Problem on creating new SSL with LetsEncrypt in DirectAdmin

mbsmt · Aug 3, 2016

Hi guys. I wanted to add new LetsEncrypt SSL to one account in DA, but I got the this error:

Code:

Cannot Execute Your Request

Details

Getting challenge for parniagroup.com from acme-server...
User let's encrypt key has been found, but not registered. Registering...
Account registration error. Response: HTTP/1.1 100 Continue 
Expires: Wed, 03 Aug 2016 08:08:26 GMT 
Cache-Control: max-age=0, no-cache, no-store 
Pragma: no-cache 

HTTP/1.1 400 Bad Request 
Server: nginx 
Content-Type: application/problem+json 
Content-Length: 265 
Boulder-Request-Id: vdS0ublv2yTS3g8BkAW4mjM9f-HCiYV6DgYrfCkaLqI 
Replay-Nonce: QUnGB2x_ZY1sJRrGG3MgS9fwtegzDawR8xj1uJ4E50o 
Expires: Wed, 03 Aug 2016 08:08:27 GMT 
Cache-Control: max-age=0, no-cache, no-store 
Pragma: no-cache 
Date: Wed, 03 Aug 2016 08:08:27 GMT 
Connection: close 

{
"type": "urn:acme:error:malformed",
"detail": "Provided agreement URL [https://letsencrypt.org/documents/LE-SA-v1.0.1-July-27-2015.pdf] does not match current agreement URL [https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf]",
"status": 400
}.

I had not such problem before. May you help me please?

smtalk · Aug 3, 2016

They have changed their license agreement and that broke the Let's Encrypt client used in DA. Please use CustomBuild 2.0 (at least rev. 1572) to update letsencrypt.sh script:

Code:

cd /usr/local/directadmin/custombuild
./build update
./build letsencrypt

Alternatively, "./build update_versions" can be used as well. The newest version of CustomBuild 2.0 is only available on files1.directadmin.com and files2.directadmin.com fileservers at the moment, other mirrors might take up to 24 hours to update.

To download the file manually (without CustomBuild), just execute:

Code:

wget -O /usr/local/directadmin/scripts/letsencrypt.sh http://files1.directadmin.com/services/all/letsencrypt.sh

mbsmt · Aug 3, 2016

smtalk said:
They have changed their license agreement and that broke the Let's Encrypt client used in DA. Please use CustomBuild 2.0 (at least rev. 1572) to update letsencrypt.sh script:

Code:

cd /usr/local/directadmin/custombuild ./build update ./build letsencrypt

Alternatively, "./build update_versions" can be used as well. The newest version of CustomBuild 2.0 is only available on files1.directadmin.com and files2.directadmin.com fileservers at the moment, other mirrors might take up to 24 hours to update.

To download the file manually (without CustomBuild), just execute:

Code:

wget -O /usr/local/directadmin/scripts/letsencrypt.sh http://files1.directadmin.com/services/all/letsencrypt.sh

Thank you smtalk. It solved my problem.
Just as a suggestion, I think DA must add a ./build rewrite_confs behind of adding new SSL certificates. Because whenever I add a new one, I got invalid SSL error. When I run this command on my VPS, all problems get solved.

ErikM · Aug 3, 2016

Thank you, this helped for me too

ditto · Aug 3, 2016

mbsmt said:
Thank you smtalk. It solved my problem.
Just as a suggestion, I think DA must add a ./build rewrite_confs behind of adding new SSL certificates. Because whenever I add a new one, I got invalid SSL error. When I run this command on my VPS, all problems get solved.

No, please never do that. I have some custom code that get overwritten. So I need to know that this only happen when I manually run ./build rewrite_confs so I can put my code back.

trix.hosting · Aug 3, 2016

error

I get this error when requesting certificate

{
"type": "urn:acme:error:unauthorized",
"detail": "Must agree to subscriber agreement before any further actions",
"status": 403
}. Exiting...

I have update cb2.0 1572

ikkeben · Aug 3, 2016

trix.hosting said:
I get this error when requesting certificate

{
"type": "urn:acme:error:unauthorized",
"detail": "Must agree to subscriber agreement before any further actions",
"status": 403
}. Exiting...

I have update cb2.0 1572

If still not work look here for what is in the letsencrypt script file itself
http://forum.directadmin.com/showthread.php?t=53564&p=274596#post274596

trix.hosting · Aug 3, 2016

Not solving yet

ikkeben said:
If still not work look here for what is in the letsencrypt script file itself
http://forum.directadmin.com/showthread.php?t=53564&p=274596#post274596

Still with the same message, your sugestion just take me to the other post and loop again to this threath.

Any solution to the error?

trix.hosting · Aug 4, 2016

Still not working

I still have the sale error? Any further assistance?

trix.hosting · Aug 4, 2016

Still not working

This is the content of the error
Getting challenge for computer-c.com.ar from acme-server...
User let's encrypt key has been found, but not registered. Registering...
Account is already registered.
Getting challenge for computer-c.com.ar from acme-server...
new-authz error: HTTP/1.1 100 Continue
Expires: Thu, 04 Aug 2016 13:31:25 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache

HTTP/1.1 403 Forbidden
Server: nginx
Content-Type: application/problem+json
Content-Length: 137
Boulder-Request-Id: 0CTWoztuHTfcD0Taws_yrQrjbR5NS-aRmVeZNx44jh4
Boulder-Requester: 2894051
Replay-Nonce: gpDrzdN8SwxKhYbZOmHGoXp6K1-Q7ynF3HviJldA8Ho
Expires: Thu, 04 Aug 2016 13:31:25 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 04 Aug 2016 13:31:25 GMT
Connection: close

{
"type": "urn:acme:error:unauthorized",
"detail": "Must agree to subscriber agreement before any further actions",
"status": 403
}. Exiting...

smtalk · Aug 4, 2016

I'd suggest opening a ticket in tickets.directadmin.com with root password attached as encrypted data.

SeLLeRoNe · Aug 4, 2016

Have you manually check the script?

Code:

cat /usr/local/directadmin/scripts/letsencrypt.sh | grep "LICENSE="

If the output is wrong (or empty) try to follow the solution i've posted using this:

Code:

LETSENCRYPT_LICENSE=`curl -I https://acme-v01.api.letsencrypt.org/terms 2>/dev/null | grep \"Location:\" | cut -d\  -f2`
sed -i "s/LICENSE=.*/LICENSE=\"$LETSENCRYPT_LICENSE\"/" /usr/local/directadmin/scripts/letsencrypt.sh

And try again.

@smtalk: I can see that CB don't fix the issue, my LICENSE is empty and i'm running rev 1572

Edit: Apparently the first time you run ./build letsencrypt it doesn't fix the issue, the second time it does:

Code:

>cat /usr/local/directadmin/scripts/letsencrypt.sh | grep "LICENSE="
LICENSE=""
>./build version
2.0.0 (rev: 1572)
>./build letsencrypt
cat /usr/local/directadmin/scripts/letsencrypt.sh | grep "LICENSE="
Downloading             letsencrypt.sh...
--2016-08-04 16:28:14--  http://files11.directadmin.com/services/custombuild/all/letsencrypt.sh
Resolving files11.directadmin.com... 93.63.162.59
Connecting to files11.directadmin.com|93.63.162.59|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 18114 (18K) [text/plain]
Saving to: `/usr/local/directadmin/custombuild/letsencrypt.sh'

100%[========================================================================================================================================================================>] 18,114      --.-K/s   in 0s

2016-08-04 16:28:18 (180 MB/s) - `/usr/local/directadmin/custombuild/letsencrypt.sh' saved [18114/18114]

Let's encrypt client 1.0.0 has been installed.
>cat /usr/local/directadmin/scripts/letsencrypt.sh | grep "LICENSE="
LICENSE="https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf"

Regards

ditto · Aug 4, 2016

@SeLLeRoNe, For me it worked the first time. But I did run ./build update first, maybe you did not?

SeLLeRoNe · Aug 5, 2016

Yep, quite sure, actually is the first release so it was quite mandatory to run the update first

Anyway, it's a mistery and now is working.. so.. nevermind

Regards

DirectAdmin Support · Aug 5, 2016

Found the issue to be that the old User letsencrypt.key file is essentially the signature, approving the policies.
So when we update to a newer certificate, where they've updated their policies, we must re-sign to approve the new policies...
This basically just means we need to delete the old letsencrypt.key file, and the letsnecrypt.sh file will generate a new one.

I've added a workaround here:
https://help.directadmin.com/item.php?id=640

We might need to update the letsencrypt.sh recognize this error, delete the letsencrypt.key, and try again.
For now though, just delete the old letsencrypt.key.

John

ditto · Aug 6, 2016

@John, Please implement automatically deletion of letsencrypt.key. On shared hosting we have many customers that each have many domains that all use Let's Encrypt. We do not have overview for wich customers and domains that is using Let's Encrypt. I expect a lot of support tickets because of this, if the problem is not fixed by automatically delete the old letsencrypt.key

DirectAdmin Support · Aug 6, 2016

Updated to 1.0.1.
I've simply done a very basic mtime check on the letsencrypt.key file.
If it's mtime is older than 1470383674 (sometime on August 5th), it will be removed, and re-generation will happen automatically.
This way, if they come out with a newer agreement again, we just bump up this number.

It's on files1 if anyone wants it now:

Code:

wget -O /usr/local/directadmin/scripts/letsencrypt.sh http://files1.directadmin.com/services/all/letsencrypt.sh

John

MauriceO · Aug 12, 2016

I'm trying to create a SSL certificate for the Directadmin

> letsencrypt.sh request <servername> 4096

Code:

Connection: close

{
  "type": "urn:acme:error:invalidEmail",
  "detail": "DNS problem: NXDOMAIN looking up MX for <servername>",
  "status": 400
}.

There is a MX record in DNS available.

After trying it several times I get the following error:

Code:

Setting up certificate for a hostname: <servername>
Getting challenge for <servername> from acme-server...
Waiting for domain verification...
Challenge is invalid. Details: No valid IP addresses found for <servername>. Exiting...

There is an IP address connected to <servername>, and <servername> is reachable via Internet browser.

How can I solve these issues?

Have set the parameter in directadmin.conf: letsencrypt=1
The version of letsencrypt.sh is 1.0.1

riderxxx · Dec 24, 2016

Sorry for bumping, but this is happening to me now two. I updated Let's Encrypt plugin to 1.0.4 (./build letsencrypt) and in the .sh file, it's LICENSE=https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf

"type": "urn:acme:error:malformed",
"detail": "Provided agreement URL [https://letsencrypt.org/documents/LE-SA-v1.0.1-July-27-2015.pdf] does not match current agreement URL [https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf]",
"status": 400
}.

piotrv · Dec 28, 2016

@riderxxx
I've only looked first time at lestencrypt today.
I've set letsencrypt=1 option in the directadmin.conf and restarted DirectAdmin.
Then updated letsencrypt.sh to Let's Encrypt Client 1.0.4
Then ran

Code:

 ./letsencrypt.sh request my.servername.com  4096

(my.servername.com must be equal to the servername variable in directadmin.conf)

Through these steps the Let's Encrypt Client is not breaking again, the certificate for my hostname is setup properly and in my web browser https://my.servername.com:2222 shows a secure connection verified by Let's Encrypt CA

Problem on creating new SSL with LetsEncrypt in DirectAdmin

Verified User

Administrator

Verified User

Verified User

Verified User

Verified User

Verified User

Verified User

Verified User

Verified User

Administrator

Super Moderator

Verified User

Super Moderator

Administrator

Verified User

Administrator

Verified User

Verified User

Verified User