Problem renewing certificate

Hello,

When I click the “Renew All” button to renew a certificate after the due date, this error is produced:

> 2020-06-24 12:04:32.982 -04:00 [INF] Invalid response from http://domain.cl/.well-known/acme-challenge/ZwDjwhWT2eZfflOiXlLk5h6vhppQ-NgOGcVLsBMKno0 [204.93.169.214]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n<html><head>\n<title>404 Not Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"
> 2020-06-24 12:04:34.206 -04:00 [INF] Validation of the required challenges did not complete successfully. Invalid response from http://domain.cl/.well-known/acme-challenge/ZwDjwhWT2eZfflOiXlLk5h6vhppQ-NgOGcVLsBMKno0 [204.93.169.214]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n<html><head>\n<title>404 Not Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"

My web server is: IIS 10

The operating system my web server runs on is: Windows Server 2019

What can I do?

Thanks
Jaime

It means that Certify was unable to place/serve the challenge files that Let’s Encrypt wanted.

You might want to check that the Site Root Directory in Certify is properly set or blank to automatically guess. You may need to use the options there to configure your web.config.

Alternately you can go to Certify’s settings and enable the HTTP challenge server. It will temporarily stand in front of IIS and intercept requests to /.well-known/ and let others pass to IIS.

Hello @jljtgr,

the settings are already that way; the HTTP challenge server is enabled.

Furthermore, I have tested the configuration and these were the results:

[image: configuration test results]

Maybe the problem is that I have configured the site to accept only https and when an http is received, IIS redirects to the https.

Could this be the problem? I don’t want the site to allow http, so how can I solve this? Why is Certify trying to use http?

Thanks
Jaime

Let’s Encrypt requires port 80 to be open for http-01 challenges. You may redirect a port 80 request to HTTPS/443 and an invalid certificate, but if port 80 is completely rejected, it is impossible to use http-01 challenges.

Your DNS entries for www and non-www do not resolve to the same IP address. This is why only one of the config checks pass. If you add both to your certificate, Let’s Encrypt will check that you own both using the same method which means Certify needs to respond to both.

I have made both DNS entries point to the same IP and now the test is successful.

Now, when trying to renew, the problem is a different one.

This is the message:

2020-06-24 15:01:07.621 -04:00 [INF] Checking automated challenge response for Domain: domain.cl
2020-06-24 15:01:09.305 -04:00 [INF] Invalid response from https://www.domain.cl/.well-known/acme-challenge/LhVv89QN0oURnZXgfE0oBB_hUunTedEfxOd5Pnpy5pY [13.68.169.75]: "<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Strict//EN\" \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd\">\r\n<html xmlns=\"http"
2020-06-24 15:01:10.378 -04:00 [INF] Validation of the required challenges did not complete successfully. Invalid response from https://www.domain.cl/.well-known/acme-challenge/LhVv89QN0oURnZXgfE0oBB_hUunTedEfxOd5Pnpy5pY [13.68.169.75]: "<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Strict//EN\" \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd\">\r\n<html xmlns=\"http"
2020-06-24 15:01:10.378 -04:00 [INF] Validation of the required challenges did not complete successfully. Invalid response from https://www.domain.cl/.well-known/acme-challenge/LhVv89QN0oURnZXgfE0oBB_hUunTedEfxOd5Pnpy5pY [13.68.169.75]: "<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Strict//EN\" \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd\">\r\n<html xmlns=\"http"

Now, since the certificate has expired, all https connections are rejected. In this case, is the only solution to delete the certificate and request a new one?

Regards
Jaime

From Let’s Encrypt’s documentation:

Our implementation of the HTTP-01 challenge follows redirects, up to 10 redirects deep. It only accepts redirects to “http:” or “https:”, and only to ports 80 or 443. It does not accept redirects to IP addresses. When redirected to an HTTPS URL, it does not validate certificates (since this challenge is intended to bootstrap valid certificates, it may encounter self-signed or expired certificates along the way).

According to the error log, the web server is not responding with the contents of the challenge file but with an HTML document of some sort.
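The redirect rules quoted above, plus the same-IP requirement from earlier in the thread, can be turned into an offline pre-flight check. This is an added example, not Certify's code or Let's Encrypt's validator: the fetcher and resolver are injected so it runs without network access, the sample responses are constructed, and the key-authorization thumbprint is a placeholder.

```python
from urllib.parse import urlsplit, urljoin

MAX_REDIRECTS = 10  # Let's Encrypt follows at most 10 redirects


def redirect_allowed(url: str) -> bool:
    """Target must be http/https, on port 80/443, and not a bare IP."""
    u = urlsplit(url)
    if u.scheme not in ("http", "https") or not u.hostname:
        return False
    port = u.port or (80 if u.scheme == "http" else 443)
    if port not in (80, 443):
        return False
    host = u.hostname
    return not (host.replace(".", "").isdigit() or ":" in host)  # IPv4 / IPv6 literal


def follow_challenge(start_url, fetch, expected):
    """Walk redirects like the validator; fetch(url) -> (status, location, body)."""
    url = start_url
    for _ in range(MAX_REDIRECTS + 1):
        status, location, body = fetch(url)
        if status in (301, 302, 303, 307, 308) and location:
            target = urljoin(url, location)
            if not redirect_allowed(target):
                return False, f"disallowed redirect to {target}"
            url = target
            continue
        if status != 200:
            return False, f"HTTP {status} from {url}"
        if body.strip() == expected:
            return True, f"key authorization served from {url}"
        if body.lstrip().lower().startswith("<!doctype") or "<html" in body.lower():
            return False, f"{url} answered with an HTML page, not the token"
        return False, f"unexpected body from {url}"
    return False, "more than 10 redirects"


def same_origin(names, resolve):
    """Every name must resolve to the same address set, or one host cannot answer."""
    ips = {n: frozenset(resolve(n)) for n in names}
    return len(set(ips.values())) == 1, ips


# Constructed sample: the token from the log, a placeholder thumbprint,
# and two fake servers (IIS error page vs. correctly served challenge).
TOKEN = "ZwDjwhWT2eZfflOiXlLk5h6vhppQ-NgOGcVLsBMKno0"
KEYAUTH = TOKEN + ".PLACEHOLDER-ACCOUNT-THUMBPRINT"
START = f"http://domain.cl/.well-known/acme-challenge/{TOKEN}"
HTML = '<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"><html><body>404</body></html>'


def fetch_broken(url):  # port 80 -> https redirect, then IIS serves its own page
    return (302, url.replace("http://", "https://www.", 1), "") if url.startswith("http://") else (200, None, HTML)


def fetch_good(url):  # same redirect, but the challenge file is served
    return (302, url.replace("http://", "https://", 1), "") if url.startswith("http://") else (200, None, KEYAUTH + "\n")
```

On a real host, swap `fetch_good` for a function wrapping `urllib.request` with certificate verification disabled (the validator ignores expired certificates) and `resolve` for `socket.getaddrinfo`.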

Finally, I have deleted it and created a new certificate. Now it is working. However, I am wondering whether, when this new one is about to expire, I will have the same problem.

My personal guess is that it took this long for Let’s Encrypt’s DNS cache to expire. It looks like you have a 4 hour TTL on your DNS entries… so it took 0-4 hours for both domains to resolve to the same IP.

When you said you changed your DNS before, I did not see a change because of caching. Now I see them as the same IP, which would explain the recent success.

Hi, so the problem was that the server responding to the initial domain validation was not the server running Certify. As @jljtgr pointed out if your domains are pointing to two different IPs then one of them isn’t the one running Certify.

By default Certify spins up a temporary validation server on port 80, in front of IIS (using http.sys) - so you literally don’t even need IIS installed to perform the http validation of your domain, but Certify needs to be running on the server that your domain points to.

In order for domain validation to fall back to IIS (as you are seeing in your first error) you would either have had to have disabled the built-in http-challenge server, or you would have to be running something else that blocked port 80 (not IIS), or most likely the domain pointed to a different server.

If you recently updated/moved DNS then the problem would be that the DNS changes hadn’t finished propagating.

To test your renewal, set the renewal interval under Settings to a low number of days (like 5) then wait 5 days and review. You should review again after 30 days (because Let’s Encrypt caches validation).

I think though the initial request failure has caused you to be nervous about the renewal, but the root cause appears to have been incorrect DNS configuration for your host names.