Validation file is not uploaded in the 'acme-challenge' directory

Hi,

I am requesting a certificate via http-01. The test goes well, but when I do the real thing and request the certificate I get an error. It states that there is an invalid response. It is looking for the validation file in the directory …/.well-known/acme-challenge/, but when I go there Certify didn’t upload this file to this destination. Other websites don’t have this issue.

What can be the problem?

Regards,
Kenneth

I’m pretty sure that the validation file is deleted when it’s done being used… even in failure. You might want to watch it while it’s actually happening instead of after.

Anyways, you can try telling https://letsdebug.net your domain that you’re having trouble with to see if it was a firewall issue or anything else external. The Certify test is internal and can’t tell if something outside your computer is blocking things.

Without knowing your domain or seeing the log files that Certify outputs, we can’t tell you your problem. If you post logs, make sure to enclose them in code blocks, like this:
```
log text
```

It also seems like you are not using the built in http challenge server - why would that be? Serving http challenge responses via IIS (or other web servers) is a fallback if you can’t use the default challenge server (which inserts an http listener in the http.sys pipeline before IIS listening for /.well-known/acme-challenge). If you are using a different server (like Apache or nginx) then you will indeed be falling back to file system/web server validation.

The most common issue with http validation is you are blocking port 80 either at the windows firewall or the cloud vm firewall.

Also if you examine your logs you will see that by default we do both a local test (http://yourdomain) and remote proxied http test via the certifytheweb.com api unless you have disabled Enable proxy API for domain config checks under Settings. So the log should show if the proxied http test was successful or not.

When we fall back to file system validation you should find that the /.well-known/acme-challenge/configcheck file has been created for your website, and ideally you should be able to access that at http://yourdomain/.well-known/acme-challenge/configcheck. The path we use to write the file is determined automatically based on which IIS site is selected in the dropdown or the Authorization > http-01 > Site Root Directory setting, which should point to the root path of your website.

If you can share your domain it does help but otherwise you should also check that the server you are setting up is definitely the server which will be responding for that domain (i.e. there are no stray IPv6 records or multiple IPs).

Hi jljtgr,

Thanks for the url https://letsdebug.net. This site gives the following result:

As you said, the validation file is being placed when requesting the certificate but is deleted right after it. The url www.cinbalans.nl has one subdomain that is redirecting to another webserver (shop.cinbalans.nl). So I think this is the issue I’m having. What can I do so that the certificate is issued in this situation?

Logfile of my last attempt:

```
2020-09-18 07:16:51.128 +02:00 [INF] ---- Beginning Request [www.cinbalans.nl] ----
2020-09-18 07:16:51.133 +02:00 [INF] Certify/5.1.7.0 (Windows; Microsoft Windows NT 6.2.9200.0)
2020-09-18 07:16:51.162 +02:00 [INF] Beginning Certificate Request Process: www.cinbalans.nl using ACME Provider:Certes
2020-09-18 07:16:51.165 +02:00 [INF] Requested domains to include on certificate: www.cinbalans.nl;cinbalans.nl
2020-09-18 07:16:51.165 +02:00 [INF] Beginning certificate order for requested domains
2020-09-18 07:16:51.190 +02:00 [INF] BeginCertificateOrder: creating/retrieving order. Retries remaining:2
2020-09-18 07:16:53.143 +02:00 [INF] Created ACME Order: https://acme-v02.api.letsencrypt.org/acme/order/48032717/5244565111
2020-09-18 07:16:53.444 +02:00 [INF] Fetching Authorizations.
2020-09-18 07:16:54.920 +02:00 [INF] Got http-01 challenge https://acme-v02.api.letsencrypt.org/acme/chall-v3/6915104323/8k1aug
2020-09-18 07:16:56.400 +02:00 [INF] Got http-01 challenge https://acme-v02.api.letsencrypt.org/acme/chall-v3/7296508951/omCHgA
2020-09-18 07:16:56.991 +02:00 [INF] Got dns-01 challenge https://acme-v02.api.letsencrypt.org/acme/chall-v3/7296508951/eoDH6g
2020-09-18 07:16:56.991 +02:00 [INF] Attempting Domain Validation: www.cinbalans.nl
2020-09-18 07:16:56.992 +02:00 [INF] Registering and Validating www.cinbalans.nl
2020-09-18 07:16:56.992 +02:00 [INF] Authorization already valid for domain: www.cinbalans.nl
2020-09-18 07:16:56.992 +02:00 [INF] Attempting Domain Validation: cinbalans.nl
2020-09-18 07:16:56.992 +02:00 [INF] Registering and Validating cinbalans.nl
2020-09-18 07:16:56.992 +02:00 [INF] Performing automated challenge responses (cinbalans.nl)
2020-09-18 07:16:56.992 +02:00 [INF] Preparing challenge response for the issuing Certificate Authority to check at: http://cinbalans.nl/.well-known/acme-challenge/Em01QUJ-uxJ-1rH8blkQSxLp8N5sApbUWji3WvFLIPk with content Em01QUJ-uxJ-1rH8blkQSxLp8N5sApbUWji3WvFLIPk.SG2UB9a9dlembOWOVjUJBbf6TE42r6brpHzO8I0QSH0
2020-09-18 07:16:56.992 +02:00 [INF] If the challenge response file is not accessible at this exact URL the validation will fail and a certificate will not be issued.
2020-09-18 07:16:57.102 +02:00 [INF] Using website path C:\Websites\www.cinbalans.nl
2020-09-18 07:16:57.110 +02:00 [INF] Checking URL is accessible: http://cinbalans.nl/.well-known/acme-challenge/Em01QUJ-uxJ-1rH8blkQSxLp8N5sApbUWji3WvFLIPk [proxyAPI: True, timeout: 5000ms]
2020-09-18 07:16:59.179 +02:00 [INF] URL is accessible. Check passed.
2020-09-18 07:16:59.180 +02:00 [INF] Requesting Validation: cinbalans.nl
2020-09-18 07:16:59.194 +02:00 [INF] Attempting Challenge Response Validation for Domain: www.cinbalans.nl
2020-09-18 07:16:59.195 +02:00 [INF] Registering and Validating www.cinbalans.nl
2020-09-18 07:16:59.195 +02:00 [INF] Domain already has current authorization, skipping verification: www.cinbalans.nl
2020-09-18 07:16:59.195 +02:00 [INF] Attempting Challenge Response Validation for Domain: cinbalans.nl
2020-09-18 07:16:59.195 +02:00 [INF] Registering and Validating cinbalans.nl
2020-09-18 07:16:59.195 +02:00 [INF] Checking automated challenge response for Domain: cinbalans.nl
2020-09-18 07:16:59.639 +02:00 [WRN] Challenge response validation still pending. Re-checking [10]..
2020-09-18 07:17:01.464 +02:00 [INF] Invalid response from http://cinbalans.nl/.well-known/acme-challenge/Em01QUJ-uxJ-1rH8blkQSxLp8N5sApbUWji3WvFLIPk [2a01:7c8:e100:1::50a0]: 404
2020-09-18 07:17:03.700 +02:00 [INF] Validation of the required challenges did not complete successfully. Invalid response from http://cinbalans.nl/.well-known/acme-challenge/Em01QUJ-uxJ-1rH8blkQSxLp8N5sApbUWji3WvFLIPk [2a01:7c8:e100:1::50a0]: 404
2020-09-18 07:17:03.701 +02:00 [INF] Validation of the required challenges did not complete successfully. Invalid response from http://cinbalans.nl/.well-known/acme-challenge/Em01QUJ-uxJ-1rH8blkQSxLp8N5sApbUWji3WvFLIPk [2a01:7c8:e100:1::50a0]: 404
2020-09-18 07:17:03.701 +02:00 [INF] Validation of the required challenges did not complete successfully. Invalid response from http://cinbalans.nl/.well-known/acme-challenge/Em01QUJ-uxJ-1rH8blkQSxLp8N5sApbUWji3WvFLIPk [2a01:7c8:e100:1::50a0]: 404
2020-09-18 07:23:25.893 +02:00 [INF] [Preview Mode] Completed certificate request and automated bindings update (IIS)
```

Regards,
Kenneth

Hi webprofusion,

Thank you for the answer. See also my reply to jljtgr.
Here is my log:


Regards,
Kenneth

Hi,
So the problem is that in your DNS for that domain you have an IPv6 AAAA record that points to an Apache web server. You should delete that from DNS unless you need it (in which case you should point it to the IPv6 address of your IIS webserver).

When Let’s Encrypt attempts to validate your domain over http it assumes that if you have an IPv6 AAAA record that you intend to use it, so it tries to access your webserver using that. The Certify tests currently just use the default (usually IPv4) DNS resolution, which is why this problem doesn’t get caught.


Note also that your log was pointing out that it was the IPv6 address that was returning a 404 error, but it takes some familiarity with the problem to see that.

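The diagnosis reached in this thread (pre-check passes, CA validation fails with a 404 from an IPv6 address) can be spotted mechanically in a log. The following is an added example, not part of the original posts and not Certify's own code; the `triage` function, the `example.com` domain, the token and the `2001:db8::50` address are constructed placeholders, and the line formats are assumed to match the log shown above.

```python
import ipaddress
import re

# Constructed sample modelled on the Certify log format shown in the thread;
# example.com, TOKEN123 and the 2001:db8:: address are placeholders.
SAMPLE_LOG = """\
2020-09-18 07:16:57.110 +02:00 [INF] Checking URL is accessible: http://example.com/.well-known/acme-challenge/TOKEN123 [proxyAPI: True, timeout: 5000ms]
2020-09-18 07:16:59.179 +02:00 [INF] URL is accessible. Check passed.
2020-09-18 07:17:01.464 +02:00 [INF] Invalid response from http://example.com/.well-known/acme-challenge/TOKEN123 [2001:db8::50]: 404
2020-09-18 07:17:03.700 +02:00 [INF] Validation of the required challenges did not complete successfully. Invalid response from http://example.com/.well-known/acme-challenge/TOKEN123 [2001:db8::50]: 404
"""

PRECHECK = re.compile(r"Checking URL is accessible: (\S+)")
PASSED = re.compile(r"URL is accessible\. Check passed\.")
CA_FAIL = re.compile(r"Invalid response from (\S+) \[([0-9A-Fa-f:.]+)\]: (\d{3})")


def triage(log_text):
    """Return one finding per distinct (URL, address) CA-side failure."""
    precheck_ok = set()   # URLs whose pre-check passed before validation
    pending_url = None    # URL of the pre-check currently in progress
    findings = {}         # keyed by (url, address) to collapse repeated lines
    for line in log_text.splitlines():
        if m := PRECHECK.search(line):
            pending_url = m.group(1)
        elif PASSED.search(line) and pending_url:
            precheck_ok.add(pending_url)
            pending_url = None
        elif m := CA_FAIL.search(line):
            url, addr, status = m.group(1), m.group(2), int(m.group(3))
            ip = ipaddress.ip_address(addr)
            findings[(url, addr)] = {
                "url": url, "address": addr, "status": status,
                "family": "IPv6" if ip.version == 6 else "IPv4",
                "precheck_passed": url in precheck_ok,
                # Pre-check OK but the CA failed over IPv6: the AAAA record
                # may point at a different server than the A record.
                "suspect_aaaa": ip.version == 6 and url in precheck_ok,
            }
    return list(findings.values())


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

A finding with `suspect_aaaa` set means the next thing to compare is the domain's A and AAAA records against the addresses of the server that is meant to answer the challenge.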