Certificate renewal fails if hostname matches domainname?

tveenker (Verified User, joined Mar 5, 2023, 21 messages)
Hi all,

I have a server on which I'm hosting some domains; initially one domain and later added more. I'm using Let's Encrypt for the SSL certificates.

Let's say the domains are domain1.com (this is also the server's hostname) and domain2.com etc.

Everything is working fine and for all domains I get my desired multi-domain certificate:
domain1.com, domain1.org, mail.domain1.com, www.domain1.com
and domain2.com, mail.domain2.com, www.domain2.com

The certificate renewal for domain2 works without a problem. But for domain1 it works partly. I understand it's probably related to the fact that the server's hostname matches domain1. I don't know why that is a problem but apparently it is?

When DA has run the certificate renewal for domain1 the certificate files (domain1.key, domain1.crt) in /usr/local/directadmin/data/.lego/certificates have turned into single domain certificates:
openssl x509 -in /usr/local/directadmin/data/.lego/certificates/domain1.com.crt -text | grep DNS
yields:
DNS:domain1.com
instead of the desired:
DNS:domain1.com, DNS:domain1.org, DNS:mail.domain1.com, DNS:www.domain1.com

It does update the related files in /usr/local/directadmin/conf/*, /etc/httpd/conf/ssl.*/* and /etc/exim.*, but obviously with the (unintended) single domain cert data. It does NOT update the files in /usr/local/directadmin/data/users/domain1/domains/.

When it failed a few months ago I did the following to get going again:
In DA "SSL Certificates": "Get automatic certificate from ACME Provider" (took several minutes).
Then manually:
cp -a /usr/local/directadmin/conf/cakey.pem /usr/local/directadmin/data/users/domain1/domains/domain1.com.key
cp -a /usr/local/directadmin/conf/cacert.pem /usr/local/directadmin/data/users/domain1/domains/domain1.com.cert
cp -a /usr/local/directadmin/conf/carootcert.pem /usr/local/directadmin/data/users/domain1/domains/domain1.com.cacert
cp -a /usr/local/directadmin/conf/cacert.pem.combined /usr/local/directadmin/data/users/domain1/domains/domain1.com.cert.combined
Then restarted the server.

That worked in the end. But it is no proper solution of course. Now a few months later I'm back in the same situation.

So I think the real question is: How do I make the LE (multi-domain) certificate renewal work in the situation where the hostname matches the domain name?

Thanks,
Theo
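The check described above (reading the SAN list out of the lego certificate with openssl and comparing it with what was requested) can be scripted so the renewal failure is caught right after DA runs, instead of months later. This is an added example, not code from the original post or from DirectAdmin/lego. The paths under /usr/local/directadmin are the ones named in the thread; the two certificates the script generates are self-signed stand-ins constructed for the demo, and it assumes an openssl that supports `req -addext` (1.1.1 or newer).

```shell
#!/bin/sh
# Added example: verify that a renewed certificate still carries every SAN
# that was requested, and that the lego copy and the per-user copy agree.
# Self-signed certificates are generated below as constructed demo input.

# Print the DNS SANs of a certificate, one per line, sorted (C locale so the
# order is stable regardless of the caller's LC_* settings).
cert_sans() {
    openssl x509 -in "$1" -noout -text \
      | grep -A1 'Subject Alternative Name' \
      | tr ',' '\n' \
      | sed -n 's/^[[:space:]]*DNS:\(.*\)$/\1/p' \
      | LC_ALL=C sort
}

# Return 0 if certificate $1 contains every name in the space-separated list
# $2, otherwise print the missing names to stderr and return 1.
check_sans() {
    cert="$1"; expected="$2"; rc=0
    have=$(cert_sans "$cert")
    for name in $expected; do
        if ! printf '%s\n' "$have" | grep -qx "$name"; then
            echo "MISSING in $cert: $name" >&2
            rc=1
        fi
    done
    return $rc
}

# Return 0 if two certificates carry the same SAN set. Use it on
# /usr/local/directadmin/data/.lego/certificates/<domain>.crt and
# /usr/local/directadmin/data/users/<user>/domains/<domain>.cert to spot the
# mismatch the post describes (lego renewed, user copy left stale).
compare_certs() {
    [ "$(cert_sans "$1")" = "$(cert_sans "$2")" ]
}

# --- constructed demo input: self-signed certs, no CA or ACME involved ---
WORK=$(mktemp -d)
mkcert() {  # $1 = file prefix, $2 = SAN list in "DNS:a,DNS:b" form
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=domain1.com" \
        -addext "subjectAltName=$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}
mkcert multi  "DNS:domain1.com,DNS:domain1.org,DNS:mail.domain1.com,DNS:www.domain1.com"
mkcert single "DNS:domain1.com"   # what the failed renewal produced

WANT="domain1.com domain1.org mail.domain1.com www.domain1.com"
check_sans "$WORK/multi.crt"  "$WANT" && echo "multi.crt: all SANs present"
check_sans "$WORK/single.crt" "$WANT" || echo "single.crt: renewal produced a single-domain cert"
compare_certs "$WORK/multi.crt" "$WORK/single.crt" || echo "lego copy and user copy differ"
```

Run it from cron after the DA renewal task; a non-zero exit from `check_sans` on the lego certificate is the signal that the renewal silently dropped names, and `compare_certs` catches the case where the user-level files were not updated at all.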
 
Let's say the domains are domain1.com (this is also the server's hostname) and domain2.com etc.
Never ever use a domain name as hostname. The hostname should be an FQDN hostname, which means "something.domain.com", and if possible try to avoid using things like mail.domain.com as hostname, as these records also exist in the domain name and could cause issues.

It's just not correct to use a non-FQDN hostname. Obey the RFCs and you won't have this issue.
 
Thank you. I was afraid of this answer. Many years ago when I got the VPS my provider said it didn't matter whether I would name it something.domain.com or just domain.com. In my ignorance I chose wrongly.

I'll try to change the hostname and whatever's related and then see if I can get the proper certificates again.

Thanks,
Theo
 
Many years ago when I got the VPS my provider said it didn't matter whether I would name it something.domain.com or just domain.com.
This is true for personal usage, but it must use the same certificate files; do not duplicate the request.

On a DirectAdmin box, you have the web server and the DirectAdmin service, and these services have separate certificate files.

No matter which port you are on, the certificate will only use the "domain name", so this could cause a problem in the certificate validation process.
 
Never ever use a domain name as hostname. The hostname should be an FQDN hostname, which means "something.domain.com", and if possible try to avoid using things like mail.domain.com as hostname, as these records also exist in the domain name and could cause issues.

It's just not correct to use a non-FQDN hostname. Obey the RFCs and you won't have this issue.
I have changed the hostname to an FQDN and updated the DNS settings. I can log in to the server using the new name, so that seems to work.

I updated the hostname in DA Admin Level > Administrator Settings > Server's Hostname.
Now I checked /usr/local/directadmin/conf/directadmin.conf to be sure. I see servername is updated correctly, but force_hostname and ssl_redirect_host still refer to the old name. Should I just manually change these to the FQDN hostname?
 
but force_hostname and ssl_redirect_host still refer to the old name.
If you want customers to only use the hostname to login and not their own domain name, then you can change the force_hostname setting manually in directadmin.conf if you want. Don't forget to restart DA.

However, the ssl_redirect_host is not used anymore so you can just remove that line.

Just to be sure, you can use a separate hostname entry and certificate. I've created a manual on how to create and/or change the hostname.
Sometimes /etc/virtual and /etc/hostname are not updated (or not correctly), so it might be good to double-check just to be sure everything is fine now.
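The advice in the replies above (hostname must be a real FQDN that is not one of the hosted domains, and the leftover force_hostname / ssl_redirect_host entries in directadmin.conf must not still point at the old name) can be turned into a small sanity check. This is an added example, not code from the thread or from DirectAdmin. The list of hosted domains, the candidate hostnames and the directadmin.conf fragment are constructed for the demo; the setting names servername, force_hostname and ssl_redirect_host are the ones mentioned in the thread.

```shell
#!/bin/sh
# Added example: sanity-check a server hostname against the hosted domains,
# and check that directadmin.conf has no stale hostname settings left behind.

# Return 0 if hostname $1 is acceptable given the space-separated hosted
# domains in $2; otherwise print the reason to stderr and return 1.
check_hostname() {
    host="$1"; domains="$2"
    case "$host" in
        *.*.*) ;;   # at least three labels: something.domain.tld
        *) echo "$host: not an FQDN hostname (need something.domain.tld)" >&2; return 1 ;;
    esac
    for d in $domains; do
        [ "$host" = "$d" ] && { echo "$host: equals hosted domain $d" >&2; return 1; }
        case "$host" in
            mail."$d"|www."$d")
                echo "$host: collides with the mail/www record of $d" >&2; return 1 ;;
        esac
    done
    return 0
}

# Return 0 if every hostname-bearing key in directadmin.conf ($1) that is
# present agrees with servername; otherwise report each stale key and return 1.
conf_hostname_consistent() {
    conf="$1"; rc=0
    server=$(sed -n 's/^servername=//p' "$conf")
    for key in force_hostname ssl_redirect_host; do
        val=$(sed -n "s/^$key=//p" "$conf")
        [ -z "$val" ] && continue
        if [ "$val" != "$server" ]; then
            echo "$key=$val differs from servername=$server" >&2
            rc=1
        fi
    done
    return $rc
}

# --- constructed demo input ---
DOMAINS="domain1.com domain1.org domain2.com"
CONF=$(mktemp)
cat > "$CONF" <<'EOF'
servername=srv.domain1.com
force_hostname=domain1.com
ssl_redirect_host=domain1.com
EOF

check_hostname domain1.com      "$DOMAINS" || echo "  -> rename the server"
check_hostname mail.domain1.com "$DOMAINS" || echo "  -> pick a name the domain does not already use"
check_hostname srv.domain1.com  "$DOMAINS" && echo "srv.domain1.com: OK"
conf_hostname_consistent "$CONF" || echo "  -> fix directadmin.conf and restart DA"
```

Run `check_hostname "$(hostname -f)" "<your domains>"` on the box itself and point `conf_hostname_consistent` at /usr/local/directadmin/conf/directadmin.conf after changing the hostname in the DA admin panel; a non-zero exit tells you which key was not rewritten by the panel.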
 
Thank you very much for the info. I did follow your howto as far as applicable. I managed to get a certificate for the hostname as well as certificates for the domains. I checked the cert files with openssl and all is well (single domain cert for the hostname, and multi-domain cert for the other domains). Everything (web-server and email) is still working. I hope it keeps working the coming days.
 