Extensionless Static Files are Very Painful to Configure Under IIS #15
Comments
Also, adding the mime type and messing with the mappings could easily create a security hole or botch up a web app. So I think we'd really want to avoid it. |
Unfortunately, the ACME server side of this is out of my control -- for that you'll need to plead your case to the team defining the ACME specification. However, I will say that the extension issue has already come up: ietf-wg-acme/acme#9 So you may want to weigh in there and give the Windows perspective of this issue. |
It looks like one alternative is to put a local
```xml
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <staticContent>
      <mimeMap fileExtension=".*" mimeType="text/json" />
    </staticContent>
  </system.webServer>
</configuration>
```
I haven't tried this out to see if it works in the default or common case, so I'll have to check it out, but this looks promising. |
This is the preferred way. I can confirm it works. |
I'm closing this ticket out as it's not really an issue that we have much control over, all we can do is try to satisfy the ACME spec. Also, the local web.config solution is working confirmed by @lennybacon and myself, and I'm rolling that as a standard feature of one of the other enhancements. |
I'll add the web.config to the windows client. That's easy enough for the mime-type. The second part where StaticFile needs to be ordered higher was needed on my systems. Maybe because I've been using ASP.net MVC on them. I had to find and follow this: http://stackoverflow.com/questions/11473632/extensionless-image-file-not-visible-in-iis7-5 It can be done in a web.config as well but it dumps out all of the handlers (there's like a hundred) to define a new sort order, which isn't a very good solution. |
I placed the web.config in place on my azure website, but unfortunately it does not work? Put the staticContent mimemap both in my root web.config as well as in the folder containing the authorization file. It gives me a 404. |
Unfortunately, I'm not familiar with Azure Websites (I assume you're talking about the PaaS offering?). Is there anything they put into the handler/module stack that would intercept and override? Maybe there is some info about supporting extensionless files in general on that platform? |
For me the ".*" did not work. I found another solution, by putting in "." (with asterisk) and as mimeType "text/html". |
Had to move StaticFile above Extensionless handlers so in the end for my iis this was the config that made things work
|
You only need the StaticFile handler in the directory so it's more straightforward and you can just clear all the other handlers
```xml
<?xml version = "1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <staticContent>
      <mimeMap fileExtension=".*" mimeType="text/plain" />
    </staticContent>
    <handlers>
      <clear />
      <add name="StaticFile" path="*" verb="*" type="" modules="StaticFileModule,DefaultDocumentModule,DirectoryListingModule" scriptProcessor="" resourceType="Either" requireAccess="Read" allowPathInfo="false" preCondition="" responseBufferLimit="4194304" />
    </handlers>
  </system.webServer>
</configuration>
```
|
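A pre-deployment check for a per-directory web.config like the ones posted above, as an added example that is not part of the original thread or of the ACMESharp project. It flags settings that widen what the challenge folder serves beyond a read-only static answer file; the function name, the set of content types treated as browser-rendered, and the sample input are assumptions made for this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the per-directory web.config in the thread.
SAMPLE = """<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <staticContent>
      <mimeMap fileExtension=".*" mimeType="text/plain" />
    </staticContent>
    <handlers>
      <clear />
      <add name="StaticFile" path="*" verb="*" modules="StaticFileModule"
           resourceType="Either" requireAccess="Read" />
    </handlers>
  </system.webServer>
</configuration>"""

# Assumption: content types a browser renders as active content.
ACTIVE_TYPES = {"text/html", "application/xhtml+xml", "image/svg+xml"}

def audit_challenge_config(xml_text):
    """Return findings for a web.config meant only for
    .well-known/acme-challenge; an empty list means nothing was flagged."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    ws = root.find("system.webServer")
    if ws is None:
        return ["no <system.webServer> section"]
    findings = []
    for m in ws.findall("staticContent/mimeMap"):
        ext, mime = m.get("fileExtension", ""), m.get("mimeType", "")
        if ext in (".", ".*") and mime.lower() in ACTIVE_TYPES:
            findings.append(f"catch-all extension {ext!r} served as {mime}")
    handlers = ws.find("handlers")
    if handlers is not None:
        children = list(handlers)
        if not children or children[0].tag != "clear":
            findings.append("handlers not cleared: inherited handlers still apply")
        for h in handlers.findall("add"):
            name = h.get("name")
            if h.get("requireAccess") in ("Write", "Script", "Execute"):
                findings.append(f"handler {name!r} asks for more than Read access")
            if "StaticFileModule" not in h.get("modules", ""):
                findings.append(f"handler {name!r} is not the static file module")
    return findings

if __name__ == "__main__":
    print(audit_challenge_config(SAMPLE) or "nothing flagged")
```

Run it against the file in the challenge folder rather than the site root, since a catch-all mimeMap at the root applies to the whole application.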
Hello Community, I tried your Web.config Files but the Files didn't work... do I have to reorder the Static File or not? Which is the right Folder for the Web.config File? this: C:\inetpub\wwwroot.well-known\acme-challenge Best Regards Jojo |
You put them in the root of your website. Can you be more specific on what is not working? |
I use the Default Web Site of IIS for Exchange 2016 OWA. If I open the Web Site in Explorer I see the wwwroot folder. There is already a web.config file... should I overwrite it or should I just add the code? Best Regards |
Just add the bit for the redirection....
|
Authorization Result: invalid The ACME server was probably unable to reach http://my domain/.well-known/acme-challenge/6b5X1Y_fpYlYkzeAG93S8 Check in a browser to see if the answer file is being served correctly. This could be caused by IIS not being setup to handle extensionless static
Can someone post steps |
I tried every solution suggested in here.
Still just 404s. |
Same here |
I can even browse to the file and I still get 'configuration checks failed' message. |
The leading dots are not going away, that's a convention that was not started by ACME. The |
Bottom line is, regardless of standards, while the leading dots are there letsencrypt is not fully compatible with IIS. Certify and win-simple do not work. But, I found a workaround that does not involve Mime or Handlers or installing software. There are other steps within these steps, but I am assuming IIS and mmc knowledge. |
So I'm puzzled -- using sslforfree.com you still do all the same exact steps as with ACMESharp, that is using the If you're more comfortable with manual setup, you should use the |
Honestly, I don't know what the difference is either, but the challenge worked and the win-simple challenge did not. Neither worked with ASP enabled. |
I also had similar issues using win-simple, the following web.config placed in the .well-known/acme-challenge folder worked for me, even though it was ASP.NET MVC site, which has those issues with ExtensionlessUrlHandler. The only difference I see to other suggested solutions is that this gives "everyone" (the star) permissions to access the folder, but win-simple even generates that by itself. Oddly enough, after this has been run successfully once, I can delete the web.config file from the folder, and subsequent runs work without issue.
|
I had to use steps outlined by 'tpcr' ... thank you! |
I was having so many issues getting this to work on a fresh Server 2016 install. FWIW this Stackoverflow comment fixed all the issues I was having: https://stackoverflow.com/a/12867753/1956355 |
Does this work on a Windows 7 or Windows 10 machine running IIS 6? I'm trying to work through this to get a cert for emby running. |
I found that temporarily disabling my rewrite rule that forced the site to port 443 allowed the check to go through. |
Don't be like me on a new Windows Server 2016 box with IIS! I was wondering why for ages I couldn't do this, despite the correct settings in web.config. For anyone else, go to the server root, then under management, click "Feature Delegation" and then make sure to set "Handler Mappings" from "Read Only" to "Read/Write". It worked straight away after that! |
@wilhil Thank you so much man! You absolutely saved me from going insane over this. |
On my Windows Server 2012 R2 server (IIS 8.5) deleting the web.config file ACMESharp keeps creating in the c:\inetpub\wwwroot.well-known\acme-challenge results in me being able to browse to the file and see "Extensionless File Config Test - OK". The problem is as soon as the test creates the web.config file in the folder, I get HTTP 500 errors and ACMESharp throws "Config checks failed to verify.." error. I've tried every combination of things mentioned above but at the end of the day, the web.config file it creates is the problem. How can I break out of this loop? |
Thanks Wilhil, it worked for me after changing from read only to read/write. |
I had the same issue with my existing website. When I removed the web.config in the root of my website, it worked. So I just changed the following in .well-known\acme-challenge\web.config
To
It worked after that. |
Extensionless Static Files are disabled in IIS and are extremely tricky to enable.
Here's the error message I put into the client to try to help:
Most likely this was caused by IIS not being setup to handle extensionless
static files. Here's how to fix that:
(like this http://i.stack.imgur.com/nkvrL.png)
This problem defeats the entire point of lets encrypt being super easy to use.
Can we maybe save the http-01 answer out to a .txt file and have the ACME server check for it there as a second try? Is there some way to tell the server an extension or can the servers just be changed to request the answer at a .txt file extension?