ebekker / ACMESharp

An ACME client library and PowerShell client for the .NET platform (Let's Encrypt)
https://pkisharp.github.io/ACMESharp-docs/

Powershell script on http-01 challenge returns always invalid state #298

Open dawe78 opened 6 years ago

dawe78 commented 6 years ago

Yesterday I wrote a script for registering certificates using ACMESharp. After I installed and tested the script as described in the Quick start, I was able to create and successfully export a certificate.

Today I wanted to modify the script to create certificates for more than one domain in a loop, e.g. for creating domain.com and www.domain.com in one step. Since I modified the script, I get a timeout error while processing the Submit-ACMEChallenge step. I went back to the original script - same error.

What I did:

1. New-ACMEIdentifier -Dns mydomain.com -Alias mydomain -Label "My Domain" -> success, state pending
2. Complete-ACMEChallenge mydomain -ChallengeType http-01 -Handler iis -HandlerParameters @{ WebSiteRef = 'myDomainNameInIIS' } -> success, state pending; the website root got a new entry .well-known\acme-challenge, containing a web.config file and two text files with a code
3. Submit-ACMEChallenge mydomain -ChallengeType http-01 -> success, state still pending

Now I update the state:

(Update-ACMEIdentifier mydomain -ChallengeType http-01).Challenges | Where-Object {$_.Type -eq "http-01"}

The response is always invalid:

ChallengePart : ACMESharp.Messages.ChallengePart
Challenge : ACMESharp.ACME.HttpChallenge
Type : http-01
Uri : https://acme-v01.api.letsencrypt.org/acme/challenge/haacqIj[..]
Token : ocY1zd[...]
Status : invalid
OldChallengeAnswer : [, ]
ChallengeAnswerMessage :
HandlerName : iis
HandlerHandleDate : 02.10.2017 23:25:28
HandlerCleanUpDate :
SubmitDate : 02.10.2017 23:25:38
SubmitResponse : {StatusCode, Headers, Links, RawContent...}

I copied the Uri and pasted it into the browser. The message for the request was:

"Fetching http://mydomain.com/.well-known/acme-challenge/ocY1zd[...]: Timeout"

I copied this Uri and pasted it into the browser. I got the following result: ocY1zdVs[...].gdFx6E[...]

This result exactly matches the token shown in the ACME URL above. But why do I get an invalid state?

I hope I can get some help solving the problem. Maybe I'm too tired now to find a solution by myself.

Thanks to anybody who tries to help me!
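As an added example (not code from this issue and not part of ACMESharp itself), the four-step procedure above run for several names in one loop, with a local fetch of the challenge file before Submit-ACMEChallenge and a poll afterwards so the status that comes back is the CA's final answer rather than "pending". The IIS site name, the domain list, and the FileUrl/FileContent properties read from the HttpChallenge object are assumptions; a vault and registration are assumed to exist already, as in the Quick start.

```powershell
# Added example, not code from the issue or from ACMESharp: run the http-01
# flow for several names, check each challenge file locally before submitting,
# and poll until Let's Encrypt reports a final status.
# Assumptions (placeholders, not values from the issue): the ACMESharp module
# is installed, a vault with a registration already exists (Quick start),
# $siteRef is the IIS site name, $domains are the names to validate.
Import-Module ACMESharp

$siteRef = 'myDomainNameInIIS'
$domains = @('mydomain.com', 'www.mydomain.com')

function Test-HttpChallengeFile {
    # Fetch the challenge URL the way the CA will (plain http://) and compare
    # the body with the key authorization ACMESharp wrote to disk.
    # Assumption: the HttpChallenge object exposes FileUrl and FileContent
    # (the "<token>.<thumbprint>" string) as ACMESharp's HttpChallenge type does.
    param([Parameter(Mandatory)] $HttpChallenge)
    try {
        $resp = Invoke-WebRequest -Uri $HttpChallenge.FileUrl -UseBasicParsing -TimeoutSec 10
    } catch {
        Write-Warning "Fetch of $($HttpChallenge.FileUrl) failed: $($_.Exception.Message)"
        return $false
    }
    $ok = ($resp.StatusCode -eq 200) -and ($resp.Content.Trim() -eq $HttpChallenge.FileContent)
    if (-not $ok) {
        Write-Warning "Body served for $($HttpChallenge.FileUrl) does not match the key authorization"
    }
    return $ok
}

foreach ($dns in $domains) {
    $alias = ($dns -replace '[^A-Za-z0-9]', '-')   # identifier alias derived from the name

    # 1. Request an authorization for this name (status: pending)
    New-ACMEIdentifier -Dns $dns -Alias $alias -Label "Identifier for $dns" | Out-Null

    # 2. Have the IIS handler write web.config and the challenge file under
    #    <site root>\.well-known\acme-challenge\ ; the cmdlet returns the
    #    updated authorization, as the output quoted in the issue shows
    $id = Complete-ACMEChallenge $alias -ChallengeType http-01 -Handler iis `
        -HandlerParameters @{ WebSiteRef = $siteRef }
    $http = ($id.Challenges | Where-Object { $_.Type -eq 'http-01' }).Challenge

    # 3. Only submit once the file is served correctly from here. A local
    #    success does not prove the CA can reach it (DNS, firewall, NAT), but a
    #    local failure saves a wasted attempt: once the CA marks a challenge
    #    invalid, that authorization cannot be retried and a new identifier
    #    has to be created.
    if (-not (Test-HttpChallengeFile $http)) {
        Write-Error "Skipping $dns - fix the IIS site before submitting"
        continue
    }
    Submit-ACMEChallenge $alias -ChallengeType http-01 | Out-Null

    # 4. Poll: the status stays 'pending' until the CA has attempted the fetch
    $status = 'pending'
    for ($i = 0; $i -lt 12 -and $status -eq 'pending'; $i++) {
        Start-Sleep -Seconds 5
        $chal = (Update-ACMEIdentifier $alias -ChallengeType http-01).Challenges |
            Where-Object { $_.Type -eq 'http-01' }
        $status = $chal.Status
    }
    Write-Host "$dns : $status"
    if ($status -ne 'valid') {
        # Surface the CA's own error text (e.g. "Fetching ...: Timeout")
        # instead of just 'invalid'
        $chal | Select-Object Uri, Status, ChallengeAnswerMessage, SubmitResponse | Format-List
    }
}
```

The local fetch uses http:// deliberately: the CA fetches over port 80 first, so a site that only answers on 443, or a web.config that redirects everything to https, fails here the same way it fails for the CA. Because the fetch runs from inside the network it cannot reproduce a DNS or firewall problem that only an outside resolver sees; for that, the unboundtest.com check mentioned later in the thread is the right tool.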

Kuryaki10 commented 6 years ago

I got exactly the same issue working over IIS. The URL in "Fetching http://mydomain.com/.well-known/acme-challenge/xxxxxxxx: Timeout" is working OK (the file content loads in any web browser outside my network) but it keeps saying status: invalid. By the way, challenge type dns-01 works like a charm, but I need to validate my domains over http-01.

Thank you for any help.

Marcus-L commented 6 years ago

If you are having trouble with the http-01 challenge you could try the tls-sni-01 challenge via PR #295 using Certify the Web (which is using this fork of ACMESharp while the PR is in review). The tls-sni-01 challenge does not require access to the web.config or .well-known directory so may be less error-prone to use. In addition Certify supports multiple subject alternate names (SANs), and has some internal checks and debug logs to verify whether your DNS records are problematic (invalid DNSSEC or CAA records).

ebekker commented 6 years ago

It's possible the issue you're having is related to this issue discussed on the LE community forums.

Ultimately, the underlying issue is related to text casing. You can use the tool unboundtest.com to help diagnose if that is the case.