IIS 8.5 403 - Forbidden: Access is denied for all sites after renewal #517

Closed
zeidmandevelopment opened this Issue Aug 14, 2017 · 5 comments

3 participants

zeidmandevelopment commented Aug 14, 2017

"403 - Forbidden: Access is denied.
You do not have permission to view this directory or page using the credentials that you supplied."

On ALL SSL sites after letsencrypt renewal process
Valid SSL certificates shown
Also affected existing non-letsencrypt sites.

Below is the output from the command prompt

C:\letsencrypt>letsencrypt --renew
The global logger has been configured
Let's Encrypt (Simple Windows ACME Client)
Renewal Period: 60
Certificate Store: WebHosting
ACME Server: https://acme-v01.api.letsencrypt.org/
Config Folder: C:\Users\Administrator\AppData\Roaming\letsencrypt-win-simple\httpsacme-v01.api.letsencrypt.org
Certificate Folder: C:\Users\Administrator\AppData\Roaming\letsencrypt-win-simple\httpsacme-v01.api.letsencrypt
Loading Signer from C:\Users\Administrator\AppData\Roaming\letsencrypt-win-simple\httpsacme-v01.api.letsencrypt
Getting AcmeServerDirectory
Loading Registration from C:\Users\Administrator\AppData\Roaming\letsencrypt-win-simple\httpsacme-v01.api.letse
Checking Renewals
Checking IIS www.zdservices.uk (C:\inetpub\wwwroot\ZDGateway) Renew After 7/13/2017
Renewing certificate for IIS www.zdservices.uk (C:\inetpub\wwwroot\ZDGateway) Renew After 7/13/2017
Authorizing Identifier www.zdservices.uk Using Challenge Type http-01
Writing challenge answer to C:\inetpub\wwwroot\ZDGateway.well-known/acme-challenge/WFGVE58yL31VQ9TBX1hTG-evRcX
Writing web.config to add extensionless mime type to C:\inetpub\wwwroot\ZDGateway.well-known\acme-challenge\we
Answer should now be browsable at http://www.zdservices.uk/.well-known/acme-challenge/WFGVE58yL31VQ9TBX1hTG-evR
Submitting answer
Authorization Result: valid
Deleting answer
Deleting web.config
Deleting C:\inetpub\wwwroot\ZDGateway.well-known/acme-challenge/
Deleting C:\inetpub\wwwroot\ZDGateway.well-known
Requesting Certificate: {dnsIdentifier}
Request Status: Created
Saving Certificate to C:\Users\Administrator\AppData\Roaming\letsencrypt-win-simple\httpsacme-v01.api.letsencry
Saving Issuer Certificate to C:\Users\Administrator\AppData\Roaming\letsencrypt-win-simple\httpsacme-v01.api.le
Saving Certificate to C:\Users\Administrator\AppData\Roaming\letsencrypt-win-simple\httpsacme-v01.api.letsencry
Installing Non-Central SSL Certificate in the certificate store
Opened Certificate Store WebHosting
Set private key exportable
Set private key exportable
Adding Certificate to Store
Closing Certificate Store
Installing Non-Central SSL Certificate in server software
Adding https Binding
No HTTP binding for www.zdservices.uk on ZDGateway
Committing binding changes to IIS
Opened Certificate Store WebHosting
Closing Certificate Store

Member

WouterTinus commented Aug 19, 2017

Have you figured out what was causing the 403 error? Was something wrong with the bindings?

zeidmandevelopment commented Aug 21, 2017

Thank you for asking.
Bindings were fine. Problem existed even after removing them and reapplying to other sites on the server.
Ended up removing IIS and components completely and then reinstalling - everything works fine now.
So we were unable to pinpoint the cause and are still concerned about future renewals.


Prior to this we had tried everything including: ...

"Had this happen to me now. All SSL sites (all SNI) provide the latest Let's Encrypt certificate. All settings are correct, all certs are fine, but everything's messed up. Version 1.8.8.1- Had to manually delete the IP binding that override everything with netsh http delete sslcert ipport=1.2.3.4:443 and things started working. I think the client should never add that kind of binding, since it's not even visible from IIS site management. And I would like to hear how this is a problem in IIS and not in the Let's Encrypt code."

This did not work for us, and we observed that running the win-simple executable had generated 99+ empty bindings for no reason.


We would like to ensure a smooth and less time consuming process in future - so any light you can shed on this would be helpful.
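The quoted report above describes an HTTP.SYS SSL binding that IIS Manager never shows, and this comment mentions dozens of empty bindings. The following script is an added diagnostic written for this thread, not code from the letsencrypt-win-simple project: it parses `netsh http show sslcert`, expresses each IIS https binding the way HTTP.SYS keys it, and reports every HTTP.SYS entry that no IIS site references. It assumes English-language netsh output, the WebAdministration module and an elevated prompt; it deletes nothing and only prints the `netsh http delete sslcert` command already given above for each unreferenced entry.

```powershell
# Added diagnostic, not part of the letsencrypt-win-simple project: compare the
# SSL bindings HTTP.SYS holds (netsh http show sslcert) with the https bindings
# IIS itself knows about, and report every HTTP.SYS entry that no IIS site
# references. Assumptions: English netsh output, the WebAdministration module,
# an elevated prompt. Nothing is deleted; removal is left to the administrator.
Import-Module WebAdministration

function Get-HttpSysSslBindings {
    # netsh prints one block per binding as "Label : Value" lines; the labels
    # matched here are the English ones ("IP:port", "Hostname:port",
    # "Certificate Hash").
    $bindings = @()
    $current  = $null
    foreach ($raw in (netsh http show sslcert)) {
        $line = "$raw".Trim()
        if ($line -match '^(IP:port|Hostname:port)\s*:\s*(\S+)$') {
            if ($current) { $bindings += $current }
            $current = [pscustomobject]@{
                Kind       = $Matches[1]          # 'IP:port' or 'Hostname:port' (SNI)
                Endpoint   = $Matches[2]
                Thumbprint = ''
            }
        }
        elseif ($current -and $line -match '^Certificate Hash\s*:\s*([0-9A-Fa-f]+)$') {
            $current.Thumbprint = $Matches[1].ToLower()
        }
    }
    if ($current) { $bindings += $current }
    return $bindings
}

function Get-IisHttpsEndpoints {
    # Express each IIS https binding the way HTTP.SYS keys it:
    # "hostname:port" when the SNI flag (bit 1 of sslFlags) is set,
    # otherwise "ip:port" with '*' normalised to 0.0.0.0.
    foreach ($b in (Get-WebBinding -Protocol https)) {
        $ip, $port, $hostName = $b.bindingInformation.Split(':')
        $sni = ([int]$b.sslFlags -band 1) -ne 0
        if ($hostName -and $sni) { "$hostName`:$port" }
        else { "$(if ($ip -eq '*') { '0.0.0.0' } else { $ip }):$port" }
    }
}

$iisEndpoints = @(Get-IisHttpsEndpoints)
$report = foreach ($b in Get-HttpSysSslBindings) {
    [pscustomobject]@{
        Kind       = $b.Kind
        Endpoint   = $b.Endpoint
        Thumbprint = $b.Thumbprint
        InIis      = $iisEndpoints -contains $b.Endpoint
    }
}
$report | Sort-Object InIis, Kind | Format-Table -AutoSize

# Entries IIS does not reference are candidates for cleanup. The removal
# command is printed, not run, so each one can be reviewed first.
foreach ($r in $report | Where-Object { -not $_.InIis }) {
    $arg = if ($r.Kind -eq 'IP:port') { "ipport=$($r.Endpoint)" } else { "hostnameport=$($r.Endpoint)" }
    Write-Output "review then remove: netsh http delete sslcert $arg"
}
```

Run it before and after a renewal and diff the two reports: an `IP:port` entry that appears without a matching IIS binding is the kind of binding the quoted comment had to remove by hand, and a growing list of unreferenced entries is the "99+ empty bindings" symptom made visible. The thumbprint column also shows at a glance whether every SNI entry already carries the renewed certificate.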

Member

WouterTinus commented Aug 21, 2017

I don't see anything strange in your program output, it looks like a perfectly normal and successful renewal. It's too bad that you haven't been able to figure out the root cause for the 403 errors. That might have helped us to figure out the exact cause.

What I can tell you is that v1.9.4 changed the way of renewing certificates in IIS. Instead of altering the binding, it removes the existing one and re-creates a new one with the same settings and the new thumbprint. According to some users that increases reliability (see #371). I would advise you to test renewals with the latest release and the --forcerenewal option, preferably in a test environment.

ber5ien commented Aug 25, 2017

Do you have both http and https bindings? An http binding is required for it to work.
Do you have Windows Authentication enabled?
I frequently find that I need to exclude the .well-known folder from Windows Authentication.
Do you use a WAF (Web Application Firewall)?
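The three questions above are checkable before a renewal. The script below is an added example for this thread, not part of the letsencrypt-win-simple client: for every IIS site it reports which https hostnames lack an http binding (the http-01 challenge is fetched over port 80), whether Windows Authentication is on with anonymous access off, and whether a `.well-known` location already re-enables anonymous access; `-Fix` adds that carve-out. A second function drops a throw-away file under `/.well-known/acme-challenge/` and fetches it anonymously, which is the request the ACME server makes. It assumes the WebAdministration module and an elevated prompt; the function and parameter names are my own. A WAF in front of the server cannot be detected from the host, so that question still has to be answered separately.

```powershell
# Added pre-renewal check, not part of the letsencrypt-win-simple client.
# Assumptions: WebAdministration module, elevated prompt. A WAF in front of
# the server cannot be detected from here; check it separately.
Import-Module WebAdministration

$AuthBase = 'system.webServer/security/authentication'

function Get-AuthEnabled {
    # Read the 'enabled' attribute of an authentication section for a
    # location, at the applicationHost level so locked sections still resolve.
    param([string]$Location, [string]$Section)
    $p = Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
            -Location $Location -Filter "$AuthBase/$Section" -Name enabled
    return [bool]$p.Value
}

function Test-AcmeReadiness {
    # -Fix adds a <location path="site/.well-known"> that re-enables anonymous
    # access, the carve-out described in the comment above.
    param([switch]$Fix)
    foreach ($site in Get-Website) {
        $bindings   = Get-WebBinding -Name $site.Name
        $httpHosts  = @($bindings | Where-Object protocol -eq 'http'  | ForEach-Object { $_.bindingInformation.Split(':')[2] })
        $httpsHosts = @($bindings | Where-Object protocol -eq 'https' | ForEach-Object { $_.bindingInformation.Split(':')[2] })
        # https hostnames with no http binding: port 80 cannot answer the challenge for them
        $missing    = @($httpsHosts | Where-Object { $_ -and ($httpHosts -notcontains $_) })

        $winAuth = Get-AuthEnabled -Location $site.Name -Section 'windowsAuthentication'
        $anon    = Get-AuthEnabled -Location $site.Name -Section 'anonymousAuthentication'
        $anonWk  = Get-AuthEnabled -Location "$($site.Name)/.well-known" -Section 'anonymousAuthentication'
        $blocked = $winAuth -and -not $anon -and -not $anonWk

        if ($blocked -and $Fix) {
            Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
                -Location "$($site.Name)/.well-known" `
                -Filter "$AuthBase/anonymousAuthentication" -Name enabled -Value $true
            $blocked = $false
        }

        [pscustomobject]@{
            Site                  = $site.Name
            HttpsHostsWithoutHttp = ($missing -join ', ')
            WindowsAuth           = $winAuth
            AnonymousAuth         = $anon
            ChallengePathBlocked  = $blocked
        }
    }
}

function Test-ChallengePath {
    # Drop a throw-away file under /.well-known/acme-challenge/ on a site and
    # fetch it anonymously over plain http, the way the ACME server would.
    # A .txt name is used so no extensionless MIME mapping is needed; the
    # client writes a web.config for that itself during a real renewal.
    param([string]$SiteName, [string]$HostName)
    $site = Get-Website -Name $SiteName
    $root = [Environment]::ExpandEnvironmentVariables($site.physicalPath)
    $dir  = Join-Path $root '.well-known\acme-challenge'
    $name = "probe-$([guid]::NewGuid().ToString('N')).txt"
    New-Item -ItemType Directory -Path $dir -Force | Out-Null
    Set-Content -Path (Join-Path $dir $name) -Value 'probe'
    try {
        $r = Invoke-WebRequest -UseBasicParsing -Uri "http://$HostName/.well-known/acme-challenge/$name"
        return ($r.StatusCode -eq 200 -and $r.Content.Trim() -eq 'probe')
    }
    catch { return $false }     # 401/403 from Windows Auth, or a WAF block, lands here
    finally { Remove-Item (Join-Path $dir $name) -ErrorAction SilentlyContinue }
}

Test-AcmeReadiness | Format-Table -AutoSize
```

A site that shows `ChallengePathBlocked = True` will return the same 403 to the ACME server that the issue title describes, so running `Test-AcmeReadiness -Fix` followed by `Test-ChallengePath -SiteName 'ZDGateway' -HostName 'www.zdservices.uk'` (names taken from the output above) gives a yes/no answer before a `--forcerenewal` test is attempted.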

Member

WouterTinus commented Oct 29, 2017

Since there's no more activity on this issue I'm going to close it. Issue #94 can be used to report similar issues.
