Let's Encrypt wildcard certificates failing with version 2 letsencrypt script.

113345

Since the upgrade of letsencrypt.sh from version 1.1.42 to 2.0.7 it is no longer possible to renew or request a new wildcard certificate.

Code:
Found wildcard domain name and http challenge type, switching to dns-01 validation.
2020/08/02 01:14:22 [INFO] [***.nl, *.***.nl] acme: Obtaining SAN certificate
2020/08/02 01:14:25 [INFO] [*.***.nl] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/************
2020/08/02 01:14:25 [INFO] [***.nl] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/************
2020/08/02 01:14:25 [INFO] [*.***.nl] acme: authorization already valid; skipping challenge
2020/08/02 01:14:25 [INFO] [***.nl] acme: Could not find solver for: tls-alpn-01
2020/08/02 01:14:25 [INFO] [***.nl] acme: Could not find solver for: http-01
2020/08/02 01:14:25 [INFO] [***.nl] acme: use dns-01 solver
2020/08/02 01:14:25 [INFO] [***.nl] acme: Preparing to solve DNS-01
2020/08/02 01:14:25 [INFO] [***.nl] acme: Trying to solve DNS-01
2020/08/02 01:14:25 [INFO] [***.nl] acme: Checking DNS record propagation using [8.8.8.8:53]
2020/08/02 01:14:27 [INFO] Wait for propagation [timeout: 1m0s, interval: 2s]

The script prints about 24 lines like the following and then complains that the time limit was exceeded.
Code:
2020/08/02 01:14:35 [INFO] [***.nl] acme: Waiting for DNS record propagation.
2020/08/02 01:14:37 [INFO] [***.nl] acme: Waiting for DNS record propagation.

Code:
2020/08/02 01:15:27 [INFO] [***.nl] acme: Cleaning DNS-01 challenge
2020/08/02 01:15:28 [INFO] Skipping deactivating of valid auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/************
2020/08/02 01:15:28 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/************
2020/08/02 01:15:28 Could not obtain certificates:
error: one or more domains had a problem:
[***.nl] time limit exceeded: last error: NS ns2.transip.eu. did not return the expected TXT record [fqdn: _acme-challenge.***.nl., value: ************]: 08ALHvWD7LJS************18CRedtX-V************
Certificate generation failed.

The v1.1.42 script allows setting "DIG_SECONDS=120" (or another value) to make the script wait between dig lookups/tries, to accommodate slow propagation.
See below for the output of that script.

Code:
Found wildcard domain name and http-01 challenge type, switching to dns-01 validation.
Requesting new certificate order...
Processing https://acme-v02.api.letsencrypt.org/acme/authz-v3/************...
Processing authorization for ***.nl...
Challenge is valid.
Processing https://acme-v02.api.letsencrypt.org/acme/authz-v3/************...
Processing authorization for ***.nl...
DNS challenge test fail for _acme-challenge.***.nl IN TXT "************", retrying...
Retry failed, trying again in 120s...
Retry failed, trying again in 120s...
Retry failed, trying again in 120s...
Retry failed, trying again in 120s...
Retry failed, trying again in 120s...
Retry failed, trying again in 120s...
Waiting for domain verification...
Challenge is valid.
Challenge is valid.
Generating 4096 bit RSA key for ***.nl...
openssl genrsa 4096 > "/usr/local/directadmin/data/users/******/domains/***.nl.key.new"
Generating RSA private key, 4096 bit long modulus
...........................................................................++
.........................++
e is 65537 (0x10001)
Checking Certificate Private key match... Match!
Certificate for ***.nl has been created successfully!

Is it possible to introduce the same parameter in the new v2 script?
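As an added diagnostic (not from the thread or from the DirectAdmin script), the following shell script does by hand what lego does in the log above: it asks every authoritative nameserver of the zone directly for the _acme-challenge TXT record and reports the servers that still do not serve the token, which is exactly the case that makes the propagation wait time out. It assumes dig is installed; the zone and the expected value are the "fqdn" and "value" fields from lego's error line.

```shell
#!/bin/sh
# Added example (not from the thread or DirectAdmin): reproduce lego's
# propagation check by hand, asking every authoritative nameserver of a zone
# for the _acme-challenge TXT record and reporting which ones still lack it.
# Assumes dig (bind-utils/dnsutils) is installed; ZONE and EXPECTED come from
# the lego log line "[fqdn: _acme-challenge.<zone>., value: <token>]".

# txt_has_value EXPECTED : reads `dig +short ... TXT` output on stdin (one
# quoted string per line, possibly split into several quoted chunks) and
# returns 0 if one record equals EXPECTED exactly.
txt_has_value() {
    want="$1"
    while IFS= read -r line; do
        # Join split chunks: "abc" "def" -> abcdef; strip surrounding quotes.
        rec=$(printf '%s' "$line" | sed 's/" "//g; s/^"//; s/"$//')
        [ "$rec" = "$want" ] && return 0
    done
    return 1
}

# ns_has_txt NS FQDN EXPECTED : query one nameserver directly, without
# recursion, so a stale or REFUSED-answering secondary is not masked by a
# resolver cache (an empty answer counts as missing).
ns_has_txt() {
    dig +short +norecurse +time=3 +tries=1 "@$1" "$2" TXT | txt_has_value "$3"
}

# check_zone ZONE EXPECTED : prints one line per authoritative server and
# returns the number of servers that do not yet serve the expected token
# (0 means lego's check would pass).
check_zone() {
    zone="$1"; want="$2"; fqdn="_acme-challenge.$zone."
    missing=0
    for ns in $(dig +short "$zone" NS); do
        if ns_has_txt "$ns" "$fqdn" "$want"; then
            echo "OK       $ns"
        else
            echo "MISSING  $ns"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# Usage: sh check-acme-txt.sh example.nl <token-from-lego-log>
if [ -n "${1:-}" ] && [ -n "${2:-}" ]; then
    check_zone "$1" "$2"
fi
```

Run it while lego is waiting (the record is removed again at "Cleaning DNS-01 challenge"); a server listed as MISSING for the whole wait is the one to fix, whether it is a lagging secondary or one answering REFUSED.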
 
Found the solution for my problem on the lego site: https://go-acme.github.io/lego/dns/exec/

Added the following environment variables in the top section of the v2 script:
Code:
export EXEC_PROPAGATION_TIMEOUT=900
export EXEC_POLLING_INTERVAL=60

This accommodates the slow propagation.

I have the same problem but this solution doesn't work for me... :(

@smtalk can you repair the Let's Encrypt script? Because it's weird that it doesn't work even with my server (DA) domain lol... before the changes it was all working with the 1.x version of the script...
 

If your license includes support, I'd suggest opening a DA ticket for it and including access to the server.

Thank you!
 
I don't have that, but... what was changed in the 2.0.x version? It's weird that it's not working if it was working with 1.1.x... there must be something broken in this newest version.... I have this problem on a few servers and many domains now... :/
 
I'd suggest employing someone to debug it there or switch your license type to the one having support.

2.0.x was a major release; however, it was tested, and as you see on the forums, only a couple of problems have been reported, none of which were bugs. If a lower timeout is the problem, the defaults can be changed; however, we've seen only a couple of reports on that too, and no support tickets to investigate what's really happening there.
 
Yes, I figured it out now, it's because of the timeout... how do I change this and where (which file)? :D I think it will work.
 
@ShinJii

Maybe this clarifies the placement of the variables:
Code:
#!/bin/sh
#VERSION=2.0.7
# This script is written by Martynas Bendorius and DirectAdmin
# It is used to create/renew let's encrypt certificate for a domain
# Official DirectAdmin webpage: http://www.directadmin.com

# ADD ENVARS
export EXEC_PROPAGATION_TIMEOUT=900
export EXEC_POLLING_INTERVAL=60

# Usage:
# ./letsencrypt.sh <domain> <key-size>
MYUID=`/usr/bin/id -u`
if [ "${MYUID}" != 0 ]; then
        echo "You require Root Access to run this script";
        exit 0
fi

LEGO=/usr/local/bin/lego
You have to redo this when the script is updated; I use a cron job to do that.
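The cron job mentioned above is not shown in the thread; here is an added example (not DirectAdmin's code) of a script that idempotently re-inserts the two exports after the shebang of letsencrypt.sh, so it can run from cron after an update has overwritten the file. It assumes the script lives at /usr/local/directadmin/scripts/letsencrypt.sh (override with LE_SCRIPT), uses the 900 s / 60 s values from the post above, and assumes line 1 of the target is the shebang.

```shell
#!/bin/sh
# Added example, not DirectAdmin's script: re-apply the two lego exec-provider
# variables to letsencrypt.sh after an update has overwritten it, so it can run
# from cron. Assumed script path (override with $LE_SCRIPT) and the 900 s / 60 s
# values from the thread; line 1 of the target is assumed to be the shebang.

LE_SCRIPT="${LE_SCRIPT:-/usr/local/directadmin/scripts/letsencrypt.sh}"
PROP_TIMEOUT="${PROP_TIMEOUT:-900}"
POLL_INTERVAL="${POLL_INTERVAL:-60}"

# has_envars FILE : 0 if both exports are present with the wanted values.
has_envars() {
    grep -q "^export EXEC_PROPAGATION_TIMEOUT=${PROP_TIMEOUT}\$" "$1" &&
    grep -q "^export EXEC_POLLING_INTERVAL=${POLL_INTERVAL}\$" "$1"
}

# add_envars FILE : insert the exports right after the shebang, dropping any
# older copies first so repeated cron runs never duplicate them. The file is
# rewritten in place (cat >) so its owner and mode bits are kept.
add_envars() {
    f="$1"
    [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
    has_envars "$f" && return 0          # nothing to do
    tmp="${f}.tmp.$$"
    awk -v t="$PROP_TIMEOUT" -v i="$POLL_INTERVAL" '
        NR == 1 {
            print
            print "export EXEC_PROPAGATION_TIMEOUT=" t
            print "export EXEC_POLLING_INTERVAL=" i
            next
        }
        /^export EXEC_PROPAGATION_TIMEOUT=/ || /^export EXEC_POLLING_INTERVAL=/ { next }
        { print }
    ' "$f" > "$tmp" && cat "$tmp" > "$f"
    rm -f "$tmp"
    has_envars "$f"
}

# Run only when asked, e.g. from root's crontab after the nightly update:
#   0 4 * * * LE_APPLY=1 /root/apply-le-envars.sh
if [ "${LE_APPLY:-0}" = 1 ]; then
    add_envars "$LE_SCRIPT"
fi
```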
 
It's been replied by @113345 already, so, there is nothing to add there :)
Hm, ok. But why did you change these values? It was fine in the 1.1.x versions... now 1 minute is too low for many people :p I think you should make this timeout editable in the custombuild options or something... :)


Can you show me how your cronjob looks? :D



I changed the values to 15 minutes but it's still not working... why? It was always working with wildcards with a 15 second interval and it was fine after 3-5 minutes.... now even 15 minutes is not fine... wtf?


Code:
2020/08/12 11:29:06 [INFO] [*.domain.pro] acme: Checking DNS record propagation using [8.8.8.8:53]
2020/08/12 11:30:06 [INFO] Wait for propagation [timeout: 15m0s, interval: 1m0s]
2020/08/12 11:30:06 [INFO] [*.domain.pro] acme: Waiting for DNS record propagation.
2020/08/12 11:31:06 [INFO] [*.domain.pro] acme: Waiting for DNS record propagation.
2020/08/12 11:32:07 [INFO] [*.domain.pro] acme: Waiting for DNS record propagation.
2020/08/12 11:33:07 [INFO] [*.domain.pro] acme: Waiting for DNS record propagation.
2020/08/12 11:34:07 [INFO] [*.domain.pro] acme: Waiting for DNS record propagation.
2020/08/12 11:35:07 [INFO] [*.domain.pro] acme: Waiting for DNS record propagation.
2020/08/12 11:36:07 [INFO] [*.domain.pro] acme: Waiting for DNS record propagation.
2020/08/12 11:37:07 [INFO] [*.domain.pro] acme: Waiting for DNS record propagation.
2020/08/12 11:38:08 [INFO] [*.domain.pro] acme: Waiting for DNS record propagation.
2020/08/12 11:39:08 [INFO] [*.domain.pro] acme: Waiting for DNS record propagation.
2020/08/12 11:40:08 [INFO] [*.domain.pro] acme: Waiting for DNS record propagation.
2020/08/12 11:41:08 [INFO] [*.domain.pro] acme: Waiting for DNS record propagation.
2020/08/12 11:42:08 [INFO] [*.domain.pro] acme: Waiting for DNS record propagation.
2020/08/12 11:43:08 [INFO] [*.domain.pro] acme: Waiting for DNS record propagation.
2020/08/12 11:44:08 [INFO] [*.domain.pro] acme: Waiting for DNS record propagation.
2020/08/12 11:45:08 [INFO] [*.domain.pro] acme: Cleaning DNS-01 challenge
2020/08/12 11:45:10 [INFO] retry due to: acme: error: 400 :: POST :: https://acme-v02.api.letsencrypt.org/acme/authz-v3/xxxx :: urn:ietf:params:acme:error:badNonce :: JWS has an invalid anti-replay nonce: "xxx", url:
2020/08/12 11:45:10 [INFO] Skipping deactivating of valid auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/xxx
2020/08/12 11:45:10 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/xxxx
2020/08/12 11:45:11 Could not obtain certificates:
error: one or more domains had a problem:
[*.domain.pro] time limit exceeded: last error: NS sdns2.ovh.net. returned REFUSED for _acme-challenge.domain.pro.
Certificate generation failed.

@smtalk @113345
 
The domain is working... I also have other domains and they are working (even on another server, not the same server) but I can't generate certificates (wildcards... normal ones for selected subdomains etc. I can)... with letsencrypt 1.1.x I was able to generate certificates every time... I don't get it, what changed? My DNS has been the same for a few years...
@Peter Laws @113345
 
The only major thing that changed is the external DNS services to generate the TXT record for wildcard certs....... This shouldn't matter, you need to use the RC of DA for this to work.....

I'm guessing your domain DNS is on the server so it should work, unless the script isn't generating the TXT record locally.
 
Ok, I repaired one of the DNSes... maybe OVH changed something, or letsencrypt.. I don't know... but suddenly I had to add a secondary DNS in the OVH panel - I never did that before and it was working until 1 month ago :D
I also added these lines to /etc/named.conf
Code:
allow-transfer { 213.251.188.141;}; // ip sdns2.ovh.net
notify yes;

And now my server's subdomain for directadmin doesn't work... lol - is it possible it's because of that allow-transfer above?? I don't understand it...
I also did it on another server, but there the server's subdomain is working fine... O_O
@113345 @Peter Laws


EDIT: I repaired the Directadmin hostname... I don't know why, but in /var/named/subdomain.db the A records had domain.com instead of the IP ...
 
my /etc/bind/named.conf.options is:
Code:
options {
        directory "/var/cache/bind";
        auth-nxdomain no;    # conform to RFC1
        listen-on { 127.0.0.1; ipv4; ipv4; };
        listen-on-v6 { any; };
        allow-query     { any; };
        allow-recursion { 127.0.0.1; localnets; };
        allow-transfer { none; };
};
That said, I use my own nameservers (hence 2 ipv4's in listen-on to listen on just those). 🤷‍♂️
 
I'm one of the lucky few for whom v2.0 also brings nothing but trouble haha. Is there a way to get the TXT record that is used for validating? Pre-v2 I got this TXT record, I put it in my DNS provider and everything worked after 5 mins. Now I'm missing the TXT record and obviously it fails checking it... Using the API from TransIP (my DNS provider) is something I need to look into. But it feels like so much work after updating to letsencrypt v2. Maybe it is possible to downgrade the letsencrypt version?
 
Ok, I've noticed the TXT was automatically put into the local DNS in directadmin. So I copied that TXT record to my DNS provider (twice, one after the other, once for *.domain.com and once for domain.com) and it worked. But now, all my subdomains still give errors.

What command should I use on my server to have all my domains set up correctly? (I have 500+ subdomains so don't want to do it manually haha).

Some info:
My hostname (when logged in as admin - administration settings) is server.domain.com (where domain is my actual domain).
I've tried
Code:
./letsencrypt.sh request domain.com,*.domain.com
but that's what I've described above. Now all my subdomains show an error when visiting the https version, saying
NGINX:
NET::ERR_CERT_COMMON_NAME_INVALID

Subject: server.domain.com

Issuer: R3

Expires on: 22 jun. 2021

Current date: 24 mrt. 2021

And both Let's Encrypt and Google log -> verified

I've tried
Code:
./letsencrypt.sh request "server.domain.com,*.domain.com"
but that gives an error:
Code:
Setting up certificate for a hostname: server.domain.com
Found wildcard domain name and http challenge type, switching to dns-01 validation.
2021/03/26 10:47:22 [INFO] [server.domain.com, *.domain.com] acme: Obtaining SAN certificate
2021/03/26 10:47:22 Could not obtain certificates:
    acme: error: 400 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:acme:error:malformed :: Error creating new order :: Domain name "server.domain.com" is redundant with a wildcard domain in the same request. Remove one or the other from the certificate request., url:
Certificate generation failed.
 