Letsencrypt renew issue for server

Richard G

I got this message today in the DA ticket system:
Code:
Getting challenge for mydomain.nl from acme-server...
Waiting for domain verification...
Challenge is valid.
Getting challenge for www.mydomain.nl from acme-server...
new-authz error: HTTP/1.1 100 Continue
Expires: Wed, 02 Aug 2017 22:15:42 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache

HTTP/1.1 500 Internal Server Error
Server: AkamaiGHost
Mime-Version: 1.0
Content-Type: text/html
Content-Length: 176
Expires: Wed, 02 Aug 2017 22:15:42 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 02 Aug 2017 22:15:42 GMT
Connection: close

<HTML><HEAD><TITLE>Error</TITLE></HEAD><BODY>
An error occurred while processing your request.<p>
Reference #179.49184a17.1501712142.4be1650
</BODY></HTML>. Exiting...

So I tried a little bit different and got this result:
Code:
Cannot Execute Your Request

Details

Getting challenge for mydomain.nl from acme-server...
Waiting for domain verification...
Challenge is valid.
Getting challenge for www.mydomain.nl from acme-server...
Waiting for domain verification...
Challenge is valid.
Generating 4096 bit RSA key for mydomain.nl...
openssl genrsa 4096 > "/usr/local/directadmin/data/users/admin/domains/mydomain.nl.key.new"
Generating RSA private key, 4096 bit long modulus
......................++
...................................................................++
e is 65537 (0x10001)
Size of certificate response is smaller than 500 characters, it means something went wrong. Printing response...
"detail": "Error creating new cert :: authorizations for these names not found or expired: server.mydomain.nl"

I don't understand what's going wrong.
DA 1.51.4
Letsencrypt 1.0.12
Apache 2.4.27
 
I wanted to try ikkeben but there was no such issue before I posted my message.

You added some links but...

The 1st link was posted -after- my post.
The 2nd link is from myself. :)
The 3rd link is even from today, so also after my post.

The last thread you added has a completely different error notice, "don't have permission to view the ticket", which does not correspond with my error, except for the renewal error notice. Next to that, Tom stated that in fact the renewal took place successfully, which is not the case on my server. So in my opinion that is a different issue.

The other 3 are similar and could be added to my post, which only a moderator can do.

Edit: I pointed DA support to this thread.
 

No, sorry, I was trying to say that the other posts, when they have something in common, should all point to each other, because otherwise it makes no sense; so it was not addressed at you (therefore the "sorry Richard" in my text). I don't know which is different, but for readers who find one topic it is maybe helpful to check if they have those problems.

So no offence only pointing out.

I hope someone or DA support has found a solution YET?
 
Oh, no problem ikkeben, no sorry needed (I might have misunderstood the reason a bit, sorry) and no offence taken.
It's a good thing of you to state in the other threads that it's better to collect and post over here, gathering the same issue together, which is better for a total solution.

I wrote an email to DA support pointing to this thread and asking for help. So I hope it will be fixed soon.
Normally they answer here in the thread if I ask for an answer, pointing to a thread.
 
I've just tested it with a sample domain on our test box, and didn't run into any issues.
The way I triggered it was to set the file:
Code:
/usr/local/directadmin/data/users/user/domains/domain.com.cert.creation_time
to ~61 days ago, e.g.:
Code:
1496621023
and then manually trigger the task.queue:
Code:
cd /usr/local/directadmin
echo "action=rewrite&value=letsencrypt" >> data/task.queue; ./dataskq d3100
service httpd restart
but as often happens when I try things, they work fine.

1) As for your case, the "500 Internal Server Error" from their end might actually be a temporary issue on their site... or might also be how they indicate you've hit a rate limit.
I googled that and ended up here:
https://community.letsencrypt.org/t...l-server-error-while-trying-to-set-up/20115/8

Which indicates that it could be a rate limit of some sort... not 100% sure. If that is the case, then try again later.

2) Googling of this error
Code:
Error creating new cert :: authorizations for these names not found or expired
pointed me here:
https://community.letsencrypt.org/t...e-names-not-found-or-expired-with-ngrok/36856

which would indicate that the LetsEncrypt servers don't know what the request is... perhaps it hasn't been renewed soon enough, perhaps they drop values after a certain period... or maybe new values were added to the san_conf after the original request, so when the renewal happened, it's asking to renew things that are not there. So changes in the san_config mid-cert might be rejected by LE.
If that is the case, then just start that cert over again, with a fresh request, the same way you did it the first time, but with whichever values you need now.

3) If a subdomain or pointer is deleted mid-cert, then I have already added changes to DA to exclude them from the san_config before the next renewal:
https://www.directadmin.com/features.php?id=2005
so trying the DA pre-release binaries would be needed if you want to see if that helps.

John
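To tell John's two failure modes apart from the letsencrypt.sh output (an authorization the ACME server failed, versus a name that ends up in the certificate request without ever having been challenged in that run), here is an added Python checker; it is not DirectAdmin's or Let's Encrypt's code, and the two transcripts it parses are constructed to match the shape of the logs pasted above.

```python
import re
# Constructed sample transcripts shaped like the two pasted in this thread (placeholder hostnames).
RUN_AUTHZ_FAILED = """\
Getting challenge for mydomain.nl from acme-server...
Waiting for domain verification...
Challenge is valid.
Getting challenge for www.mydomain.nl from acme-server...
new-authz error: HTTP/1.1 100 Continue
HTTP/1.1 500 Internal Server Error
"""
RUN_STALE_SAN = """\
Getting challenge for mydomain.nl from acme-server...
Waiting for domain verification...
Challenge is valid.
Getting challenge for www.mydomain.nl from acme-server...
Waiting for domain verification...
Challenge is valid.
Generating 4096 bit RSA key for mydomain.nl...
"detail": "Error creating new cert :: authorizations for these names not found or expired: server.mydomain.nl"
"""
CHALLENGE_RE = re.compile(r"^Getting challenge for (\S+) from acme-server")
MISSING_RE = re.compile(r'authorizations for these names not found or expired: ([^"]+)')

def parse_run(text):
    """Split a DirectAdmin letsencrypt.sh transcript into per-name outcomes."""
    authorized, failed, missing, current = [], {}, [], None
    for line in text.splitlines():
        m = CHALLENGE_RE.match(line)
        if m:
            current = m.group(1)            # a new per-name authorization starts
        elif line.startswith("Challenge is valid.") and current:
            authorized.append(current)
        elif line.startswith("new-authz error:") and current:
            failed[current] = line.strip()  # first line of the ACME error
        elif line.startswith("HTTP/1.1 ") and current in failed:
            failed[current] = line.strip()  # keep the final status line, e.g. the 500
        mm = MISSING_RE.search(line)
        if mm:                              # names rejected at the new-cert step
            missing = [n.strip() for n in mm.group(1).split(",") if n.strip()]
    return {"authorized": authorized, "failed": failed, "missing": missing}

def diagnose(run):
    """Map each bad name to the likely cause John describes above."""
    out = [f"{n}: authorization failed ({s}); ACME-side error or rate limit, retry later"
           for n, s in run["failed"].items()]
    for name in run["missing"]:
        cause = ("authorized this run but rejected; retry the request" if name in run["authorized"]
                 else "never challenged this run; stale san_config entry, re-create the cert")
        out.append(f"{name}: {cause}")
    return out
```

Run it over a real transcript with parse_run(open(path).read()); a name reported as never challenged is the one to look for in san_config before re-creating the certificate.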
 
3) If a subdomain or pointer is deleted mid-cert, then I have already added changes to DA to exclude them from the san_config before the next renewal:
https://www.directadmin.com/features.php?id=2005
so trying the DA pre-release binaries would be needed if you want to see if that helps.

John

(renew, change, add cert manually, then the old one still stayed to renew somehow at Letsencrypt)
Some users here in the forum have such issues, so it could be that, let's hope it is. ;)
 
The issue is with the main domain.
If that is the case, then just start that cert over again, with a fresh request, the same way you did it the first time, but with whichever values you need now.
That is what I tried, and then I got the error mentioned in the second part I quoted. I don't have a rate limit; renewal is tried once a day for that domain.

I can see if I can do it the way you did. And report back here.
 
Nope, not working with the manual thing.

I now tried option 2: revert to the server's main certificate (before, I just re-created without reverting first).
Wait a couple of minutes and then create a new certificate. That seemed to do the trick.

Thank you!
 