DefaultDocumentModule,DirectoryListingModule" scriptProcessor="" resourceType="Either" requireAccess="Read" allowPathInfo="false" preCondition="" responseBufferLimit="4194304" />
    </handlers>
  </system.webServer>
  <location path=".well-known/acme-challenge">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>

My web.config in acme-challenge looks like this:

<configuration>
  <system.webServer>
    <validation validateIntegratedModeConfiguration="false" />
    <staticContent>
      <mimeMap fileExtension=".*" mimeType="text/json" />
    </staticContent>
    <handlers>
      <clear />
      <add name="StaticFile" path="*" verb="*" type="" modules="StaticFileModule,DefaultDocumentModule,DirectoryListingModule" scriptProcessor="" resourceType="Either" requireAccess="Read" allowPathInfo="false" preCondition="" responseBufferLimit="4194304" />
    </handlers>
    <directoryBrowse enabled="false" />
  </system.webServer>
  <location path=".well-known/acme-challenge">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>

#4

Do you have https redirection or URL rewriting enabled? It could be that although you have added a rule to allow /.well-known/acme-challenge access, you are still redirecting all requests. You can email details of your domain/website address to support at certifytheweb.com to dig a little deeper into this issue.
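The 'configcheck' browser test from #2 and the redirect question in #4 can be combined into one check run from the server or any workstation. The script below is an added example for this thread, not part of Certify The Web or its Scripts folder; the hostname is a placeholder you supply, and it deliberately disables automatic redirect following so that a 301/302 from an https-redirect or URL Rewrite rule is reported rather than silently followed to the HTTPS site (which is exactly what hides the problem when you "just browse to it").

```powershell
# Added example (not Certify The Web's own code). Requests the extension-less test
# file /.well-known/acme-challenge/configcheck over plain http, as the ACME validator
# does, and explains the status code that comes back. $Domain is a placeholder.
function Test-AcmeChallengePath {
    param(
        [Parameter(Mandatory = $true)][string]$Domain,
        [string]$Token = 'configcheck'   # file Certify writes during its config test
    )

    $url = "http://$Domain/.well-known/acme-challenge/$Token"

    # Use HttpWebRequest directly: AllowAutoRedirect = $false behaves the same in
    # Windows PowerShell 5.1 and PowerShell 7, unlike Invoke-WebRequest -MaximumRedirection 0.
    $request = [System.Net.WebRequest]::Create($url)
    $request.Method = 'GET'
    $request.AllowAutoRedirect = $false
    $request.Timeout = 10000
    $request.UserAgent = 'acme-path-check/1.0'

    try {
        $response = $request.GetResponse()
    } catch [System.Net.WebException] {
        # 4xx/5xx surface as WebException; the response object is still attached.
        if ($null -eq $_.Exception.Response) {
            return [pscustomobject]@{ Url = $url; Status = 0; Location = $null;
                Verdict = "No HTTP response (nothing listening on port 80, firewall, or DNS): $($_.Exception.Message)" }
        }
        $response = $_.Exception.Response
    }

    $status   = [int]$response.StatusCode
    $location = $response.Headers['Location']
    $response.Close()

    $verdict = switch ($status) {
        200 { "OK: token file is served over http; the validator should succeed the same way." }
        { $_ -in 301, 302, 307, 308 } {
            "Redirect to '$location': an https redirect or URL Rewrite rule is intercepting " +
            "the request. Exclude /.well-known/acme-challenge/ from that rule."
        }
        403 { "Forbidden: the site's top-level web.config (or the web app behind it) denies the " +
              "request before the acme-challenge web.config is consulted." }
        404 { "Not Found: the path is reachable but the extension-less file is not served; " +
              "check the StaticFile handler and mimeMap in the acme-challenge web.config, " +
              "or confirm the configcheck file exists." }
        default { "Unexpected status $status; check the site's logs for this request." }
    }

    [pscustomobject]@{ Url = $url; Status = $status; Location = $location; Verdict = $verdict }
}

# Usage (placeholder hostname): run from the server or any machine with port 80 access.
Test-AcmeChallengePath -Domain 'www.example.com' | Format-List
```

Because the built-in challenge server in v4 only listens while a challenge is in progress, a 404 from this script outside a renewal attempt is expected if IIS itself is not serving the folder; run it while Certify's "Test" or a renewal is underway, or check httpChallengeServer.log as described in #2, before concluding the path is broken.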


#5

As a side note I am also receiving this error now and again:

2019-03-15 13:16:33.736 -04:00 [INF] Default Web Site: Request failed - Failed to begin certificate order. System.Exception: Failed to begin certificate order.
at Certify.Providers.Certes.CertesACMEProvider.d__26.MoveNext()
— End of stack trace from previous location where exception was thrown —
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Certify.Management.CertifyManager.d__11.MoveNext() in C:\Work\GIT\certify\src\Certify.Core\Management\CertifyManager\CertifyManager.CertificateRequest.cs:line 463
— End of stack trace from previous location where exception was thrown —
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Certify.Management.CertifyManager.d__8.MoveNext() in C:\Work\GIT\certify\src\Certify.Core\Management\CertifyManager\CertifyManager.CertificateRequest.cs:line 333

Perhaps this is because I have tried to renew too many times within a time period? It used to tell me I have tried to renew too many times in the error log.