Renewal issue for https website with secure firewall settings

Hi

I have set IIS WWW Service in the firewall to allow ONLY SSL https incoming connections.
I’ve noticed that certify is looking for the challenge file in http://example.com/.well-known/acme-challenge/{secret} and not https://example.com/.well-known/acme-challenge/{secret}

When I disable the firewall setting for secure inbound connections only, I can then manually renew certificates and then enable the firewall setting again.

Can you add a setting where I can select https verification when certificates are already loaded and the site is already https?

Thanks

Hi,

Certify uses the Let’s Encrypt certificate authority to acquire certificates, so validation is per their requirements. Let’s Encrypt http validation requires http over port 80 - redirects are supported but they are not necessary.

Certify has a built-in port 80 validation server that spins up temporarily during validation. There is no need to run any port 80 http bindings in IIS.

As an alternative you can use DNS validation.

You could also add Pre and Post request Tasks to disable and re-enable port 80 firewall rules but there is no security benefit to doing that if you are not running a port 80 service normally.
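The Pre/Post request task idea above, written out as an added PowerShell example (this is not Certify’s own code, and the thread does not show how Certify invokes a script task, so a plain invocation with a `-Mode Pre` or `-Mode Post` argument is assumed; the rule name `ACME-HTTP-01-Port80` is this example’s own). The same script serves both tasks: the Pre run enables a narrowly scoped inbound TCP/80 allow rule for the built-in validation server, the Post run disables it again and then checks that nothing is still listening on port 80, so the host is back to https-only.

```powershell
# Added example, not from Certify: toggle a port-80 allow rule around ACME HTTP-01 validation.
# Assumptions: rule name below is arbitrary; -Mode is passed by the Pre/Post task configuration.
param(
    [Parameter(Mandatory = $true)]
    [ValidateSet('Pre', 'Post')]
    [string]$Mode
)

$RuleName = 'ACME-HTTP-01-Port80'   # assumed name for this example

# Create the rule once, disabled, and scoped as narrowly as possible: inbound TCP/80 only.
$rule = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
if (-not $rule) {
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
        -LocalPort 80 -Action Allow -Profile Any -Enabled False | Out-Null
}

switch ($Mode) {
    'Pre'  { Enable-NetFirewallRule  -DisplayName $RuleName }   # open TCP/80 for the validation server
    'Post' { Disable-NetFirewallRule -DisplayName $RuleName }   # close it again once validation is done
}

# Report the resulting state so the task log shows what happened.
$state = (Get-NetFirewallRule -DisplayName $RuleName).Enabled
Write-Output "$RuleName enabled = $state ($Mode task)"

# After the Post step the port should be closed, not merely firewalled: warn if a listener remains.
if ($Mode -eq 'Post') {
    $listener = Get-NetTCPConnection -LocalPort 80 -State Listen -ErrorAction SilentlyContinue
    if ($listener) {
        Write-Warning "A process still listens on TCP/80 (PID $($listener.OwningProcess))"
    }
}
```

Run it as `.\Toggle-Port80.ps1 -Mode Pre` before the request and `-Mode Post` after it. As the reply notes, if no service normally listens on port 80 the rule adds no real protection, since the only thing reachable while it is enabled is Certify’s temporary validation server; the script is mainly useful when a blanket policy blocks everything but 443 and cannot be loosened permanently.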

Hi,

OK I’ve enabled DNS Validation Checks.

Must I disable the http challenge server or leave it enabled?

Will this resolve the issue when I allow only https inbound connections?

Hi, yes if you use DNS validation to get your certificate then you don’t need port 80 open at all. You can leave the http challenge server option enabled, it will never be used anyway if you are using DNS validation.
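With DNS validation the thing to check is that the `_acme-challenge` TXT record actually reaches public resolvers, since that, not port 80, is now what the renewal depends on. The following added PowerShell check is not part of the thread; `example.com` and the resolver `1.1.1.1` are placeholder choices, and the script queries the resolver directly so a cached or internal answer cannot hide a missing record.

```powershell
# Added example: confirm the DNS-01 challenge TXT record is visible from a public resolver.
# Placeholders: domain and resolver are parameters, defaults are illustrative only.
param(
    [string]$Domain   = 'example.com',
    [string]$Resolver = '1.1.1.1'
)

$challengeName = "_acme-challenge.$Domain"

# -DnsOnly bypasses the local cache and hosts file; -Server asks the chosen public resolver.
$records = Resolve-DnsName -Name $challengeName -Type TXT -Server $Resolver -DnsOnly `
    -ErrorAction SilentlyContinue

if (-not $records) {
    # Outside a validation window this is expected; during one it means the record has not propagated yet.
    Write-Output "No TXT record at $challengeName via $Resolver"
    return
}

foreach ($r in ($records | Where-Object { $_.Type -eq 'TXT' })) {
    # A DNS-01 value is base64url(SHA-256(key authorization)): 43 characters, no padding.
    $value      = ($r.Strings -join '')
    $wellFormed = $value -match '^[A-Za-z0-9_-]{43}$'
    Write-Output ("{0} -> '{1}' (well-formed: {2}, TTL {3}s)" -f $challengeName, $value, $wellFormed, $r.TTL)
}
```

A high TTL on a stale record is the usual cause of a DNS-01 failure when the provider update itself succeeded, so the TTL is printed alongside the value.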

Hi
Ok thanks I will monitor this to see how it works next time round.

Thanks

To validate your current settings you can just click ‘Request Certificate’ which will force a new certificate to be requested rather than waiting for the renewal. If the renewal fails then you have until the existing certificate expires to figure out what the problem is, if it succeeds then you know you can just leave it to renew automatically from now on.