7

I am hosting an Umbraco CMS app in Azure. After following the instructions in this blog post, I am receiving the following error when I try to request and install a Let's Encrypt certificate using the Azure Let's Encrypt site extension:

    System.Exception: The Lets Encrypt ACME server was probably unable to reach http://domain.com/.well-known/acme-challenge/token

I have verified that all of my app settings are correct, my extension was installed properly, and that there don't seem to be any network issues. What could be causing this issue?

Jerreck

3 Answers

5

Turns out the problem has to do with the fact that the ACME challenge files are extensionless and the Umbraco pipeline tries to route all extensionless requests to a document within the CMS using OWIN.

James Dibble has written an excellent guide for how to create an OWIN configuration file to intercept any requests to "/.well-known" and serve up the ACME challenge files instead:

https://www.jdibble.co.uk/blog/using-letsencrypt-with-umbraco

You can find the gist of his code here:

https://gist.github.com/dibble-james/f47b0cba3494381588482c7f185861bf

One thing that was left out of his tutorial was that I also had to install the Microsoft.Owin.StaticFiles package. I also didn't know what he meant by "update the owin:appStartup app setting in your web.config," because I've never used OWIN before. If you just copypasta his code, then you'll want to change your setting from this:

    <add key="owin:appStartup" value="UmbracoDefaultOwinStartup" />

To this:

    <add key="owin:appStartup" value="Startup" />

Here's a detailed article as to why:

http://www.asp.net/aspnet/overview/owin-and-katana/owin-startup-class-detection

Jerreck
  • Any idea how I can add this to an Azure webapp? – Manuel Hernandez Oct 27 '16 at 14:39
  • The Owin Startup Class Detection article does a great job of showing how to create and configure a Startup.cs file. The article from jdibble.co.uk explains what you need to do to get this to work with Umbraco. My answer adds a couple of things that James Dibble's article didn't clarify for me. If you have a specific question, let me know and we can chat about it. – Jerreck Oct 27 '16 at 14:48
  • I really recommend Timothy's answer - Umbraco has a configuration option that makes it ignore certain paths. – Hauge Nov 19 '19 at 15:27
5

In the web.config file for the site, add ~/.well-known to the umbracoReservedPaths element and Let's Encrypt will be able to access the verification url.

    <add key="umbracoReservedPaths" value="~/umbraco,~/.well-known" />

Timothy Lee Russell
  • I tried several of the other solutions, but this one solved the specific issue for me. Good catch. I tried allowing files without extensions, tried the owin example below, also the rewrite rule, and more. But only this worked. – Jakob Hviid PhD Jul 13 '20 at 18:25
4

I just write the verification file as an index.html in the required folder and have the following rewrite rule so it serves the html file:

    <rule name="AcmeChallenge" patternSyntax="Wildcard">
      <match url=".well-known/acme-challenge*" />
      <action type="Rewrite" url="{R:0}/index.html" />
    </rule>

sebastiaan
  • Ah, that's what you were talking about in the comments! I was wondering how routing to the html file helped anything. – Jerreck Aug 09 '16 at 17:06
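
The three answers above each change web.config in a different way (the `owin:appStartup` setting, `umbracoReservedPaths`, and an IIS rewrite rule). The following is an added example, not code from any of the posters: a small Python check that reports which of those changes a given web.config contains before a certificate request is attempted. The function name `acme_fixes`, the result labels and both sample configs are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed web.config samples for illustration; not taken from any real site.
UNFIXED = """<configuration><appSettings>
  <add key="umbracoReservedPaths" value="~/umbraco" />
  <add key="owin:appStartup" value="UmbracoDefaultOwinStartup" />
</appSettings></configuration>"""

FIXED = """<configuration><appSettings>
  <add key="umbracoReservedPaths" value="~/umbraco,~/.well-known" />
  <add key="owin:appStartup" value="Startup" />
</appSettings><system.webServer><rewrite><rules>
  <rule name="AcmeChallenge" patternSyntax="Wildcard">
    <match url=".well-known/acme-challenge*" />
    <action type="Rewrite" url="{R:0}/index.html" />
  </rule>
</rules></rewrite></system.webServer></configuration>"""


def acme_fixes(web_config_xml):
    """Return which of the three fixes from the answers a web.config contains."""
    root = ET.fromstring(web_config_xml)
    settings = {a.get("key"): a.get("value", "")
                for a in root.iterfind("./appSettings/add")}
    found = set()

    # Timothy Lee Russell's answer: ~/.well-known listed in umbracoReservedPaths.
    reserved = settings.get("umbracoReservedPaths", "").split(",")
    if "~/.well-known" in (p.strip().rstrip("/") for p in reserved):
        found.add("reserved-path")

    # Jerreck's answer: a non-default OWIN startup class is configured. This only
    # shows the class was swapped, not that it actually serves /.well-known.
    startup = settings.get("owin:appStartup", "UmbracoDefaultOwinStartup")
    if startup != "UmbracoDefaultOwinStartup":
        found.add("custom-owin-startup")

    # sebastiaan's answer: an IIS rewrite rule that targets the challenge folder.
    for rule in root.iterfind("./system.webServer/rewrite/rules/rule"):
        match, action = rule.find("match"), rule.find("action")
        if (match is not None and action is not None
                and ".well-known/acme-challenge" in match.get("url", "")
                and action.get("type") == "Rewrite"):
            found.add("rewrite-rule")
    return found


if __name__ == "__main__":
    for name, xml in (("UNFIXED", UNFIXED), ("FIXED", FIXED)):
        print(name, sorted(acme_fixes(xml)) or "no ACME fix present")
```

An empty result means none of the three changes is present, which matches the situation in the question where the extensionless challenge request falls through to Umbraco's routing.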