Hi, in v4 we added a built-in http challenge server feature to reduce reliance on configuring IIS. This is a port 80 listener that spins up when we’re about to attempt an http challenge and uses http.sys to sit in front of IIS and listen for /.well-known/acme-challenge requests. It then shuts down again after a period of inactivity.
So, if you are on the latest v4.x version and you still have the http challenge server on (the default), then it should be responding (not IIS) unless there is something else non-Microsoft using port 80 (like Apache/nginx etc.).
Please check your log file for the managed certificate to see if you get a message like ‘http challenge server available’ or similar. Also check c:\programdata\certify\logs\httpChallengeServer.log
If for some reason you can’t use the built-in server, we fall back to IIS. For Certify we loop through some common configurations (see C:\Program Files\CertifyTheWeb\Scripts\Web.config) and test each one to see which works (if any) in your configuration and allows access to a test extension-less text file called ‘configcheck’ in the /.well-known/acme-challenge path of your website, so the test is to use your desktop browser to browse to http://<yourdomain>/.well-known/acme-challenge/configcheck, and once that works everything else is likely to work as well.
Your error is a 403 and you have correctly tried to open up anonymous authorization but your web app (a content management system?) is preventing that. You need to modify the web.config for this top level web app to let the requests through as this takes priority over the web.config in /.well-known/acme-challenge (and we don’t attempt to automatically modify it).
I know you’ve looked at that already, but if you can’t get the built-in http challenge server working (and can’t use DNS challenges instead) you’ll need to take another look at the top-level web.config.
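The three checks described in the reply above (who owns port 80, what the configcheck URL returns, and what the challenge server log says) as one PowerShell script. This is an added example, not Certify The Web's own code or tooling: it assumes Windows PowerShell 5.1 or later on the IIS host, the log path quoted in the reply, and a `-Domain` value you supply; the status-code hints are the usual meanings of those IIS responses, not output Certify itself produces.

```powershell
# Added diagnostic helper (not part of Certify The Web). Run on the IIS host, e.g.:
#   .\Test-AcmeHttpChallenge.ps1 -Domain example.com
param(
    [Parameter(Mandatory)][string]$Domain,
    # Log path as given in the reply above; adjust if your install differs.
    [string]$ChallengeLog = 'C:\ProgramData\certify\logs\httpChallengeServer.log'
)

function Get-Port80Owner {
    # Which process holds TCP/80? PID 4 ("System") is http.sys, which IIS and the
    # built-in challenge server share. Any other owner (Apache, nginx, ...) means the
    # built-in server cannot bind and the challenge will not reach it.
    Get-NetTCPConnection -LocalPort 80 -State Listen -ErrorAction SilentlyContinue |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                LocalAddress = $_.LocalAddress
                ProcessId    = $_.OwningProcess
                ProcessName  = $proc.ProcessName
                IsHttpSys    = ($_.OwningProcess -eq 4)
            }
        }
}

function Test-AcmeConfigCheck {
    param([Parameter(Mandatory)][string]$Domain)
    # Same URL the reply tells you to open in a desktop browser.
    $url = "http://$Domain/.well-known/acme-challenge/configcheck"
    try {
        $resp = Invoke-WebRequest -Uri $url -UseBasicParsing -MaximumRedirection 0 -ErrorAction Stop
        $code = [int]$resp.StatusCode
    } catch {
        # Non-2xx responses (and exceeded redirects) surface as exceptions; pull the code out.
        $code = if ($_.Exception.Response) { [int]$_.Exception.Response.StatusCode } else { -1 }
    }
    $hint = switch ($code) {
        200     { 'OK: extension-less file served, http challenges should work' }
        403     { 'Forbidden: site-level web.config (authentication/authorization) is blocking the path' }
        404     { 'Not found: extension-less files are not being served from the challenge path' }
        { $_ -in 301, 302, 307, 308 } { 'Redirected (likely to https): exclude the challenge path from redirect rules' }
        -1      { 'No response: nothing answering on port 80, or DNS does not point at this host' }
        default { "Unexpected status $code" }
    }
    [pscustomobject]@{ Url = $url; StatusCode = $code; Hint = $hint }
}

function Get-ChallengeServerLogTail {
    param([string]$Path, [int]$Lines = 20)
    # Look for 'http challenge server available' (or similar) near the end of the log.
    if (Test-Path -LiteralPath $Path) { Get-Content -LiteralPath $Path -Tail $Lines }
    else { "Log not found at $Path (built-in challenge server may never have started)" }
}

'--- Port 80 listeners ---'
Get-Port80Owner | Format-Table -AutoSize
'--- configcheck request ---'
Test-AcmeConfigCheck -Domain $Domain | Format-List
'--- httpChallengeServer.log (last 20 lines) ---'
Get-ChallengeServerLogTail -Path $ChallengeLog
```

Run it from an elevated prompt so `Get-NetTCPConnection` can resolve the owning process. A 403 from the configcheck URL with http.sys on port 80 points at the site-level web.config as the reply says; a non-http.sys owner on port 80 points at the built-in server being unable to bind at all.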