Letsencrypt – Certify the Web – TroubleShooting – acme-challenge ( HTTP) and iis mimetypes

Background

After the Let’s Encrypt installation we received errors; let us troubleshoot one of them.

Legend

Here are earlier post(s) :-

  1. LetsEncrypt – Certify the Web ( v 4.012 )
    Link

Errors

Error – [INF] Validation of the required challenges did not complete successfully. Fetching http://[fqdn]/.well-known/acme-challenge/: Timeout during connect (likely firewall problem)

Error – Textual

2019-01-20 20:48:42.925 -08:00 [INF] Validation of the required challenges did not complete successfully. Fetching http://[fqdn]/.well-known/acme-challenge/: Timeout during connect (likely firewall problem)

TroubleShoot

Internet Information Server ( IIS)

Log Files

Log Files – Text


#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2019-01-21 04:48:16
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2019-01-21 04:48:16 127.0.0.1 GET /.well-known/acme-challenge/configcheck - 80 - 127.0.0.1 - - 404 3 64 15700
2019-01-21 04:48:23 127.0.0.1 GET /.well-known/acme-challenge/configcheck - 80 - 127.0.0.1 - - 404 3 50 2
2019-01-21 04:48:23 127.0.0.1 GET /.well-known/acme-challenge/configcheck - 80 - 127.0.0.1 - - 404 3 50 0 

Explanation

  1. An HTTP GET request is issued against /.well-known/acme-challenge/configcheck
  2. The HTTP server responds with a 404.3 error (sc-status 404, sc-substatus 3)
  3. What is 404.3?
    • Based on MSFT’s docs
      • This problem occurs if the following conditions are true:
        • The handler mapping for the requested file name extension is not configured.
        • The appropriate MIME type is not configured for the Web site or for the application.

Remediation

.well-known/acme-challenge

Mime Type

We have IIS configured to deliver only specific file types.

As part of the ACME challenge, extension-less files are created, and the certificate authority sends a request to the FQDN host for the file.

We have to configure IIS to serve this specific file type.

Web.config

Here is a sample web.config file that allows IIS to expose extension-less (.) files.
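
An added example, not the post's own listing: a minimal web.config that maps extension-less files to a MIME type so IIS stops answering 404.3 for the challenge files. The text/plain value and the placement inside the .well-known/acme-challenge folder (rather than the site root) are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!--
  Assumed location: <site root>\.well-known\acme-challenge\web.config
  Keeping the file in this folder limits the extension-less mapping to the
  challenge directory; extension-less files elsewhere on the site remain
  unserved.
-->
<configuration>
    <system.webServer>
        <staticContent>
            <!-- Drop any inherited "." mapping first so the add below does
                 not fail as a duplicate collection entry. -->
            <remove fileExtension="." />
            <!-- Serve files with no extension as plain text (assumed MIME type). -->
            <mimeMap fileExtension="." mimeType="text/plain" />
        </staticContent>
    </system.webServer>
</configuration>
```

After saving the file, the configcheck request shown in the IIS log above should be logged with sc-status 200 instead of 404 with sc-substatus 3.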





    
        
            
        

    


