Validation error

Hey guys,
I’m trying to use certifytheweb to get an SSL certificate for my domain.
I have done all the steps in the proper way, and at the time of generating the certificate I’m getting these errors:

2025-02-12 00:23:02.686 +04:00 [INF] [Progress] All Tests Completed OK
2025-02-12 00:27:55.149 +04:00 [INF] [Progress] All Tests Completed OK
2025-02-12 00:30:22.724 +04:00 [INF] ---- Beginning Request ----
2025-02-12 00:30:22.724 +04:00 [INF] Certify/6.1.2.0 (Windows; Microsoft Windows NT 6.3.9600.0)
2025-02-12 00:30:22.724 +04:00 [INF] Beginning certificate request process: using ACME provider Anvil
2025-02-12 00:30:22.724 +04:00 [INF] The selected Certificate Authority is: Let’s Encrypt
2025-02-12 00:30:22.724 +04:00 [INF] Requested identifiers to include on certificate:
2025-02-12 00:30:24.518 +04:00 [INF] Created ACME Order: https://acme-v02.api.letsencrypt.org/acme/order/2223137865/3557839445
2025-02-12 00:30:26.822 +04:00 [INF] Got http-01 challenge https://acme-v02.api.letsencrypt.org/acme/chall/2223137865/4745430115/Qhc25w
2025-02-12 00:30:27.400 +04:00 [INF] Got dns-01 challenge https://acme-v02.api.letsencrypt.org/acme/chall/2223137865/4745430115/rQHOMg
2025-02-12 00:30:31.036 +04:00 [INF] Http Challenge Server process available.
2025-02-12 00:30:31.037 +04:00 [INF] Preparing automated challenge responses for:
2025-02-12 00:30:31.037 +04:00 [INF] Preparing challenge response for the issuing Certificate Authority to check at: with content eIDMYCVZi4e5wAe_ihTd6ErHD-xFYxq7Pv199JQDs.dP8aPzeqk1k6-DhJjuqimglSk5DYeYZK3nGKjH9SWZg
2025-02-12 00:30:31.037 +04:00 [INF] If the challenge response file is not accessible at this exact URL the validation will fail and a certificate will not be issued.
2025-02-12 00:30:31.038 +04:00 [INF] Using website path [Auto]
2025-02-12 00:30:31.038 +04:00 [WRN] The website root path for
could not be determined. Fileysystem based http validation will not be possible.
2025-02-12 00:30:31.038 +04:00 [INF] Checking URL is accessible: [proxyAPI: True, timeout: 5000ms]
2025-02-12 00:30:35.568 +04:00 [INF] Checking URL is accessible: [proxyAPI: False, timeout: 5000ms]
2025-02-12 00:30:35.876 +04:00 [INF] (local check) URL is accessible. Check passed. HTTP OK
2025-02-12 00:30:35.876 +04:00 [INF] Resuming certificate request using CA: Let’s Encrypt
2025-02-12 00:30:35.876 +04:00 [INF] Attempting challenge response validation for:
2025-02-12 00:30:35.877 +04:00 [INF] [Progress] Checking automated challenge response for:
2025-02-12 00:30:35.877 +04:00 [INF] Submitting challenge for validation: /.well-known/acme-challenge/eIDMYCVZi4e5wAe_ihTd6ErHD-xFYxq7Pv199JQDs
2025-02-12 00:30:41.650 +04:00 [ERR] [Progress] Validation failed:
Response from Certificate Authority: : Invalid response from /.well-known/acme-challenge/eIDMYCVZi4e5wAe_ihTd6ErHD-xFYxq7Pv199JQDs: “<script type="text/javascript" src="/aes.js" >function toNumbers(d){var e=;d.replace(/(…)/g,func” [Forbidden :: urn:ietf:params:acme:error:unauthorized]
2025-02-12 00:30:41.879 +04:00 [INF] Performing Post-Request (Deployment) Tasks…
2025-02-12 00:30:41.912 +04:00 [INF] Task [Store Certificate] :: Task is not enabled and will be skipped.
2025-02-12 00:30:41.912 +04:00 [ERR] Store Certificate :: Task is not enabled and will be skipped.

I understand that the app is trying to do ownership verification (if I’m not mistaken) using the “eIDMYCVZi4e5wAe_ihTd6ErHD-xFYxq7Pv199JQDs” file with content eIDMYCVZi4e5wAe_ihTd6ErHD-xFYxq7Pv199JQDs.dP8aPzeqk1k6-DhJjuqimglSk5DYeYZK3nGKjH9SWZg
which is located inside the .well-known/acme-challenge/ folders.
How can I fix this?
Can I create the certificate manually and store it locally, then upload it to my domain?
**Sorry, I had to remove all links as I’m a new user :confused:

Thank you

When you create your order with the Certificate Authority (CA), in this case Let’s Encrypt, they ask you (via the app) to prove you control the domain. The default domain validation method is http (TCP port 80) and so the app prepares a response using a built-in HTTP listener for the /.well-known/acme-challenge path and a fallback to IIS (if available, which doesn’t appear to be available here).

The part of the log quoted above shows that the certificate authority has checked your domain but instead of getting the http challenge response file it got a webpage with that content (usually a 404 not found type page, but in this case maybe not).

If something else is using port 80 (nginx, apache, or a custom web server etc) or something else responds to the http request (a firewall, router or some other proxy) then this http domain validation will fail.

The most common problem is that http requests work internally but externally they are being blocked.

Without knowing your domain I can’t really diagnose more, but check that:

  • Your domain points to your server (both IPv4 and IPv6 addresses if applicable).
  • External HTTP traffic can reach your server, even if you are not running an http server. The built-in http listener will then be able to respond.
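An added example (not part of the original reply and not Certify The Web code): a small check, meant to be run from a machine outside the server's network, that fetches the http-01 challenge URL and classifies the response the way the failure above suggests. The token and key authorization are the ones printed in the quoted log; the function names, verdict labels and User-Agent string are assumptions made for this sketch.

```python
import sys
import urllib.error
import urllib.request

# Values printed in the log quoted in this thread.
TOKEN = "eIDMYCVZi4e5wAe_ihTd6ErHD-xFYxq7Pv199JQDs"
KEY_AUTH = TOKEN + ".dP8aPzeqk1k6-DhJjuqimglSk5DYeYZK3nGKjH9SWZg"


def classify(status, body, token=TOKEN, key_auth=KEY_AUTH):
    """Return a verdict for one HTTP response to the challenge URL."""
    text = body.decode("utf-8", "replace").strip()
    if status == 200 and text == key_auth:
        return "ok"  # exactly what the CA expects to read
    if status == 200 and text.startswith(token + "."):
        # Right token, different account thumbprint: a leftover file.
        return "stale-key-authorization"
    if status >= 400:
        return "http-error"  # path is not being served at all
    lowered = text.lower()
    if any(tag in lowered for tag in ("<script", "<html", "<!doctype")):
        # Something in front of the listener answered with a web page.
        return "intercepted-by-page"
    return "unexpected"


def fetch(domain, token=TOKEN, timeout=10):
    """Fetch the challenge URL over plain HTTP on port 80."""
    url = f"http://{domain}/.well-known/acme-challenge/{token}"
    req = urllib.request.Request(url, headers={"User-Agent": "http01-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(4096)
    except urllib.error.HTTPError as err:
        return err.code, err.read(4096)


if __name__ == "__main__":
    # Usage: python http01_check.py <domain>
    status, body = fetch(sys.argv[1])
    print(status, classify(status, body))
    print(body[:200].decode("utf-8", "replace"))
```

A local run can report "ok" while an external run reports "intercepted-by-page", which matches the log: the local check passed and the CA's check did not.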

Hi webprofusion
Thank you for the reply, I really appreciate it. Just to add one thing: my site is hosted on an nginx server and I’m using the certifytheweb app on a Windows system.
This is the domain I’m using: demo.freehostlayers.com to test run the whole thing.
I have checked port 80 and it’s open.

See the web root method of presenting http challenge responses with nginx: Using with Apache, nginx or Other Web Servers | Certify The Web Docs

Nginx itself will normally be using port 80 and because it’s not designed natively for Windows it cannot share the http pipeline like IIS can, so our built-in http challenge listener can’t work and you have to present the challenge responses via your website instead.

Ok, if I use Certify The Web or a similar app from Linux, let’s say Ubuntu, would it work?
Is there any way I can prove domain control manually?

The typical tool used on linux is Certbot and that has integrated nginx support.

You can still use Certify Certificate Manager on Windows with nginx but you need to:

  • Configure the webroot for your nginx site so that when the app creates the /.well-known/acme-challenge/ path it’s accessible over http.
  • Add a Deployment Task to Deploy to nginx to get the certificate files you need.
  • Manually configure your nginx site to use the cert (and reload nginx).

The doc I linked to above explained all that so if you tried it you should be successful, but if it sounds a bit complicated I’d actually just suggest using IIS on Windows instead.

The alternative to http validation is DNS domain validation and with that you can prove your domain control manually or using automation against your DNS provider (if available).

Thank you webprofusion.
How do I configure my webroot to allow the access?
I don’t have access to nginx and of course I cannot reload it :confused:

Sorry, our app is only really intended for use where you have administrative access to the system. I would suggest looking at different “ACME” clients for automated certificates, perhaps a different one will match your requirements. https://acmeclients.com