NetTalk Central

NetTalk Web Server => Web Server - Ask For Help => Topic started by: Poul Jensen on January 25, 2025, 11:01:16 PM

Title: LE error: Unable to get certificate - Challenge was invalid
Post by: Poul Jensen on January 25, 2025, 11:01:16 PM
Hi

Trying to use Let's Encrypt but it fails with this message:
Unable to get certificate - Challenge was invalid

Debugview log:
[ 1/26/25- 7:37:36]  Setting Folders for Domain [mobil1.domain.org]
[ 1/26/25- 7:37:36]  Created C:\pstellar7\MariSoft\certificates\mobil1.domain.org.csr.der
[ 1/26/25- 7:37:36]  Setting Folders for Domain [mobil1.domain.org]
[ 1/26/25- 7:37:36]  C:\pstellar7\MariSoft\certificates\mobil1.domain.org.crt does not exist
[ 1/26/25- 7:37:36]  Time to update the certificate mobil1.domain.org
[ 1/26/25- 7:37:40]  Registering Account MarisoftWeb1 at  https://acme-staging-v02.api.letsencrypt.org/acme/new-acct
[ 1/26/25- 7:37:41]  Authorize Request mobil1.domain.org
[ 1/26/25- 7:37:43]  Get Authorize mobil1.domain.org
[ 1/26/25- 7:37:44]  HTTP Challenge will be used
[ 1/26/25- 7:37:44]  Challenge Token Saved C:\pstellar7\MariSoft\web\.well-known\acme-challenge\LcML2B1oQ1Dia0N1kH0gxnNjdgRJbpVeiQf1n7q0UtI
[ 1/26/25- 7:37:44]  LE Server will now fetch http://mobil1.domain.org:80/.well-known/acme-challenge/LcML2B1oQ1Dia0N1kH0gxnNjdgRJbpVeiQf1n7q0UtI
[ 1/26/25- 7:37:44]  Notify Server Challenge is Ready: https://acme-staging-v02.api.letsencrypt.org/acme/chall/181883304/15838799894/c_rB6g
[ 1/26/25- 7:37:45]  Checking Status
[ 1/26/25- 7:37:46]  Get Authorize mobil1.domain.org
[ 1/26/25- 7:37:47]  Status: "invalid"
[ 1/26/25- 7:37:47]  Unable to get certificate - Challenge was invalid
[ 1/26/25- 7:37:47]  Hostname resolved to: 192.236.999.230

What should I be looking at?

This is NT 14.29

/Poul
Title: Re: LE error: Unable to get certificate - Challenge was invalid
Post by: rjolda on January 26, 2025, 03:41:51 AM
Hi Poul,
I ran into this because my cable provider blocks port 80.  Thus when Let's Encrypt went to port 80 to retrieve the message to prove that this is the machine for the certificate, it failed the challenge.  So, port 80 was the problem for me.  Bruce has another method for using DNS instead of direct challenge but you have to use a DNS provider which allows you to change some of the parameters. Bruce has them listed.  In my case, I just bought an SSL certificate from GoDaddy - that was the easiest solution in my particular case.
Ron
Title: Re: LE error: Unable to get certificate - Challenge was invalid
Post by: Poul Jensen on January 26, 2025, 11:25:14 AM
Hi Ron,

Thanks - you got me on the right track.
Port 80 was not blocked, but the IIS was grabbing it :-)

Stopping IIS made it all work as expected.

Cheers
/Poul
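
The cause found in this thread (another web server holding port 80, so the saved token is never served) can be checked before requesting a certificate. The script below is an added example, not part of the posts and not NetTalk code: it writes a probe file into the `.well-known\acme-challenge` folder and fetches it over HTTP from the same machine. The function name and its parameters are assumptions made for illustration, and a port 80 block at the ISP, as in Ron's case, needs a test from outside the network instead.

```python
"""Local pre-flight check for an ACME HTTP-01 challenge (added example)."""
import os
import secrets
import urllib.error
import urllib.request

CHALLENGE_DIR = os.path.join(".well-known", "acme-challenge")


def probe_http01(web_root, host, connect_to="127.0.0.1", port=80, timeout=5):
    """Write a probe file under web_root, fetch it over HTTP, return (ok, detail)."""
    folder = os.path.join(web_root, CHALLENGE_DIR)
    os.makedirs(folder, exist_ok=True)
    name = "probe-" + secrets.token_urlsafe(16)
    body = secrets.token_urlsafe(32)
    path = os.path.join(folder, name)
    with open(path, "w", encoding="ascii") as fh:
        fh.write(body)
    url = f"http://{connect_to}:{port}/.well-known/acme-challenge/{name}"
    # Send the real hostname so virtual-host routing matches the CA's request.
    req = urllib.request.Request(url, headers={"Host": host})
    # Bypass any configured proxy: the check must hit the local listener.
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    try:
        with opener.open(req, timeout=timeout) as resp:
            served = resp.read().decode("ascii", "replace")
            server = resp.headers.get("Server", "unknown")
    except urllib.error.HTTPError as exc:
        # Something answered, but it does not serve this web root.
        server = exc.headers.get("Server", "unknown")
        return False, f"HTTP {exc.code} from server '{server}'"
    except OSError as exc:
        # Nothing is listening, or the connection was refused or timed out.
        return False, f"no answer on port {port}: {exc}"
    finally:
        os.remove(path)
    if served != body:
        return False, f"server '{server}' returned different content"
    return True, f"probe served correctly by '{server}'"


if __name__ == "__main__":
    # Web root and hostname as they appear in the log in the first post.
    print(probe_http01(r"C:\pstellar7\MariSoft\web", "mobil1.domain.org"))
```

An error status together with a `Server` value that does not belong to the expected web server indicates that a different service owns the port.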