I am hosting an Umbraco CMS app in Azure. After following the instructions in this blog post, I am receiving the following error when I try to request and install a Let's Encrypt certificate using the Azure Let's Encrypt site extension:
System.Exception: The Lets Encrypt ACME server was probably unable to reach http://domain.com/.well-known/acme-challenge/token
I have verified that all of my app settings are correct, my extension was installed properly, and that there don't seem to be any network issues. What could be causing this issue?
The Let's Encrypt extension uses the http-01 challenge in ACME to validate your ownership of the domain. The extension will place a randomly generated token in a file on your web server, and the Let's Encrypt CA will attempt to retrieve that document over http. If you set your Azure Web App to https only, that validation request will be denied by the Azure Web App infrastructure and you will see a failure in renewal/creation.
This application automates the issuance and renewal of ACME SSL/TLS certificates: you can issue certificates from Let's Encrypt freely by simply adding the settings of one of the supported DNS providers. The certificates are stored inside Azure Key Vault.
As of August 2020, Azure CDN /… Integration with Key Vault makes it easy to use Let's Encrypt certificates with services such as Application Gateway and Azure Front Door. You can create all the resources you need from the Deploy to Azure button, just like the App Service version.
Turns out the problem has to do with the fact that the ACME challenge files are extensionless and the Umbraco pipeline tries to route all extensionless requests to a document within the CMS using OWIN.
James Dibble has written an excellent guide for how to create an OWIN configuration file to intercept any requests to "/.well-known" and serve up the ACME challenge files instead:
https://www.jdibble.co.uk/blog/using-letsencrypt-with-umbraco
You can find the gist of his code here:
https://gist.github.com/dibble-james/f47b0cba3494381588482c7f185861bf
One thing that was left out of his tutorial was that I also had to install the Microsoft.Owin.StaticFiles package. I also didn't know what he meant by "update the owin:appStartup app setting in your web.config," because I've never used OWIN before. If you just copy and paste his code, then you'll want to change the setting from this:
<add key="owin:appStartup" value="UmbracoDefaultOwinStartup" />
To this:
<add key="owin:appStartup" value="Startup" />
Here's a detailed article as to why:
http://www.asp.net/aspnet/overview/owin-and-katana/owin-startup-class-detection
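For readers who, like the answer above, have not used OWIN before, here is a complete Startup class of the kind the answer describes. It is an added example written for this page, not the code from the linked gist or from the Umbraco project. It assumes the Microsoft.Owin.StaticFiles and Microsoft.Owin.FileSystems NuGet packages are installed, that web.config has owin:appStartup set to "Startup" as shown above, and that ~/.well-known has been added to umbracoReservedPaths so Umbraco's module does not route the request to a content node first. The class name Startup and the path ~/.well-known/acme-challenge are the example's own choices.

```csharp
// Added example: an OWIN Startup class that serves Let's Encrypt http-01
// challenge files from /.well-known/acme-challenge before Umbraco's pipeline
// sees the request. Illustrative code written for this page, not the linked
// gist. Assumes the Microsoft.Owin.StaticFiles and Microsoft.Owin.FileSystems
// packages are installed, web.config contains
//   <add key="owin:appStartup" value="Startup" />
// and ~/.well-known is listed in umbracoReservedPaths.
using System.Web.Hosting;
using Microsoft.Owin;
using Microsoft.Owin.FileSystems;
using Microsoft.Owin.StaticFiles;
using Owin;
using Umbraco.Web;

// Registers this class as the OWIN startup; the web.config key above selects
// it by name. If you put the class in a namespace, use the fully qualified
// type name in owin:appStartup instead of the bare "Startup".
[assembly: OwinStartup(typeof(Startup))]

// Inherit Umbraco's default startup so Umbraco's own middleware (membership,
// back-office auth, etc.) is still configured after our branch.
public class Startup : UmbracoDefaultOwinStartup
{
    public override void Configuration(IAppBuilder app)
    {
        // Expose only the challenge directory, never the whole web root.
        // The Let's Encrypt extension writes the token files into this folder.
        string challengeRoot =
            HostingEnvironment.MapPath("~/.well-known/acme-challenge");

        // Map() creates a branch that handles only requests under this path;
        // everything else falls through to Umbraco below.
        app.Map("/.well-known/acme-challenge", branch =>
        {
            branch.UseStaticFiles(new StaticFileOptions
            {
                FileSystem = new PhysicalFileSystem(challengeRoot),
                // The ACME token files have no extension, so the static file
                // middleware would otherwise refuse to serve them (404).
                ServeUnknownFileTypes = true,
                // The CA expects the key authorization as plain text.
                DefaultContentType = "text/plain"
            });
            // Directory browsing is deliberately not enabled: the CA only ever
            // fetches a single named token file, so a listing serves no purpose.
        });

        // Hand everything else to Umbraco as usual.
        base.Configuration(app);
    }
}
```

After deploying, request http://domain.com/.well-known/acme-challenge/anyname over plain http: a 404 from this middleware (rather than an Umbraco "page not found" document) shows the branch is in place, a 200 with the file's text shows a real token will be served, and a redirect to https before the request reaches the app means the App Service "HTTPS Only" setting is still intercepting the validation request, as described in the earlier answer.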
In the web.config file for the site, add ~/.well-known to the umbracoReservedPaths element, and Let's Encrypt will be able to access the verification URL.
<add key="umbracoReservedPaths" value="~/umbraco,~/.well-known" />