starred/win-acme-win-acme
1
0
Fork 0
mirror of https://github.com/win-acme/win-acme.git synced 2026-04-27 03:55:56 +03:00
Code Issues Projects Packages Wiki Activity
Page: Validation issues
Pages
A specified logon session does not exist Advanced logging Advanced usage Apache 2.4 basic usage Application Logging Application Settings Azure DNS validation Basic usage CSR Plugins Command Line Arguments Command line Create a SAN certificate Custom plugins DNS validation plugins Development Enhancement voting Example Scripts HTTP Validation Plugins HTTPS Binding With Specific IP Home How To Run How to Compile From Source Code IIS 7.5 and Lower Install script Installation plugins Issues and workarounds Load balancing Microsoft Exchange Microsoft Remote Desktop Server Migration to v1.9.5 Migration to v1.9.9 Migration to v2.0.0 Missing Certificate Chain Plugins Renewal Management Store plugins Target plugins Task Scheduler Uninstall instructions Upgrades Validation issues Validation plugins web_config.xml
21 Validation issues
Wouter Tinus edited this page 2019-02-20 15:59:38 +01:00
Table of Contents

Validation is an important aspect of the ACME and Let's Encrypt, but there are many subtle ways that it can fail. This page is meant for people who run into problems to help figure out what the issue might be.

Testing

Run wacs.exe with the --test and --verbose parameters to watch your validation unfold in 'slow motion'. This will run against the Let's Encrypt staging server so you don't risk running into any rate limits.

General issues

DNSSEC

Let's Encrypt will validate your DNSSEC configuration. If there is anything suspicious about it, your browser might not complain, but you will not be able to get a certificate. A useful tool to check your (provider's) DNSSEC configuration from the perspective of a strict external observer is the Unbound DNS checker.

CAA records

Let's Encrypt will check for the existence and validity of a CAA record for your domain. You may have to add a record like example.com. CAA 0 issue "letsencrypt.org".

Protocols and cipher suites

Tools like IISCrypto are often used configure the cipher suites of Windows systems according to the latest best practices. Changing these settings always brings some risk of breaking compatibility between two parties though. Too restrictive cipher suites have been known to hamper the ability to communicate with the ACME API endpoint and its validation servers. If that happens try more conservative settings.

HTTP-01 validation issues

Firewall

HTTP validation happens on port 80, so it will have to open on your firewall(s). Let's Encrypt doesn't disclose IP address range(s) for their validation servers, meaning port 80 will have to be accessible from any origin, at least for the duration of the validation.

IPv6 configuration

Let's Encrypt will check IPv6 access to your site if AAAA records are configured. Many browsers and networks don't use IPv6 yet or automatically fallback to IPv4 when an error occurs, so it might not be immediately obvious that your site is unreachable on IPv6. You can test it here.

FileSystem plugin IIS issues

Note that it's recommended to use the default SelfHosting validation plugin in combination with IIS. The FileSystem validation is great of other web servers such as Apache, but using it in combination with IIS leads to many potentials issues, described in the following sections.

CMS modules

Your CMS might intercept the request and redirect the user to an (error) page. The solution is to configure your CMS to allow unlimited access to the /.well-known/acme-challenge/ path.

Problems with httpHanders

IIS might not be configured to serve static extensionless files.

  1. In IIS manager go to the /.well-known/acme-challenge/ folder of the site (you may have to create it). Don't do this at the root of the server or the website, because it might break your application(s).
  2. Choose Handler Mappings -> View Ordered List.
  3. Move the StaticFile mapping above the ExtensionlessUrlHandler mappings.

Screenshot from above: http://i.stack.imgur.com/nkvrL.png:

Move StaticFile mapping

Anonymous authentication

Your website might require Windows authentication, client certificates or other authentication methods. Enable anonymous authentication to the /.well-known/acme-challenge/ path to allow access from the ACME server.

Require SSL

Your website might be configured to exclusively accept SSL traffic, while the validation request comes in on port 80. Disable the "Require SSL" setting for the /.well-known/acme-challenge/ path to fix that.

IP Address and Domain Restrictions

Your website might use IP Address and Domain Restrictions to provide extra security. The ACME server will have to bypass though. Let's Encrypt does not publicize a list of IP addresses that they can use for validation, so this features needs to be disabled for the /.well-known/acme-challenge/ path.

URL Rewrite

If you are using URL Rewrite the validation request might get caught up in that, so you have to make exceptions for the /.well-known/acme-challenge/ path.

DNS-01 validation issues

Name server synchronisation

Let's Encrypt may query all of your name servers, so you they will have to be in sync before submitting the challenge. When building a custom script, make sure it pauses long enough for that to happen.

Please refer to https://pkisharp.github.io/win-acme/ for up-to-date documentation.