Timeout while validating order with CA (Could not validate HTTP challenge)

[franklinab]

When I'm trying to order a certificate, I always get a timeout error even if the challenge is generated and available by URL.

I've deactivated all Windows Firewall, I have a public domain registered for tests: https://atgates.ddns.net. I have just this domain for the default site with the same name "atgates.ddns.net".

Here is the commands ran:

C:\Program Files\WinCertes>WinCertes.exe -s https://acme-staging-v02.api.letsencrypt.org/directory -e franklin.bezerra@interalphatecnologia.com.br -d atgates.ddns.net -w="c:\inetpub\wwwroot\atgates" -b atgates.ddns.net -p [DEBUG] PFX password will be: ece3e4a2963d4fc4 [DEBUG] Successfully registered account franklin.bezerra@interalphatecnologia.com.br with certificate authority https://acme-staging-v02.api.letsencrypt.org/directory Successfully registered account franklin.bezerra@interalphatecnologia.com.br with certificate authority https://acme-staging-v02.api.letsencrypt.org/directory [DEBUG] Please check the ACME Service ToS at: https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf Please check the ACME Service ToS at: https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf [DEBUG] Current certificate expiration date is: [DEBUG] Initiating HTTP Validation for atgates.ddns.net [DEBUG] Error while trying to register and validate order System.Exception: Could not validate HTTP challenge: Fetching http://atgates.ddns.net/.well-known/acme-challenge/8NVwgUhcskTL1FrFZoW8toz6gnrKnnguoCpp8-sodpo: Timeout during connect (likely firewall problem) em WinCertes.CertesWrapper.d16.MoveNext() na C:\Users\Alexandre Aufrere\source\repos\WinCertes\WinCertes\CertesWrapper.cs:linha 195 --- Fim do rastreamento de pilha do local anterior onde a exceção foi gerada --- em System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() em System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) em System.Runtime.CompilerServices.TaskAwaiter.GetResult() em WinCertes.CertesWrapper.d15.MoveNext() na C:\Users\Alexandre Aufrere\source\repos\WinCertes\WinCertes\CertesWrapper.cs:linha 157 [DEBUG] Failed to register and validate order with CA: Could not validate HTTP challenge: Fetching http://atgates.ddns.net/.well-known/acme-challenge/8NVwgUhcskTL1FrFZoW8toz6gnrKnnguoCpp8-sodpo: Timeout during connect (likely firewall problem) Failed to register and validate order with CA: Could not validate HTTP challenge: Fetching http://atgates.ddns.net/.well-known/acme-challenge/8NVwgUhcskTL1FrFZoW8toz6gnrKnnguoCpp8-sodpo: Timeout during connect (likely firewall problem)

C:\Program Files\WinCertes>WinCertes.exe --show Service URI: https://acme-staging-v02.api.letsencrypt.org/directory Account Email: franklin.bezerra@interalphatecnologia.com.br Registered: yes Auth. Mode: http-01 validation with external web server Web Root: c:\inetpub\wwwroot\atgates IIS Bind Name: atgates.ddns.net Import in CSP: yes PS Script File: none Renewal Delay: 30 days Task Scheduled: no Cert Enrolled: no

• OS: Windows 10 64bit with IIS 10

[aloopkin]

Apparently you need to open port 80 on your firewall.

LE server cannot reach it to validate the request, and indeed it is closed.

[franklinab]

Thank you @aloopkin. It was my mistake because I was testing inside my network and the problem was in the router firewall. Now the challenge can be reached.

However, now I'm getting the following error:

C:>"Program Files\WinCertes\WinCertes.exe" -s https://acme-staging-v02.api.letsencrypt.org/directory -e franklin.bezerra@interalphatecnologia.com.br -d toptalent.com.br -w="c:\inetpub\wwwroot\atgates" -b "atgates.ddns.net" -p [DEBUG] PFX password will be: 634ca56b278a4674 [DEBUG] Successfully registered account franklin.bezerra@interalphatecnologia.com.br with certificate authority https://acme-staging-v02.api.letsencrypt.org/directory Successfully registered account franklin.bezerra@interalphatecnologia.com.br with certificate authority https://acme-staging-v02.api.letsencrypt.org/directory [DEBUG] Please check the ACME Service ToS at: https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf Please check the ACME Service ToS at: https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf [DEBUG] Current certificate expiration date is: [DEBUG] Initiating HTTP Validation for toptalent.com.br [DEBUG] Error while trying to register and validate order System.Exception: Could not validate HTTP challenge: Invalid response from http://toptalent.com.br/.well-known/acme-challenge/qjsg9z_4zN41B5g1_OA-SkVrM6c_VVBHqPx69WzBgX4 [38.26.30.138]: 500 em WinCertes.CertesWrapper.d16.MoveNext() na C:\Users\Alexandre Aufrere\source\repos\WinCertes\WinCertes\CertesWrapper.cs:linha 195 --- Fim do rastreamento de pilha do local anterior onde a exceção foi gerada --- em System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() em System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) em System.Runtime.CompilerServices.TaskAwaiter.GetResult() em WinCertes.CertesWrapper.d15.MoveNext() na C:\Users\Alexandre Aufrere\source\repos\WinCertes\WinCertes\CertesWrapper.cs:linha 157 [DEBUG] Failed to register and validate order with CA: Could not validate HTTP challenge: Invalid response from http://toptalent.com.br/.well-known/acme-challenge/qjsg9z_4zN41B5g1_OA-SkVrM6c_VVBHqPx69WzBgX4 [38.26.30.138]: 500 Failed to register and validate order with CA: Could not validate HTTP challenge: Invalid response from http://toptalent.com.br/.well-known/acme-challenge/qjsg9z_4zN41B5g1_OA-SkVrM6c_VVBHqPx69WzBgX4 [38.26.30.138]: 500

If you try to access http://toptalent.com.br/.well-known/acme-challenge/qjsg9z_4zN41B5g1_OA-SkVrM6c_VVBHqPx69WzBgX4 you will be able to read the file but got a 500 error.

For this acme-challenge I have the following web.config: <?xml version="1.0" encoding="UTF-8"?>

So, I've created a new challenge "acme-challenge1" and tried to change the mimeType from "application/octet-stream" to "text/plain" in the web.config as follow: <?xml version="1.0" encoding="UTF-8"?>

That way, I can read the file without error at http://toptalent.com.br/.well-known/acme-challenge/qjsg9z_4zN41B5g1_OA-SkVrM6c_VVBHqPx69WzBgX4. The problem is that every time, the web.config is re-created with the mimeType "application/octet-stream".

Any suggestions how can I solve this?

[aloopkin]

Sorry but your message was cropped, and i didn't get everything.

Did you try to change the web.config at the root of the website, as suggested in WinCertes Readme.md ?

[franklinab]

Yes, even I have a web.config file at the root of the website, WinCertes application creates a new one inside the acme-challenge folder overwriting the default created.

Look: http://toptalent.com.br/.well-known/acme-challenge/qjsg9z_4zN41B5g1_OA-SkVrM6c_VVBHqPx69WzBgX4 -> causes an 500 error because there is a web.config with the mimeType "application/octet-stream"

http://toptalent.com.br/.well-known/acme-challenge1/qjsg9z_4zN41B5g1_OA-SkVrM6c_VVBHqPx69WzBgX4 -> I can read the file because there is a web.config with the mimeType "text/plain" configured manually.

[aloopkin]

i'm lost. from http://toptalent.com.br/.well-known/acme-challenge/qjsg9z_4zN41B5g1_OA-SkVrM6c_VVBHqPx69WzBgX4 i can download the challenge perfectly well....

[franklinab]

Yeah but if you try access by browser you'll download the challenge but the page will return a 500 error and I think this causes the error when ordering the certificate:

Failed to register and validate order with CA: Could not validate HTTP challenge: Invalid response from http://toptalent.com.br/.well-known/acme-challenge/qjsg9z_4zN41B5g1_OA-SkVrM6c_VVBHqPx69WzBgX4 [38.26.30.138]: 500

[aloopkin]

well, from my browser it's working as well...

[aloopkin]

just to test, can you remove the http binding for IIS and instead use the standalone mode of WinCertes (-a option) ?

[franklinab]

Now it's working. I've cleaned up my IIS, reinstalled WinCertes and remove all caches and temporary files. To finish the certificate auto generation here, I need help for the following scenario:

For example, let's say that I have 5 domains, all running only by HTTP (80 port) for the website called "atgates": atgates.ddns.net toptalent.com.br www.toptalent.com.br franklin.com.br www.franklin.com.br

How can I have 3 different certificates and bind the 5 domains for HTTP (port 443)?

• 1 certificate for atgates.ddns.net and bind "atgates.ddns.net:443"
• 1 certificate for toptalent.com.br and www.toptalent.com.br and bind "toptalent.com.br:443" and "www.toptalent.com.br:443"
• 1 certificate for franklin.com.br and www.franklin.com.br and bind "franklin.com.br:443" and "www.franklin.com.br"

I've tried the following commands but it didn't work. The last one overwrites the others. WinCertes.exe -e franklin.bezerra@interalphatecnologia.com.br -d atgates.ddns.net -w="c:\inetpub\wwwroot\atgates" -b "atgates" -p WinCertes.exe -e franklin.bezerra@interalphatecnologia.com.br -d toptalent.com.br -d www.toptalent.com.br -w="c:\inetpub\wwwroot\atgates" -b "atgates" -p WinCertes.exe -e franklin.bezerra@interalphatecnologia.com.br -d franklin.com.br -d www.franklin.com.br -w="c:\inetpub\wwwroot\atgates" -b "atgates" -p

Is it possible?

[aloopkin]

For now WinCertes can manage up to 2 certificates, using the --extra option, e.g.: WinCertes.exe -e franklin.bezerra@interalphatecnologia.com.br -d atgates.ddns.net -w="c:\inetpub\wwwroot\atgates" -b "atgates" -p WinCertes.exe --extra -e franklin.bezerra@interalphatecnologia.com.br -d toptalent.com.br -d www.toptalent.com.br -w="c:\inetpub\wwwroot\atgates" -b "atgates" -p

Also why do you bind them to the same IIS site, but still want 3 different certificates ?

[franklinab]

For now WinCertes can manage up to 2 certificates, using the --extra option, e.g.: WinCertes.exe -e franklin.bezerra@interalphatecnologia.com.br -d atgates.ddns.net -w="c:\inetpub\wwwroot\atgates" -b "atgates" -p WinCertes.exe --extra -e franklin.bezerra@interalphatecnologia.com.br -d toptalent.com.br -d www.toptalent.com.br -w="c:\inetpub\wwwroot\atgates" -b "atgates" -p

Also why do you bind them to the same IIS site, but still want 3 different certificates ?

Interesting... The problem is that I'm creating a multi-tenant application and the clients could point their domains to run within my application. Because I would have as many domains as clients, it's important that each client should have your own certificate.

The client "TopTalent", for example, shouldn't see Franklin's domain "franklin.com.br" together with "toptalent.com.br"

[aloopkin]

ok. next version will support multiple certs ( >2 ). It was planned for 1.3.0, but i didn't have the time to finish. it will work with an argument passed to extra, simply.

does the binding works the way you want, also? i would be surprised, frankly speaking...

[franklinab]

ok. next version will support multiple certs ( >2 ). It was planned for 1.3.0, but i didn't have the time to finish. it will work with an argument passed to extra, simply.

does the binding works the way you want, also? i would be surprised, frankly speaking...

This is great news! I'll wait for that.

About the binding, it didn't work as you expected.

[aloopkin]

i've added support for more extra certs, and hopefully fixed certificate binding. do you wish to test the beta version?

[franklinab]

Hi Alexandre! I hope you're doing well.

Certainly I do!

[aloopkin]

Here it is ! WinCertes-Debug.1.4.0beta1.msi.zip

to add more certs, add an integer to --extra, e.g. --extra=2, --extra=3

[franklinab]

So, I've tried but got an error when binding the HTTPS hosts:

C:\Users\Administrator>WinCertes.exe -e franklin.bezerra@interalphatecnologia.com.br -d toptalent.com.br -d www.toptalent.com.br -w="C:\inetpub\wwwroot\www.atgates.com" -b "www.atgates.com" -p

[DEBUG] PFX password will be: XXXXXXXXXXXXXXX [DEBUG] Successfully registered account franklin.bezerra@interalphatecnologia.com.br with certificate authority https://acme-v02.api.letsencrypt.org/directory Successfully registered account franklin.bezerra@interalphatecnologia.com.br with certificate authority https://acme-v02.api.letsencrypt.org/directory [DEBUG] Please check the ACME Service ToS at: https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf Please check the ACME Service ToS at: https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf [DEBUG] Current certificate expiration date is: [DEBUG] Initiating HTTP Validation for toptalent.com.br [DEBUG] Initiating HTTP Validation for www.toptalent.com.br [DEBUG] Generated orders and validated challenges for domains: toptalent.com.br,www.toptalent.com.br Generated orders and validated challenges for domains: toptalent.com.br,www.toptalent.com.br [DEBUG] Retrieved certificate from the CA. The certificate is in C:\ProgramData\WinCertes\0285d6b3-894d-4b10-9912-XXXXXXXXXXXXXXX.pfx Retrieved certificate from the CA. The certificate is in C:\ProgramData\WinCertes\0285d6b3-894d-4b10-9912-XXXXXXXXXXXXXXX.pfx [DEBUG] Stored certificate with DN CN=toptalent.com.br into Windows Personal Local Machine store Stored certificate with DN CN=toptalent.com.br into Windows Personal Local Machine store [DEBUG] Could not bind certificate to site www.atgates.com: Filename: Error: Cannot add duplicate collection entry of type 'binding' with combined key attributes 'protocol, bindingInformation' respectively set to 'https, *:443:'

System.Runtime.InteropServices.COMException (0x800700B7): Filename: Error: Cannot add duplicate collection entry of type 'binding' with combined key attributes 'protocol, bindingInformation' respectively set to 'https, *:443:'

   at Microsoft.Web.Administration.Interop.IAppHostElementCollection.AddElement(IAppHostElement pElement, Int32 cPosition)    at Microsoft.Web.Administration.ConfigurationElementCollectionBase`1.Add(T element)    at Microsoft.Web.Administration.BindingCollection.Add(Binding binding)    at WinCertes.Utils.BindCertificateForIISSite(X509Certificate2 certificate, String siteName) in C:\Users\Alcide Loopkin\Source\Repos\WinCertes\WinCertes\Utils.cs:line 150 Could not bind certificate to site www.atgates.com: Filename: Error: Cannot add duplicate collection entry of type 'binding' with combined key attributes 'protocol, bindingInformation' respectively set to 'https, *:443:'

[DEBUG] Scheduled Task "WinCertes - toptalentcombr00" created successfully Scheduled Task "WinCertes - toptalentcombr00" created successfully [DEBUG] Removed files from filesystem: C:\ProgramData\WinCertes\0285d6b3-894d-4b10-9912-XXXXXXXXXXXXXXX.pfx, C:\ProgramData\WinCertes\0285d6b3-894d-4b10-9912-XXXXXXXXXXXXXXX.cer, C:\ProgramData\WinCertes\0285d6b3-894d-4b10-9912-XXXXXXXXXXXXXXX.key Removed files from filesystem: C:\ProgramData\WinCertes\0285d6b3-894d-4b10-9912-XXXXXXXXXXXXXXX.pfx, C:\ProgramData\WinCertes\0285d6b3-894d-4b10-9912-XXXXXXXXXXXXXXX.cer, C:\ProgramData\WinCertes\0285d6b3-894d-4b10-9912-XXXXXXXXXXXXXXX.key

I think the binding should be done for each domain added.

[aloopkin]

Thanks for the feedback! I think you're right regarding binding creation. I've tried to adapt it, and here's a new beta:

WinCertes-Debug.1.4.0beta2.msi.zip

[aloopkin]

hello @franklinab could you please check with the provided beta2 or beta3 (see #27 ) ? As far as i can tell, it seems to work as requested, but i'd like to be sure. thanks!

[franklinbezerra]

I'll try today with beta3, thanks.

[franklinbezerra]

@aloopkin it works perfectly! thank u!

[aloopkin]

Fix released as part of WinCertes 1.4.0