
Thread: Letsencrypt renew issue for server

  1. #1
    Join Date
    Jul 2008
    Location
    Maastricht
    Posts
    3,076

    Letsencrypt renew issue for server

    I got this message today in the DA ticket system:
    Code:
    Getting challenge for mydomain.nl from acme-server...
    Waiting for domain verification...
    Challenge is valid.
    Getting challenge for www.mydomain.nl from acme-server...
    new-authz error: HTTP/1.1 100 Continue
    Expires: Wed, 02 Aug 2017 22:15:42 GMT
    Cache-Control: max-age=0, no-cache, no-store
    Pragma: no-cache
    
    HTTP/1.1 500 Internal Server Error
    Server: AkamaiGHost
    Mime-Version: 1.0
    Content-Type: text/html
    Content-Length: 176
    Expires: Wed, 02 Aug 2017 22:15:42 GMT
    Cache-Control: max-age=0, no-cache, no-store
    Pragma: no-cache
    Date: Wed, 02 Aug 2017 22:15:42 GMT
    Connection: close
    
    <HTML><HEAD><TITLE>Error</TITLE></HEAD><BODY>
    An error occurred while processing your request.<p>
    Reference #179.49184a17.1501712142.4be1650
    </BODY></HTML>. Exiting...
    So I tried a little bit different and got this result:
    Code:
    Cannot Execute Your Request
    
    Details
    
    Getting challenge for mydomain.nl from acme-server...
    Waiting for domain verification...
    Challenge is valid.
    Getting challenge for www.mydomain.nl from acme-server...
    Waiting for domain verification...
    Challenge is valid.
    Generating 4096 bit RSA key for mydomain.nl...
    openssl genrsa 4096 > "/usr/local/directadmin/data/users/admin/domains/mydomain.nl.key.new"
    Generating RSA private key, 4096 bit long modulus
    ......................++
    ...................................................................++
    e is 65537 (0x10001)
    Size of certificate response is smaller than 500 characters, it means something went wrong. Printing response...
    "detail": "Error creating new cert :: authorizations for these names not found or expired: server.mydomain.nl"
    I don't understand what's going wrong.
    DA 1.51.4
    Letsencrypt 1.0.12
    Apache 2.4.27
    Greetings, Richard.

  2. #2
    Join Date
    May 2014
    Location
    Netherlands Germany
    Posts
    293
    Please keep all kinds of the same problems together, maybe someone knows a solution faster then. Sorry Richard, I don't know, but take/read the latest 3 posts about the issue... see also the last added link by me
    http://forum.directadmin.com/showthread.php?t=55142
    http://forum.directadmin.com/showthread.php?t=55141
    http://forum.directadmin.com/showthread.php?t=55149
    http://forum.directadmin.com/showthread.php?t=55128
    Last edited by ikkeben; 08-04-2017 at 04:51 AM.
    DUTCH GERMAN, GERMAN DUTCH

  3. #3
    I wanted to try ikkeben but there was no such issue before I posted my message.

    You added some links but...

    1st link is posted -after- my post.
    2nd link is from myself.
    3rd link is even from today so also after my post.

    The last thread you added has a completely different error notice "dont have permission to view the ticket". Which does not correspond with my error, except for the renewal error notice. Next to that Tom stated in fact the renewal took place successfully which is not the case on my server. So in my opinion that is a different issue.

    The other 3 are similar and could be added to my post, which only a moderator can do.

    Edit: I pointed DA support to this thread.
    Last edited by Richard G; 08-04-2017 at 06:14 AM.
    Greetings, Richard.

  4. #4
    Quote: Originally Posted by Richard G
    I wanted to try ikkeben but there was no such issue before I posted my message.

    You added some links but...

    1st link is posted -after- my post.
    2nd link is from myself.
    3rd link is even from today so also after my post.

    The last thread you added has a completely different error notice "dont have permission to view the ticket". Which does not correspond with my error, except for the renewal error notice. Next to that Tom stated in fact the renewal took place successfully which is not the case on my server. So in my opinion that is a different issue.

    The other 3 are similar and could be added to my post, which only a moderator can do.

    Edit: I pointed DA support to this thread.
    No, sorry, I was trying to say for the other posts to get, when they have some in common, all pointed to each other because it makes no sense, so not at your address (therefore the "sorry Richard" in my text), I don't know which is different too, for readers who find 1 topic maybe helpful if tough problems to check.

    So no offence only pointing out.

    I hope someone or DA support has found a solution yet?
    DUTCH GERMAN, GERMAN DUTCH

  5. #5
    Oh no problem ikkeben, no sorry needed (I might have misunderstood the reason a bit, sorry) and no offence taken.
    It's a good thing of you to state at the other threads it's better to collect and post over here, gathering the same issue together, which is better for a total solution.

    I wrote an email to DA support pointing to this thread and asking for help. So I hope it will be fixed soon.
    Normally they answer here in the thread if I ask an answer pointing to a thread.
    Greetings, Richard.

  6. #6
    I've just tested it with a sample domain on our test box, and didn't run into any issues.
    The way I triggered it was to set the file:
    Code:
    /usr/local/directadmin/data/users/user/domains/domain.com.cert.creation_time
    to ~61 days ago, eg:
    Code:
    1496621023
    and then manually trigger the task.queue:
    Code:
    cd /usr/local/directadmin
    echo "action=rewrite&value=letsencrypt" >> data/task.queue; ./dataskq d3100
    service httpd restart
    but as often happens when I try things, they work fine.

    1) As for your case, the "500 Internal Server Error" from their end might actually be a temporary issue on their site.. or might also be how they indicate you've hit a rate-limit.
    I googled that and ended up here:
    https://community.letsencrypt.org/t/...set-up/20115/8

    Which indicates that it could be a rate limit of some sort... not 100% sure. If that is the case, then try again later.

    2) Googling of this error
    Code:
    Error creating new cert :: authorizations for these names not found or expired
    pointed me here:
    https://community.letsencrypt.org/t/...th-ngrok/36856

    which would indicate that the LetsEncrypt servers don't know what the request is... perhaps hasn't been renewed soon enough, perhaps they drop values after a certain period... or maybe new values were added to the san_conf after the original request, so when the renewal happened, it's asking to renew things that are not there. So changes in the san_config mid-cert might be rejected by LE.
    If that is the case, then just start that cert over again, with a fresh request, the same way you did it the first time, but with whichever values you need now.

    3) If a subdomain or pointer is deleted mid-cert, then I have already added changes to DA to exclude them from the san_config before the next renewal:
    https://www.directadmin.com/features.php?id=2005
    so trying the DA pre-release binaries would be needed if you want to see if that helps.

    John
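
An added example (not part of John's post and not DirectAdmin code): a small shell/awk check over the letsencrypt output that lists each name the CA rejected and whether a challenge for that name was validated in the same run, which is the mismatch point 2 describes. The sample log is constructed from the output quoted in post #1; `sample_log` and `rejected_names` are hypothetical helper names.

```shell
#!/bin/sh
# Added example: which names in an "authorizations ... not found or expired"
# error never had a validated challenge in the same run?

# Constructed sample, modelled on the output quoted in post #1.
sample_log() {
cat <<'EOF'
Getting challenge for mydomain.nl from acme-server...
Waiting for domain verification...
Challenge is valid.
Getting challenge for www.mydomain.nl from acme-server...
Waiting for domain verification...
Challenge is valid.
"detail": "Error creating new cert :: authorizations for these names not found or expired: server.mydomain.nl"
EOF
}

# Reads a log on stdin; prints "<name> <tag>" for every name the CA rejected.
# Tag is "never-challenged" or "challenged-but-rejected".
rejected_names() {
    awk '
    /^ *Getting challenge for / {
        pending = $4            # name waiting for a validation result
        next
    }
    /Challenge is valid/ {
        if (pending != "") { valid[pending] = 1; pending = "" }
        next
    }
    /authorizations for these names not found or expired:/ {
        list = $0
        sub(/.*not found or expired: */, "", list)
        gsub(/[" \t\r]/, "", list)      # drop quotes and blanks
        n = split(list, names, ",")
        for (i = 1; i <= n; i++) {
            if (names[i] == "") continue
            tag = (names[i] in valid) ? "challenged-but-rejected" : "never-challenged"
            print names[i], tag
        }
    }'
}

sample_log | rejected_names
```

A `never-challenged` name is one that was in the certificate request but got no authorization in that run, so the place to look is the list of names being requested rather than the challenge files.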

  7. #7
    Quote: Originally Posted by DirectAdmin Support

    3) If a subdomain or pointer is deleted mid-cert, then I have already added changes to DA to exclude them from the san_config before the next renewal:
    https://www.directadmin.com/features.php?id=2005
    so trying the DA pre-release binaries would be needed if you want to see if that helps.

    John
    (renew, change, add cert manually, then the old still stayed to renew too somehow at Letsencrypt)
    Some users here in the forum have such issues, so could be that, let's hope it is.
    Last edited by ikkeben; 08-05-2017 at 03:34 AM.
    DUTCH GERMAN, GERMAN DUTCH

  8. #8
    The issue is with the main domain.
    If that is the case, then just start that cert over again, with a fresh request, the same way you did it the first time, but with whichever values you need now.
    That is what I tried and then the error mentioned in the second part I quoted. I don't have a rate limit, renewal is tried once a day for that domain.

    I can see if I can do it the way you did. And report back here.
    Greetings, Richard.

  9. #9
    Nope, not working with the manual thing.

    I now tried option 2. Revert back to the server's main certificate (before I just re-created without reverting first).
    Wait a couple of minutes and then create a new certificate. That seemed to do the trick.

    Thank you!
    Greetings, Richard.
