Letsencrypt SSL in 1.5 not working

hank (New member, joined Feb 29, 2016)
I reinstalled my DirectAdmin from scratch,
updated to 1.5 and tried the SSL cert from Let's Encrypt, but I keep getting the following error:

Getting challenge for mywebsitename.com from acme-server...
Waiting for domain verification...
Challenge is valid.
Getting challenge for www.mywebsitename.com from acme-server...
Waiting for domain verification...
Challenge is invalid. Details: Invalid response from http://www.mywebsitename.com/.well-known/acme-challenge/7EL5bRwHpeoxH6cdURaR7NynqCM7VuJ9Uzg0oTPsqSU [178.18.87.86]: 404. Exiting...

There are no files created in the acme-challenge/ folder.

I did the CustomBuild changes and added the .well-known alias.
Any ideas why this is not working?
 
Are you running CustomBuild 2.0? Is letsencrypt=1 set in directadmin.conf? I think that it might be an alias-related problem, and I'd suggest opening a ticket at tickets.directadmin.com if you're unable to solve it yourself.
 
I have CustomBuild 2 installed
and enable_ssl_sni=1 with letsencrypt=1 in directadmin.conf.
 
I read something about WordPress install incompatibilities.

Could that be it?
 
Your issue seems to be caused by an incorrect DNS configuration of the domain.
 
Same problem here, nginx/apache.

When I rename .well-known to well-known I can hit the URL; however, I can't with the . preceding it.

1.5 / CB 2 / all up to date.

Thoughts?
 
Same here. :( I thought it had been working / renewing previously, but I may be mistaken. I am using WordPress sites, which I saw may be related. Possibly .htaccess rules?
 
Looks like Apache is blocking access?

[Tue Mar 15 06:19:49.159102 2016] [autoindex:error] [pid 16418:tid 139691093210880] [client 219.89.124.151:33737] AH01276: Cannot serve directory /home/domain/domains/domainname.com/public_html/.well-known/: No matching DirectoryIndex (index.html,index.htm,index.shtml,index.php,index.php5,index.php4,index.php3,index.phtml,index.cgi,index.pl) found, and server-generated directory index forbidden by Options directive
 
/home/domain/domains/domainname.com/public_html/.well-known/ should never be accessed with letsencrypt=1 set in directadmin.conf.
 
What do we do next?

[root@host4 scripts]# ./letsencrypt.sh request domain.com
Getting challenge for domain.com from acme-server...
Waiting for domain verification...
Challenge is invalid. Details: Invalid response from http://domain.com/.well-known/acme-challenge/LVc9b0WtLrFqGRM2JNGjx3LAAuToab8K3YwbHqVmvvk [206.111.111.111]: 404. Exiting...

Also, maybe a little off topic, but it would be great to also request mail.domain.com in addition to @ and www, so that we can offer our clients secure email as part of the cert package.
 
Same here with letsencrypt=2; the random key file seems not to be generated.

When I check the folder acme-challenge, no key file is generated.
The IP address in the error message is correct, so resolving seems to go OK.

Code:
Cannot Execute Your Request

Details

Getting challenge for domain.com from acme-server...
Waiting for domain verification...
Challenge is invalid. Details: Invalid response from http://domain.com/.well-known/acme-challenge/bOgiuZnAfZ2bNcYOvVE8hKIhE-az1NwyGRAdh6ZhNZM [123.45.67.89]: 404. Exiting...
 
Yeah, I'm getting frustrated too. Trying to use Let's Encrypt through the DirectAdmin control panel gives me the same error as above: a 404 error trying to connect to the acme-challenge.

However, if I run from the command line (./letsencrypt.sh request example.com 4096 "" /var/www/html) it works in terms of generating the certificate and claims to be successful, but the Let's Encrypt certificate is not in place; instead it's trying to use the server certificate for the hosting domain, rather than the newly generated Let's Encrypt certificate.

So right now I have sites with invalid certificates and no idea how to fix them. Very frustrating when trying to follow the documentation provided and not getting the expected results.
 
Seeing the exact same messages on my installation.
When looking for the .well-known directory on the Linux filesystem I found it in /var/www/html/ and not in /home/<user>/domains/<domain>/public_html/ where it should be.
That is exactly what is causing the 404 error on the challenge request. I suppose there is a bug somewhere in the Let's Encrypt support structure within DirectAdmin.
 
Location of .well-known challenge

Hi, same issues here with the 1.50 install.
Interestingly, the challenge files are accessible from the internet, though not from the correct domain.
They are placed in /var/www/html/ instead of the public_html directory under the domain itself, where they are accessible by the challenge server from Let's Encrypt.
Seems there is a "bug" somewhere where the backend is using the incorrect path for the domain's webroot directory.
 
Make sure you have letsencrypt=2 set in the output of:
Code:
/usr/local/directadmin/directadmin c | grep letsencrypt=

DA pre-release binaries might provide you more information about your issue when generating the cert.
 
Ah, didn't know there were more possibilities for the letsencrypt= option than either 0 or 1; will certainly try it.
 
Following up on my previous thread here as I was still having issues.

I had some assistance from Martynas (thank you) who pointed out that I hadn't run "./build rewrite_confs" after changing letsencrypt= value in the directadmin conf.

So if anyone else is getting invalid challenge errors, try running ./build update && ./build rewrite_confs in /usr/local/directadmin/scripts/
 
Shouldn't that be in
/usr/local/directadmin/custombuild?
 
I found that it works well with Apache, not with nginx+Apache as set up like in https://forum.directadmin.com/showthread.php?t=49438
Is this a bug or am I doing something wrong? The challenge failed for the domain without www.

Same thing for Let's Encrypt renewals. Had to revert to Apache only (without the nginx proxy) to get this going again.
 
Today it was time for an automatic renewal on a server that I left on nginx+apache.
I got this Message System message:
Code:
Subject: Error during automated certificate renewal for www.domain.com

Getting challenge for www.domain.com from acme-server...
/usr/local/directadmin/scripts/letsencrypt.sh: line 319: /var/www/html/.well-known/acme-challenge/: Is a directory
/usr/local/directadmin/scripts/letsencrypt.sh: line 322: [: -ne: unary operator expected
Waiting for domain verification...
rm: cannot remove `/var/www/html/.well-known/acme-challenge/': Is a directory
Challenge is . Details: . Exiting...

(replaced the real domain with www.domain.com)
 