Cannot add letsencrypt certificate for ftp, pop and smtp

arjena (Verified User, joined May 26, 2013, 54 messages)
I am starting to move stuff over from one server to another. On both servers I'm running DA. As a test I moved the two least important domains from one server to the other. I only moved the contents for one of the domains; for the other I only moved the domain name and set up everything from scratch. On both domains I set up SSL with Let's Encrypt without any problems.
A couple of weeks ago I added two new domains to my new server. Today I tried to add ssl to these domains (DNS is well resolved by now). Just out of curiosity I first tried to use a wildcard, this resulted in the error: DNS challenge test fail for _acme-challenge-test.xxxxxx.nl IN TXT "pre-check", retrying...
Since I really don't have any subdomains yet I just used the top-domain plus the pre-defined set of subdomains, mail, pop, ftp, smtp, www. However, only the top domain, www and mail will get through the check. When I try to add ftp in the set I get: Error: http://ftp.xxxxx.nl/.well-known/acme-challenge/letsencrypt_1589927937 is not reachable. Not really a surprise, since for all I know ftp.domain.nl is not reachable via http... I get the same error for pop and smtp.
What can be going wrong? I did this before but never encountered this problem (I still have 9 domains waiting to be moved on my old server, all have SSL on all subdomains, including pop and ftp). DNS settings on the newly added domains are identical to the two older domains that don't have problems with ftp or smtp subdomains.
PS: I just tried the wildcard option on one of the older domains and there were no errors... It feels like a permissions problem, but I don't know where to start looking.
 
Thanks Brent,

Did that some time ago. But I guess that if that was the cause of my problems, the other domains would not work either.
Attached are screenshots of the DNS settings from two of my domains. Kade85.nl works just fine, anjabrakenhoff.nl refuses the wildcard option and only lets me add a certificate for the top-domain, www and mail.
In the kade85.nl (one of the domains where the wildcard letsencrypt works fine) list I noticed something odd. There is an entry for "_acme-challenge-test" (I guess I can remove that since it is only used during the certificate process). In the anjabrakenhoff.nl DNS this entry is not there, but is added while the certificate process is busy. After the process has failed the entry is gone again.
I tried manually adding this entry and then ran the wildcard process, but still no dice. After the process failed the manually added entry was gone.
[Attachments: Screenshot 2020-05-20 at 09.56.40.png, Screenshot 2020-05-20 at 09.55.00.png, Screenshot 2020-05-20 at 09.40.12.png]
 
I found the cause of your problem of not being able to create wildcard DNS (and maybe other SSL issues).

You forgot to point anjabrakenhoff.nl to the correct nameservers ns1 and ns2.wutz.nl with the registrar, or something went wrong there.

Code:
dig -t NS anjabrakenhoff.nl
anjabrakenhoff.nl.      3599    IN      NS      ns3.openprovider.eu.
anjabrakenhoff.nl.      3599    IN      NS      ns1.openprovider.nl.
anjabrakenhoff.nl.      3599    IN      NS      ns2.openprovider.be.

When I do the same for kade85.nl they point to ns1 and ns2.wutz.nl, which seems more correct to me if they are on the same server.

Unless you do want to use external DNS, but then indeed a wildcard will not work. And the A records on the external DNS should be correct too, which is not the case: for example ftp.anjabrakenhoff.nl doesn't point to any IP.

So to me it seems the solution is to adjust the nameservers for anjabrakenhoff.nl at your registrar.
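To see both failure modes from this thread side by side, here is an added pre-flight check (my own example, not DirectAdmin or Let's Encrypt code) that parses dig-style answer lines and reports whether a domain's published NS set matches the DA server's nameservers and whether every host in the default certificate set has an A record. The record data below is constructed to mirror the thread; the 203.0.113.10 address is a placeholder.

```python
"""Offline pre-flight check for the two Let's Encrypt failures in this thread:
DNS-01 (wildcard) needs the registrar to delegate to the DA nameservers,
HTTP-01 needs an A record for every host in the certificate set."""
import re

# Constructed sample dig output modelled on the thread (not real records).
DIG_OUTPUT = """
anjabrakenhoff.nl.      3599    IN      NS      ns3.openprovider.eu.
anjabrakenhoff.nl.      3599    IN      NS      ns1.openprovider.nl.
anjabrakenhoff.nl.      3599    IN      NS      ns2.openprovider.be.
anjabrakenhoff.nl.      3600    IN      A       203.0.113.10
www.anjabrakenhoff.nl.  3600    IN      A       203.0.113.10
mail.anjabrakenhoff.nl. 3600    IN      A       203.0.113.10
"""
EXPECTED_NS = {"ns1.wutz.nl", "ns2.wutz.nl"}          # nameservers named in the thread
CERT_HOSTS = ["", "www", "mail", "ftp", "pop", "smtp"]  # DA's pre-defined host set

LINE_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+(\S+)\s+(\S+)$")

def parse_dig(text):
    """Return [(owner, rtype, rdata)], lowercased, trailing dots stripped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            owner, rtype, rdata = m.groups()
            records.append((owner.rstrip(".").lower(), rtype.upper(),
                            rdata.rstrip(".").lower()))
    return records

def delegated_to(records, domain, expected_ns):
    """True when the public NS set equals the expected servers. Otherwise the
    _acme-challenge TXT record DA writes is never visible to Let's Encrypt."""
    ns = {rdata for owner, rtype, rdata in records
          if owner == domain and rtype == "NS"}
    return ns == {n.lower() for n in expected_ns}

def hosts_without_a(records, domain, hosts):
    """Hosts in the certificate set with no A record; HTTP-01 cannot reach
    http://<host>/.well-known/acme-challenge/ for these."""
    have_a = {owner for owner, rtype, _ in records if rtype == "A"}
    fqdns = [domain if h == "" else f"{h}.{domain}" for h in hosts]
    return [f for f in fqdns if f not in have_a]

if __name__ == "__main__":
    recs = parse_dig(DIG_OUTPUT)
    print("delegation ok:", delegated_to(recs, "anjabrakenhoff.nl", EXPECTED_NS))
    print("missing A:", hosts_without_a(recs, "anjabrakenhoff.nl", CERT_HOSTS))
```

Feed it the real output of `dig -t NS` and `dig -t A` for each host before requesting the certificate; an empty missing list plus a matching delegation is what a clean run needs.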
 
That's weird, the domain names are all registered with the same registrar, who is also the provider for my VPS. I'll contact them and see what they can do. All settings in DirectAdmin point to ns1 and ns2.wutz.nl. Nothing I can do myself, I guess...
Thanks for finding this for me,

Thanks,

Arjen
 
I've had that once with a registrar of mine too; for some reason their DNS server didn't respond, so they kicked it and then all went well.
Your settings in DA look fine, but if your registrar does not point to your dns server, nothing you can do indeed, except contacting them.

You're welcome!

Richard
 