Get automatic certificate from ACME Provider

Hesaam

Hi, I have a server with IP xx.xx.24.141, domain domain1.com and DirectAdmin on it, and I added a new IP and a new domain to this server. Now when I use "Get automatic certificate from ACME Provider", because the IP of the server is xx.xx.24.141 and only the new IP (xx.xx.24.182) refers to the new domain "domain2.co", I get this error:

""Error with LetsEncrypt request
2022-11-29 18:55
Found wildcard domain name and http challenge type, switching to dns-01 validation.
2022/11/29 18:55:46 [INFO] acme: Registering account for [email protected]
2022/11/29 18:55:46 Could not complete registration
acme: error: 400 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-acct ::
urn:ietf:arams:acme:error:invalidEmail :: Error creating new account :: contact email "[email protected]" has invalid domain :
The ACME server can not issue a certificate for an IP address
Certificate generation failed.""

It means it wants to get a certificate for domain2.co with server IP xx.xx.24.141, which is not for this domain.
What should I do?
Please help me.
Thanks
 
Thanks.
But after changing the email, I did it again and got this error:

""2022/11/30 15:45:54
No key found for account [email protected]. Generating a 4096 key.
2022/11/30 15:45:58
Saved key to /usr/local/directadmin/data/.lego/accounts/acme-v02.api.letsencrypt.org/[email protected]/keys/[email protected]
2022/11/30 15:45:58
Could not create client: get directory at 'https://acme-v02.api.letsencrypt.org/directory': Get "https://acme-v02.api.letsencrypt.org/directory": dial tcp 172.65.32.248:443: connect: connection refused
Certificate generation failed.""



Then I did it again and this time I got a new error:


"2022/11/30 15:50:45
Could not create client: get directory at 'https://acme-v02.api.letsencrypt.org/directory': Get "https://acme-v02.api.letsencrypt.org/directory": dial tcp 172.65.32.248:443: connect: connection refused
Certificate generation failed."
Now what should I do?
Thanks for helping.
 
What I would try is

- removing folder /usr/local/directadmin/data/.lego/
- removing files:

/usr/local/directadmin/conf/cacert.pem
/usr/local/directadmin/conf/cacert.pem.combined
/usr/local/directadmin/conf/cacert.pem.creation_time
/usr/local/directadmin/conf/cakey.pem
/usr/local/directadmin/conf/carootcert.pem

whenever they exist, and then try again to request a new certificate for hostname and domain.

Please note, you cannot request a certificate for an IP address. Not too sure why Cloudflare's IP 172.65.32.248 is here though.
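
The cleanup suggested above, as an added example that is not part of the original post or of DirectAdmin's own tooling: it moves the listed paths into an owner-only backup directory instead of deleting them, since `.lego` holds the ACME account key. The function name `reset_acme_state` and the backup location are assumptions.

```shell
#!/bin/sh
# Added example: hypothetical helper, not shipped with DirectAdmin.
# Moves the ACME client state and hostname certificate files named in the
# post into a backup directory so they can be restored if needed.

# reset_acme_state DA_ROOT BACKUP_PARENT
# Prints the backup directory on stdout; progress messages go to stderr.
reset_acme_state() {
    da_root=$1
    backup_parent=$2
    [ -d "$da_root" ] || { echo "no such directory: $da_root" >&2; return 1; }

    # mktemp -d creates the directory with mode 0700, which matters here
    # because the backup will contain private keys.
    backup_dir=$(mktemp -d "$backup_parent/acme-state.XXXXXX") || return 1

    moved=0
    for rel in data/.lego \
               conf/cacert.pem \
               conf/cacert.pem.combined \
               conf/cacert.pem.creation_time \
               conf/cakey.pem \
               conf/carootcert.pem
    do
        src=$da_root/$rel
        # "whenever they exist": skip anything that is absent
        if [ -e "$src" ] || [ -L "$src" ]; then
            mkdir -p "$backup_dir/$(dirname "$rel")"
            mv -- "$src" "$backup_dir/$rel" || return 1
            echo "moved $src" >&2
            moved=$((moved + 1))
        fi
    done
    echo "$moved item(s) moved to $backup_dir" >&2
    printf '%s\n' "$backup_dir"
}

# Usage on a real server (as root), then request the certificate again:
#   reset_acme_state /usr/local/directadmin /root
```
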
 
Never tried ZeroSSL, probably other members of the forums could help you more.

But what seems wrong to me is that the script still tries using [email protected] as a contact email. I would expect to see a valid email address there. Probably it is the root cause of the issue.
 
What I would try is

- removing folder /usr/local/directadmin/data/.lego/
- removing files:

/usr/local/directadmin/conf/cacert.pem
/usr/local/directadmin/conf/cacert.pem.combined
/usr/local/directadmin/conf/cacert.pem.creation_time
/usr/local/directadmin/conf/cakey.pem
/usr/local/directadmin/conf/carootcert.pem

whenever they exist, and then try again to request a new certificate for hostname and domain.

Please note, you cannot request a certificate for an IP address. Not too sure why Cloudflare's IP 172.65.32.248 is here though.
My IPs are 65.21.24.141 and 65.21.24.182.
I don't know where this IP (172.65.32.248) was found.
 
Is there any reason why you are trying ZeroSSL? It failed on my side:

Code:
[[email protected] ~]# /usr/local/directadmin/scripts/letsencrypt.sh request $(hostname -f)
Setting up certificate for a hostname: server.domain.com
2022/11/30 20:17:57 No key found for account [email protected]. Generating a P256 key.
2022/11/30 20:17:57 Saved key to /usr/local/directadmin/data/.lego/accounts/acme.zerossl.com/[email protected]/keys/[email protected]
!!!! HEADS UP !!!!

Your account credentials have been saved in your Let's Encrypt
configuration directory at "/usr/local/directadmin/data/.lego/accounts".

You should make a secure backup of this folder now. This
configuration directory will also contain certificates and
private keys obtained from Let's Encrypt so making regular
backups of this folder is ideal.
2022/11/30 20:18:12 [INFO] [server.domain.com] acme: Obtaining SAN certificate
2022/11/30 20:18:23 [INFO] [server.domain.com] AuthURL: https://acme.zerossl.com/v2/DV90/authz/jYQd3KCXUHri6ssxEFN65g
2022/11/30 20:18:23 [INFO] [server.domain.com] acme: use http-01 solver
2022/11/30 20:18:23 [INFO] [server.domain.com] acme: Trying to solve HTTP-01
2022/11/30 20:33:53 [INFO] Deactivating auth: https://acme.zerossl.com/v2/DV90/authz/jYQd3KCXUHri6ssxEFN65g
2022/11/30 20:33:58 Could not obtain certificates:
        error: one or more domains had a problem:
[server.domain.com] the server didn't respond to our request
Certificate generation failed.
[[email protected] ~]#

You might try Letsencrypt instead of ZeroSSL probably.
 
Can help you with Let's Encrypt. Have not a single certificate from ZeroSSL either on my own or customers' servers.
 
Remove /root/.zerossl or revert back any other changes you've made in order to start using ZeroSSL
 
Can it be that your firewall blocks connections to IP: 172.65.32.248?

Code:
csf -g 172.65.32.248
?
 
Can it be that your firewall blocks connections to IP: 172.65.32.248?

Code:
csf -g 172.65.32.248
?
Thanks, the problem was from the datacenter; now I have a new error:
6.JPG




I also changed the DNS of the DirectAdmin server to the DNS of 65.21.24.182 in Administrator Settings/Server Settings.
Thanks for your attention.
 
Now I have a new problem: when I change "Set IP To" to the first domain's IP, the first domain is accessible and has an SSL certificate but the second domain is not accessible, and when I change "Set IP To" to the second IP, it is the opposite.
I also added the other IP as an additional IP, but nothing changed.
Thanks.

"Set IP To"
in Dashboard/Show Users/View/User Modify/Change the User's IP
 