Tests pass, renewal fails


#1

Hi,

I’m trying to renew a certificate but it’s failing. Running the test function returns that all tests pass but when running the renewal it fails.

Validation of the required challenges did not complete successfully. Fetching http://forums.griffinendurance.com/.well-known/acme-challenge/lCP0XEbw3G9bwgeC0utNQKv6hqAkjGIIrL7bL3iQcjA: Timeout during connect (likely firewall problem)

Since requesting the first cert I’ve enabled “Require SSL” with HSTS and a 403.3 redirect to the HTTPS site, forcing the use of HTTPS instead of HTTP; however, the validation seems to only work over HTTP. I’ve tried converting the .well-known directory to its own application and removing the SSL requirement, but it still fails. Is there a way to look for the validation file over HTTPS? Since the certificate hasn’t yet expired, it shouldn’t produce any errors?

Any other suggestions on how to deal with this issue would also be greatly appreciated. I use DNS validation for another domain’s wildcard but this domain belongs to a friend and doesn’t use a DNS service for which I can validate the cert request.

Thanks in advance!


#2

Hi, so are you using the latest v4?

Your forum/content management system is overriding the handling of the /.well-known/ path (so Let’s Encrypt will check that path and get a 404, or in your case a ‘Route not found’).

With v4 there is a built-in http challenge server which tries to answer /.well-known/acme-challenge http challenges itself, avoiding the complexity of configuring IIS applications; this is optional and can be toggled in Settings. If you have IIS on port 80 that should be fine, but if you have another piece of software (such as nginx or Apache) this won’t work, as they will hold onto port 80 instead. In that case you need the .well-known folder content to work. Your software may have a way to not handle certain static folders, so you should look into that in case you can just add an exception for .well-known.

If you put a file (like test.txt) in /.well-known/acme-challenge/ you should then be trying to get that file to be browseable. To achieve that we try a few different web.configs in that folder to try to determine a config that works for you; you may need to modify the web.config to get something that works in your case. Once you can browse to test.txt, try removing the .txt extension and browsing to the file again. Once you have that working (an extensionless text file in .well-known/acme-challenge) you’re good to go.
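The folder preparation and browse test described in the reply above, as an added PowerShell example that is not code from this thread or from Certify The Web. It writes a web.config for the .well-known/acme-challenge folder that hands every request there to the static-file handler and serves extensionless files as text/plain, optionally clears the inherited “Require SSL” setting for that folder only (via appcmd, committed to applicationHost.config because that section is locked by default), then drops an extensionless file with a random token name and fetches it over plain HTTP without following redirects. The site root, host name and site name are placeholder assumptions to replace with your own.

```powershell
# Added example (not from the thread or Certify The Web): prepare the
# /.well-known/acme-challenge folder on an IIS site and verify that an
# extensionless file in it is reachable over plain HTTP.
param(
    [string]$SiteRoot = 'C:\inetpub\wwwroot',   # assumed physical path of the site
    [string]$HostName = 'forums.example.com',   # assumed public host name of the site
    [string]$SiteName = 'Default Web Site',     # assumed IIS site name (used by appcmd)
    [switch]$ClearSslRequirement                # also clear "Require SSL" on the folder
)

$challengeDir = Join-Path $SiteRoot '.well-known\acme-challenge'
New-Item -ItemType Directory -Path $challengeDir -Force | Out-Null

# web.config for the challenge folder: bypass the application's own handlers
# (e.g. forum routing) and let IIS serve extensionless files as plain text.
$webConfig = @'
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <handlers>
      <clear />
      <add name="StaticFile" path="*" verb="GET" modules="StaticFileModule"
           resourceType="Either" requireAccess="Read" />
    </handlers>
    <staticContent>
      <remove fileExtension="." />
      <mimeMap fileExtension="." mimeType="text/plain" />
    </staticContent>
  </system.webServer>
  <system.web>
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>
</configuration>
'@
Set-Content -Path (Join-Path $challengeDir 'web.config') -Value $webConfig -Encoding UTF8

# "Require SSL" is inherited from the site; clear it for this folder only. The
# security/access section is locked by default, so commit to applicationHost.config.
if ($ClearSslRequirement) {
    & "$env:windir\System32\inetsrv\appcmd.exe" set config "$SiteName/.well-known/acme-challenge" `
        -section:system.webServer/security/access /sslFlags:"None" /commit:apphost
}

# Extensionless test file with a random name, like a real ACME token.
$token = -join ((48..57 + 65..90 + 97..122) | Get-Random -Count 32 | ForEach-Object { [char]$_ })
$expected = "probe-$token"
Set-Content -Path (Join-Path $challengeDir $token) -Value $expected -NoNewline -Encoding ASCII

$url = "http://$HostName/.well-known/acme-challenge/$token"
try {
    # Do not follow redirects: a 3xx here is what the HTTPS redirect looks like to a client.
    $resp = Invoke-WebRequest -Uri $url -UseBasicParsing -MaximumRedirection 0 -ErrorAction Stop
    if ($resp.StatusCode -eq 200 -and $resp.Content.Trim() -eq $expected) {
        Write-Host "OK: $url served the expected content over plain HTTP"
    } else {
        Write-Host "Unexpected response: HTTP $($resp.StatusCode), body: $($resp.Content)"
    }
} catch {
    # 403.4 (Require SSL), a 301/302 to https, or a 'Route not found' 404 from the app land here.
    $r = $_.Exception.Response
    if ($r) { Write-Host "Failed: HTTP $([int]$r.StatusCode) $($r.StatusDescription) for $url" }
    else    { Write-Host "Failed: $($_.Exception.Message)" }
} finally {
    Remove-Item -Path (Join-Path $challengeDir $token) -ErrorAction SilentlyContinue
}
```

Run it from a machine outside your network as well as on the server: the “Timeout during connect (likely firewall problem)” message in the first post is a connectivity failure that a test from the server itself cannot reproduce. The `<remove fileExtension="." />` line is there so the script does not fail with a duplicate-entry error if a “.” mapping is already inherited from a parent config.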


#3

Thanks for the reply. The forum software does indeed catch the 404 error when the test file isn’t in place, but when it is, the file is served correctly.

I don’t know how or why, but during an auto-refresh yesterday the certificate was successfully renewed, so I would consider this case closed, though I have no idea what the cause of the failure was or, subsequently, the remedy that fixed it. Perhaps it was just an intermittent error?

Just for reference, I do indeed only run IIS on the server, and port 80 is active; however, I’ve selected the ‘Require SSL’ option, which will return an HTTP 403.4 error when someone tries to browse the site via HTTP. IIS however handles the error with a redirect to the HTTPS version of the site, essentially invisibly forcing users into SSL regardless of the URL entered. I’ve also configured the URL Rewrite module to enforce HSTS.

Anyway, thank you for the help!


#4

Cool, glad it’s working for you. I think there could be an occasional timing issue between running ‘Test’ (which spins up the http challenge server, thus skipping IIS entirely) then running Request Certificate soon after (so the challenge server is still running but may quit just before it’s asked to do real validation). If the challenge server is not available then it will fall back to normal http validation via IIS. Will investigate.