DirectAdmin 1.50.1 Release Candidate

Hi,

I was also having problems renewing a certificate. But since new certificates were working, I've been looking at the differences.

In my case I had put the following code in the Custom HTTPD values, so that all requests to that domain get redirected to https
Code:
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

After removing this and running a manual renew from the command line it succeeded.

regards,
Stijn
 
As per my check in post #10:
https://forum.directadmin.com/showthread.php?t=53286&p=273464#post273464

If a location redirect is happening.... I'm thinking that challenge_check() function may not like it with this line of code:
Code:
    if ! ${CURL} -I -X GET http://${1}/.well-known/acme-challenge/letsencrypt_${TIMESTAMP} 2>/dev/null | grep -m1 -q 'HTTP.*200'; then
        echo 1
    else
        echo 0
    fi
where it's looking for the 200 return code... so try running that /usr/local/bin/curl call manually on the test.txt file to see what it does, eg:
Code:
/usr/local/bin/curl -I -X GET http://domain.com/.well-known/acme-challenge/test.txt
(after you've created that test.txt file)

Paste us the output from that call... specifically, all of the headers it generates. Need to know if
Code:
HTTP/1.1 200 OK
is showing up anywhere in the output. If not, the grep won't match, so it will "echo 1", thus throw the challenge error.

John
 
Hi John,

Created the test file in well-known.

Doing curl with http redirect on http://domain1.com I get a 302 Found header
Doing curl to https://domain1.com I get a certificate error
Doing curl -k to https://domain1.com I get the desired 200 header

I searched the mighty internet :-)
And found that adding the -L option to curl allows it to follow the redirect.
/usr/local/bin/curl -I -L -X GET http://domain.com/.well-known/acme-challenge/test.txt
shows the certificate error
/usr/local/bin/curl -I -L -k -X GET http://domain.com/.well-known/acme-challenge/test.txt
Ignores the certificate error and show a 200 header.

I guess the certificate error is something I will need to look for myself.
Although the system is up to date, and other certificates don't give an error, only the Let's Encrypt certificates.

regards,
Stijn

edit:
Did some more testing. Qualys grade on Let's Encrypt sites were capped to B because a certificate was missing in the chain.
I found that under /usr/local/directadmin/data/users/user/domains/domain.com there are 2 certificate files.
The domain.com.cert (which is used in the user httpd.conf)
And domain.com.cert.combined (which I didn't find in any config file).

I changed httpd.conf to use .cert.combined instead of .cert
Now my grade is A and curl works perfectly (after adding the -L switch).
 
As per my check in post #10:
https://forum.directadmin.com/showthread.php?t=53286&p=273464#post273464

If a location redirect is happening.... I'm thinking that challenge_check() function may not like it with this line of code:
Code:
    if ! ${CURL} -I -X GET http://${1}/.well-known/acme-challenge/letsencrypt_${TIMESTAMP} 2>/dev/null | grep -m1 -q 'HTTP.*200'; then
        echo 1
    else
        echo 0
    fi
where it's looking for the 200 return code... so try running that /usr/local/bin/curl call manually on the test.txt file to see what it does, eg:
Code:
/usr/local/bin/curl -I -X GET http://domain.com/.well-known/acme-challenge/test.txt
(after you've created that test.txt file)

Paste us the output from that call... specifically, all of the headers it generates. Need to know if
Code:
HTTP/1.1 200 OK
is showing up anywhere in the output. If not, the grep won't match, so it will "echo 1", thus throw the challenge error.

John

Hi John, see my post here: http://forum.directadmin.com/showthread.php?t=53286&p=273483#post273483
Over http:// the header is 301, because of the fact I redirect to https://. Manually changing the challenge url to https:// does give a 200.

So seems legit that is the problem here. Is that check new? It used to work before the update.
 
I can confirm adding the '-L' parameter to the curl test is working like Kiekeboe100 just mentioned above.

So, to sum it up:

Fails, just 301 header and stops
HTTP/1.1 301 Moved Permanently
Server: nginx
Date: Mon, 13 Jun 2016 19:03:45 GMT
Content-Type: text/html
Content-Length: 178
Connection: keep-alive
Location: https://my.domain/.well-known/acme-challenge/test.txt
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block

Works, header 200 after 301
HTTP/1.1 301 Moved Permanently
Server: nginx
Date: Mon, 13 Jun 2016 19:03:45 GMT
Content-Type: text/html
Content-Length: 178
Connection: keep-alive
Location: https://my.domain/.well-known/acme-challenge/test.txt
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 13 Jun 2016 19:03:46 GMT
Content-Type: text/plain
Content-Length: 5
Last-Modified: Sun, 12 Jun 2016 08:26:55 GMT
Connection: keep-alive
ETag: "575d1ccf-5"
Strict-Transport-Security: max-age=15768000
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Accept-Ranges: bytes

I added the '-L' to the line John quoted before in letsencrypt.sh and my problem is solved for now.
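The header dumps above show exactly why the check in letsencrypt.sh fails: without -L, curl stops at the 301 and no line matching 'HTTP.*200' ever appears. The script below is an added example, not code from DirectAdmin's letsencrypt.sh. It replays constructed header dumps (modelled on the output posted in this thread, with most headers dropped) through two checks: the script's original grep and a stricter check that reads the status of the final hop, so a redirect that lands on a 404 is reported as a failure too. The fetch_headers function is the only part that touches the network and is not exercised by the tests; it uses -L to follow the http-to-https redirect and -k because this probe only tests that the token path is reachable, while the ACME server still performs its own validation of the token. The ${CURL} variable name is taken from the quoted script; everything else is an assumption.

```shell
#!/bin/sh
# Added example: why the challenge_check() grep needs curl -L, and a stricter
# final-status check. Not part of DirectAdmin's letsencrypt.sh.

# Constructed header dumps, trimmed from the output posted in this thread.
HDR_REDIRECT_ONLY='HTTP/1.1 301 Moved Permanently
Server: nginx
Content-Type: text/html
Location: https://my.domain/.well-known/acme-challenge/test.txt'

HDR_REDIRECT_THEN_OK="$HDR_REDIRECT_ONLY

HTTP/1.1 200 OK
Server: nginx
Content-Type: text/plain
Content-Length: 5"

# Constructed: redirect followed, but the https side has no such file.
HDR_REDIRECT_THEN_404="$HDR_REDIRECT_ONLY

HTTP/1.1 404 Not Found
Server: nginx
Content-Type: text/html"

# final_status DUMP: print the status code of the last response in a header
# dump. With curl -L every hop's status line is present; the last one is the
# response that actually served (or failed to serve) the token.
final_status() {
    printf '%s\n' "$1" | awk '$1 ~ /^HTTP\// { code = $2 } END { print code }'
}

# challenge_check_legacy DUMP: the pattern quoted from letsencrypt.sh applied
# to a header dump. Prints 1 on failure and 0 on success, like the script.
# Without -L the dump holds only the 301, so this always prints 1.
challenge_check_legacy() {
    if ! printf '%s\n' "$1" | grep -m1 -q 'HTTP.*200'; then
        echo 1
    else
        echo 0
    fi
}

# challenge_check_final DUMP: succeed only if the final hop answered 200.
challenge_check_final() {
    if [ "$(final_status "$1")" = "200" ]; then
        echo 0
    else
        echo 1
    fi
}

# fetch_headers URL: live probe (not run by the tests). -L follows the
# http->https redirect; -k tolerates an expired or chain-less certificate on
# that hop, which is acceptable because nothing secret is sent and the ACME
# server validates the token independently. -I -X GET mirrors the script.
fetch_headers() {
    ${CURL:-curl} -sS -I -L -k -X GET --max-redirs 5 "$1"
}

# Usage: sh check.sh http://domain.com/.well-known/acme-challenge/test.txt
if [ "$#" -ge 1 ]; then
    dump=$(fetch_headers "$1") || exit 1
    printf 'final status: %s\n' "$(final_status "$dump")"
    printf 'challenge_check result: %s\n' "$(challenge_check_final "$dump")"
fi
```

Run it with the challenge URL as the only argument to see the final status code and the 0/1 result the script would act on; the awk in final_status keys on the first field so it also handles HTTP/2 status lines, which carry no reason phrase.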
 
I can confirm adding the '-L' parameter to the curl test is working like Kiekeboe100 just mentioned above.

So, to sum it up:

Fails, just 301 header and stops

Works, header 200 after 301

I added the '-L' to the line John quoted before in letsencrypt.sh and my problem is solved for now.

We have this problem as well. After adding the '-L' parameter, it works well. Maybe DirectAdmin can add the '-L' parameter in /usr/local/directadmin/scripts/letsencrypt.sh?
 
Sorry, but where should I put the '-L' option to get this working?


Edit:
FOUND IT and working with the added '-L' parameter. Thanks

Regards

Alex
 
Hi, I'm trying to generate the certificate for my server (new.hostname.com).
This should trigger a 'special' case that would install the cert also for my server, but I'm getting this error:


Setting up certificate for a hostname: new.hostname.com
Getting challenge for new.hostname.com from acme-server...
Waiting for domain verification...
Challenge is valid.
Getting challenge for www.new.hostname.com from acme-server...
Error: http://www.new.hostname.com/.well-known/acme-challenge/letsencrypt_xxxis not reachable. Aborting the script

I only want the hostname, and not extra subdomains.. How can I do this?

Also, where can I find the generated certs and keys?
 
You could manually create:
Code:
/usr/local/directadmin/conf/ca.san_config
with the code
Code:
[ req_distinguished_name ]
CN = new.hostname.com
[ req ]
distinguished_name = req_distinguished_name
[SAN]
subjectAltName=DNS:new.hostname.com
then call with the san_config option
Code:
cd /usr/local/directadmin/scripts
./letsencrypt.sh request your.hostname.com 4096 /usr/local/directadmin/conf/ca.san_config

Hostname cert/keys are copied to all service cert/key locations, eg:
Code:
/etc/httpd/conf/ssl.crt/server.crt
/etc/httpd/conf/ssl.crt/server.ca
/etc/httpd/conf/ssl.key/server.key
/etc/exim.cert
/etc/exim.key
/usr/local/directadmin/conf/cacert.pem
/usr/local/directadmin/conf/cakey.pem
/usr/local/directadmin/conf/carootcert.pem
John
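To see what that san_config actually does before handing it to letsencrypt.sh, here is an added example (not DirectAdmin's script) that writes a config in the layout John posted, generates a key and CSR from it, and prints the SAN list embedded in the CSR. Two assumptions beyond the post: 'prompt = no' is added under [ req ] so openssl reads the CN from the file instead of asking interactively, and the [SAN] section is selected with '-reqexts SAN', which is how a SAN section in a request config is normally applied. The function takes the hostname plus any extra names, so the same config can carry only the bare hostname, as asked above, or a www alias as well.

```shell
#!/bin/sh
# Added example: build a SAN request config in the layout shown above, create a
# CSR from it and verify the SAN list. Not DirectAdmin's letsencrypt.sh.

# write_san_config FILE CN [ALTNAME...]
# Writes the config from the post. 'prompt = no' is an addition (assumption)
# so that openssl req takes CN from the file. Every name, the CN included,
# is listed in subjectAltName; only the names given here end up in the CSR.
write_san_config() {
    cfg=$1
    cn=$2
    shift 2
    alt="DNS:$cn"
    for name in "$@"; do
        alt="$alt,DNS:$name"
    done
    cat > "$cfg" <<EOF
[ req_distinguished_name ]
CN = $cn
[ req ]
distinguished_name = req_distinguished_name
prompt = no
[SAN]
subjectAltName=$alt
EOF
}

# make_csr CFG KEYFILE CSRFILE BITS
# New RSA key plus a CSR whose extensions come from the [SAN] section
# (-reqexts SAN is an assumption about how the section is applied).
make_csr() {
    openssl req -new -batch -nodes -newkey "rsa:$4" -keyout "$2" -out "$3" \
        -config "$1" -reqexts SAN 2>/dev/null
}

# csr_sans CSRFILE: print the SAN line from the decoded CSR, e.g.
# "DNS:new.hostname.com, DNS:www.new.hostname.com" (empty if none present).
csr_sans() {
    openssl req -in "$1" -noout -text | sed -n 's/^ *DNS:/DNS:/p'
}

# Usage: sh san_csr.sh new.hostname.com [www.new.hostname.com ...]
if [ "$#" -ge 1 ]; then
    work=$(mktemp -d)
    write_san_config "$work/ca.san_config" "$@"
    make_csr "$work/ca.san_config" "$work/key.pem" "$work/req.csr" 2048
    printf 'config: %s\nSANs in CSR: %s\n' "$work/ca.san_config" "$(csr_sans "$work/req.csr")"
fi
```

Check the printed SAN line before using the config: if a name is missing there, the CA will not issue for it, and if an unwanted name (such as the www alias) is present, the challenge for it will be attempted and can abort the run as in the error above.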
 
I can confirm adding the '-L' parameter to the curl test is working like Kiekeboe100 just mentioned above.

So, to sum it up:

Fails, just 301 header and stops

Works, header 200 after 301

I added the '-L' to the line John quoted before in letsencrypt.sh and my problem is solved for now.

Hello
Unfortunately I have faced the same problem.
Now, where should I put the -L parameter exactly?
 
When I test manually
Code:
/usr/local/bin/curl -I -X GET http://www.poqueiraweb.com/.well-known/acme-challenge/test.txt; echo $?
I get
Code:
curl: (2) Failed initialization 2
and
Code:
/usr/bin/curl -I -X GET http://www.poqueiraweb.com/.well-known/acme-challenge/test.txt; echo $?
does work and produces
Code:
HTTP/1.1 200 OK
Server: nginx
Date: Fri, 22 Jul 2016 20:41:41 GMT
Content-Type: text/plain
Content-Length: 5
Connection: close
Last-Modified: Fri, 22 Jul 2016 20:04:26 GMT
ETag: "5-5383ef10ca5bb"
Accept-Ranges: bytes
Vary: User-Agent
from this post I understood I have two versions of curl http://forum.directadmin.com/showthread.php?t=52037 one from the standard centos repo and one from direct admin CB.
now how do I fix this the right way?
I got letsencrypt going by changing the location of curl to /usr/bin/curl in letsencrypt.sh but this will probably be overwritten in the next update of the script.
thanks, Joris
 
Simplest is just to grab the newer binaries, as the LetsEncrypt feature is constantly getting updated:
http://help.directadmin.com/item.php?id=408

Here's my story:

1. I got the LE "certificate expiration notice"
2. A few days after that, I got a message from the "Message System" saying renewal failed (Error during automated certificate renewal for ...)
3. I searched this forum, found a fix for the LE script posted by Martynas
4. I made the change in the script, then waited for the auto-renewal to retry
5. The next morning, I got a message saying the renewal was successful (Automated certificate renewal for ... has succeeded)
6. I was happy.

Unfortunately, now, nine days later, the certificate has expired nonetheless. The "has succeeded" had less impact than I had hoped for.

So I tried this:

7. Updated to the pre-release binaries per John's suggestion.
8. Tried to re-issue the certificate, to no avail: errors abound.

The only way to get the renewal to work, was to (temporarily) remove the redirect to https from the custom HTTPD config. This is an NGINX powered server.

I have to be honest, I'm quite disappointed.
 
Simplest is just to grab the newer binaries, as the LetsEncrypt feature is constantly getting updated:
http://help.directadmin.com/item.php?id=408

Hi John,

Could you also add -k to the curl check? This disables the SSL validation which is required if the certificate already expired. This happened for us because -L was not yet present, so to fix it we needed -L and -k flag to pass the challenge_check() function.

Cheers!
 
./letsencrypt.sh request web4host.net 4096
Getting challenge for web4host.net from acme-server...
Waiting for domain verification...
Challenge is valid.
Getting challenge for www.web4host.net from acme-server...
Waiting for domain verification...
Challenge is valid.
Generating 4096 bit RSA key for web4host.net...
openssl genrsa 4096 > "/usr/local/directadmin/data/users/admin/domains/web4host.net.key.new"
Generating RSA private key, 4096 bit long modulus
..++
.................................++
e is 65537 (0x10001)
Certificate for web4host.net has been created successfully!

did not work with me in new server!!
 
...............................
Certificate for web4host.net has been created successfully!

did not work with me in new server!!

Can you explain what didn't work exactly, looking at the result of the request it worked and going to https://www.web4host.net shows the certificate. The only issue I see is mixed content, but that has to be solved in the coding of your site and is not related to DA.
 