aloopkin / WinCertes

An ACMEv2 client for Windows
GNU General Public License v3.0

System log Event ID 10016 generated when using the --extra=1 or greater switch #34

Open esculpepper opened 3 years ago

esculpepper commented 3 years ago

When attempting to request certificates for separate websites running on IIS 10 (Windows Server 2016 Standard), the request fails, and a corresponding System log entry is recorded (Event ID 10016). I viewed the two registry keys below and they are owned by TrustedInstaller. I have not modified the ownership of those registry keys.

The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {D63B10C5-BB46-4990-A94F-E40B9D520160} and APPID {9CA88EE3-ACB7-47C8-AFC4-AB702511C276} to the user DOMAIN\SpecialAdminUser SID (SID-NUMBER-HERE) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.

The first certificate I request is generated and assigned properly with or without the --extra=0 switch. Any subsequent requests using --extra=1 or --extra=2 are failing.

I have created a special user to run this command, and that user is added to the local administrators group via group policy. This user has full permissions to the inetpub\site directories where I will be generating the Let's Encrypt certificates.

I checked the registry keys under HKLM\Software\WinCertes, and those keys are populated. I watch the site\.well-known\acme-challenge\ folder during execution, and the web.config and key are generated and removed.

Immediately following, there is an error, or failed message which briefly appears in the window before it closes. I have not been successful in capturing that text as of yet. This is when the System log captures the Event ID 10016 DistributedCOM error.

I have been able to create a file within the .well-known\acme-challenge\ folder and access it from outside our firewall. One of the two sites requires login credentials in order to access, the other does not.

My question is, has anyone seen this or had this happen to them when attempting to request more than one certificate on an IIS web server?

aloopkin commented 3 years ago

Can you provide the error logs please?

esculpepper commented 3 years ago

Here are four logs. I ran the process as the special user just a few moments ago. The event log entries are from today and 12/4. The IIS log shows a successful verification of the challenge, but the WinCertes log is showing otherwise.

Error_Logs.zip

aloopkin commented 3 years ago

From the logs it seems your IIS website is answering incorrect content to Let's Encrypt. In other words, there's an IIS configuration issue when serving the .well-known/acme-challenge directory.

The quickest way to solve it is to deactivate the IIS binding on port 80 and use standalone mode to enroll with WinCertes.
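A way to confirm the diagnosis above before changing bindings is to reproduce what the ACME server does: write a file with a known token into `.well-known\acme-challenge` and fetch it anonymously over plain HTTP, comparing the bytes returned with the bytes written. The script below is an added example for this thread, not part of WinCertes or of either commenter's logs; the `$SiteRoot` and `$HostName` values are assumptions and must be replaced with the site's physical path and the hostname being enrolled.

```powershell
# Added diagnostic probe (example only, not WinCertes code).
# Verifies that IIS serves an extensionless file under .well-known/acme-challenge
# unchanged, over HTTP on port 80, without redirect or authentication.
param(
    [string]$SiteRoot = 'C:\inetpub\site',    # assumption: physical path of the IIS site
    [string]$HostName = 'www.example.com'     # assumption: hostname in the certificate request
)

$dir   = Join-Path $SiteRoot '.well-known\acme-challenge'
New-Item -ItemType Directory -Force -Path $dir | Out-Null

# A fresh random token, like the one the ACME server asks the client to publish.
$token    = [guid]::NewGuid().ToString('N')
$expected = "probe-$token"
$file     = Join-Path $dir $token
[IO.File]::WriteAllText($file, $expected, [Text.Encoding]::ASCII)

$url = "http://$HostName/.well-known/acme-challenge/$token"
try {
    # -MaximumRedirection 0 makes an HTTP->HTTPS rewrite fail loudly instead of
    # being silently followed; no credentials are sent, as the ACME server sends none.
    $resp = Invoke-WebRequest -Uri $url -UseBasicParsing -MaximumRedirection 0 -ErrorAction Stop

    # Unknown MIME types come back as raw bytes; normalise to a string for comparison.
    $body = $resp.Content
    if ($body -is [byte[]]) { $body = [Text.Encoding]::ASCII.GetString($body) }

    if ($resp.StatusCode -eq 200 -and $body -eq $expected) {
        Write-Host "OK: $url returned the exact token (Content-Type: $($resp.Headers['Content-Type']))"
    } else {
        Write-Host "MISMATCH: status $($resp.StatusCode), body length $($body.Length), expected length $($expected.Length)"
        Write-Host "IIS is serving something other than the challenge file (custom error page, default document, filtered extensionless request?)."
    }
}
catch {
    # Typical failures seen here: 401 from a site requiring login, 404 because
    # request filtering blocks extensionless files, or a 301/302 to HTTPS.
    Write-Host "FAILED: $($_.Exception.Message)"
    if ($_.Exception.Response) {
        Write-Host "HTTP status: $([int]$_.Exception.Response.StatusCode)"
    }
}
finally {
    Remove-Item -Path $file -Force -ErrorAction SilentlyContinue
}
```

Run it from the server (or, better, from a machine outside the firewall) as a user that is not already authenticated to the site; a site that requires login credentials, as one of the two sites in this thread does, will fail this probe with a 401 even though a browser session on the server shows the file.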

esculpepper commented 3 years ago

I do have one other question regarding this issue. Could the behavior I am seeing be attributed to the IIS configuration for all websites on this server, where all websites are listening to all IP addresses with SNI enabled, rather than a single IP address per site?