Thread: Error while renewing let's encrypt certificate

  1. #1
    Join Date
    Sep 2004
    Posts
    151

    Error while renewing let's encrypt certificate

    3 domains out of 12 running on 1 particular server are experiencing errors during certificate renewal.

    Code:
    /usr/local/directadmin/scripts/letsencrypt.sh request domain.tld
    Requesting new certificate order...
    Processing authorization for ftp.domain.tld...
    Challenge is valid.
    Processing authorization for mail.domain.tld...
    Challenge is valid.
    Processing authorization for pop.domain.tld...
    Challenge is valid.
    Processing authorization for smtp.domain.tld...
    Challenge is valid.
    Processing authorization for domain.tld...
    Waiting for domain verification...
    Trying again...
    1..2..3..4..5..
    Challenge status: invalid. Challenge error: "type": "http-01",  "status": "invalid",  "error": {    "type": "urn:ietf:params:acme:error:connection",    "detail": "Fetching https://domain.tld/.well-known/acme-challenge/8eztp5ZiPNMS3SVm9o9Sf1PmhDAxE1lhj65f4Ckk_c8: Timeout during connect (likely firewall problem)",    "status": 400  . Exiting...
    There is no firewall blocking access to ports 25, 80, 110, 143, 587 or 443. DNS points to this server. The acme challenge is written. nginx is running as reverse proxy. Removing nginx reverse proxy does not help. Unsetting the option "Force SSL with https redirect" in domain administration makes no difference either.

    Code:
    # pwd
    /var/www/html/.well-known/acme-challenge
    # ls -lsa
    total 4
    0 drwxr-xr-x. 2 webapps webapps 57 May  7 13:03 .
    0 drwxr-xr-x. 3 webapps webapps 45 Dec 17 12:38 ..
    4 -rw-r--r--  1 webapps webapps 88 May  7 13:03 jAa7s7ihe4lYQVY5xvAoiLowN8nTNkDPzI_3mo-pCQs
    [root@packparcel acme-challenge]# cat jAa7s7ihe4lYQVY5xvAoiLowN8nTNkDPzI_3mo-pCQs
    jAa7s7ihe4lYQVY5xvAoiLowN8nTNkDPzI_3mo-pCQs.MwDgf5ju8-epkPrRfghpxVRxO_Z00uOCIY_2txtExR0
    The request shows up as 301 in the log file:
    Code:
    domains/domain.tld.log:66.133.109.36 - - [07/May/2019:13:03:34 +0200] "GET /.well-known/acme-challenge/jAa7s7ihe4lYQVY5xvAoiLowN8nTNkDPzI_3mo-pCQs HTTP/1.1" 301 584 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
    domains/domain.tld.log:66.133.109.36 - - [07/May/2019:13:03:55 +0200] "GET /.well-known/acme-challenge/jAa7s7ihe4lYQVY5xvAoiLowN8nTNkDPzI_3mo-pCQs HTTP/1.1" 301 584 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
    Note: obviously domain.tld isn't the actual domain.
    Code:
    --------------------------------------------------------------------------
               I am dyslexic of Brog. You will be ass laminated.
    --------------------------------------------------------------------------

  2. #2
    Join Date
    Apr 2005
    Location
    GMT +7.00
    Posts
    13,069
    Hello,

    Can it be so that you use custom rewrite rules (to redirect requests) added into custom HTTPd.conf either for Apache or NGINX?
    Regards, Alex G.

    - You can hire me on www.poralix.com to work on your server
    - Follow and like @Poralix on Facebook

  3. #3
    Join Date
    Sep 2004
    Posts
    151
    This is not the case. No customization has been done to any config file.

  4. #4
    Join Date
    Apr 2005
    Location
    GMT +7.00
    Posts
    13,069
    Hiding domains is not helpful at all.

    If for any reason you can not publish your real domain names, you should better either search the forums for similar threads, or open a ticket with directadmin support.
    Regards, Alex G.


  5. #5
    Your apache logs show return code 301... that's a redirect, not what LetsEncrypt is expecting.

    Try debugging with this:
    https://help.directadmin.com/item.php?id=646

    Your site might have an .htaccess file that's stealing the /.well-known/acme-challenge path, and redirecting it somewhere.
    We're not able to see where without knowing the real domain name, but that might help you track it down.

    John
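As an added illustration of the advice in this reply and of the log lines quoted in the first post (this is example code written for this page, not DirectAdmin's letsencrypt.sh or anything the posters ran), the script below parses combined-format access log lines, picks out requests for /.well-known/acme-challenge/, and reports every one that was not answered with a 200 and the token body. It also checks that a key-authorization file on disk has the shape the first post shows: the file name is the token, and the content is token, a dot, and the account key thumbprint (43 base64url characters, the unpadded SHA-256 JWK thumbprint from RFC 8555). The sample log lines are constructed here, modelled on the ones in the thread; the token and thumbprint values are the ones the first post quotes and are only test data. Note that Let's Encrypt does follow redirects, but the error in the first post shows the redirect target (the https:// URL) timing out, so a 301 on the challenge path is still the first thing to find.

```python
import re
from typing import Dict, List

# Constructed sample lines modelled on the thread's quoted log entries.
# The first two are the 301 answers the poster saw; the third is an unrelated
# redirect; the fourth is what a healthy http-01 validation request looks like.
SAMPLE_LOG = """\
66.133.109.36 - - [07/May/2019:13:03:34 +0200] "GET /.well-known/acme-challenge/jAa7s7ihe4lYQVY5xvAoiLowN8nTNkDPzI_3mo-pCQs HTTP/1.1" 301 584 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
66.133.109.36 - - [07/May/2019:13:03:55 +0200] "GET /.well-known/acme-challenge/jAa7s7ihe4lYQVY5xvAoiLowN8nTNkDPzI_3mo-pCQs HTTP/1.1" 301 584 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
203.0.113.10 - - [07/May/2019:13:04:01 +0200] "GET /index.html HTTP/1.1" 301 584 "-" "Mozilla/5.0"
203.0.113.11 - - [07/May/2019:13:05:12 +0200] "GET /.well-known/acme-challenge/ok-token HTTP/1.1" 200 88 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
"""

# Apache/nginx "combined" log format (assumed; adjust if your LogFormat differs).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
CHALLENGE_PREFIX = "/.well-known/acme-challenge/"
# Unpadded base64url SHA-256 thumbprint: 43 characters.
THUMBPRINT_RE = re.compile(r"^[A-Za-z0-9_-]{43}$")


def parse_line(line: str) -> Dict[str, str]:
    """Return the named fields of one combined-format line, or {} if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else {}


def find_acme_problems(log_text: str) -> List[Dict[str, str]]:
    """List every acme-challenge request that was not answered with HTTP 200.

    Each entry carries the client IP, timestamp, token, status and user agent so
    an operator can see at a glance whether the CA's validator hit a redirect.
    """
    problems = []
    for line in log_text.splitlines():
        fields = parse_line(line)
        if not fields or not fields["path"].startswith(CHALLENGE_PREFIX):
            continue
        if fields["status"] != "200":
            problems.append({
                "ip": fields["ip"],
                "ts": fields["ts"],
                "token": fields["path"][len(CHALLENGE_PREFIX):],
                "status": fields["status"],
                "ua": fields["ua"],
            })
    return problems


def validate_key_authorization(filename: str, content: str) -> bool:
    """Check that a challenge file is named after its token and holds token.thumbprint."""
    token, sep, thumbprint = content.strip().partition(".")
    return sep == "." and token == filename and bool(THUMBPRINT_RE.match(thumbprint))


if __name__ == "__main__":
    for p in find_acme_problems(SAMPLE_LOG):
        print(f"{p['ts']} {p['ip']} token={p['token']} status={p['status']}")
    # Values quoted in the first post, used here purely as test data.
    ok = validate_key_authorization(
        "jAa7s7ihe4lYQVY5xvAoiLowN8nTNkDPzI_3mo-pCQs",
        "jAa7s7ihe4lYQVY5xvAoiLowN8nTNkDPzI_3mo-pCQs.MwDgf5ju8-epkPrRfghpxVRxO_Z00uOCIY_2txtExR0",
    )
    print("key authorization file well-formed:", ok)
```

Run it against the real access log with `find_acme_problems(open("/var/log/httpd/domains/domain.tld.log").read())` (path assumed; use whatever the server's log location is). Any entry with status 301 or 302 points at a redirect rule that fires before the challenge directory is served, which is where to look for the "Force SSL with https redirect" setting or an .htaccess rule.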

  6. #6
    Join Date
    Sep 2004
    Posts
    151
    Thanks for the reply.

    I did check for a redirect in an .htaccess. There wasn't one on any one of the sites. And unchecking "Force SSL with https redirect" also didn't have the desired effect. I will try the debugging tomorrow.

  7. #7
    Join Date
    Sep 2004
    Posts
    151
    It seems I didn't deactivate "Force SSL with https redirect" after all. The problem has been resolved now.
