Problems to validate domain / complete challenge


goo...@ziqu.de

Feb 2, 2016, 8:24:28 PM
to ACMESharp

Hi everyone,

first of all: Thank you, ebekker, for writing this PowerShell Module!
Much appreciated :-)
Disclaimer: Maybe I am not waiting long enough for the Challenge to validate and there is actually no Problem.
But since it should validate within minutes and the letsencrypt status page is all green, I guess it could not hurt to ask for help:

I am currently trying to use ACMESharp and am having some problems using the following setup:
Machine A: Used for ACMESharp. Windows Server 2008 R2 Standard. PowerShell 4.0. Module is located at: "C:\Users\(myaccount)\Documents\WindowsPowerShell\Modules\ACMESharp\ACMESharp.psd1".
Machine B: Used as a testing webserver. Windows Server 2012 R2 Standard. PowerShell 4.0. IIS 8.5 running.
Following the quick start guide and using the manual challenge method, I have tried the following steps:
   1 Import-Module ACMESharp
   2 Initialize-ACMEVault
   3 New-ACMERegistration -Contacts mailto:(me)@(mydomain) -AcceptTos
   4 New-ACMEIdentifier -Dns jd.jypd.de -Alias dns1
   5 Complete-ACMEChallenge dns1 -ChallengeType http-01 -Handler manual
# at this point I created the challenge file on machine B.
   6 Submit-ACMEChallenge dns1 -ChallengeType http-01
   7 Update-ACMEIdentifier dns1 -ChallengeType http-01

All commands run perfectly fine without errors. I can even see the validation bot in the IIS log, getting the file successfully, for example:
2016-02-02 22:28:16 5.9.54.181 GET /.well-known/acme-challenge/20cKDHvZ-A16dMyIOnEpNyFxliqABxDwL30-G0wRQus - 80 - 66.133.109.36 Mozilla/5.0+(compatible;+Let's+Encrypt+validation+server;++https://www.letsencrypt.org) - 200 0 0 161

But sadly the Challenge stays on "pending".

I first tried it with my default content type of "application/octet-stream". More than 24 hours later I guessed maybe it failed silently. Any further check with Update-ACMEIdentifier still had the status "pending".
Since I could not find a way to reset the Challenge / request another validation server check, I decided to start all over again.
I deleted "C:\Users\All Users\ACMESharp", just to be sure. (meaning I also re-registered at letsencrypt with the same email address again)
Using the mime type "text/json" suggested here: https://github.com/ebekker/ACMESharp/wiki/Troubleshooting I had no success either.
Also with mime type "text/plain" as suggested by the PowerShell cmdlet, when running "Complete-ACMEChallenge dns1 -ChallengeType http-01 -Handler manual", it didn't work.
Every time the bot visited, but the status never changed.
It currently outputs the following text on "Update-ACMEIdentifier dns1 -ChallengeType http-01":

IdentifierPart : ACMESharp.Messages.IdentifierPart
IdentifierType : dns
Identifier     : jd.jypd.de
Status         : pending
Expires        : 09.02.2016 22:42:28
Challenges     : {, manual, }
Combinations   : {1, 0, 2}

The current Challenge was generated with the following output:

== Manual Challenge Handler - HTTP ==
  * Handle Time:      [02.02.2016 23:42:39]
  * Challenge Token:  [UP2kiEg4qgJP3P9YreZjKbdIiYwgGPhLYPwBsmKhBxI]
To complete this Challenge please create a new file
under the server that is responding to the hostname
and path given with the following characteristics:
  * File Path:    [.well-known/acme-challenge/UP2kiEg4qgJP3P9YreZjKbdIiYwgGPhLYPwBsmKhBxI]
  * File Content: [UP2kiEg4qgJP3P9YreZjKbdIiYwgGPhLYPwBsmKhBxI.yqhy9G4dbqrxOskEVaob17HY0ls7u2CVNypUy7Gw-z0]
  * MIME Type:    [text/plain]
------------------------------------

The file is still online if you want to check on the HTTP headers.
Here are the headers I get:

Accept-Ranges:bytes
Connection:close
Content-Length:87
Content-Type:text/plain
Date:Wed, 03 Feb 2016 01:09:25 GMT
ETag:"d80791eb5ed11:0"
Last-Modified:Tue, 02 Feb 2016 22:43:21 GMT
Server:Microsoft-IIS/8.5

Any Ideas are welcome! Maybe it is a general issue?

One thing I noticed was that the output of the Update-ACMEIdentifier cmdlet was not the same during my different tries.
If I remember correctly, in one of the earlier runs, instead of
Challenges     : {, manual, }
it printed
Challenges     : {, , manual}
Both seem a bit odd to me...

Best regards,
Jan

PS: Server names and IPs are intended to be the original ones since it could help with troubleshooting. I am aware of the side effects of publishing this data :-)
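A small preflight check for the situation described in this post, added here as an example (it is not part of Jan's post nor of ACMESharp): it verifies that the bytes a server returns for the challenge file are exactly the key authorization ACMESharp printed (catching a UTF-8 BOM or a trailing newline added by an editor), and it picks the validation server's fetch out of IIS W3C log lines. The token and key authorization are the ones from the challenge output above, the log line is the one quoted above, and the IIS field order is assumed to be the IIS 8.5 default; compare it with the #Fields: line of your own log.

```python
import re

# Values copied from the challenge output in the post: the token and the
# key authorization ("<token>.<account key thumbprint>") to be served as file content.
TOKEN = "UP2kiEg4qgJP3P9YreZjKbdIiYwgGPhLYPwBsmKhBxI"
KEY_AUTHZ = TOKEN + ".yqhy9G4dbqrxOskEVaob17HY0ls7u2CVNypUy7Gw-z0"

# Default W3C field order of IIS 8.5 (assumption; verify against the log's #Fields: line).
IIS_FIELDS = ("date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username "
              "c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status "
              "time-taken").split()

def check_challenge_body(body: bytes, token: str, key_authz: str) -> list:
    """Return the problems found in the bytes served for
    /.well-known/acme-challenge/<token>; an empty list means the content matches."""
    problems = []
    if body.startswith(b"\xef\xbb\xbf"):          # file saved as "UTF-8 with BOM"
        problems.append("UTF-8 BOM before the key authorization")
        body = body[3:]
    text = body.decode("ascii", errors="replace")
    stripped = text.rstrip("\r\n\t ")
    if stripped != text:
        problems.append("trailing newline/whitespace after the key authorization")
    if not re.fullmatch(r"[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+", stripped):
        problems.append("content is not '<token>.<thumbprint>' in base64url")
    elif not stripped.startswith(token + "."):
        problems.append("token part does not match the challenge token")
    if stripped != key_authz:
        problems.append("content differs from the expected key authorization")
    return problems

def validation_fetches(log_lines, token: str) -> list:
    """Return (client_ip, status, is_letsencrypt_ua) for every request to the
    challenge path of `token` found in IIS W3C log lines; directive lines are skipped."""
    path = "/.well-known/acme-challenge/" + token
    hits = []
    for line in log_lines:
        parts = line.split()
        if line.startswith("#") or len(parts) != len(IIS_FIELDS):
            continue
        rec = dict(zip(IIS_FIELDS, parts))
        if rec["cs-uri-stem"] == path:
            ua = rec["cs(User-Agent)"]            # IIS encodes spaces in the UA as '+'
            hits.append((rec["c-ip"], int(rec["sc-status"]),
                         "Let's+Encrypt+validation+server" in ua))
    return hits

# Constructed sample log: a #Fields: directive plus the IIS line quoted in the post.
SAMPLE_LOG = [
    "#Fields: " + " ".join(IIS_FIELDS),
    "2016-02-02 22:28:16 5.9.54.181 GET /.well-known/acme-challenge/20cKDHvZ-A16dMyIOnEpNyFxliqABxDwL30-G0wRQus - 80 - 66.133.109.36 Mozilla/5.0+(compatible;+Let's+Encrypt+validation+server;++https://www.letsencrypt.org) - 200 0 0 161",
]

if __name__ == "__main__":
    print(check_challenge_body(KEY_AUTHZ.encode(), TOKEN, KEY_AUTHZ))   # []
    print(check_challenge_body(b"\xef\xbb\xbf" + KEY_AUTHZ.encode() + b"\r\n", TOKEN, KEY_AUTHZ))
    print(validation_fetches(SAMPLE_LOG, "20cKDHvZ-A16dMyIOnEpNyFxliqABxDwL30-G0wRQus"))
```

To check a live file, fetch the challenge URL over plain HTTP and pass the raw response bytes to check_challenge_body before running Submit-ACMEChallenge.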

goo...@ziqu.de

Feb 3, 2016, 4:10:33 PM
to ACMESharp
I think I have found the issue.
It was a kind of display issue after all.
The Challenge was solved/valid, but the displayed status was still "pending".
The status does not seem to be updated correctly at all occurrences in the Vault.
I found at least 4 places which I guess should be updated. But only one of them was actually updated to "valid".
Is this a bug or wrong usage of the tool? Or maybe an error in the guide?
Here is a screenshot with some comments on the VAULT JSON:


Best Regards,
Jan

Eugene Bekker

Mar 26, 2016, 6:32:19 AM
to ACMESharp
Yes, unfortunately, I think this is a known and standing bug (#90) which I thought I had corrected a while back, but seemingly not.
