Many Thanks + Timeout Issue?

Hi,

Can I start by saying thank you for providing such an easy to use gui for something that’s been solely coded previously.

I am having the following issue:
The Let’s Encrypt service did not issue a valid certificate in the time allowed. Failed to get new certificate from LetsEncrypt :: The operation has timed out
I’ve never been able to get the system to generate its own LetsEncrypt cert.

Is it something to do with Content Inspection on my Firewall repacking the certificate?
Is there a domain that I can add to my exclusion list so that it won’t be checked by the firewall?

The log before this is:
2018-04-22 11:13:57.031 +10:00 [INF] Performing Config Tests
2018-04-22 11:13:57.754 +10:00 [INF] Beginning Certificate Request Process: Default Web Site
2018-04-22 11:13:57.756 +10:00 [INF] Registering Domain Identifiers
2018-04-22 11:13:57.761 +10:00 [INF] Attempting Domain Validation: mail.domain.com.au
2018-04-22 11:13:57.762 +10:00 [INF] Registering and Validating mail.domain.com.au
2018-04-22 11:14:06.329 +10:00 [INF] Performing Challenge Response via IIS: mail.domain.com.au
2018-04-22 11:14:06.438 +10:00 [INF] Requesting Validation from Let’s Encrypt: mail.domain.com.au
2018-04-22 11:14:09.753 +10:00 [INF] Domain validation completed: mail.domain.com.au
2018-04-22 11:14:09.755 +10:00 [INF] Attempting Domain Validation: autodiscover.domain.com.au
2018-04-22 11:14:09.755 +10:00 [INF] Registering and Validating autodiscover.domain.com.au
2018-04-22 11:14:13.568 +10:00 [INF] Performing Challenge Response via IIS: autodiscover.domain.com.au
2018-04-22 11:14:13.647 +10:00 [INF] Requesting Validation from Let’s Encrypt: autodiscover.domain.com.au
2018-04-22 11:14:23.532 +10:00 [INF] Domain validation completed: autodiscover.domain.com.au
2018-04-22 11:14:23.534 +10:00 [INF] Requesting Certificate via Lets Encrypt
2018-04-22 11:16:16.576 +10:00 [INF] The Let’s Encrypt service did not issue a valid certificate in the time allowed. Failed to get new certificate from LetsEncrypt :: The operation has timed out

Thanks, are you running the latest version? It does indeed look like the actual validation is fine but the certificate request is failing.

I haven’t heard of firewalls filtering certificate responses before (just blocking requests altogether) but you should allow unfiltered requests against:
https://acme-v01.api.letsencrypt.org
https://acme-v02.api.letsencrypt.org

However, the most common issue is that something is failing when we make the certificate signing request and submit that to the Let’s Encrypt API. If you could install Fiddler (temporarily) you could inspect the API responses from the Let’s Encrypt API and that might tell you more. I’d suspect it may be likely to hit a rate limit (too many certificates issued) if you have previously gotten to this stage many times before. Normally that would be in the error message though.
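
One way to check both points above (whether the two ACME hosts are reachable from the server without the firewall rewriting the TLS session, and what the API actually answers) without installing Fiddler. This is an added PowerShell example, not code from the thread or from Certify the Web. The two host names are the ones listed in the reply; the expected issuer string, the TLS 1.2 setting and the 30-second timeout are assumptions, and the script should be run as Administrator on the machine Certify runs on.

```powershell
# Added example (not from the thread or from Certify the Web): inspect the
# ACME API from the server where Certify runs. Host names are from the
# reply above; the issuer check and the TLS setting are assumptions.

$acmeHosts = @('acme-v01.api.letsencrypt.org', 'acme-v02.api.letsencrypt.org')

# Windows PowerShell web requests default to TLS 1.0; the ACME API expects
# TLS 1.2, and a failed handshake can surface as a "timeout".
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

function Get-PresentedCertificate {
    param([string]$HostName, [int]$Port = 443)
    # Open a raw TLS session so we see the leaf certificate exactly as the
    # server, or a content-inspecting firewall in the path, presents it.
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept whatever is presented: we are inspecting, not trusting.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{
            Host        = $HostName
            Subject     = $cert.Subject
            Issuer      = $cert.Issuer
            Thumbprint  = $cert.Thumbprint
            NotAfter    = $cert.NotAfter
            # Assumption: the genuine API certificate chains to Let's Encrypt.
            # A firewall doing inspection re-signs it with its own CA instead.
            Intercepted = ($cert.Issuer -notmatch "Let's Encrypt")
        }
    } finally {
        $tcp.Close()
    }
}

function Get-AcmeDirectory {
    param([string]$HostName)
    # The directory document lists the API endpoints; if this call fails
    # or hangs, the certificate request cannot succeed either.
    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    try {
        $dir  = Invoke-RestMethod -Uri "https://$HostName/directory" -TimeoutSec 30
        $keys = ($dir | Get-Member -MemberType NoteProperty | ForEach-Object Name) -join ', '
        [pscustomobject]@{ Host = $HostName; Reachable = $true;  Seconds = $sw.Elapsed.TotalSeconds; Detail = $keys }
    } catch {
        [pscustomobject]@{ Host = $HostName; Reachable = $false; Seconds = $sw.Elapsed.TotalSeconds; Detail = $_.Exception.Message }
    }
}

foreach ($h in $acmeHosts) {
    Get-PresentedCertificate -HostName $h | Format-List
    Get-AcmeDirectory -HostName $h | Format-List
}
```

If `Intercepted` comes back `True`, or the thumbprint differs from what a browser outside the network shows for the same host, the firewall is re-signing the connection and the two hosts should go on its exclusion list (or the firewall's CA has to be trusted by the machine). A slow `Seconds` value with `Reachable` still `True` points at the same path the timeout in the log took. On the rate-limit question: Let's Encrypt's duplicate-certificate limit is five identical certificates per week, so repeated runs that reached "Requesting Certificate" count towards it even when the app never saw the result.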

Really strange, but I left it for a while and it all of a sudden presented me with a new certificate that had been created.

Is there anything special that I need to do to link it with my Exchange 2013 setup? I have verified that it is currently listed in the certificates, however I’m unsure how to make sure it defaults to this once the renewal happens.

Also am I correct in saying the Let’s Encrypt Authority X3 certificate, issued by DST Root CA X3 is not present on machines by default? So I will need to deploy it via GPO?

Your prompt response on my last message is very greatly appreciated.

Thanks.

Looks like it was a temporary issue with the Let’s Encrypt API, which is something we attempt to recover from by retrying after an hour or so, then after a few failed attempts we start to check less frequently.

Regarding Exchange, I’m not an expert on that but when the certificate renews you need to tell exchange the thumbprint of the new certificate, for that you need a ‘Post-Request script’ (under Advanced): https://github.com/webprofusion/certify/blob/development/docs/Request%20Script%20Hooks.md#example-enable-certificate-for-exchange-2013--2016-services-on-same-server

Some users find they need to wrap that in a 64-bit call (see examples), as v3 of the app is currently 32-bit, v4 will be 64-bit.

p.s. I’m not aware of any issue with the root certificate, that may have been something a few years ago when Let’s Encrypt was a new CA but not now.
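
A worked version of the Post-Request script the reply points to, as an added example rather than the script in the linked Certify documentation. Assumptions not stated in the thread: Certify passes the request outcome to the script as `$result`, with `IsSuccess`, `Message` and `ManagedItem.CertificateThumbprintHash` (confirm the property names against the linked doc for your version); the log file path; and re-launching through `sysnative` to get a 64-bit PowerShell from the 32-bit v3 app, which is the wrapping the reply mentions.

```powershell
# Added example (not the script from the Certify docs): bind the renewed
# certificate to Exchange 2013/2016 services on the same server.
# Assumed: Certify calls this with -result; the $result property names
# and the log path are assumptions for illustration.
param($result, [string]$Thumbprint)

$logFile = 'C:\ProgramData\Certify\exchange-hook.log'   # assumed path

function Write-HookLog {
    param([string]$Message)
    Add-Content -Path $logFile -Value ("{0:u} {1}" -f (Get-Date), $Message)
}

if ($result) {
    if (-not $result.IsSuccess) {
        Write-HookLog "Request failed, Exchange bindings left untouched: $($result.Message)"
        return
    }
    $Thumbprint = $result.ManagedItem.CertificateThumbprintHash
}
if (-not $Thumbprint) { Write-HookLog 'No thumbprint supplied'; return }

# Certify v3 runs as a 32-bit process and the Exchange snap-in only loads
# in 64-bit PowerShell, so re-run this same file through the sysnative
# redirector, passing only the thumbprint (the $result object cannot cross).
if ([IntPtr]::Size -eq 4) {
    $ps64 = Join-Path $env:windir 'sysnative\WindowsPowerShell\v1.0\powershell.exe'
    Write-HookLog "32-bit host detected, re-launching via $ps64"
    & $ps64 -NonInteractive -ExecutionPolicy Bypass -File $PSCommandPath -Thumbprint $Thumbprint
    return
}

try {
    Add-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn -ErrorAction Stop

    # Confirm the certificate really is in the machine store before binding it.
    $cert = Get-ChildItem -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
    Write-HookLog ("Binding {0} (expires {1:u}) to Exchange services" -f $cert.Subject, $cert.NotAfter)

    # -Force answers the "replace the default SMTP certificate?" prompt,
    # which would otherwise hang an unattended run.
    Enable-ExchangeCertificate -Thumbprint $Thumbprint -Services IIS,SMTP,POP,IMAP -Force

    $bound = Get-ExchangeCertificate -Thumbprint $Thumbprint
    Write-HookLog ("Now bound: {0} services={1}" -f $bound.Thumbprint, $bound.Services)
} catch {
    Write-HookLog "Exchange binding failed: $($_.Exception.Message)"
    throw
}
```

Before relying on it at renewal time, run the script by hand with `-Thumbprint <current cert thumbprint>` from a 64-bit PowerShell and check the log and `Get-ExchangeCertificate` output; the IIS binding for the Exchange virtual directories follows the certificate enabled for the IIS service, so there is nothing extra to do in IIS Manager.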

OK, I worked out what the issue was with the certificate that I had previously generated: it didn’t have the local hostname in the certificate, so it was giving errors, not because the root certificate wasn’t loaded.

However I’m still experiencing an issue with Certify the Web generating new certificates. I’ve opened Fiddler and turned on Stream while I’m running a request certificate, but Certify the Web doesn’t even show in the list (nor any references to Let’s Encrypt). Is it something that I could be doing wrong? It only seems to be working when I’ve got a browser open.
Sorry to sound like a beginner with this, but it’s the first time I’ve made any headway at all with using Let’s Encrypt on this server.

Thanks again for your prompt responses.

Hmm, from the sound of it, it’s turning out a little more complicated than it needs to be. Fiddler maybe needs the WinInet options configured, but maybe you just need to run it as Administrator. Might not be worth pursuing just now; really it shouldn’t be necessary to debug this at all.

When you say you didn’t have the local hostname in the certificate, Let’s Encrypt can only issue certificates for public sites (accessible over the web externally). So all hostnames on the cert need to be fully qualified and public (not internal to your network). If you use the public hostname rather than the private machine name in your browser you should be able to access that unless you have different public/private DNS.

Validation involves creating a text file at http://<yourdomain.com>/.well-known/acme-challenge/ which Let’s Encrypt then checks for - if that file is not accessible for any reason then validation fails (this was working in the validation you mentioned above). You can test it by browsing to the test files we create at http://<yourdomain.com>/.well-known/acme-challenge/configcheck

The other option is to use DNS validation (available in the v4 Alpha test version of Certify) but even then it can only do public domains/hostnames.

If you want to share more specific details about the exact configuration you have (including your domains and sharing your log files) you can email me at: apps at webprofusion.com
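
A pre-flight check for the two conditions the reply describes (the hostname must resolve publicly, and the challenge file must be fetchable over plain HTTP), as an added PowerShell example that is not part of the thread or of Certify the Web. The URL shape and the `configcheck` test file are from the reply above; the two hostnames are the ones in the log earlier in the thread, and the external resolver address is an arbitrary example.

```powershell
# Added example (not from the thread or from Certify the Web): check that
# each hostname resolves on public DNS and that the http-01 test file
# Certify creates is reachable. Hostnames are from the log in the thread;
# the resolver address is an example choice.

$hostnames      = @('mail.domain.com.au', 'autodiscover.domain.com.au')
$publicResolver = '1.1.1.1'   # any resolver outside your network will do

function Test-AcmeChallengePath {
    param([string]$HostName)

    # 1. Compare public and local DNS answers. The CA resolves the name from
    #    the internet, so an internal-only name or a split-DNS answer that
    #    differs from the public one explains "works in my browser, not for
    #    the CA" symptoms.
    $public = @(Resolve-DnsName -Name $HostName -Type A -Server $publicResolver -ErrorAction SilentlyContinue |
                Where-Object { $_.QueryType -eq 'A' } | ForEach-Object IPAddress)
    $local  = @(Resolve-DnsName -Name $HostName -Type A -ErrorAction SilentlyContinue |
                Where-Object { $_.QueryType -eq 'A' } | ForEach-Object IPAddress)

    # 2. Fetch the test file the same way the CA does: plain HTTP, following
    #    redirects, no credentials. Anything other than 200 (an auth prompt,
    #    a redirect to a hostname that does not resolve, a 404 because the
    #    request landed on a different site) will fail validation too.
    $url = "http://$HostName/.well-known/acme-challenge/configcheck"
    try {
        $resp   = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 15 -MaximumRedirection 5
        $status = [int]$resp.StatusCode
        $detail = $resp.Content.Trim()
    } catch {
        $status = if ($_.Exception.Response) { [int]$_.Exception.Response.StatusCode } else { -1 }
        $detail = $_.Exception.Message
    }

    [pscustomobject]@{
        Host      = $HostName
        PublicIP  = ($public -join ',')
        LocalIP   = ($local  -join ',')
        SplitDns  = (($public -join ',') -ne ($local -join ','))
        Status    = $status
        Reachable = ($status -eq 200 -and $public.Count -gt 0)
        Detail    = $detail
    }
}

$hostnames | ForEach-Object { Test-AcmeChallengePath -HostName $_ } | Format-Table -AutoSize
```

Run it once on the server and once from a machine outside the network: the server-side run uses your internal DNS, so a result that is `Reachable` only internally, or has `SplitDns` set, is the case the reply describes where the public and private hostnames differ. Names that return no `PublicIP` at all cannot be validated by either the HTTP or the DNS method.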