We are unable to issue an SSL certificate on directadmin.domain.com

Serversupportstaff (Verified User, joined Jul 29, 2020, 12 messages)
Directadmin.domain.com is used to access the control panel for the users just like domain.com:2222. Directadmin.domain.com acts as a separate account and as a main domain with the username DirectAdmin. The A record is pointed to our server but since this is a subdomain, there is no NS record. When renewing the SSL certificates, we are facing the following error. The domain domain.com is not added to the DirectAdmin panel so the main domain is directadmin.domain.com itself. We use Cloudflare to mask the main domain records. Is it necessary for the subdomain to have an NS record to issue an SSL certificate when it is used as the main domain? A sample of the error is given below.
2023/04/24 14:30:34 [INFO] [directadmin.comain.com] acme: Obtaining SAN certificate
2023/04/24 14:30:34 [INFO] [directadmin.comain.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/222130902807
2023/04/24 14:30:34 [INFO] [directadmin.comain.com] acme: Could not find solver for: tls-alpn-01
2023/04/24 14:30:34 [INFO] [directadmin.comain.com] acme: use http-01 solver
2023/04/24 14:30:34 [INFO] [directadmin.comain.comm] acme: Trying to solve HTTP-01
2023/04/24 14:30:40 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/222130902807
2023/04/24 14:30:40 Could not obtain certificates:
error: one or more domains had a problem:
[directadmin.comain.com] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: Invalid response from https://directadmin.comain.com/: "



"
Certificate generation failed.
Thanks and regards.
 
You have added the subdomain as a new domain instead of as a subdomain?
Then you can simply add directadmin as an A record in your domain.com DNS, or did I miss something here?
 
The subdomain directadmin.domain.com is pointed to our server using an A record, and we created a separate account for it. When we try to issue a Let's Encrypt certificate, we are getting the above error. Directadmin.domain.com itself is the main domain for the account DirectAdmin. We are the admin and we need to issue SSL for directadmin.domain.com. But directadmin.domain.com is not added as a subdomain of domain.com but as a separate account, where there are ftp.directadmin.domain.com, www.directadmin.domain.com, mail.directadmin.domain.com, etc. directadmin.domain.com only has an A record, not an NS record.
 
So you did add directadmin (not directadmin.domain.com) as an A record with the IP in the DNS of the main domain? That is not clear to me.
Your error is that LE can't find the directadmin.domain.com record in your DNS settings (I assume).
 
Thank you for the response. Yes, there is an A record for directadmin.domain.com pointing it to our server, but no NS record. And directadmin.domain.com is used as the main domain for the user "directadmin". The A record is active globally too. Domain.com is not added in our DirectAdmin; just directadmin.domain.com is added.
 
Those are lots of subdomains there :)

Can't do any DNS check on your (sub)domains; only the main domain returns Cloudflare records, which are not usable to troubleshoot now.

Not Found!

bad zone: Could not get name servers for 'darwin.dnshostnetwork.com'.

Not Found!

bad zone: Could not get name servers for 'directadmin.darwin.dnshostnetwork.com'


I am sorry, maybe other users on the forum have some ideas about what is going on here.
Still believing that there are some misconfigured records in your DNS...
 
This was my query too. Is this error happening because there are no NS records for the subdomain? Because it is acting as a main domain?
 
Looks like it is now, especially since you have created it as a separate account. Normally we only do that for the hostname.
 
Dear Richard,

darwin.dnshostnetwork.com is our hostname. We use directadmin.darwin.dnshostnetwork.com only to access the DirectAdmin control panel, just like how we use darwin.dnshostnetwork.com:2222. You can directly access the login link from directadmin.darwin.dnshostnetwork.com without using port 2222. Is there a way to issue SSL on directadmin.darwin.dnshostnetwork.com?

Thanks and regards.
 
We use directadmin.darwin.dnshostnetwork.com
I think that might be causing the issue, that you are using a subdomain of your hostname, instead of a subdomain of your domain name, but I'm not 100% sure.

Normally, if you have created a separate DNS entry for your hostname, one could create a subdomain for that, but since the hostname is in fact not a domain name (but theoretically kind of a subdomain already) you are creating a sub.sub domain on a record of a non-existing domain.
IMHO it will not be possible to get an ssl certificate for that.

You could try to (if you have not already):
1.) Remove the hostname from your domain and create a separate DNS entry for it as if it were a real domain, create the subdomain there, and then try to create a wildcard certificate for that if possible.
2.) Use another name within your domain name for the redirection, for example directadmin.dnshostnetwork.com for the login without the port. That falls within your domain name, so it should not be an issue to get an SSL certificate for it. Depending on how the customisation works to get rid of the port; I never used that.
3.) Ask somebody with big knowledge about customisations, like ticket support, or @zEitEr for example.
 
If you redirect requests for your domain to DirectAdmin: 80/443 => 2222, then all validation requests from Let's Encrypt to /.well-known/acme-challenge/ are also forwarded to DirectAdmin. That's the issue. You should disable forwarding of requests for this URL in your web server.
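The split zEitEr describes, shown as an added example (not from the thread or from DirectAdmin itself): a plain "redirect everything to :2222" rule beside the corrected form that serves the ACME challenge directory from the webroot first. It assumes nginx is the web server and that the webroot is /var/www/html; the hostname is the one from the thread.

```nginx
# Added example, not part of the forum thread. Assumes nginx and a
# webroot of /var/www/html where the ACME client writes its tokens.
server {
    listen 80;
    server_name directadmin.darwin.dnshostnetwork.com;

    # BROKEN: this one-liner forwards every request, including
    # /.well-known/acme-challenge/<token>, to the control panel on 2222,
    # so the Let's Encrypt validator sees the panel's response instead of
    # the token and fails with "Invalid response ... unauthorized".
    # return 301 https://$host:2222$request_uri;

    # FIXED: serve the HTTP-01 challenge tokens straight from the webroot.
    # ^~ stops a later regex location from overriding this prefix match.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/html;
        default_type text/plain;
        try_files $uri =404;
    }

    # Everything else still goes to the DirectAdmin login on port 2222.
    location / {
        return 301 https://$host:2222$request_uri;
    }
}
```

The same ordering applies on Apache: exempt REQUEST_URI ^/.well-known/acme-challenge/ before the rewrite to port 2222. Before renewing, fetch a test file under that path on port 80 and confirm it is returned directly rather than redirected.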
 