Let's Encrypt error for one domain and also an error for the server certificate

Hi all,

When trying to request a certificate for a domain on one of our servers I am getting this back:


Requesting new certificate order...
Processing authorization for www.domain.tld...
Challenge is valid.
Processing authorization for domain.tld...
Waiting for domain verification...
Trying again...
1..2..3..4..5..
Challenge status: invalid. Challenge error: "type": "http-01", "status": "invalid", "error": { "type": "urn:ietf:params:acme:error:unauthorized", "detail": "Invalid response from http://domain.tld/.well-known/acme-challenge/fEvA8fgj1QNUwt6N7FB7ymg4aawx0KU54pUNOoM2bHg: "\u003c!DOCTYPE HTML PUBLIC \\"-//IETF//DTD HTML 2.0//EN\\"\u003e\\n\u003chtml\u003e\u003chead\u003e\\n\u003ctitle\u003e404 Not Found\u003c/title\u003e\\n\u003c/head\u003e\u003cbody\u003e\\n\u003ch1\u003eNot Found\u003c/h1\u003e\\n\u003cp"", "status": 403 . Exiting...


I don't have that when I renew a certificate for another domain on the same server.

However when I want to renew the server certificate with:

./letsencrypt.sh request `hostname` 4096

this is the response:

Setting up certificate for a hostname: my.server.tld
Requesting new certificate order...
new-order error: HTTP/1.1 100 Continue
Expires: Thu, 01 Nov 2018 13:00:44 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache

HTTP/1.1 400 Bad Request
Server: nginx
Content-Type: application/problem+json
Content-Length: 133
Boulder-Requester: 34752975
Replay-Nonce: JmEru6J98TTQ3j9UgNqP10eGwJNRvmQ14C4CJhS3j8w
Expires: Thu, 01 Nov 2018 13:00:44 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 01 Nov 2018 13:00:44 GMT
Connection: close

{
"type": "urn:ietf:params:acme:error:malformed",
"detail": "NewOrder request did not specify any identifiers",
"status": 400
}. Exiting...

So far I have updated the LE script and searched the forum but did not find anything relevant.
The admin email is also set.

Out of my servers this server is the only one unable to complete the request for the server certificate.

Hopefully someone can shed some light on my issue.

Kind regards,

AcTiVaTe
 
Do you have a correct set of domains in /usr/local/directadmin/conf/ca.san_config ?
 
Yes, I just checked that and I apparently had a small mistake when saving the file.

I accidentally removed the first letter of subjectAltName changing it to ubjectAltName :/

So the server certificate part is resolved.

However the problem with that one specific domain has not...
Most of our domains are also registered by us and set to our own nameservers.
This domain is merely pointed to our servers.

Can that be an issue perhaps? I'm trying to apply my normal Sherlock Holmes method to this but I am failing...

P.S. The /.well-known/acme-challenge alias in /etc/httpd/conf/extra/httpd-alias.conf is set up.
 
Well,

I just tried to 'outsmart' the LE script by adding the domain on the SAN list for the server.
But when trying to request that I get the same error as when I try it on client level.

Processing authorization for domain.tld...
Waiting for domain verification...
Trying again...
1..2..3..4..5..
Challenge status: invalid. Challenge error: "type": "http-01", "status": "invalid", "error": { "type": "urn:ietf:params:acme:error:unauthorized", "detail": "Invalid response from http://domain.tld/.well-known/acme-challenge/uxiypg7zkpLFVmSZRFX1s2y8kwCtyzA92xuz-UvmTPw: "\u003c!DOCTYPE HTML PUBLIC \\"-//IETF//DTD HTML 2.0//EN\\"\u003e\\n\u003chtml\u003e\u003chead\u003e\\n\u003ctitle\u003e404 Not Found\u003c/title\u003e\\n\u003c/head\u003e\u003cbody\u003e\\n\u003ch1\u003eNot Found\u003c/h1\u003e\\n\u003cp"", "status": 403 . Exiting...

:(
 
I'd suggest creating a ticket at tickets.directadmin.com with the real domain name, we could assist you further there.
 
FYI, I went hunting in the ticket and the issue in the previous ticket was caused by a custom mod_security install. If you use mod_security, be sure to install/control it through CustomBuild (try the comodo rules).
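An added pre-flight check for the failure seen in this thread (example script written for this page, not part of the thread or of DirectAdmin's letsencrypt.sh): it drops a throw-away token into the challenge directory, fetches it over plain HTTP the way the CA does, and names the likely cause of a 404 (alias/file missing) versus a 403 (mod_security or a similar rule). It assumes curl is installed and that the /.well-known/acme-challenge alias points at the directory in CHALLENGE_DIR.

```shell
#!/bin/sh
# Added example, not part of the thread or of DirectAdmin's letsencrypt.sh.
# Pre-flights an http-01 challenge path before a certificate request, so a
# 404 (alias/file missing) or 403 (mod_security or similar rule) is seen
# locally instead of inside the ACME "unauthorized" error.
# Assumption: the /.well-known/acme-challenge alias points at CHALLENGE_DIR.
CHALLENGE_DIR="${CHALLENGE_DIR:-/var/www/html/.well-known/acme-challenge}"

# diagnose STATUS EXPECTED_BODY ACTUAL_BODY -> one-line verdict on stdout.
# Kept separate from the network step so it can be exercised offline.
diagnose() {
    status="$1"; expected="$2"; body="$3"
    case "$status" in
        200)
            if [ "$body" = "$expected" ]; then
                echo "ok: token served verbatim"
            else
                echo "mismatch: HTTP 200 but body differs (rewrite, index page or wrong vhost)"
            fi ;;
        403) echo "forbidden: a WAF rule (mod_security) or directory ACL blocks the path" ;;
        404) echo "not-found: alias or file missing for this vhost (check httpd-alias.conf)" ;;
        301|302|307|308) echo "redirect: re-check the Location target, it must serve the token" ;;
        000) echo "unreachable: no HTTP answer from the host (DNS, firewall or wrong A record)" ;;
        *)   echo "unexpected: HTTP $status" ;;
    esac
}

# preflight DOMAIN -> writes a throw-away token, fetches it over plain HTTP
# exactly as the CA would, prints the verdict and removes the token again.
preflight() {
    domain="$1"
    token="preflight-$(date +%s)-$$"        # constructed, unique file name
    tmp="$(mktemp)" || return 1
    if ! printf '%s' "$token" > "$CHALLENGE_DIR/$token"; then
        echo "cannot write to $CHALLENGE_DIR"; rm -f "$tmp"; return 1
    fi
    url="http://$domain/.well-known/acme-challenge/$token"
    # -w prints only the status code; the body goes to the temp file
    status="$(curl -s --max-time 10 -o "$tmp" -w '%{http_code}' "$url")"
    verdict="$(diagnose "$status" "$token" "$(cat "$tmp")")"
    rm -f "$tmp" "$CHALLENGE_DIR/$token"
    echo "$url -> $verdict"
    [ "${verdict#ok}" != "$verdict" ]     # exit 0 only when the token came back
}

# Usage: sh preflight.sh domain.tld  (run on the web server that hosts the vhost)
if [ -n "${1:-}" ]; then preflight "$1"; fi
```

Run it for the failing domain from the server itself; a "forbidden" verdict points at the mod_security finding above, a "not-found" verdict at the alias or vhost.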
 