Problem on creating new SSL with LetsEncrypt in DirectAdmin

mbsmt (Verified User, joined Jul 24, 2013, 175 messages, Mashhad, Iran)
Hi guys. I wanted to add a new LetsEncrypt SSL certificate to one account in DA, but I got this error:
Code:
Cannot Execute Your Request

Details

Getting challenge for parniagroup.com from acme-server...
User let's encrypt key has been found, but not registered. Registering...
Account registration error. Response: HTTP/1.1 100 Continue 
Expires: Wed, 03 Aug 2016 08:08:26 GMT 
Cache-Control: max-age=0, no-cache, no-store 
Pragma: no-cache 

HTTP/1.1 400 Bad Request 
Server: nginx 
Content-Type: application/problem+json 
Content-Length: 265 
Boulder-Request-Id: vdS0ublv2yTS3g8BkAW4mjM9f-HCiYV6DgYrfCkaLqI 
Replay-Nonce: QUnGB2x_ZY1sJRrGG3MgS9fwtegzDawR8xj1uJ4E50o 
Expires: Wed, 03 Aug 2016 08:08:27 GMT 
Cache-Control: max-age=0, no-cache, no-store 
Pragma: no-cache 
Date: Wed, 03 Aug 2016 08:08:27 GMT 
Connection: close 

{
"type": "urn:acme:error:malformed",
"detail": "Provided agreement URL [https://letsencrypt.org/documents/LE-SA-v1.0.1-July-27-2015.pdf] does not match current agreement URL [https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf]",
"status": 400
}.

I did not have this problem before. Could you help me, please?
 
They have changed their license agreement and that broke the Let's Encrypt client used in DA. Please use CustomBuild 2.0 (at least rev. 1572) to update the letsencrypt.sh script:
Code:
cd /usr/local/directadmin/custombuild
./build update
./build letsencrypt

Alternatively, "./build update_versions" can be used as well. The newest version of CustomBuild 2.0 is only available on files1.directadmin.com and files2.directadmin.com fileservers at the moment, other mirrors might take up to 24 hours to update.

To download the file manually (without CustomBuild), just execute:
Code:
wget -O /usr/local/directadmin/scripts/letsencrypt.sh http://files1.directadmin.com/services/all/letsencrypt.sh
 
Thank you smtalk. It solved my problem.
Just as a suggestion, I think DA should run ./build rewrite_confs after adding new SSL certificates, because whenever I add a new one I get an invalid SSL error. When I run this command on my VPS, all problems get solved.
 
No, please never do that. I have some custom code that gets overwritten. So I need to know that this only happens when I manually run ./build rewrite_confs, so I can put my code back.
 
Error

I get this error when requesting a certificate:

{
"type": "urn:acme:error:unauthorized",
"detail": "Must agree to subscriber agreement before any further actions",
"status": 403
}. Exiting...

I have updated CB 2.0 to rev. 1572.
 
Still not working

This is the content of the error
Getting challenge for computer-c.com.ar from acme-server...
User let's encrypt key has been found, but not registered. Registering...
Account is already registered.
Getting challenge for computer-c.com.ar from acme-server...
new-authz error: HTTP/1.1 100 Continue
Expires: Thu, 04 Aug 2016 13:31:25 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache

HTTP/1.1 403 Forbidden
Server: nginx
Content-Type: application/problem+json
Content-Length: 137
Boulder-Request-Id: 0CTWoztuHTfcD0Taws_yrQrjbR5NS-aRmVeZNx44jh4
Boulder-Requester: 2894051
Replay-Nonce: gpDrzdN8SwxKhYbZOmHGoXp6K1-Q7ynF3HviJldA8Ho
Expires: Thu, 04 Aug 2016 13:31:25 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 04 Aug 2016 13:31:25 GMT
Connection: close

{
"type": "urn:acme:error:unauthorized",
"detail": "Must agree to subscriber agreement before any further actions",
"status": 403
}. Exiting...
 
I'd suggest opening a ticket in tickets.directadmin.com with root password attached as encrypted data.
 
Have you manually checked the script?

Code:
grep "LICENSE=" /usr/local/directadmin/scripts/letsencrypt.sh

If the output is wrong (or empty), try to follow the solution I've posted using this:
Code:
# Follow the redirect on /terms to get the current agreement URL; strip the CR that
# ends each HTTP header line so it does not end up inside the quotes.
LETSENCRYPT_LICENSE=$(curl -sI https://acme-v01.api.letsencrypt.org/terms | grep -i '^Location:' | cut -d' ' -f2 | tr -d '\r')
# Use | as the sed delimiter: the URL itself contains slashes.
sed -i "s|^LICENSE=.*|LICENSE=\"$LETSENCRYPT_LICENSE\"|" /usr/local/directadmin/scripts/letsencrypt.sh

And try again.

@smtalk: I can see that CB doesn't fix the issue, my LICENSE is empty and I'm running rev 1572 ;)

Edit: Apparently the first time you run ./build letsencrypt it doesn't fix the issue, the second time it does:
Code:
>cat /usr/local/directadmin/scripts/letsencrypt.sh | grep "LICENSE="
LICENSE=""
>./build version
2.0.0 (rev: 1572)
>./build letsencrypt
cat /usr/local/directadmin/scripts/letsencrypt.sh | grep "LICENSE="
Downloading             letsencrypt.sh...
--2016-08-04 16:28:14--  http://files11.directadmin.com/services/custombuild/all/letsencrypt.sh
Resolving files11.directadmin.com... 93.63.162.59
Connecting to files11.directadmin.com|93.63.162.59|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 18114 (18K) [text/plain]
Saving to: `/usr/local/directadmin/custombuild/letsencrypt.sh'

100%[========================================================================================================================================================================>] 18,114      --.-K/s   in 0s

2016-08-04 16:28:18 (180 MB/s) - `/usr/local/directadmin/custombuild/letsencrypt.sh' saved [18114/18114]

Let's encrypt client 1.0.0 has been installed.
>cat /usr/local/directadmin/scripts/letsencrypt.sh | grep "LICENSE="
LICENSE="https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf"

Regards
 
@SeLLeRoNe, For me it worked the first time. But I did run ./build update first, maybe you did not?
 
Yep, quite sure; actually it is the first release, so it was quite mandatory to run the update first :D

Anyway, it's a mystery and now it is working.. so.. never mind :D

Regards
 
Found the issue to be that the old User letsencrypt.key file is essentially the signature approving the policies.
So when we update to a newer certificate, where they've updated their policies, we must re-sign to approve the new policies...
This basically just means we need to delete the old letsencrypt.key file, and the letsencrypt.sh file will generate a new one.

I've added a workaround here:
https://help.directadmin.com/item.php?id=640

We might need to update the letsencrypt.sh recognize this error, delete the letsencrypt.key, and try again.
For now though, just delete the old letsencrypt.key.

John
 
@John, please implement automatic deletion of letsencrypt.key. On shared hosting we have many customers that each have many domains that all use Let's Encrypt. We do not have an overview of which customers and domains are using Let's Encrypt. I expect a lot of support tickets because of this if the problem is not fixed by automatically deleting the old letsencrypt.key.
 
Updated to 1.0.1.
I've simply done a very basic mtime check on the letsencrypt.key file.
If its mtime is older than 1470383674 (sometime on August 5th), it will be removed, and re-generation will happen automatically.
This way, if they come out with a newer agreement again, we just bump up this number.

It's on files1 if anyone wants it now:
Code:
wget -O /usr/local/directadmin/scripts/letsencrypt.sh http://files1.directadmin.com/services/all/letsencrypt.sh
John
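The key-removal logic John describes in his two posts above (the account key carries the agreement it was registered under, so a key older than the agreement cut-off is deleted and regenerated on the next run), written out as an added shell example. This is not DirectAdmin's letsencrypt.sh; the cut-off timestamp is the one from the post, the path to the key file is a placeholder, and `stat` is assumed to be GNU or BSD stat:

```shell
#!/bin/sh
# Added example, not DirectAdmin's letsencrypt.sh. Any account key created before
# this epoch timestamp (1470383674, 2016-08-05 per John's post) was registered under
# the old subscriber agreement and must be replaced; bump the number when the
# agreement changes again.
AGREEMENT_CUTOFF=1470383674

# key_mtime FILE: print the file's mtime as epoch seconds (GNU stat, then BSD stat).
key_mtime() {
    stat -c %Y "$1" 2>/dev/null || stat -f %m "$1"
}

# maybe_remove_stale_key FILE
# Removes FILE and returns 0 if it predates the cut-off. Returns 1 if the key is
# kept, or if it does not exist (a fresh key gets generated and registered anyway).
maybe_remove_stale_key() {
    key="$1"
    [ -f "$key" ] || return 1
    mtime=$(key_mtime "$key") || return 1
    if [ "$mtime" -lt "$AGREEMENT_CUTOFF" ]; then
        echo "$key predates the current subscriber agreement; removing it so the client regenerates and re-registers it" >&2
        rm -f "$key"
        return 0
    fi
    return 1
}

# Usage: ./check_key.sh /path/to/the/users/letsencrypt.key   (path is a placeholder)
if [ $# -gt 0 ]; then
    maybe_remove_stale_key "$1"
fi
```

Running it before the request step means a key registered under the old agreement is dropped automatically, which is what the "Must agree to subscriber agreement" 403 earlier in the thread was complaining about; a key newer than the cut-off is left alone.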
 
I'm trying to create a SSL certificate for the Directadmin

Code:
letsencrypt.sh request <servername> 4096

Code:
Connection: close

{
  "type": "urn:acme:error:invalidEmail",
  "detail": "DNS problem: NXDOMAIN looking up MX for <servername>",
  "status": 400
}.

There is a MX record in DNS available.


After trying it several times I get the following error:


Code:
Setting up certificate for a hostname: <servername>
Getting challenge for <servername> from acme-server...
Waiting for domain verification...
Challenge is invalid. Details: No valid IP addresses found for <servername>. Exiting...

There is an IP address connected to <servername>, and <servername> is reachable via Internet browser.

How can I solve these issues?

Have set the parameter in directadmin.conf: letsencrypt=1
The version of letsencrypt.sh is 1.0.1
 
Sorry for bumping, but this is happening to me now too. I updated the Let's Encrypt plugin to 1.0.4 (./build letsencrypt) and in the .sh file it's LICENSE=https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf

"type": "urn:acme:error:malformed",
"detail": "Provided agreement URL [https://letsencrypt.org/documents/LE-SA-v1.0.1-July-27-2015.pdf] does not match current agreement URL [https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf]",
"status": 400
}.
 
@riderxxx
I've only looked at letsencrypt for the first time today.
I've set letsencrypt=1 option in the directadmin.conf and restarted DirectAdmin.
Then updated letsencrypt.sh to Let's Encrypt Client 1.0.4
Then ran
Code:
 ./letsencrypt.sh request my.servername.com  4096

(my.servername.com must be equal to the servername variable in directadmin.conf)

Through these steps the Let's Encrypt Client is not breaking again, the certificate for my hostname is setup properly and in my web browser https://my.servername.com:2222 shows a secure connection verified by Let's Encrypt CA :)
 