DirectAdmin daemon and Exim still use old SSL cert after renewing

ataraxia

Verified User
Joined
Sep 1, 2022
Messages
6
I have followed the DirectAdmin documentation to set up SSL with Let's Encrypt for the DirectAdmin control panel on hostname:2222.

The SSL certificate has expired, and I've used letsencrypt.sh to attempt to renew the cert. The script finishes without problems.

./letsencrypt.sh request_single server.example.com 4096
Code:
Setting up certificate for a hostname:
2022/09/01 20:54:06 [INFO] acme: Obtaining SAN certificate
2022/09/01 20:54:06 [INFO] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/148441182327
2022/09/01 20:54:06 [INFO] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/148670627247
2022/09/01 20:54:06 [INFO] acme: authorization already valid; skipping challenge
2022/09/01 20:54:06 [INFO] acme: Could not find solver for: tls-alpn-01
2022/09/01 20:54:06 [INFO] acme: use http-01 solver
2022/09/01 20:54:06 [INFO] acme: Trying to solve HTTP-01
2022/09/01 20:54:25 [INFO] The server validated our request
2022/09/01 20:54:25 [INFO] acme: Validations succeeded; requesting certificates
2022/09/01 20:54:28 [INFO] Server responded with a certificate for the preferred certificate chains "ISRG Root X1".
Certificate for , has been created successfully!
DirectAdmin certificate has been setup.
Setting up cert for Exim...
Setting up cert for WWW server...
Setting up cert for FTP server...
The services will be restarted in about 1 minute via the dataskq.

However, the DirectAdmin daemon and Exim still use the old expired certificate. I can run the commands below to check the cert:
Code:
openssl x509 -in /usr/local/directadmin/conf/cacert.pem -text -noout
openssl x509 -in /etc/exim.cert -text -noout
Both commands show that the cert has been set up correctly.

Code:
Validity
            Not Before: Sep  1 19:54:28 2022 GMT
            Not After : Nov 30 19:54:27 2022 GMT

I run the commands below to check if SSL is enabled properly according to the documentation:
/usr/local/directadmin/directadmin config | egrep "^ssl=|^cacert=|^cakey="

Code:
cacert=/usr/local/directadmin/conf/cacert.pem
cakey=/usr/local/directadmin/conf/cakey.pem
ssl=1

However, when I attempt to access the DA control panel, or retrieve new e-mail, I still receive errors showing that the SSL cert is out of date. When I check the certificate in my browser, I can see that it is still using the old cert.

Code:
Validity
            Not Before: Fri, 03 Jun 2022 02:42:13 GMT
            Not After : Thu, 01 Sep 2022 02:42:12 GMT

This error does not occur when accessing hostname instead of hostname:2222.

I have tried disabling and re-enabling SSL in directadmin.conf, restarting DirectAdmin and the server itself multiple times, different browsers and mail clients, and requesting new certificates instead of renewing.

How can I ensure DirectAdmin and Exim use the new certificate?
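The checks in the post above inspect the certificate files on disk, while the browser and mail client report what the running daemon actually presents; the gap between the two is exactly where a stale certificate hides. The script below is an added example (not code from the thread or from DirectAdmin) that compares the SHA-256 fingerprint of the certificate file each service is configured to load with the fingerprint of the certificate the live service sends during a TLS handshake. The hostname, ports and file paths used at the bottom are assumptions taken from the post; the helper names are my own.

```shell
#!/bin/sh
# Added example, not code from the thread or from DirectAdmin: compare the
# certificate a live service presents with the certificate file it is
# configured to load, so a daemon that has not picked up a renewed cert shows
# up as a fingerprint mismatch instead of a vague browser or mail-client error.
# The hostname, ports and file paths used at the bottom are assumptions.
set -u

# Strip the "sha256 Fingerprint=" / "SHA256 Fingerprint=" prefix openssl prints.
strip_prefix() {
    sed 's/^.*Fingerprint=//'
}

# SHA-256 fingerprint of the certificate in a PEM file (e.g. the DirectAdmin
# cacert.pem or /etc/exim.cert).  Prints ERROR and returns 1 if the file is
# unreadable or does not contain a certificate.
file_fingerprint() {
    fp=$(openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null | strip_prefix)
    if [ -z "$fp" ]; then
        echo "ERROR"
        return 1
    fi
    echo "$fp"
}

# Fingerprint of the leaf certificate a live service presents.  The optional
# third argument is a STARTTLS protocol ("smtp" for Exim on 25/587); leave it
# out for services that speak TLS immediately (DirectAdmin on 2222, SMTPS 465).
live_fingerprint() {
    host="$1"; port="$2"; starttls="${3:-}"
    if [ -n "$starttls" ]; then
        pem=$(openssl s_client -connect "$host:$port" -servername "$host" \
                  -starttls "$starttls" </dev/null 2>/dev/null || true)
    else
        pem=$(openssl s_client -connect "$host:$port" -servername "$host" \
                  </dev/null 2>/dev/null || true)
    fi
    # openssl x509 picks the first PEM block out of the s_client transcript.
    fp=$(printf '%s\n' "$pem" | openssl x509 -noout -fingerprint -sha256 2>/dev/null | strip_prefix)
    if [ -z "$fp" ]; then
        echo "ERROR"
        return 1
    fi
    echo "$fp"
}

# "valid" if the certificate has not yet expired, "expired" otherwise
# (also "expired" when the file cannot be parsed).
cert_status() {
    if openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1; then
        echo "valid"
    else
        echo "expired"
    fi
}

# Case-insensitive comparison of two fingerprints; returns 0 when they match.
fingerprints_match() {
    a=$(printf '%s' "$1" | tr 'a-f' 'A-F')
    b=$(printf '%s' "$2" | tr 'a-f' 'A-F')
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Report whether a service serves the certificate in the file it should load.
# Returns 0 on match, 1 on mismatch or error.
check_service() {
    label="$1"; file="$2"; host="$3"; port="$4"; starttls="${5:-}"
    disk=$(file_fingerprint "$file") || { echo "$label: cannot read certificate $file"; return 1; }
    live=$(live_fingerprint "$host" "$port" "$starttls") || { echo "$label: no TLS handshake on $host:$port"; return 1; }
    if fingerprints_match "$disk" "$live"; then
        echo "$label: OK, $host:$port serves the $(cert_status "$file") certificate in $file"
        return 0
    fi
    echo "$label: MISMATCH, $file is $disk but $host:$port serves $live (service still has the old cert loaded; restart it)"
    return 1
}

# Usage: sh check_certs.sh server.example.com
# The live checks run only when a hostname is given on the command line.
if [ -n "${1:-}" ]; then
    check_service "DirectAdmin" /usr/local/directadmin/conf/cacert.pem "$1" 2222
    check_service "Exim submission" /etc/exim.cert "$1" 587 smtp
fi
```

A MISMATCH line with an expired fingerprint on the live side tells you the file renewal worked and the problem is a daemon that has not reloaded, which is the situation described in the post; a "no TLS handshake" line points at a firewall, proxy or listener problem rather than at the certificate. The same check can be run from cron after the renewal timer so a stale daemon is noticed before clients start failing.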
 
Additionally... the script for the hostname does not do everything. You have to renew the script for the domain too for exim to work on the domain and to visit domain.com:2222.
 
Try this just to be sure.
cd /usr/local/directadmin/custombuild
./build update
./build rewrite_confs

Also check over here for the dates, if they are known to LE.
and
I've updated CustomBuild and rewritten the confs. I restarted DirectAdmin, but the problem still persists.

The certificate exists and can be found with both of the websites you specified.

Additionally... the script for the hostname does not do everything. You have to renew the script for the domain too for exim to work on the domain and to visit domain.com:2222.
What do you mean by "renew the script for the domain"?
All other domains have no problems with renewing SSL certs, and none are expired right now. It is only the DirectAdmin panel which is still using an old certificate.
 
Never mind, just tested... gives an error on the hostname and doesn't even respond on the domain name itself on 2222, very odd.
Any content in a /custom folder?
 
Is it? Try this:
https://server.example.com:2222 does that work, or does it also give a failure? Replace it with your own hostname, of course.
Yes, when I access my hostname on port 2222, that is the only URL with the problem. Every other domain renews SSL certs fine.

https://hostname.com works
https://server.hostname.com works
https://anyotherdomain.hostname.com works

https://server.hostname.com:2222 does NOT work.

As stated in my original post, it is using an old SSL certificate despite my following the instructions in the DirectAdmin docs to request and renew SSL certificates for the DirectAdmin daemon and Exim.
 
Yes, but https://hostname.com:2222 does not work either, while it should, because it's the domain name of the hostname.
So https://hostname.com works, but there it says the certificate is provided by Cloudflare, not by Let's Encrypt.

And server.hostname.com is not automatically redirected to https. When I visited it the first time, I landed on the normal http page, which should not be the case.
However, I didn't know you were on nginx either. I'm not familiar with that. It's best to always state what you're using when asking questions.

It might have something to do with the fact that there is a mix-up somewhere with the Cloudflare wildcard certificates for hostname.com, which are still valid until October.

So it might even be that Cloudflare is messing something up here.
Sorry, I have to pass; maybe somebody else can help you further.
 
Neither example.com nor hostname.com is my actual domain name. I was using them as placeholders for my actual domain name.

When I visit my server hostname, it DOES redirect to https.

I am not proxying my server hostname domain through Cloudflare, as this would make it impossible to send and receive e-mail.

In DirectAdmin I am using both nginx and Apache.
 
Neither example.com nor hostname.com is my actual domain name. I was using them as placeholders for my actual domain name.
I know. But I found your actual hostname.com and checked it out.

By the way, "hostname" is always used for server.domain.com (so really a hostname), so next time it's better to use domain.com and server.domain.com (or example.com) as examples, because hostname.com can be misleading as an example.

When I visit my server hostname, it DOES redirect to https.
That's either because you're using Chrome or because it's in the cache. If I clear the cache in Firefox and enter the server hostname, then I get an http page.


Ah, never mind that last one... it seems the same on my servers now, as the SSL redirect hostname setting became obsolete.
 
I have partially solved the problem in a very stupid way.

What I did was disable Cloudflare on my main domain. After this, my website was using an old expired certificate. Upon noticing this, I was able to successfully request a new certificate for my main domain from Let's Encrypt within the DA panel.

After doing this, the DirectAdmin panel at server.example.com:2222 started working and began successfully using the SSL certificate that I had generated yesterday.

Re-enabling Cloudflare on the main domain did not interfere with anything.

I have no idea why I thought this would work, but it did.

However, Exim is still using the old cert and I am still unable to retrieve my e-mails. A few minutes after I made this post, I restarted the whole server, and now it works.
 
Oh, nice to hear you got it fixed. So with Cloudflare I put you on the right track.

What I did was, I disabled Cloudflare on my main domain.
I don't work with Cloudflare, but I have seen odd things happening with it more often. I don't know how this works with LEGO for Let's Encrypt.
Maybe somebody using Cloudflare can comment on this to prevent it happening next time.

Anyway, it's working again, that's good!
 
Yes. It seems that because of some Cloudflare issue, DirectAdmin can't get the real IP of the domain.
I also got the same error as you, and this worked:
Step 1: disable the Cloudflare proxy feature on the admin domain.
Step 2: log in to admin, and turn the Cloudflare proxy on the domain back on.
End.
 