Error during automated certificate renewal of subdomain that no longer exists

Sharif

Not sure why, but it keeps trying to renew the SSL certificate of a subdomain that no longer exists. How to resolve this?
 
How to fix this issue?

I've already removed the subdomain, disabled SSL and enabled it again, and reissued the certificates, but this subdomain does not show up...
 
Not much information is given here.

When you do this

dig subdomain.server.com A +short

Does it return a valid IP address?
 
Yes, it ends up with the server IP address.

I already deleted the subdomain from DirectAdmin, and found out it was still not deleted from DNS Management, so I deleted it from DNS Management.

Not sure if this is going to solve the issue.
 
Even though it's deleted, it's still getting error messages:
Domain does not exist on the system. Unable to find url.domain.com in /etc/virtual/domainowners, and domain is not set as hostname (servername) in DirectAdmin configuration. Exiting...
no valid domain found - exiting
 
Any idea why I keep getting these messages?

Domain does not exist on the system. Unable to find url.domain.com in /etc/virtual/domainowners, and domain is not set as hostname (servername) in DirectAdmin configuration. Exiting...
no valid domain found - exiting
 
Important question: is the subdomain your actual hostname or a normal subdomain? It sounds like the error came when it was trying to renew a hostname SSL certificate and it could not find the hostname in /etc/virtual/domainowners or in the hostname set in the DirectAdmin settings. Perhaps you need to remove the auto-renew certificate manually if you don't want to see this error, but I need more info about this subdomain and how you renewed the subdomain in the first place.

Some links that might help with similar error:


 
Same problem over here, I think removing domains or disabling SSL is broken on the latest DirectAdmin. Recently moved a couple of domains from one user to another external server. Disabled SSL on the user/ssl page. Now I'm getting daily "Error during automated certificate renewal for ...." tickets since DirectAdmin still tries to renew these certificates, completely ignoring that SSL is disabled for these domains.
 
Normally you can just ignore these, after several days DA will stop trying to renew them.

Disabled SSL on the user/ssl page.
You disabled SSL or you disabled auto-renew? Normally if you disable auto-renew (there is a button for that), then things will be fine.
Just disabling SSL does not do the trick. However, this should also be fixed by DA indeed.

However, there is a small issue that if an account gets deleted, something is not deleted with it, so the renewal still will be done.
That needs fixing by DA.
 
Good point, I disabled SSL thinking that would just disable the auto-renew as well. Now I re-enabled SSL and afterwards disabled auto-renew but that also doesn't seem to work now. Maybe because of the weird order of steps for that. Hope DirectAdmin will fix this though.
 
Got this too.. but for months now.

And I can't find a way to solve this, searching for weeks now. I never ever had this problem in the past and I've been managing my server for 15 years already. Can someone help?

Error during automated certificate renewal for srv.mywebsite.com

In DirectAdmin

srv.mywebsite.com is my Server's Hostname



exec ["/usr/local/bin/lego" "--accept-tos" "--email=[email protected]" "--key-type=ec256" "--server=https://acme-v02.api.letsencrypt.org/directory" "--path=/usr/local/directadmin/data/.lego" "--http" "--http.webroot=/var/www/html" "--domains=srv.mywebsite.com" "--domains=server-109-236-91-13.da.direct" "run" "--no-bundle" "--preferred-chain=ISRG Root X1"]
2024/08/04 06:12:09 [INFO] [srv.mywebsite.com, server-109-236-91-13.da.direct] acme: Obtaining SAN certificate
2024/08/04 06:12:10 [INFO] [server-109-236-91-13.da.direct] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/3784815535
2024/08/04 06:12:10 [INFO] [srv.mywebsite.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/3858166143
2024/08/04 06:12:10 [INFO] [srv.mywebsite.com] acme: authorization already valid; skipping challenge
2024/08/04 06:12:10 [INFO] [server-109-236-91-13.da.direct] acme: Could not find solver for: tls-alpn-01
2024/08/04 06:12:10 [INFO] [server-109-236-91-13.da.direct] acme: use http-01 solver
2024/08/04 06:12:10 [INFO] [server-109-236-91-13.da.direct] acme: Trying to solve HTTP-01
2024/08/04 06:12:16 [INFO] Skipping deactivating of valid auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/3784815535
2024/08/04 06:12:16 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/3858166143
2024/08/04 06:12:16 Could not obtain certificates:
error: one or more domains had a problem:
[server-109-236-91-13.da.direct] acme: error: 400 :: urn:ietf:params:acme:error:connection :: 109.236.91.13: Fetching http://server-109-236-91-13.da.dire...enge/DXXX-454dsqsnHvb0c8alGR4v9mvJUyAiPzSNbhg: Error getting validation data
exit status 1
 
[server-109-236-91-13.da.direct]
Look here... fetching server-109-236-etc.da.direct. So seems it's still trying to get the old hostname's certificate.

And this:
[srv.mywebsite.com] acme: authorization already valid; skipping challenge
So for your normal hostname, there is already an ssl certificate.
Problem is that you still have some of that da.direct stuff left on your server.

Try and create a new certificate like this manually as root via SSH, then after that you should be fine.
First check if both your /etc/hosts and /etc/hostname file contain your srv.mywebsite.com hostname fully.
Then use this:
Code:
cd /usr/local/directadmin/scripts
./letsencrypt.sh server_cert

Now the da.direct stuff must be gone; if not, let us know.

Additionally, I don't know if you want to send mail from this server, but if yes, then you have to change the rDNS/PTR record.
Set your IPs (both IPv4 and, if you use it, also your IPv6) to your srv.mywebsite.com hostname.
You should be able to do that at your worldstream panel or otherwise ask them to do it.
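
The diagnosis in the reply above, as an added example (not part of the original posts and not DirectAdmin's own code): it lists the names a lego run requested that are neither the current hostname nor present in the domainowners file. The function names are hypothetical, the `domain: user` layout of domainowners is an assumption, and the sample log is constructed from the one posted in the thread.

```shell
#!/bin/sh
# Names passed to lego as --domains=... on the 'exec [...]' line of the log.
requested_domains() {
    grep -o -e '--domains=[^"]*' "$1" | cut -d= -f2 | sort -u
}

# Names for which the ACME server returned an error.
failed_domains() {
    sed -n 's/^\[\([^]]*\)\] acme: error:.*/\1/p' "$1" | sort -u
}

# Requested names that are neither the hostname nor listed in domainowners:
# the leftovers that keep producing renewal errors.
# usage: stale_domains LOGFILE HOSTNAME DOMAINOWNERS_FILE
stale_domains() {
    requested_domains "$1" | while read -r d; do
        [ "$d" = "$2" ] && continue
        # Exact match on the first field, so dots are not treated as wildcards.
        awk -F: -v d="$d" '$1 == d { f = 1 } END { exit !f }' "$3" && continue
        echo "$d"
    done
}

# Constructed sample data, abridged from the log in the thread.
demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/lego.log" <<'EOF'
exec ["/usr/local/bin/lego" "--http" "--domains=srv.mywebsite.com" "--domains=server-109-236-91-13.da.direct" "run"]
2024/08/04 06:12:10 [INFO] [srv.mywebsite.com] acme: authorization already valid; skipping challenge
[server-109-236-91-13.da.direct] acme: error: 400 :: urn:ietf:params:acme:error:connection :: Error getting validation data
EOF
    printf 'mywebsite.com: admin\n' > "$tmp/domainowners"
    stale_domains "$tmp/lego.log" srv.mywebsite.com "$tmp/domainowners"
    rm -rf "$tmp"
}

demo
```

On a real server the second argument would be the output of `hostname -f` and the third /etc/virtual/domainowners; any name printed is one the renewal job still requests although the system no longer owns it.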
 