The Lets Encrypt ACME server was probably unable to reach

Question

I have configured the Let’s Encrypt extensions in to Azure web app. When I trying to generate SSL certs for the custom domains, I’m getting below error:

The Lets Encrypt ACME server was probably unable to reach http://www.holzlauf.ch/.well-known/acme-challenge/hyDaCURuFoJGi9ASuJdNppayYcjIRpqp3vMLTKbA-hA view error report from Lets Encrypt at https://acme-staging.api.letsencrypt.org/acme/authz/YnGjTUHQa5upTAajCNPOLX_aLLlmRQiRP6uj3a0vAm8 for more information

source error:

An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.

Stacke trace

[Exception: The Lets Encrypt ACME server was probably unable to reach http://www.holzlauf.ch/.well-known/acme-challenge/hyDaCURuFoJGi9ASuJdNppayYcjIRpqp3vMLTKbA-hA view error report from Lets Encrypt at https://acme-staging.api.letsencrypt.org/acme/authz/YnGjTUHQa5upTAajCNPOLX_aLLlmRQiRP6uj3a0vAm8 for more information]
   LetsEncrypt.Azure.Core.Services.<Authorize>d__5.MoveNext() in D:\a\1\s\LetsEncrypt.SiteExtension.Core\Services\BaseHttpAuthorizationChallengeProvider.cs:121
   System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() +26
   LetsEncrypt.Azure.Core.Services.<Authorize>d__5.MoveNext() in D:\a\1\s\LetsEncrypt.SiteExtension.Core\Services\BaseHttpAuthorizationChallengeProvider.cs:131
   System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) +99
   System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +58
   LetsEncrypt.Azure.Core.Services.<RequestCertificate>d__5.MoveNext() in D:\a\1\s\LetsEncrypt.SiteExtension.Core\Services\AcmeService.cs:44
   System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) +99
   System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +58
   LetsEncrypt.Azure.Core.<RequestInternalAsync>d__16.MoveNext() in D:\a\1\s\LetsEncrypt.SiteExtension.Core\CertificateManager.cs:231
   System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) +99
   System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +58
   LetsEncrypt.Azure.Core.<RequestAndInstallInternalAsync>d__17.MoveNext() in D:\a\1\s\LetsEncrypt.SiteExtension.Core\CertificateManager.cs:244
   System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) +99
   System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +58
   LetsEncrypt.SiteExtension.Controllers.<Install>d__7.MoveNext() in D:\a\1\s\LetsEncrypt-SiteExtension\Controllers\HomeController.cs:250
   System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) +99
   System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +58
   System.Web.Mvc.Async.TaskAsyncActionDescriptor.EndExecute(IAsyncResult asyncResult) +97
   System.Web.Mvc.Async.<>c__DisplayClass8_0.<BeginInvokeAsynchronousActionMethod>b__1(IAsyncResult asyncResult) +17
   System.Web.Mvc.Async.WrappedAsyncResult`1.CallEndDelegate(IAsyncResult asyncResult) +10
   System.Web.Mvc.Async.WrappedAsyncResultBase`1.End() +49
   System.Web.Mvc.Async.AsyncControllerActionInvoker.EndInvokeActionMethod(IAsyncResult asyncResult) +32
   System.Web.Mvc.Async.<>c__DisplayClass11_0.<InvokeActionMethodFilterAsynchronouslyRecursive>b__0() +58
   System.Web.Mvc.Async.<>c__DisplayClass11_2.<InvokeActionMethodFilterAsynchronouslyRecursive>b__2() +228
   System.Web.Mvc.Async.<>c__DisplayClass7_0.<BeginInvokeActionMethodWithFilters>b__1(IAsyncResult asyncResult) +10
   System.Web.Mvc.Async.WrappedAsyncResult`1.CallEndDelegate(IAsyncResult asyncResult) +10
   System.Web.Mvc.Async.WrappedAsyncResultBase`1.End() +49
   System.Web.Mvc.Async.AsyncControllerActionInvoker.EndInvokeActionMethodWithFilters(IAsyncResult asyncResult) +34
   System.Web.Mvc.Async.<>c__DisplayClass3_6.<BeginInvokeAction>b__4() +35
   System.Web.Mvc.Async.<>c__DisplayClass3_1.<BeginInvokeAction>b__1(IAsyncResult asyncResult) +100
   System.Web.Mvc.Async.WrappedAsyncResult`1.CallEndDelegate(IAsyncResult asyncResult) +10
   System.Web.Mvc.Async.WrappedAsyncResultBase`1.End() +49
   System.Web.Mvc.Async.AsyncControllerActionInvoker.EndInvokeAction(IAsyncResult asyncResult) +27
   System.Web.Mvc.<>c.<BeginExecuteCore>b__152_1(IAsyncResult asyncResult, ExecuteCoreState innerState) +11
   System.Web.Mvc.Async.WrappedAsyncVoid`1.CallEndDelegate(IAsyncResult asyncResult) +29
   System.Web.Mvc.Async.WrappedAsyncResultBase`1.End() +49
   System.Web.Mvc.Controller.EndExecuteCore(IAsyncResult asyncResult) +45
   System.Web.Mvc.<>c.<BeginExecute>b__151_2(IAsyncResult asyncResult, Controller controller) +13
   System.Web.Mvc.Async.WrappedAsyncVoid`1.CallEndDelegate(IAsyncResult asyncResult) +22
   System.Web.Mvc.Async.WrappedAsyncResultBase`1.End() +49
   System.Web.Mvc.Controller.EndExecute(IAsyncResult asyncResult) +26
   System.Web.Mvc.Controller.System.Web.Mvc.Async.IAsyncController.EndExecute(IAsyncResult asyncResult) +10
   System.Web.Mvc.<>c.<BeginProcessRequest>b__20_1(IAsyncResult asyncResult, ProcessRequestState innerState) +28
   System.Web.Mvc.Async.WrappedAsyncVoid`1.CallEndDelegate(IAsyncResult asyncResult) +29
   System.Web.Mvc.Async.WrappedAsyncResultBase`1.End() +49
   System.Web.Mvc.MvcHandler.EndProcessRequest(IAsyncResult asyncResult) +28
   System.Web.Mvc.MvcHandler.System.Web.IHttpAsyncHandler.EndProcessRequest(IAsyncResult result) +9
   System.Web.CallHandlerExecutionStep.InvokeEndHandler(IAsyncResult ar) +152
   System.Web.CallHandlerExecutionStep.OnAsyncHandlerCompletion(IAsyncResult ar) +126

Answer 1

This error means that letsencrypt can't verify that you actually own the domain that you are trying to create the cert for. It is trying to access the URL:

http://www.holzlauf.ch/.well-known/acme-challenge/hyDaCURuFoJGi9ASuJdNppayYcjIRpqp3vMLTKbA-hA

But, the letsencrypt server can't reach that location.

So, let's take a step back here. Generally, the way that letsencrypt works is that your certbot (or whatever acme client you are using) creates an endpoint accessible at http://www.example.com/.well-known/<some-hash> and then asks the server to access it. If the HTTP result is 200, then the Letsencrypt ACME server considers this a success and issues the cert. If the result is 400 or more, then this is a failure and an error like the one above is returned.

Exactly how the well-known location is created depends on which certbot plugin you are using. For example:

• the webroot plugin will place a file on your file system at a location where you specify in the config
• the nginx plugin will update your nginx config so that GETting the resource will return HTTP status code 200
• the DNS plugin will update your DNS records to prove in a similar way.

So, with all that in mind, I don't know exactly what the issue is here, but it looks like you haven't configured the plugin properly. Hopefully, though this gives you enough information to fix. And if it doesn't, please comment below and clarify which plugin you're using and what the configuration is.

---

EDIT

If you go here: https://acme-staging.api.letsencrypt.org/acme/authz/YnGjTUHQa5upTAajCNPOLX_aLLlmRQiRP6uj3a0vAm8

You can see a longer description of the error that you received.

The response is 403 Forbidden. This means that your webserver has prevented access to that URL. You need to make sure that your webserver (IIS, apache, nginx) allows access. The precise way to fix this is dependent on which DNS plugin you are using. See the docs for a list. Click on the link and follow the instructions.