Community

Letsencrypt with Axigen + Windows Server

Good afternoon,

I´m trying to install Letsencrypt on a Windows server via Axigen CLI using the instructions here
lets-encrypt-support-p10649619

DNS is done and working - letsdebug.net/
When I try generating “Let´s Encrypt” certificate I get this error message from them:
Acme challenge state failed, perhaps webmail.acme.com cannot be accessed by the letsencrypt servers?

In there response web (via logs) I can see that they are trying to access a file under:
“/.well-known/acme-challenge/1234567890”

I can see that the generate create a folder + files under - C:\Program Files\Axigen Mail Server\letsencrypt
But nothing under:
C:\Program Files\Axigen Mail Server\webmail\default which they are trying to point at in the response web.

I´ve tried creating a test file under:
/.well-known/acme-challenge/1 (this doesn´t work getting OOOPS The requested url was not found on this server.)
/.well-known/acme-challeng/1 (this works)

So is there some kind of a limit of filedepth? And why isn´t the generate creating this folder + file for me?

Regards

Hello,

Thank you for your message.

First of all, please know that the well-known/acme-challenge folder cannot be manually created and is currently dynamically handled by the Axigen binary.

Based on the log message posted:

" Acme challenge state failed, perhaps webmail.acme.com cannot be accessed by the letsencrypt servers?"

we understand that the hostname you wanted to generate a certificate for was “webmail.acme.com” and we believe that this is where the problem occurred due to a typo.

In order to use the Axigen Let’sEncrypt feature, you first need to make sure of the below requirements:

  1. There is an A DNS record of the hostname that leads to the Axigen server’s IP
  2. The Axigen’s IP is able to be reached on port 80 by remote servers
  3. The Axigen’s IP is able to reach remote servers on port 80

The CLI command to generate the certificate must contain the full hostname that you want to have the certificate generated for.
For example:

<server-certs #> GENERATE letsencrypt hostname webmail.example.com terms yes

For detailed instruction in using the Let’s Encrypt feature, please check our online documentation page available at:

https://www.axigen.com/documentation/lets-encrypt-support-p10649619

Please keep us updated in this matter.
Thank you.

Hi Maxim and thanks for your reply,

  1. I´ll already created the DNS record and according to https://letsdebug.net/ everything passes
  2. Port 80 (HTTP) is open but is directed to the IIS which uses URL rewrite to point towards 443 (HTTPS) to Axigen
  3. Same as nr 2

Not sure what you mean with a typo, the hostname webmail.acme.com is just a sudo name, so I wont reveal the true hostname.

So should I stop using redirect on my IIS server and somehow open the Axigen on port 80?

Regards

Forgot to mention, I have several websites on that IIS which is on the same machine as the Axigen Mail Server

Regards

Hello,

If you like to keep the setup with IIS redirection than please redirect ports :80 and :443 from IIS to ports :80 and :443 from Axigen and let Axigen to perform the automatically redirection of HTTP to HTTPS (as it is clearly stated into the documentation)

To redirect all insecure connections you may edit the non-SSL listener (that by default is set on port 80) and under the SSL Settings tab )→ Secure login subcategory → Tick the " Redirect to secure login page " option box and click on " Save Configuration ".)

If am in your position I’ll totally avoid this setup (using IIS as a proxy) as it will be very hard to debug why Letsencrypt servers are not able to reach Axigen.

BR,
Ioan

Hi indreias, thanks for your help. Its working now!

Best regards,