Validation of the required challenges did not complete successfully - Cannot follow HTTP 303 redirects

Hello

I have used CTW for some time. Everything went well. Since the beginning of April I get errors on renewal.

The certificate is requested for 4 subdomains on IIS. Challenge type is http-01.

For 3 subdomains the challenge response is OK, but for the last subdomain it fails.

The 4 challenge files are created on the IIS. But only 3 files persist. The failing challenge is deleted.

Excerpt of log file below. Shortened because of more than 5 links…

Do you have any hint what went wrong?

Thank you very much

Michael

BTW.

It's the same problem for other websites on that server.

-----------LOG
2021-04-09 16:28:23.793 +02:00 [INF] Preparing challenge response for the issuing Certificate Authority to check at: http://www.centro-espanol.org/.well-known/acme-challenge/dW1aRsm8LskujvaWPrqPseYi5WTY21aFmtzmVoU7MZQ with content dW1aRsm8LskujvaWPrqPseYi5WTY21aFmtzmVoU7MZQ.l-C6n0t2QZ4UA_bZIb4Us7Xx-BJG1OFHZCCDlJMHhxk

2021-04-09 16:28:23.793 +02:00 [INF] If the challenge response file is not accessible at this exact URL the validation will fail and a certificate will not be issued.

2021-04-09 16:28:24.029 +02:00 [INF] Using website path C:\iis_web\centro25

2021-04-09 16:28:24.029 +02:00 [INF] Checking URL is accessible: http://www.centro-espanol.org/.well-known/acme-challenge/dW1aRsm8LskujvaWPrqPseYi5WTY21aFmtzmVoU7MZQ [proxyAPI: True, timeout: 5000ms]

2021-04-09 16:28:27.896 +02:00 [INF] URL is accessible. Check passed.

2021-04-09 16:28:27.896 +02:00 [INF] Requesting Validation: WWWLINK

2021-04-09 16:28:27.902 +02:00 [INF] Attempting Challenge Response Validation for Domain: WWWLINK

2021-04-09 16:28:27.903 +02:00 [INF] Registering and Validating www.centro-espanol.net

2021-04-09 16:28:27.903 +02:00 [INF] Checking automated challenge response for Domain: WWWLINK

2021-04-09 16:28:28.457 +02:00 [WRN] Challenge response validation still pending. Re-checking [10]…

2021-04-09 16:28:30.698 +02:00 [WRN] Challenge response validation still pending. Re-checking [9]…

2021-04-09 16:28:33.153 +02:00 [WRN] Challenge response validation still pending. Re-checking [8]…

2021-04-09 16:28:36.425 +02:00 [WRN] Challenge response validation still pending. Re-checking [7]…

2021-04-09 16:28:39.749 +02:00 [WRN] Challenge response validation still pending. Re-checking [6]…

2021-04-09 16:28:44.065 +02:00 [INF] Fetching https://www.centro-espanol.net/.well-known/acme-challenge/3_84g8oJR_GULexNrTwIa8F9ElddcZi4QXaZR_PK-aE: Cannot follow HTTP 303 redirects

2021-04-09 16:28:47.824 +02:00 [INF] Validation of the required challenges did not complete successfully. Fetching https://www.centro-espanol.net/.well-known/acme-challenge/3_84g8oJR_GULexNrTwIa8F9ElddcZi4QXaZR_PK-aE: Cannot follow HTTP 303 redirects

Hi, so by default Certify should use a built-in http challenge server instead of using IIS. If this is not working then it will fall back to using IIS. The 303 error is probably something in your website web.config which is causing an invalid redirect.

Can you check if there is a ‘Certify.exe’ process running (not CertifySSLManagerService) as if there is that would indicate a stuck process that needs to be stopped. A server reboot may help.

I assume you have not intentionally disabled the http challenge server process (via Settings).

Hi Thanks for your help!
Server was restarted twice.
Certify.exe is running when a certificate is requested. When the certificate process is stopped, the certify.exe vanishes. In the settings “Enable Http Challenge Server” is checked.
The funny thing is that the certificate validation seems to pass for 3 subdomains but the last subdomain fails. Same thing for other websites. Always the last subdomain fails with 303 error.
Michael
log:
2021-04-12 09:07:00●109 +02:00 [INF] ---- Beginning Request [centro25_Neu] ----

2021-04-12 09:07:00●133 +02:00 [INF] Certify/5●3●5●0 (Windows; Microsoft Windows NT 10●0●14393●0)

2021-04-12 09:07:00●510 +02:00 [INF] Beginning Certificate Request Process: centro25_Neu using ACME Provider:Certes

2021-04-12 09:07:00●511 +02:00 [INF] Requested identifiers to include on certificate: www●centro-espanol●net;centro-espanol●net;centro-espanol●org;www●centro-espanol●org

2021-04-12 09:07:00●527 +02:00 [INF] Beginning certificate order for requested domains

2021-04-12 09:07:01●289 +02:00 [INF] BeginCertificateOrder: creating/retrieving order● Retries remaining:2

2021-04-12 09:07:02●565 +02:00 [INF] Created ACME Order: URLsacme-v02●api●letsencrypt●org/acme/order/45202384/9015837490

2021-04-12 09:07:02●905 +02:00 [INF] Fetching Authorizations●

2021-04-12 09:07:04●178 +02:00 [INF] Got http-01 challenge URLsacme-v02●api●letsencrypt●org/acme/chall-v3/12187752266/zf0fgQ

2021-04-12 09:07:04●814 +02:00 [INF] Got dns-01 challenge URLsacme-v02●api●letsencrypt●org/acme/chall-v3/12187752266/upyjDw

2021-04-12 09:07:05●843 +02:00 [INF] Got http-01 challenge URLsacme-v02●api●letsencrypt●org/acme/chall-v3/12187752270/jltrgw

2021-04-12 09:07:06●620 +02:00 [INF] Got dns-01 challenge URLsacme-v02●api●letsencrypt●org/acme/chall-v3/12187752270/CY6IzQ

2021-04-12 09:07:07●599 +02:00 [INF] Got http-01 challenge URLsacme-v02●api●letsencrypt●org/acme/chall-v3/12187752278/s-j6ZA

2021-04-12 09:07:08●206 +02:00 [INF] Got dns-01 challenge URLsacme-v02●api●letsencrypt●org/acme/chall-v3/12187752278/jYZqBQ

2021-04-12 09:07:09●310 +02:00 [INF] Got http-01 challenge URLsacme-v02●api●letsencrypt●org/acme/chall-v3/12273392030/GqyECw

2021-04-12 09:07:09●924 +02:00 [INF] Got dns-01 challenge URLsacme-v02●api●letsencrypt●org/acme/chall-v3/12273392030/fwehLQ

2021-04-12 09:07:12●447 +02:00 [INF] Http Challenge Server process available●

2021-04-12 09:07:12●447 +02:00 [INF] Attempting Domain Validation: www●centro-espanol●net

2021-04-12 09:07:12●447 +02:00 [INF] Registering and Validating www●centro-espanol●net

2021-04-12 09:07:12●447 +02:00 [INF] Performing automated challenge responses (www●centro-espanol●net)

2021-04-12 09:07:12●461 +02:00 [INF] Preparing challenge response for the issuing Certificate Authority to check at: URLwww●centro-espanol●net/●well-known/acme-challenge/KN5kOzGlk38guzBvoXlqJo-DGtxT3WeblWG8VzU7K-w with content KN5kOzGlk38guzBvoXlqJo-DGtxT3WeblWG8VzU7K-w●l-C6n0t2QZ4UA_bZIb4Us7Xx-BJG1OFHZCCDlJMHhxk

2021-04-12 09:07:12●461 +02:00 [INF] If the challenge response file is not accessible at this exact URL the validation will fail and a certificate will not be issued●

2021-04-12 09:07:12●506 +02:00 [INF] Using website path C:\iis_web\centro25

2021-04-12 09:07:12●525 +02:00 [INF] Checking URL is accessible: URLwww●centro-espanol●net/●well-known/acme-challenge/KN5kOzGlk38guzBvoXlqJo-DGtxT3WeblWG8VzU7K-w [proxyAPI: True, timeout: 5000ms]

2021-04-12 09:07:16●049 +02:00 [INF] URL is accessible● Check passed●

2021-04-12 09:07:16●049 +02:00 [INF] Requesting Validation: www●centro-espanol●net

2021-04-12 09:07:16●059 +02:00 [INF] Http Challenge Server process available●

2021-04-12 09:07:16●059 +02:00 [INF] Attempting Domain Validation: centro-espanol●net

2021-04-12 09:07:16●059 +02:00 [INF] Registering and Validating centro-espanol●net

2021-04-12 09:07:16●059 +02:00 [INF] Performing automated challenge responses (centro-espanol●net)

2021-04-12 09:07:16●059 +02:00 [INF] Preparing challenge response for the issuing Certificate Authority to check at: URLcentro-espanol●net/●well-known/acme-challenge/1B-bJnTibo5Li2zMJeGQMqk83ftqGJtfnBZaM602Qxo with content 1B-bJnTibo5Li2zMJeGQMqk83ftqGJtfnBZaM602Qxo●l-C6n0t2QZ4UA_bZIb4Us7Xx-BJG1OFHZCCDlJMHhxk

2021-04-12 09:07:16●061 +02:00 [INF] If the challenge response file is not accessible at this exact URL the validation will fail and a certificate will not be issued●

2021-04-12 09:07:16●098 +02:00 [INF] Using website path C:\iis_web\centro25

2021-04-12 09:07:16●102 +02:00 [INF] Checking URL is accessible: URLcentro-espanol●net/●well-known/acme-challenge/1B-bJnTibo5Li2zMJeGQMqk83ftqGJtfnBZaM602Qxo [proxyAPI: True, timeout: 5000ms]

2021-04-12 09:07:18●743 +02:00 [INF] URL is accessible● Check passed●

2021-04-12 09:07:18●744 +02:00 [INF] Requesting Validation: centro-espanol●net

2021-04-12 09:07:18●748 +02:00 [INF] Http Challenge Server process available●

2021-04-12 09:07:18●748 +02:00 [INF] Attempting Domain Validation: centro-espanol●org

2021-04-12 09:07:18●748 +02:00 [INF] Registering and Validating centro-espanol●org

2021-04-12 09:07:18●748 +02:00 [INF] Performing automated challenge responses (centro-espanol●org)

2021-04-12 09:07:18●748 +02:00 [INF] Preparing challenge response for the issuing Certificate Authority to check at: URLcentro-espanol●org/●well-known/acme-challenge/2K0AUxIgZKnuwiAgQ3rx8t2rY9gXXbct8oUPukDjZ2w with content 2K0AUxIgZKnuwiAgQ3rx8t2rY9gXXbct8oUPukDjZ2w●l-C6n0t2QZ4UA_bZIb4Us7Xx-BJG1OFHZCCDlJMHhxk

2021-04-12 09:07:18●748 +02:00 [INF] If the challenge response file is not accessible at this exact URL the validation will fail and a certificate will not be issued●

2021-04-12 09:07:18●780 +02:00 [INF] Using website path C:\iis_web\centro25

2021-04-12 09:07:18●785 +02:00 [INF] Checking URL is accessible: URLcentro-espanol●org/●well-known/acme-challenge/2K0AUxIgZKnuwiAgQ3rx8t2rY9gXXbct8oUPukDjZ2w [proxyAPI: True, timeout: 5000ms]

2021-04-12 09:07:21●378 +02:00 [INF] URL is accessible● Check passed●

2021-04-12 09:07:21●379 +02:00 [INF] Requesting Validation: centro-espanol●org

2021-04-12 09:07:21●382 +02:00 [INF] Http Challenge Server process available●

2021-04-12 09:07:21●382 +02:00 [INF] Attempting Domain Validation: www●centro-espanol●org

2021-04-12 09:07:21●383 +02:00 [INF] Registering and Validating www●centro-espanol●org

2021-04-12 09:07:21●383 +02:00 [INF] Performing automated challenge responses (www●centro-espanol●org)

2021-04-12 09:07:21●383 +02:00 [INF] Preparing challenge response for the issuing Certificate Authority to check at: URLwww●centro-espanol●org/●well-known/acme-challenge/dW1aRsm8LskujvaWPrqPseYi5WTY21aFmtzmVoU7MZQ with content dW1aRsm8LskujvaWPrqPseYi5WTY21aFmtzmVoU7MZQ●l-C6n0t2QZ4UA_bZIb4Us7Xx-BJG1OFHZCCDlJMHhxk

2021-04-12 09:07:21●383 +02:00 [INF] If the challenge response file is not accessible at this exact URL the validation will fail and a certificate will not be issued●

2021-04-12 09:07:21●417 +02:00 [INF] Using website path C:\iis_web\centro25

2021-04-12 09:07:21●424 +02:00 [INF] Checking URL is accessible: URLwww●centro-espanol●org/●well-known/acme-challenge/dW1aRsm8LskujvaWPrqPseYi5WTY21aFmtzmVoU7MZQ [proxyAPI: True, timeout: 5000ms]

2021-04-12 09:07:23●916 +02:00 [INF] URL is accessible● Check passed●

2021-04-12 09:07:23●917 +02:00 [INF] Requesting Validation: www●centro-espanol●org

2021-04-12 09:07:23●946 +02:00 [INF] Attempting Challenge Response Validation for Domain: www●centro-espanol●net

2021-04-12 09:07:23●947 +02:00 [INF] Registering and Validating www●centro-espanol●net

2021-04-12 09:07:23●947 +02:00 [INF] Checking automated challenge response for Domain: www●centro-espanol●net

2021-04-12 09:07:24●426 +02:00 [WRN] Challenge response validation still pending● Re-checking [10]●●

2021-04-12 09:07:26●256 +02:00 [INF] Fetching URLswww●centro-espanol●net/●well-known/acme-challenge/KN5kOzGlk38guzBvoXlqJo-DGtxT3WeblWG8VzU7K-w: Cannot follow HTTP 303 redirects

2021-04-12 09:07:28●327 +02:00 [INF] Validation of the required challenges did not complete successfully● Fetching URLswww●centro-espanol●net/●well-known/acme-challenge/KN5kOzGlk38guzBvoXlqJo-DGtxT3WeblWG8VzU7K-w: Cannot follow HTTP 303 redirects

2021-04-12 09:07:28●327 +02:00 [INF] Validation of the required challenges did not complete successfully● Fetching URLswww●centro-espanol●net/●well-known/acme-challenge/KN5kOzGlk38guzBvoXlqJo-DGtxT3WeblWG8VzU7K-w: Cannot follow HTTP 303 redirects

2021-04-12 09:07:28●327 +02:00 [INF] Validation of the required challenges did not complete successfully● Fetching URLswww●centro-espanol●net/●well-known/acme-challenge/KN5kOzGlk38guzBvoXlqJo-DGtxT3WeblWG8VzU7K-w: Cannot follow HTTP 303 redirects

Thanks, so the Certify challenge server seems to be working correctly as it can resolve the challenge response itself, however when Let’s Encrypt tried to resolve the URL (such as http://centro-espanol.org/.well-known/acme-challenge/2K0AUxIgZKnuwiAgQ3rx8t2rY9gXXbct8oUPukDjZ2w) it got an http redirect (303) from IIS. This shouldn’t happen if this is the Certify server that’s responding.

Are you load balancing internally or otherwise proxying the requests via another server or could your public DNS settings be wrong? It just seems as if the server that responded (78.94.117.234) was not the same server that Certify is running on and it then got passed to IIS to handle. You should also reconsider using an http 303 redirect and consider 301 or 302 instead as it looks like Let’s Encrypt doesn’t handle 303 (so it can’t then fall back to using IIS for http validation).

Hello Christopher
Thanks to your explanation I was able to resolve it:
I use IIS Module “URL rewrite” to redirect from http to https.
The default redirection type is 303 if you create a new rule in IIS Module “URL rewrite”. I changed it to 301 (permanent) and now certify accepts the redirection. The policy of certify seems to have changed.
Before I did not take any notice of the redirection type…
Thanks a lot!
Have a good day
Michael

Thanks Michael but as I say, this is Let’s Encrypt that’s failing to follow the redirect. Let’s Encrypt are the actual Certificate Authority (they validate your domain and issue trusted certificates), Certify just handles the certificate order steps and API communication for you.

The issue wasn’t entirely solved as the app shouldn’t have to fall back to using IIS at all, however I’m glad this is working for you now.
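An added example, not part of the thread and not Certify's own code: a Python audit of a web.config that lists the URL Rewrite redirect rules able to catch an http-01 challenge request and the status code each sends. The sample config, rule names and token are constructed, and the set of statuses the CA follows is an assumption (301 and 302 are named in the thread; 307 and 308 are added from Let's Encrypt's validator behaviour).

```python
import re
import xml.etree.ElementTree as ET

# IIS URL Rewrite redirectType values and the HTTP status each one sends.
REDIRECT_STATUS = {"Permanent": 301, "Found": 302, "SeeOther": 303, "Temporary": 307}
# Assumption: the redirect statuses Let's Encrypt's http-01 validator follows.
CA_FOLLOWED = {301, 302, 307, 308}
CHALLENGE_PATH = ".well-known/acme-challenge/sample-token"  # constructed token

# Constructed web.config; rule names and hosts are hypothetical.
SAMPLE_WEB_CONFIG = """<configuration><system.webServer><rewrite><rules>
  <rule name="http-to-https" stopProcessing="true">
    <match url="(.*)" />
    <conditions><add input="{HTTPS}" pattern="off" /></conditions>
    <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="SeeOther" />
  </rule>
  <rule name="old-blog">
    <match url="^blog/(.*)" />
    <action type="Redirect" url="/news/{R:1}" redirectType="SeeOther" />
  </rule>
  <rule name="apex-to-www">
    <match url="(.*)" />
    <action type="Redirect" url="https://www.example.test/{R:1}" redirectType="Permanent" />
  </rule>
</rules></rewrite></system.webServer></configuration>"""


def audit_rewrite_rules(web_config_xml, path=CHALLENGE_PATH):
    """List (rule, status, verdict) for Redirect rules whose <match> covers path."""
    findings = []
    for rule in ET.fromstring(web_config_xml).iter("rule"):
        action, match = rule.find("action"), rule.find("match")
        if action is None or action.get("type", "").lower() != "redirect":
            continue
        # <match url> is treated as a case-insensitive regex on the path without
        # its leading slash; <conditions> are not evaluated, so a covered rule
        # is assumed able to fire on the CA's plain-http request.
        pattern = match.get("url", "") if match is not None else ""
        hit = re.search(pattern, path, re.I) is not None
        if match is not None and match.get("negate", "false").lower() == "true":
            hit = not hit
        if hit:
            status = REDIRECT_STATUS.get(action.get("redirectType"))  # None = unset
            verdict = "ok" if status in CA_FOLLOWED else "review"
            findings.append((rule.get("name"), status, verdict))
    return findings


if __name__ == "__main__":
    for name, status, verdict in audit_rewrite_rules(SAMPLE_WEB_CONFIG):
        print(f"{name}: HTTP {status} -> {verdict}")
```

Rules that use wildcard pattern syntax, or that only fire under specific conditions, need a manual look because the script reads `<match url>` as a regex and ignores `<conditions>`.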