Trouble with Letsencrypt

Mattie

So: I really like the new letsencrypt feature but I'm having trouble setting it up correctly.

I have a server with hostname "vps.hostname.nl"
I have a domain "(www.)hostname.nl"
I have dns entries like "mail.hostname.nl", "smtp.hostname.nl"

I've generated a SSL cert through DA for "(www.)hostname.nl" and this works great, however I'm having trouble getting the correct certificate for my email server.

So far I did:

Code:
root@vps:/usr/local/directadmin/scripts# ./letsencrypt.sh request mail.hostname.nl 4096 "" /var/www/html
Domain does not exist on the system. Unable to find mail.hostname.nl in /etc/virtual/domainowners. Exiting...

Editing the hostname.nl.san_config file
Code:
[ SAN ]
subjectAltName=DNS:hostname.nl, DNS:www.hostname.nl, DNS:mail.hostname.nl, DNS:vps.hostname.nl, DNS:ftp.hostname.nl

But this resulted in:
Code:
root@vps:/usr/local/directadmin/scripts# ./letsencrypt.sh renew hostname.nl 4096
Getting challenge for hostname.nl from acme-server...
Waiting for domain verification...
Challenge is valid.
Getting challenge for www.hostname.nl from acme-server...
Waiting for domain verification...
Challenge is valid.
Getting challenge for mail.hostname.nl from acme-server...
Waiting for domain verification...
Challenge is invalid. Details: Invalid response from http://mail.hostname.nl/.well-known/acme-challenge/G1ehsT-6M9[..]T5Q [ip.ip.ip.ip]: 404. Exiting...

I've also tried:
Code:
root@vps:/usr/local/directadmin/scripts# ./letsencrypt.sh request vps.hostname.nl 4096
Setting up certificate for a hostname: vps.hostname.nl
Generating 4096 bit RSA key for let's encrypt account...
openssl genrsa 4096 > "/usr/local/directadmin/conf/letsencrypt.key"
Generating RSA private key, 4096 bit long modulus
...
Account has been registered.
Getting challenge for vps.hostname.nl from acme-server...
Waiting for domain verification...
Challenge is valid.
Getting challenge for www.vps.hostname.nl from acme-server...
Waiting for domain verification...
Challenge is valid.
Getting challenge for mail.vps.hostname.nl from acme-server...
Waiting for domain verification...
Challenge is valid.
Getting challenge for ftp.vps.hostname.nl from acme-server...
Waiting for domain verification...
Challenge is valid.
Getting challenge for pop.vps.hostname.nl from acme-server...
Waiting for domain verification...
Challenge is valid.
Getting challenge for smtp.vps.hostname.nl from acme-server...
Waiting for domain verification...
Challenge is valid.
Generating 4096 bit RSA key for vps.hostname.nl...
openssl genrsa 4096 > "/usr/local/directadmin/conf/cakey.pem.new"
Generating RSA private key, 4096 bit long modulus
..
DirectAdmin certificate has been setup.
Setting up cert for Exim...
Setting up cert for WWW server...
Setting up cert for FTP server...
The services will be retarted in about 1 minute via the dataskq.
Certificate for vps.hostname.nl has been created successfully!

But this creates certificates for "mail.vps.hostname.nl" and I don't use it with "vps" in the hostname

What am I missing here? I can of course create a certificate manually with the script from letsencrypt but it would be great if the autorenew works!

edit:
directadmin.conf has set:
servername=vps.hostname.nl
letsencrypt=2 (did also try with 1)
force_hostname=hostname.nl

edit2:
Updated my 'old' certificate (also free startssl) so I have a year to figure this out.
I understand that for example the mail server uses the "server certificate", what I don't understand is how to request that. My website is happy running letsencrypt but I cannot try anything right now, guess I did too many requests to letsencrypt for now :p
 
I ran into similar issues trying to get a LE cert for mydomain.com mail.mydomain.com www.mydomain.com etc

The problem is DirectAdmin does not set up mail.mydomain.com as a vhost alias in the user's httpd.conf, so the LE server cannot authenticate ownership by checking the url mail.mydomain.com/.well-known/acme-challenge/<challengekey>

So I believe a temporary fix would be to add mail.mydomain.com to the <VirtualHost> section of /usr/local/directadmin/data/users/myuser/httpd.conf

However, this file gets over-written by DA so the other way is to create a sub-domain called mail inside DA. It is a bit of a pain so I feel DA should automatically add the standard subs like mail smtp pop to httpd.conf if LE is enabled.
 
Hello,

With letsencrypt=1 that should not be an issue as alias is used /var/www/html/.well-known/acme-challenge/, and with this any domain can be validated with and/or without corresponding virtual host in apache/nginx.

Related: http://forum.directadmin.com/showthread.php?t=52723&page=3&p=270613#post270613

After experimenting with the LE client a bit more, I also realized this approach made more sense and switched to using webroot. So will definitely recommend anybody trying it out to do so.

As the documentation from LE is a bit vague and made me wary about using webroot at first, note that using the --webroot option with the LE client only creates and clears the temp challenge files, it doesn't try to change any httpd config.
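A pre-flight check for the webroot approach described in the two posts above, added here as an example (it is not DirectAdmin's letsencrypt.sh and not code from any poster): for each name it drops a token into the webroot's .well-known/acme-challenge/ directory and fetches it over plain HTTP the way the ACME server would, so a name that is not actually served from that webroot shows up as the same 404 seen in the first post before any Let's Encrypt request is spent. The webroot path, the hostnames and the injectable fetch function are assumptions.

```python
import secrets
import sys
import urllib.error
import urllib.request
from pathlib import Path


def default_fetch(url):
    """Plain HTTP GET; returns (status, body). status 0 means no connection at all."""
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:          # server answered, but not 200
        return err.code, ""
    except (urllib.error.URLError, OSError) as err:  # DNS failure, refused, timeout
        return 0, str(err)


def preflight(names, webroot, fetch=default_fetch):
    """Simulate the HTTP-01 check for every name against one shared webroot.

    Returns {name: "ok" | reason}. The token file is removed again afterwards.
    """
    challenge_dir = Path(webroot) / ".well-known" / "acme-challenge"
    challenge_dir.mkdir(parents=True, exist_ok=True)
    results = {}
    for name in names:
        token = secrets.token_urlsafe(32)       # random, like a real challenge token
        token_file = challenge_dir / token
        token_file.write_text(token)
        try:
            status, body = fetch(f"http://{name}/.well-known/acme-challenge/{token}")
        finally:
            token_file.unlink(missing_ok=True)
        if status == 0:
            results[name] = f"connection failed: {body}"
        elif status != 200:
            results[name] = f"HTTP {status}: name is not served from {webroot}"
        elif body.strip() != token:
            results[name] = "wrong content: another vhost or page answered"
        else:
            results[name] = "ok"
    return results


if __name__ == "__main__":
    # usage: python3 preflight.py /var/www/html hostname.nl www.hostname.nl mail.hostname.nl
    for host, verdict in preflight(sys.argv[2:], sys.argv[1]).items():
        print(f"{host}: {verdict}")
```

The request is made from the server itself, so a name whose public DNS differs from what the server resolves locally can still pass here and fail at Let's Encrypt.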
 
Hi,

With some similar approach I'm playing around with LE too. Just found out DA is supporting this, although it is still in beta. When I create a certificate for www.example.com everything registers well, ending up with a working certificate. However, I have several users (including myself) who want to use more subdomains in the certificate. I created those subdomains in DA, so they actually exist. In DA I start creating the LE certificate by filling in the form and I enter the following for common name:

www.mydomain.com, sub01.mydomain.com, sub02.mydomain.com

This seemed to work, although I did not really expect it :) However, during the last steps all went wrong, see below. When I look in /usr/local/directadmin/data/users/myuser/domains/ I do see a mydomain.com.key.new and a valid mydomain.com.san_config file. Anyone got a clue what could be the problem?
I recently updated my whole server using CB2, so all modules are up to date.

Some directadmin.conf settings:
letsencrypt=1
enable_ssl_sni=1

No. of IP's on the server: 1


Cannot perform request

Details

Getting challenge for mydomain.com from acme-server...
Waiting for domain verification...
Challenge is valid.
Getting challenge for sub01.mydomain.com from acme-server...
Waiting for domain verification...
Challenge is valid.
Getting challenge for sub02.mydomain.com from acme-server...
Waiting for domain verification...
Challenge is valid.
Getting challenge for www.mydomain.com from acme-server...
Waiting for domain verification...
Challenge is valid.
Getting challenge for sub01.mydomain.com from acme-server...
Waiting for domain verification...
Challenge is valid.
Getting challenge for sub02.mydomain.com from acme-server...
Waiting for domain verification...
Challenge is valid.
Generating 4096 bit RSA key for mydomain.com...
openssl genrsa 4096 > "/usr/local/directadmin/data/users/myuser/domains/mydomain.com.key.new"
Generating RSA private key, 4096 bit long modulus
.............................++
....++
e is 65537 (0x10001)
Error Loading request extension section SAN
139977885054792:error:2207507C:X509 V3 routines:v2i_GENERAL_NAME_ex:missing value:v3_alt.c:537:
139977885054792:error:22098080:X509 V3 routines:X509V3_EXT_nconf:error in extension:v3_conf.c:93:name=subjectAltName, value=DNS:mydomain.com, sub01.mydomain.com, sub02.mydomain.com, DNS:www.mydomain.com, sub01.mydomain.com, sub02.mydomain.com
/usr/local/directadmin/data/users/myuser/domains/mydomain.com.csr: No such file or directory
139977472169800:error:02001002:system library:fopen:No such file or directory:bss_file.c:398:fopen('/usr/local/directadmin/data/users/myuser/domains/mydomain.com.csr','r')
139977472169800:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:400:
Size of certificate response is smaller than 500 characters, it means something went wrong. Printing response...
"detail":"Error unmarshaling certificate request"

Regards,
Danny
 
Please check the /usr/local/directadmin/data/users/myuser/domains/mydomain.com.san_config file. It's likely that it's missing or has an incorrect [SAN] configuration. As far as I see, you have sub01.mydomain.com, sub02.mydomain.com added incorrectly. They must have DNS: in front of their names, like DNS:sub01.mydomain.com, DNS:sub02.mydomain.com.
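A small checker for the san_config subjectAltName line discussed in this reply, added here as an example (not DirectAdmin code and not from any poster): it pulls the line out of the [ SAN ] section, flags every entry without the DNS: prefix (the bare names that make openssl fail with "v2i_GENERAL_NAME_ex:missing value" in the output above) and can rebuild the line with the prefix on every name. The hostname regex and the function names are assumptions.

```python
import re

# Hostname with at least one label and an alphabetic TLD; labels of 1-63 chars.
HOSTNAME_RE = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)


def parse_san_line(text):
    """Return the value of subjectAltName= inside the [ SAN ] section, or None."""
    in_san = False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("["):                      # section header like "[ SAN ]"
            in_san = stripped.strip("[] ").lower() == "san"
            continue
        if in_san and stripped.startswith("subjectAltName"):
            return stripped.split("=", 1)[1].strip()
    return None


def check_san(value):
    """Split the comma-separated value; returns (valid_names, {bad_entry: reason})."""
    ok, problems = [], {}
    for entry in (e.strip() for e in value.split(",")):
        if not entry:
            problems[entry] = "empty entry (stray comma)"
        elif ":" not in entry:
            problems[entry] = "missing DNS: prefix"     # openssl: 'missing value'
        elif not entry.startswith("DNS:"):
            problems[entry] = "not a DNS: entry"
        elif not HOSTNAME_RE.match(entry[4:]):
            problems[entry] = "not a valid hostname"
        else:
            ok.append(entry[4:])
    return ok, problems


def fix_san(value):
    """Rebuild the line with DNS: in front of every name; duplicates are dropped."""
    names = []
    for entry in (e.strip() for e in value.split(",")):
        name = entry.split(":", 1)[1] if ":" in entry else entry
        if name and name not in names:
            names.append(name)
    return "subjectAltName=" + ", ".join("DNS:" + n for n in names)


if __name__ == "__main__":
    # usage: python3 sancheck.py /usr/local/directadmin/data/users/myuser/domains/mydomain.com.san_config
    import sys
    line = parse_san_line(open(sys.argv[1]).read())
    print(check_san(line), "\n", fix_san(line))
```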
 
I must agree, I also think it goes wrong there:

[ SAN ]
subjectAltName=DNS:mydomain.com, sub01.mydomain.com, sub02.mydomain.com, DNS:www.mydomain.com, sub01.mydomain.com, sub02.mydomain.com


But that creates the next question: how to request a certificate from within DA using multiple subdomains? If I enter: DNS:www.mydomain.com, DNS:sub01.mydomain.com, DNS:sub02.mydomain.com I get an error:
Cannot Execute Your Request

Details

Name must only contain letters, spaces and/or periods



However, when I enter: www.mydomain.com sub01.mydomain.com sub02.mydomain.com

The response is:
Cannot Execute Your Request

Details

Getting challenge for dlights.nl from acme-server...
Waiting for domain verification...
Challenge is invalid. Details: DNS problem: query timed out looking up A for mydomain.com. Exiting...


Any ideas on this?
 
It must have DNS: in front of the domain in subjectAltName line, domains should be comma separated.
 
Hi Martynas,

I understand DNS: has to be in front and the comma separated part. However, this is in the .san_config file.

What I would like to know is how to do this in the DA webinterface. None of my customers are allowed to use shell, let alone they would get the rights to enter /usr/local/directadmin/data/users/myuser/domains/. So every user who wants to include several subdomains in one certificate will have bad luck? Luckily for me there aren't many customers who want this, but there are a few...

So what I have tried are the following examples:

www.mydomain.com sub01.mydomain.com sub02.mydomain.com
www.mydomain.com, sub01.mydomain.com, sub02.mydomain.com
DNS:www.mydomain.com, DNS:sub01.mydomain.com, DNS:sub02.mydomain.com

To avoid mistakes: I enter it here:

[image: letsencrypt_requestform.jpg]
 
Do not enter it as a common name, it's not supported. You should just edit the san_config file, that's it :)
 
Right, I was afraid you would say that... :cool:
Any ideas if that will become possible in the future?


But please help me out with the next step.. I can manually create such a san_config file when needed, so that won't be a problem. I searched around and found a variety of solutions. I followed the steps below and it seems to work:

I do the following:
Code:
root@server:~# cd /usr/local/directadmin/data/users/myuser/domains/
root@server:~# vim mydomain.com.san_config

Create/update the following san_config:
Code:
[ req ]
default_bits            = 4096
default_keyfile         = keyfile.pem
distinguished_name      = req_distinguished_name
attributes              = req_attributes
prompt                  = no
output_password         = bogus

[ req_distinguished_name ]
C                       = NL
ST                      = ST
L                       = L
O                       = O
OU                      = OU
CN                      = mydomain.com
emailAddress            = [email protected]

[ req_attributes ]
[ SAN ]
subjectAltName=DNS:mydomain.com, DNS:www.mydomain.com, DNS:sub01.mydomain.com, DNS:sub02.mydomain.com

Followed by:
Code:
root@server:~# /usr/local/directadmin/scripts/letsencrypt.sh request mydomain.com 4096 "" /var/www/html/

After waiting a few moments I finally get a confirmation the certificate has been created successfully and in DA I activate the already pasted key and enable SSL. After a minute or so my browser confirms a valid certificate exists.
I would say this is it and DA will reactivate this certificate every 85 days, am I right?

It's hard to find a decent manual for this... :p
 
Yes, DA will use your san_config file for the renewal :)
 
I just started working on this again after the letsencrypt auto-renew overwrote my working certificate :p

Again I'm stuck

I can either get
mail.vps.domain.nl
OR
(www).domain.nl

but not
mail.domain.nl

I've used the same commands as in my first post (and sorry for the late reply btw) but so far still no luck. Tried with letsencrypt=1 and =2, I even created a DA subdomain for mail.domain.nl but nothing.

Any suggestions on how to debug this? If only to see what it is doing in what directory.
 
I seem to be getting close, it tells me the challenge is valid now for mail.domain.nl but it does not yet update the exim certificate file. Yes I can do that by hand ofc but it should do it automatically.
 