Renewing Let's Encrypt SSL and License Update

Hello Community,

I was able to successfully install a Let's Encrypt SSL certificate and service on my hostname three months ago. Yesterday my certificate's 90-day period expired and now the https://vps.mydomain.com URL is giving a broken padlock error due to the expired certificate.

My plan was to execute the following within SSH on my CentOS 6 VPS server:

cd /usr/local/directadmin/scripts
./letsencrypt.sh request vps.mydomain.com 4096


After executing these commands I was given the following error:

[root@vps scripts]# ./letsencrypt.sh request vps.mydomain.com 4096
Setting up certificate for a hostname: vps.mydomain.com
Getting challenge for vps.mydomain.com from acme-server...
Waiting for domain verification...
Challenge is valid.
Getting challenge for www.vps.mydomain.com from acme-server...
Error: http://www.vps.mydomain.com/.well-known/acme-challenge/letsencrypt_1498052888 is not reachable. Aborting the script.
dig output for www.vps.mydomain.com:
Please make sure /.well-known alias is setup in WWW server.

Therefore, I searched within this forum and came to the following solution:

https://help.directadmin.com/item.php?id=646

I was able to successfully execute the acme challenge test and view the 'text' message in my web browser Chrome.

I would like to know if anyone is experiencing similar problems while working within the CentOS 6 and DirectAdmin environment. I have also noticed that this 'alias error' is currently affecting the automatic license update of DirectAdmin. Now I have to manually update it before it expires at the end of the scheduled thirty-day period.

I thank all of you for your time and assistance.

Best regards,

mjflint
 
Hello,

If you use mod_security, then you should disable it at least for the duration of your domain's validation.
 
Disable mod_security

Hello Alex,

Thank you for getting back to me and offering your solution. Please know that I executed as root:

httpd -l

Compiled in modules:
core.c
mod_authn_file.c
mod_authn_dbm.c
mod_authn_anon.c
mod_authn_dbd.c
mod_authn_socache.c
mod_authn_core.c
mod_authz_host.c
mod_authz_groupfile.c
mod_authz_user.c
mod_authz_dbm.c
mod_authz_owner.c
mod_authz_dbd.c
mod_authz_core.c
mod_access_compat.c
mod_auth_basic.c
mod_auth_form.c
mod_auth_digest.c
mod_allowmethods.c
mod_file_cache.c
mod_cache.c
mod_cache_disk.c
mod_cache_socache.c
mod_socache_shmcb.c
mod_socache_dbm.c
mod_socache_memcache.c
mod_so.c
mod_watchdog.c
mod_macro.c
mod_dbd.c
mod_dumpio.c
mod_buffer.c
mod_ratelimit.c
mod_reqtimeout.c
mod_ext_filter.c
mod_request.c
mod_include.c
mod_filter.c
mod_substitute.c
mod_sed.c
mod_deflate.c
http_core.c
mod_mime.c
mod_log_config.c
mod_log_debug.c
mod_logio.c
mod_env.c
mod_expires.c
mod_headers.c
mod_unique_id.c
mod_setenvif.c
mod_version.c
mod_remoteip.c
mod_proxy.c
mod_proxy_connect.c
mod_proxy_ftp.c
mod_proxy_http.c
mod_proxy_fcgi.c
mod_proxy_scgi.c
mod_proxy_wstunnel.c
mod_proxy_ajp.c
mod_proxy_balancer.c
mod_proxy_express.c
mod_proxy_hcheck.c
mod_session.c
mod_session_cookie.c
mod_session_dbd.c
mod_slotmem_shm.c
mod_ssl.c
mod_lbmethod_byrequests.c
mod_lbmethod_bytraffic.c
mod_lbmethod_bybusyness.c
mod_lbmethod_heartbeat.c
mod_unixd.c
mod_dav.c
mod_status.c
mod_autoindex.c
mod_info.c
mod_suexec.c
mod_cgi.c
mod_dav_fs.c
mod_dav_lock.c
mod_vhost_alias.c
mod_negotiation.c
mod_dir.c
mod_actions.c
mod_speling.c
mod_userdir.c
mod_alias.c
mod_rewrite.c


I also referenced /etc/httpd/conf/httpd.conf and wasn't able to find anything related to AddModule mod_security.c. I went ahead and created a .htaccess in /var/www with the following code:

<IfModule mod_security.c>
SecFilterEngine Off
SecFilterScanPOST Off
</IfModule>


After creating this .htaccess file I restarted Apache and tried renewing the Let's Encrypt certificate once again. Unfortunately, I am still left with the original error ' Please make sure /.well-known alias is setup in WWW server. '

I really appreciate your help and consideration.

Best regards,

mjflint
 
OK, it seems you have no public DNS record for www.vps.mydomain.com, so you should check it and either add an A-type record for www.vps.mydomain.com (with www) or remove it from /usr/local/directadmin/conf/ca.san_config and try again.

In the same way, you might need to remove other names from the file which cannot be resolved to an IP address.
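
Added example, not part of the thread or of DirectAdmin's own scripts: a pre-check for the fix described above, listing the SAN names in a config file that have no A or AAAA record so they can be added to DNS or removed before the request is retried. The file layout (`DNS:` entries on a `subjectAltName` line) is an assumption, and `san_names`, `resolve_name` and `unresolvable_names` are hypothetical helper names.

```sh
#!/bin/sh
# Added example: find SAN names that will fail domain validation because
# they do not resolve. Assumed file format (not confirmed by the thread):
#   subjectAltName=DNS:vps.mydomain.com, DNS:www.vps.mydomain.com

# Print every DNS: entry, one per line, lower-cased and de-duplicated.
# Comment lines are ignored.
san_names() {
    grep -v '^[[:space:]]*#' "$1" \
        | grep -oE 'DNS:[^,[:space:]]+' \
        | sed 's/^DNS://' \
        | tr '[:upper:]' '[:lower:]' \
        | sort -u
}

# Succeed if dig returns at least one IPv4 or IPv6 address for the name.
# dig error text and bare CNAME targets do not count as an address.
# This queries the system resolver; the CA resolves from the public
# internet, so a name known only to local DNS can still fail there.
resolve_name() {
    { dig +short A "$1"; dig +short AAAA "$1"; } 2>/dev/null \
        | grep -qE '^([0-9]{1,3}\.){3}[0-9]{1,3}$|^[0-9a-fA-F]*:[0-9a-fA-F:.]+$'
}

# Print the names that do not resolve; return 1 if there are any.
unresolvable_names() {
    bad=0
    for name in $(san_names "$1"); do
        resolve_name "$name" || { printf '%s\n' "$name"; bad=1; }
    done
    return "$bad"
}

# Usage: sh check_san.sh /usr/local/directadmin/conf/ca.san_config
if [ $# -gt 0 ]; then
    unresolvable_names "$1"
fi
```

Any name it prints is a candidate for the choice given in the reply above: publish a record for it or drop it from the file.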
 
Thank you so much

Hello Alex,

Removed the bad URLs from the ca.san_config and now I have a fully locked SSL DirectAdmin site. I can't thank you enough!

Best regards,

mjflint
 