aloopkin / WinCertes

An ACMEv2 client for Windows
GNU General Public License v3.0

Unable to create a certificate using autonomous mode. #8

Closed Traste closed 5 years ago

Traste commented 5 years ago

Describe the bug: Unable to create a certificate using autonomous mode behind a firewall.

To Reproduce (steps to reproduce the behavior):

- Running on Windows 10 Professional 64-bit, in CMD as administrator, on IP 192.168.0.235.
- Port 80 is open on the external IP and forwarded to the internal IP 192.168.0.235.
- External IP is 193.123.12.234; the A record for strumpfban.de points to 193.123.12.234.

Expected behavior: A certificate is created.

Screenshots or Logs: Output from WinCertes (debug):

```
WinCertes.exe -e admin@strumpfban.de -d strumpfban.de -a -s https://acme-staging-v02.api.letsencrypt.org/directory
[DEBUG] PFX password will be: [redacted]
[DEBUG] Current certificate expiration date is:
[DEBUG] Started Listener on port 80
[DEBUG] Failed to register and validate order with CA: Could not validate challenge https://acme-staging-v02.api.letsencrypt.org/acme/challenge/[redacted]-[redacted]-[redacted]/[redacted]
Failed to register and validate order with CA: Could not validate challenge https://acme-staging-v02.api.letsencrypt.org/acme/challenge/[redacted]/[redacted]
[DEBUG] Just stopped the Listener on port 80
```

Output from URL https://acme-staging-v02.api.letsencrypt.org/acme/challenge/[redacted]/[redacted]:

```json
{
  "type": "http-01",
  "status": "invalid",
  "error": {
    "type": "urn:ietf:params:acme:error:connection",
    "detail": "Fetching http://strumpfban.de/.well-known/acme-challenge/ Timeout during connect (likely firewall problem)",
    "status": 400
  },
  "url": "https://acme-staging-v02.api.letsencrypt.org/acme/challenge/[redacted]-[redacted]-[redacted]/[redacted]",
  "token": "[redacted]",
  "validationRecord": [
    {
      "url": "http://strumpfban.de/.well-known/acme-challenge/[redacted]",
      "hostname": "strumpfban.de",
      "port": "80",
      "addressesResolved": [ "193.123.12.234" ],
      "addressUsed": "193.123.12.234"
    }
  ]
}
```

ncat output when testing access to http://strumpfban.de with a browser from another external client (not behind the same firewall). I.e.: ncat is listening on the same machine as I am running WinCertes on, but not at the same time, in order to verify that external HTTP requests are reaching the machine on 0.0.0.0:80.

```
C:\Users\bjorn>ncat -l -p 80 -v -v
Ncat: Version 7.70 ( https://nmap.org/ncat )
Ncat: Listening on :::80
Ncat: Listening on 0.0.0.0:80
Ncat: Connection from 95.34.6.82.
Ncat: Connection from 95.34.6.82:36349.
GET / HTTP/1.1
Host: strumpfban.de
Connection: keep-alive
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36
DNT: 1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: sv-SE,sv;q=0.9,en-US;q=0.8,en;q=0.7,zh-TW;q=0.6,zh;q=0.5,es;q=0.4
```


aloopkin commented 5 years ago

Which version of .NET Framework are you using?

Traste commented 5 years ago

.NET Framework version 4.7.03056

Additional update: I went in and enabled/installed the IIS components "Web Management Tools" and "World Wide Web Services" and then stopped the default website. After that I ran the WinCertes tool again using the exact same command line, and it appears to have worked.

Output:

```
C:\Program Files\WinCertes>WinCertes.exe -e admin@strumpfban.de -d strumpfban.de -a -s https://acme-staging-v02.api.letsencrypt.org/directory
[DEBUG] PFX password will be: [redacted]
[DEBUG] Current certificate expiration date is:
[DEBUG] Started Listener on port 80
[DEBUG] Processing the serving of content: [redacted]-[redacted].[redacted]-[redacted]
[DEBUG] Processing the serving of content: [redacted]-[redacted].[redacted]-[redacted]
[DEBUG] Processing the serving of content: [redacted]-[redacted].[redacted]-[redacted]
[DEBUG] Generated orders and validated challenges for domains: strumpfban.de
Generated orders and validated challenges for domains: strumpfban.de
[DEBUG] Just stopped the Listener on port 80
[DEBUG] Retrieved certificate from the CA. The certificate is in [redacted]-[redacted]-[redacted]-[redacted]-[redacted].pfx
Retrieved certificate from the CA. The certificate is in [redacted]-[redacted]-[redacted]-[redacted]-[redacted].pfx
[DEBUG] Stored certificate with DN CN=strumpfban.de into Windows Personal Local Machine store
Stored certificate with DN CN=strumpfban.de into Windows Personal Local Machine store
[DEBUG] Removed file from filesystem: C:\ProgramData\WinCertes[redacted]-[redacted]-[redacted]-[redacted]-[redacted].pfx
Removed file from filesystem: C:\ProgramData\WinCertes[redacted]-[redacted]-[redacted]-[redacted]-[redacted].pfx
```

I guess the problem was either me, thinking that "autonomous mode" would not require IIS to be installed, or that the installation of those components also installed some other component that WinCertes needed to work properly.

aloopkin commented 5 years ago

That's very strange: on one of my test machines, I don't have IIS installed, and the autonomous mode works. Did you try to fully deactivate the firewall on your machine?

Traste commented 5 years ago

No changes were made to the Windows firewall, since I could verify with ncat that HTTP requests were passed through correctly. I suspect that installing and enabling IIS may well add rules, but I don't see that that would make a difference if I can already reach an ncat listener on port 80 from the internet. I initially had a suspicion that WinCertes did not bind to the correct IP (i.e. only the internal or loopback address) and was hoping to see that info in the debug output, but it didn't show specifically in the debug output ... although if that had been the case, that would not make sense either, based on how it is supposed to work.

As mentioned, with IIS option installed, it worked fine.

aloopkin commented 5 years ago

WinCertes listens on all interfaces by default. This is why I suspect rules were added to the firewall during the IIS install. On my test machine, the Windows Firewall is completely deactivated.
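An added diagnostic for the firewall hypothesis discussed in this thread (my example, not WinCertes code or a reply from either participant). Windows Firewall inbound rules can be scoped to a single program, so a reachable ncat listener does not show that a different executable is allowed through on the same port; the snippet lists the inbound allow rules that cover TCP/80 together with the program each is scoped to, shows which process actually holds port 80 and on which address, and adds a rule scoped to WinCertes.exe if none exists. The WinCertes path and the rule name are assumptions taken from the output above.

```powershell
# Added diagnostic for this thread, not part of WinCertes. Run from an elevated PowerShell.
$port = 80
$wincertesExe = 'C:\Program Files\WinCertes\WinCertes.exe'   # path as shown in the issue output (assumed)

# 1) Inbound allow rules covering TCP/80 and the program each is scoped to.
#    Program 'Any' means port-wide (the IIS install adds such a rule, 'World Wide Web Services (HTTP Traffic-In)');
#    a per-program rule, e.g. one created when ncat was first allowed, only helps that executable.
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True | ForEach-Object {
    $rule = $_
    $portFilter = $rule | Get-NetFirewallPortFilter
    if ($portFilter.Protocol -eq 'TCP' -and
        ($portFilter.LocalPort -contains "$port" -or $portFilter.LocalPort -eq 'Any')) {
        $appFilter = $rule | Get-NetFirewallApplicationFilter
        [pscustomobject]@{
            DisplayName = $rule.DisplayName
            Profile     = $rule.Profile
            Program     = $appFilter.Program
        }
    }
} | Format-Table -AutoSize

# 2) What is bound on port 80 right now. The autonomous-mode listener should show LocalAddress 0.0.0.0
#    (all interfaces); a running IIS site would show up here as the System process and block the bind.
Get-NetTCPConnection -LocalPort $port -State Listen -ErrorAction SilentlyContinue | ForEach-Object {
    [pscustomobject]@{
        LocalAddress = $_.LocalAddress
        Pid          = $_.OwningProcess
        Process      = (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName
    }
} | Format-Table -AutoSize

# 3) Allow the http-01 listener for WinCertes.exe only, rather than opening TCP/80 to every program.
$ruleName = 'WinCertes ACME http-01'   # assumed name, not a rule WinCertes creates itself
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Action Allow `
        -Protocol TCP -LocalPort $port -Program $wincertesExe -Profile Any | Out-Null
}
```

Run step 2 while WinCertes is waiting on the challenge; an empty result or a LocalAddress of 127.0.0.1 would confirm the binding suspicion raised earlier in the thread, while a 0.0.0.0 entry points back at the firewall rules from step 1.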