win-acme / win-acme

A simple ACME client for Windows (for use with Let's Encrypt et al.)
https://www.win-acme.com/
Apache License 2.0

Validation Error using http-01 validation (SelfHosting) #1420

Closed GarveScott-Lodge closed 4 years ago

GarveScott-Lodge commented 4 years ago

I have a dozen or so certificates successfully installed on my server. However, I can't get one new domain to validate. I've a feeling I must have done something which has changed the validation method for this one domain in Win ACME, but I can't work out what. I'm supplying the log for the failed domain, and also an example of a log for one which has worked OK today.

The working log includes the line SelfHosting plugin serving file /.well-known/acme-challenge/Rqd....

The failed log doesn't. What do I need to change?


Failed validation.

[DBUG] Scanning IIS site bindings for hosts
[INFO] Target generated using plugin IISBinding: www.certfails.org
[DBUG] Scanning IIS site bindings for hosts
[VERB] Checking [IISBinding] www.certfails.org
[DBUG] Send POST request to https://acme-v02.api.letsencrypt.org/acme/new-order
[WARN] First chance error calling into ACME server, retrying with new nonce...
[DBUG] Send HEAD request to https://acme-v02.api.letsencrypt.org/acme/new-nonce
[DBUG] Send POST request to https://acme-v02.api.letsencrypt.org/acme/new-order
[DBUG] Send GET request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/3002812265
[INFO] Authorize identifier: www.certfails.org
[INFO] Authorizing www.certfails.org using http-01 validation (SelfHosting)
[DBUG] Submitting challenge answer
[DBUG] Send POST request to https://acme-v02.api.letsencrypt.org/acme/chall-v3/3002812265/ycUJjQ
[DBUG] Refreshing authorization
[DBUG] Send GET request to https://acme-v02.api.letsencrypt.org/acme/chall-v3/3002812265/ycUJjQ
[EROR] { "type": "urn:ietf:params:acme:error:unauthorized", "detail": "Invalid response from http://www.certfails.org/.well-known/acme-challenge/s-cszAU-VbEd42K7v7ISEfHn2V03HQHEd6Mc5nRoFek [2a07:7800::138]: \" <meta charset=\\"UTF-8\\"> <meta name=\\"viewport\\" content=\\"width=device-width, initial-scale=1.0\\"> <meta http-equiv=\\"\"", "status": 403 }
[EROR] Authorization result: invalid
[EROR] Create certificate failed: Authorization failed

Working validation

[DBUG] Scanning IIS site bindings for hosts
[INFO] Target generated using plugin IISBinding: www.certworksok.org
[DBUG] Scanning IIS site bindings for hosts
[VERB] Checking [IISBinding] www.certworksok.org
[DBUG] Loading signer from C:\ProgramData\win-acme\acme-v02.api.letsencrypt.org\Signer_v2
[DBUG] Send GET request to https://acme-v02.api.letsencrypt.org/directory
[DBUG] Send HEAD request to https://acme-v02.api.letsencrypt.org/acme/new-nonce
[DBUG] Loading account information from C:\ProgramData\win-acme\acme-v02.api.letsencrypt.org\Registration_v2
[DBUG] Send POST request to https://acme-v02.api.letsencrypt.org/acme/new-order
[DBUG] Send GET request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/3002983098
[INFO] Authorize identifier: www.certworksok.org
[INFO] Authorizing www.certworksok.org using http-01 validation (SelfHosting)
[DBUG] Submitting challenge answer
[DBUG] Send POST request to https://acme-v02.api.letsencrypt.org/acme/chall-v3/3002983098/Ru3OJw
[DBUG] Refreshing authorization
[VERB] SelfHosting plugin serving file /.well-known/acme-challenge/RqdP8CedDrim5QJHN4kk2nVus3cJJwZ8VAhGx1XmWgg
[VERB] SelfHosting plugin serving file /.well-known/acme-challenge/RqdP8CedDrim5QJHN4kk2nVus3cJJwZ8VAhGx1XmWgg
[VERB] SelfHosting plugin serving file /.well-known/acme-challenge/RqdP8CedDrim5QJHN4kk2nVus3cJJwZ8VAhGx1XmWgg
[VERB] SelfHosting plugin serving file /.well-known/acme-challenge/RqdP8CedDrim5QJHN4kk2nVus3cJJwZ8VAhGx1XmWgg
[DBUG] Send GET request to https://acme-v02.api.letsencrypt.org/acme/chall-v3/3002983098/Ru3OJw
[INFO] Authorization result: valid
[WARN] Found 6 files older than 120 days in the CertificatePath
[DBUG] RSAKeyBits: 3072
[DBUG] Send POST request to https://acme-v02.api.letsencrypt.org/acme/finalize/64275922/2440704468
[INFO] Requesting certificate [IISBinding] www.certworksok.org
[DBUG] Certificate store: WebHosting
[INFO] Store with CertificateStore...
[INFO] Installing certificate in the certificate store
[DBUG] Opened certificate store WebHosting
[INFO] Adding certificate [IISBinding] www.certworksok.org 2020/2/25 9:57:28 to store WebHosting
[VERB] CN=www.certworksok.org - CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US (C5B4A330763AA82DF03421DF18B5ED920F05B419)
[VERB] CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US - CN=DST Root CA X3, O=Digital Signature Trust Co. (E6A3B45B062D509B3382282D196EFE97D5956CCB) to CA store
[VERB] CN=DST Root CA X3, O=Digital Signature Trust Co. - CN=DST Root CA X3, O=Digital Signature Trust Co. (DAC9024F54D8F6DF94935FB1732638CA6AD77C13) to AuthRoot store
[DBUG] Closing certificate stores
[DBUG] Scanning IIS site bindings for hosts
[INFO] Installing with IIS...
[INFO] Adding new https binding *:443:www.certworksok.org
[INFO] Committing 1 https binding changes to IIS
[INFO] Adding renewal for [IISBinding] www.certworksok.org
[INFO] Next renewal scheduled at 2020/4/20 10:57:28

GarveScott-Lodge commented 4 years ago

I've tried using Filesystem validation instead. The .well-known directory does get created but I'm getting the same 403 response.

I've checked that the DNS has propagated OK for the domain and it looks fine on https://dnschecker.org

Is there any way I can check if the ACME server has incorrect DNS info?


[DBUG] Scanning IIS site bindings for hosts
[VERB] Checking [IISBinding] www.certfails.org
[DBUG] Loading signer from C:\ProgramData\win-acme\acme-v02.api.letsencrypt.org\Signer_v2
[DBUG] Send GET request to https://acme-v02.api.letsencrypt.org/directory
[DBUG] Send HEAD request to https://acme-v02.api.letsencrypt.org/acme/new-nonce
[DBUG] Loading account information from C:\ProgramData\win-acme\acme-v02.api.letsencrypt.org\Registration_v2
[DBUG] Send POST request to https://acme-v02.api.letsencrypt.org/acme/new-order
[DBUG] Send GET request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/3004402490
[INFO] Authorize identifier: www.certfails.org
[INFO] Authorizing www.certfails.org using http-01 validation (FileSystem)
[VERB] Writing file to C:\inetpub\wwwroot\spanglefish\www.certfails.org.well-known\acme-challenge\ihyfZCYhM9qsrSy_mU8J5SU4a8-1PZ_XRI5dlhn3kD4
[DBUG] Writing web.config
[VERB] Writing file to C:\inetpub\wwwroot\spanglefish\www.certfails.org.well-known\acme-challenge\web.config
[INFO] Answer should now be browsable at http://www.certfails.org/.well-known/acme-challenge/ihyfZCYhM9qsrSy_mU8J5SU4a8-1PZ_XRI5dlhn3kD4
[INFO] Preliminary validation looks good, but ACME will be more thorough...
[DBUG] Submitting challenge answer
[DBUG] Send POST request to https://acme-v02.api.letsencrypt.org/acme/chall-v3/3004402490/EfS0eQ
[DBUG] Refreshing authorization
[DBUG] Send GET request to https://acme-v02.api.letsencrypt.org/acme/chall-v3/3004402490/EfS0eQ
[EROR] { "type": "urn:ietf:params:acme:error:unauthorized", "detail": "Invalid response from http://www.certfails.org/.well-known/acme-challenge/ihyfZCYhM9qsrSy_mU8J5SU4a8-1PZ_XRI5dlhn3kD4 [2a07:7800::138]: \" <meta charset=\\"UTF-8\\"> <meta name=\\"viewport\\" content=\\"width=device-width, initial-scale=1.0\\"> <meta http-equiv=\\"\"", "status": 403 }
[EROR] Authorization result: invalid
[DBUG] Deleting web.config
[VERB] Deleting file C:\inetpub\wwwroot\spanglefish\www.certfails.org.well-known\acme-challenge\web.config
[DBUG] Deleting answer
[VERB] Deleting file C:\inetpub\wwwroot\spanglefish\www.certfails.org.well-known\acme-challenge\ihyfZCYhM9qsrSy_mU8J5SU4a8-1PZ_XRI5dlhn3kD4
[VERB] Deleting folder C:\inetpub\wwwroot\spanglefish\www.certfails.org.well-known\acme-challenge
[DBUG] Additional files or folders exist in C:\inetpub\wwwroot\spanglefish\www.certfails.org.well-known, not deleting.
[EROR] Create certificate failed: Authorization failed

GarveScott-Lodge commented 4 years ago

Because I needed the cert now, I've managed to validate it using a CNAME record. Presumably that shows that the ACME server is correctly accessing the domain's DNS (at least for the _acme-challenge subdomain), so I've no idea why I'm getting the 403 message returned.

WouterTinus commented 4 years ago

It looks like your AAAA record (IPv6) is still pointing to the old server, or otherwise misconfigured.

GarveScott-Lodge commented 4 years ago

Thanks! It's more than possible that the registrar sets up default IPv6 records. I'll check and delete them in the morning and report back. :-)

On Tue, 25 Feb 2020, 20:22 Wouter Tinus, notifications@github.com wrote:

It looks like your AAAA record (IPv6) is still pointing to the old server, or otherwise misconfigured.


GarveScott-Lodge commented 4 years ago

Thanks Wouter, that indeed was the problem. In this case it was a newly registered domain. The registrar created default IPv4 and IPv6 addresses. I updated the IPv4 addresses but ignored the IPv6 ones.

So whilst most browsers/ISPs seem to give precedence to the IPv4 (A) settings, Win ACME gives precedence to the IPv6 (AAAA) ones, trying them first.

Now that I've deleted the AAAA records everything works as expected. Thanks. :-)
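The failure in this thread is a stale AAAA record: the validator connected to the IPv6 address (the `[2a07:7800::138]` in the error detail) and got a 403 from a different server. The check below is an added example, not win-acme code: it resolves every A and AAAA record for the host, flags any address that is not one of the web server's known addresses, and fetches the challenge URL over each address separately, which is what the CA's validator does (Let's Encrypt tries a published AAAA address before the A record). It assumes a test file is present at the challenge path (or win-acme's self-hosting listener is running); the hostname, addresses, token and key authorization used in the test are constructed.

```python
"""Pre-flight check for http-01: does every published address of the
host answer the challenge URL the way the CA will see it?"""
import http.client
import socket
from dataclasses import dataclass

CHALLENGE_PATH = "/.well-known/acme-challenge/"


@dataclass
class Probe:
    family: str     # "A" or "AAAA"
    address: str
    stale: bool     # address is not in the set of expected server addresses
    status: int     # HTTP status of the challenge fetch, -1 if unreachable
    answered: bool  # body equals the expected key authorization (token.thumbprint)


def resolve(host):
    """Every distinct A/AAAA address of host, via the local resolver."""
    found = []
    for fam, _, _, _, sockaddr in socket.getaddrinfo(host, 80, proto=socket.IPPROTO_TCP):
        entry = ("AAAA" if fam == socket.AF_INET6 else "A", sockaddr[0])
        if entry not in found:
            found.append(entry)
    return found


def fetch(address, host, token):
    """GET the challenge file over one specific address, Host header set to the name."""
    conn = http.client.HTTPConnection(address, 80, timeout=10)
    try:
        conn.request("GET", CHALLENGE_PATH + token, headers={"Host": host})
        resp = conn.getresponse()
        return resp.status, resp.read(4096).decode("utf-8", "replace")
    except OSError:
        return -1, ""
    finally:
        conn.close()


def audit(host, expected, token, key_auth, resolve=resolve, fetch=fetch):
    """Probe each published address; a stale or non-answering one is what
    the CA's validator will hit too, so fix DNS before requesting again."""
    probes = []
    for family, address in resolve(host):
        status, body = fetch(address, host, token)
        probes.append(Probe(family, address, address not in expected,
                            status, status == 200 and body.strip() == key_auth))
    return probes


def problems(probes):
    return [p for p in probes if p.stale or not p.answered]
```

Run `problems(audit("www.example.test", {"203.0.113.10"}, token, key_auth))` with the real name; an empty list means every A and AAAA address serves the challenge.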