DirectAdmin / LetsEncrypt - Always adding www.?

DanBennett (Verified User, joined Aug 10, 2016, 7 messages)
So when creating a LetsEncrypt certificate, I specifically untick www.sub.domain.com from "Let's Encrypt Certificate Entries" (it's auto-ticked alongside sub.domain.com) and remove the www. from the common name (because we're using sub.domain.com. No www here!). This is a legit subdomain and certificates can be installed for subdomains...

But DA (Or LetsEncrypt, not sure who to blame yet) automatically still tries to verify www.sub.domain.com and complains about it not being accessible, which is right - it's not meant to be! I didn't ask for that!

Code:
Getting challenge for sub.domain.com from acme-server...
Waiting for domain verification...
Challenge is valid.
Getting challenge for www.sub.domain.com from acme-server...
Error: http://www.sub.domain.com/.well-known/acme-challenge/letsencrypt_1470842013 is not reachable. Aborting the script.
Please make sure .htaccess or WWW server is not preventing access to /.well-known folder.

Which stops the certificate being generated!

Any thoughts on how to stop this happening?
 
Hello,

Just tried with the latest DA and Let's Encrypt script and could NOT replicate the issue. I was able to create a letsencrypt cert without www via Directadmin interface:

Code:
[root@server etc]# cat /usr/local/directadmin/data/users/bob/domains/dev.example.com.san_config
[ req ]
default_bits            = 4096
default_keyfile         = keyfile.pem
distinguished_name      = req_distinguished_name
attributes              = req_attributes
prompt                  = no
output_password         = bogus


[ req_distinguished_name ]
CN                      = dev.example.com
emailAddress            = [email protected]


[ req_attributes ]
[ SAN ]
subjectAltName=DNS:dev.example.com
[root@server etc]#

So make sure you've got the latest version of the Let's Encrypt client (1.0.1) and Directadmin.
 
How do I find out if I have the latest LetsEncrypt client?

DA is version 1.50.1.

Also, in directadmin.conf I have set `letsencrypt=2` as it's used for reselling.
 
Code:
cd /usr/local/directadmin/custombuild
./build update
./build versions

and

Code:
./build letsencrypt
 
Thanks, I can't do those sadly (well, I can, I'm just not meant to), but "versions.txt" in that directory has the versions

letsencrypt_sh:1.0.1

So it's already 1.0.1.

I'm doing all this in DA by the way. So the user account has the domain of sub.domain.com. LetsEncrypt tries to get the SSL for that AND www.sub.domain.com.

The script itself does seem to purposely do this, but it doesn't make sense as to why it does this. If a domain doesn't have WWW, it adds it. But why is that in the script? If a domain doesn't have www you cannot presume that www is valid.
 
The file versions.txt only has information about the available versions of software; they might differ from the installed ones.

To see installed versions you should follow user ditto's recommendations and run
Code:
cd /usr/local/directadmin/custombuild
./build update
./build versions
 
Code:
 ./build versions
Latest version of DirectAdmin: 1.50.1
Installed version of DirectAdmin: 1.50.1

Code:
./build letsencrypt
Downloading letsencrypt.sh...
[...]
2016-08-19 12:00:42 (2.16 MB/s) - '/usr/local/directadmin/custombuild/letsencrypt.sh' saved [18855/18855]

Let's encrypt client 1.0.1 has been installed.

Still the same issue happens where it is adding www to sub domains. :(
 
you need to create a www subdomain

If you create a subdomain through Directadmin, the www subdomain is created automatically in DNS too. So there should be no need to create this manually, or are you using an older version of Directadmin maybe?
 
That's the problem though. If you don't have DNS through DA, you wouldn't be setting up a www.subdomain entry because it's not a requirement. And if you don't control a domain's DNS (e.g. you're doing this for a client) it's even more difficult.

This should never be an issue. We've worked round it in the past, but now it's a blocker.
 
OK, what do you suggest? How does Directadmin know whether or not you have control of a domain's DNS?

It seems that the most common case is the opposite, where a directadmin server manages DNS. Otherwise here we would have many more complaints on the matter.
 
Oh for sure. www. before a subdomain.com should not be a requirement regardless though, should it? Because that makes it a sub-sub-domain (seeing as, really, www is a subdomain itself).

I get that it's trying to be helpful... but it shouldn't force it, nor hidden away in a config file. Hmm...
 
I agree with you that the www. should not be a requirement for a subdomain. And it does not seem to be a requirement. I've just tested and created a new SSL/TLS cert for a domain with 10+ subdomains, and Directadmin did not even add subdomains with www. into the san_config file.

Thus I conclude that you add a sub-domain as a regular domain on "Add Another Domain" page, and don't use "Subdomain Management" page for it. If this is the case then the things differ... and you might need to adjust:

Code:
letsencrypt_list=www:mail:ftp:pop:smtp

and remove www: from the list:

Code:
letsencrypt_list=mail:ftp:pop:smtp

by:

Code:
echo "letsencrypt_list=mail:ftp:pop:smtp" >> /usr/local/directadmin/conf/directadmin.conf
service directadmin restart

And from the point of view of Directadmin, it does not differ:

subdomain.example.com

from

example.com.net

Thus directadmin hardly can know that the domain you add should be treated as subdomain if you don't use its own page for managing subdomains.
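The post above changes letsencrypt_list by appending a second line to directadmin.conf. Appending leaves two letsencrypt_list keys in the file, and which one wins is not stated in this thread. The script below is an added example, not DirectAdmin's or the letsencrypt.sh project's code: it replaces the key in place when it already exists, and expands a domain plus a letsencrypt_list value into the hostnames a certificate request would cover, so you can see in advance whether www.sub.domain.com would be included. It works on a constructed copy of the config so it runs offline; the real file path, the colon-separated list format and the prefixes are taken from the thread, and the assumption that the last occurrence of a key is the effective one is the example's own.

```shell
#!/bin/sh
# Added example (not DirectAdmin's own tooling). Manage letsencrypt_list
# idempotently and preview which hostnames a certificate would be requested for.

# Print the value of KEY in FILE. Last occurrence wins here; that DirectAdmin
# resolves duplicate keys the same way is an assumption, which is exactly why
# set_conf_key below avoids creating duplicates in the first place.
get_conf_key() {
    # $1 = file, $2 = key
    grep "^$2=" "$1" | tail -n 1 | cut -d= -f2-
}

# Set KEY=VALUE in FILE: replace an existing line instead of appending a
# second copy the way `echo ... >> directadmin.conf` does. VALUE must not
# contain '|', '&' or '\' (sed replacement metacharacters); the values in the
# thread (prefix lists) are safe.
set_conf_key() {
    file=$1; key=$2; value=$3
    tmp=$(mktemp)
    if grep -q "^$key=" "$file"; then
        sed "s|^$key=.*|$key=$value|" "$file" > "$tmp"
    else
        cat "$file" > "$tmp"
        printf '%s=%s\n' "$key" "$value" >> "$tmp"
    fi
    cat "$tmp" > "$file"   # write in place so ownership/mode of the target survive
    rm -f "$tmp"
}

# Expand DOMAIN plus a colon-separated prefix list (the letsencrypt_list
# format from the thread) into the hostnames a certificate would cover.
expand_hostnames() {
    domain=$1; list=$2
    printf '%s\n' "$domain"
    # Subshell so the IFS change does not leak to the caller.
    ( IFS=:; for p in $list; do
          [ -n "$p" ] && printf '%s.%s\n' "$p" "$domain"
      done )
}

# Optional preflight for the real server (needs network, so the demo below
# does not call it): report the HTTP status of the ACME challenge path for
# every hostname, so an unreachable www.<sub> shows up before the script aborts.
preflight() {
    # $1 = domain, $2 = prefix list
    for h in $(expand_hostnames "$1" "$2"); do
        code=$(curl -s -o /dev/null --max-time 5 -w '%{http_code}' \
               "http://$h/.well-known/acme-challenge/probe" || echo "unreachable")
        printf '%-40s %s\n' "$h" "$code"
    done
}

demo() {
    # Constructed sample config, not /usr/local/directadmin/conf/directadmin.conf.
    conf=$(mktemp)
    printf 'letsencrypt=2\nletsencrypt_list=www:mail:ftp:pop:smtp\n' > "$conf"
    echo "Names requested with the default list:"
    expand_hostnames sub.domain.com "$(get_conf_key "$conf" letsencrypt_list)"
    set_conf_key "$conf" letsencrypt_list mail:ftp:pop:smtp
    echo "Names requested after removing www: (file still has one letsencrypt_list line):"
    expand_hostnames sub.domain.com "$(get_conf_key "$conf" letsencrypt_list)"
    rm -f "$conf"
}
demo
```

To apply it to a live server, run `set_conf_key /usr/local/directadmin/conf/directadmin.conf letsencrypt_list mail:ftp:pop:smtp` as root and then `service directadmin restart` as the post describes; `preflight sub.domain.com "$(get_conf_key /usr/local/directadmin/conf/directadmin.conf letsencrypt_list)"` then shows which of the resulting names actually answer on the challenge path.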
 
I see this ONLY when using nginx or the nginx/apache proxy; with pure apache I do not see the issue.
I have not had a chance to dig into it yet though.
 
Wow it's been a while since I've looked at this!

So, we already do add subdomains via the "Domain" box. This is for new users and for users with multiple root domains. That's where I'm having the issue.

I've tried setting the letsencrypt_list to exclude 'www' but it doesn't seem to take effect. I presume this is because we're using letsencrypt=2, as our directories are user-based (/home/user/domains/domain.com/public_html).
 