ebekker / ACMESharp

An ACME client library and PowerShell client for the .NET platform (Let's Encrypt)
https://pkisharp.github.io/ACMESharp-docs/

Complete-ACMEChallenge : unresolved site for given site reference #132

Open b9chris opened 8 years ago

b9chris commented 8 years ago

Love the ACMESharp tool, thanks for putting this together!

I think there's an opportunity to expand on the checks/error-reporting in the above error's flow. In my case I was able to put a SAN cert together for 12 sites - perfect for IIS 7.5 and Win Server 2008 R2. But 3 sites refused to validate, each with the above error. Here's what it looks like in action:

> New-ACMEIdentifier -Dns playingforchangeday.org -Alias dns16

IdentifierPart : ACMESharp.Messages.IdentifierPart
IdentifierType : dns
Identifier     : playingforchangeday.org
Uri            : https://acme-v01.api.letsencrypt.org/acme/authz/8JLYcRKUjFZdthHn6K6omV6BfqG_5HgCHMiuMfJj2JU
Status         : pending
Expires        : 5/5/2016 4:38:18 PM
Challenges     : {, , }
Combinations   : {0, 1, 2}

> Complete-ACMEChallenge dns16 -ChallengeType http-01 -Handler iis -HandlerParameters @{ WebSiteRef = 'playingforchangeday.org' }

Complete-ACMEChallenge : unresolved site for given site reference
At line:1 char:1
+ Complete-ACMEChallenge dns16 -ChallengeType http-01 -Handler iis -HandlerParamet ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Complete-ACMEChallenge], InvalidOperationException
    + FullyQualifiedErrorId : System.InvalidOperationException,ACMESharp.POSH.CompleteChallenge

Looking at the C#, the error message is saying the simplest thing it can about what happened: The Challenge returned no validated sites.

In my case the cause was a 404 on the .well-known/... file and in another a 503, because of the way those sites happen to be routed in their MVC configs. It would be helpful to expand the code to check for this (check for the file and check for HTTP error or not), and either provide instructions on fixing it, or just fix it automatically and retry.

I took the manual steps and noticed the above 404/503s. Putting this Web.Config in the acme-challenge dir for each site fixed that:

https://github.com/Lone-Coder/letsencrypt-win-simple/issues/37

Good move? Happy to submit the pull request.

grzech1983 commented 8 years ago

On my end the only solution for MVC apps was to rename Global.asax and web.config, perform verification and rename the files to their original names. I've tried various things like virtual directories, some web.config inheritance removal addons and nothing helped.

ebekker commented 8 years ago

@b9chris, good suggestion, contributions are always welcome!

b9chris commented 7 years ago

Haven't had side project time to code this yet, but want to mention a curious related problem.

EFF recommends securing your site with HTTPS; they recommend LetsEncrypt because it's free. They then recommend HSTS, which will lock browsers out that try to visit on HTTP.

LetsEncrypt expires somewhat rapidly, relative to other typical certs (1-3 years). And when you go to rotate it at 60 days, if you don't do so fast enough, the HTTPS cert is expired, HSTS is locking web visits to the site out, and the only way LetsEncrypt knows how to verify the site is over HTTP... so you're just eternally in this unresolved site reference loop.

I periodically have to go kill off HTTPS redirects entirely to get myself out of this loop. But surely this is a problem multiple people are experiencing... thoughts on how to better prevent this trap?
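The pre-flight check proposed in the first post (confirm the .well-known/acme-challenge file is actually served, and report a 404/503 instead of "unresolved site reference") and the HTTPS-redirect trap described in the last comment can both be caught before calling Complete-ACMEChallenge. The function below is an added example, not ACMESharp code; it writes a throwaway extensionless token file under the site root, fetches it over plain HTTP the way the CA would, and names the failure. $SiteRoot and $HostName are assumed inputs supplied by the caller.

```powershell
# Added example (not part of ACMESharp): pre-flight check for the http-01 challenge path.
function Test-AcmeHttpChallengePath {
    param(
        [Parameter(Mandatory = $true)] [string] $SiteRoot,   # physical site root, e.g. C:\inetpub\wwwroot\site
        [Parameter(Mandatory = $true)] [string] $HostName    # DNS name being validated
    )
    $dir = Join-Path $SiteRoot '.well-known\acme-challenge'
    if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }

    # Extensionless file with a random name, exactly like a real challenge token.
    $token = 'preflight-' + [guid]::NewGuid().ToString('N')
    $file  = Join-Path $dir $token
    [System.IO.File]::WriteAllText($file, $token)

    $url = "http://$HostName/.well-known/acme-challenge/$token"
    try {
        $req = [System.Net.HttpWebRequest]::Create($url)
        $req.AllowAutoRedirect = $false     # a redirect to HTTPS is itself a finding
        $req.Timeout = 10000
        try {
            $resp = $req.GetResponse()
        } catch [System.Net.WebException] {
            # 4xx/5xx come back as exceptions; keep the response so the status can be read
            if ($_.Exception.Response -eq $null) { return "FAIL: no HTTP response from $url ($($_.Exception.Message))" }
            $resp = $_.Exception.Response
        }
        $status   = [int]$resp.StatusCode
        $location = $resp.Headers['Location']
        $body     = $null
        if ($status -eq 200) {
            $reader = New-Object System.IO.StreamReader($resp.GetResponseStream())
            $body = $reader.ReadToEnd().Trim()
            $reader.Close()
        }
        $resp.Close()

        if ($status -ge 300 -and $status -lt 400) { return "FAIL: $url redirects to $location; the CA must fetch the token over plain HTTP" }
        if ($status -eq 404) { return "FAIL: 404 for $url; extensionless files under .well-known are not served (check MVC routing/handlers)" }
        if ($status -ne 200) { return "FAIL: HTTP $status for $url (503 usually means the app, not the static file, answered)" }
        if ($body -ne $token) { return "FAIL: $url answered 200 but with a different body (rewritten by the app?)" }
        return "OK: $url served the token"
    } finally {
        Remove-Item $file -ErrorAction SilentlyContinue   # never leave the test file behind
    }
}

# Run on the web server before Complete-ACMEChallenge, e.g.:
# Test-AcmeHttpChallengePath -SiteRoot 'C:\inetpub\wwwroot\site' -HostName 'example.org'
```

Because redirects are not followed, the check also exposes the HSTS loop: an HTTP-to-HTTPS redirect on the challenge path is reported as a failure rather than silently fetched over an expired certificate.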