HSTS failing on hostname after change

helpanother

Hi all,

I'm in the process of moving to DA from 20 long years with WHM & cPanel. I'm sick of their preposterous pricing increases.

Long story short, I'm trying to wrap my head around HSTS. I've set up a server with DA, installed it fine, it gave me a hostname on da.direct, which I then changed to use the hostname I wanted, which is a .ing domain (which enforces HSTS, which I had forgotten about — enter the first issue). I have updated the GLUE for this domain at my provider to my server IP, and a nameserver ns1.example.domain.ing. Added that domain to DA, so I could manage the DNS, and also changed the nameservers of the domain at my provider to ns1.example.domain.ing. Updated the nameservers in the DNS, I have also changed the SERVERNAME variable inside .conf and done this through the panel too. I've checked everywhere, and it has updated everywhere.

However, SSL is not working on the hostname.

I have run:
Code:
cd /usr/local/directadmin/scripts
./letsencrypt.sh request_single $(hostname -f) 4096

It returns successfully, but for the old hostname:
Code:
[root@we scripts]# cd /usr/local/directadmin/scripts
./letsencrypt.sh request_single ns1.example.domain.ing 4096
Setting up certificate for a hostname: ns1.example.domain.ing
2024/02/04 11:21:45 [INFO] [server-*-*-*-*.da.direct] acme: Obtaining SAN certificate
2024/02/04 11:21:45 [INFO] [server-*-*-*-*.da.direct] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/311479034337
2024/02/04 11:21:45 [INFO] [server-*-*-*-*.da.direct] acme: authorization already valid; skipping challenge
2024/02/04 11:21:45 [INFO] [server-*-*-*-*.da.direct] acme: Validations succeeded; requesting certificates
2024/02/04 11:21:53 [INFO] [server-*-*-*-*.da.direct] Server responded with a certificate for the preferred certificate chains "ISRG Root X1".
Certificate for server-*-*-*-*.da.direct has been created successfully!
DirectAdmin certificate has been setup.
Setting up cert for Exim...
2024/02/04 11:21:54  info executing task            task=action=exim&value=restart
2024/02/04 11:21:54  info executing task            task=action=dovecot&value=restart
Setting up cert for WWW server...
2024/02/04 11:23:25  info executing task            task=action=httpd&affect_php_fpm=no&value=reload
Setting up cert for FTP server...
2024/02/04 11:23:25  info executing task            task=action=pure-ftpd&value=restart
2024/02/04 11:23:25  info executing task            task=action=directadmin&value=restart

As you can see, it still thinks the hostname is server-*-*-*-*.da.direct, so what is happening here and how can I resolve it? Because at present, I am locked out of the panel and the server is only accessible via SSH.

I am trying to migrate from cPanel, so would appreciate a rapid resolution.
 
Just a tip. I would use ns1.domain.com instead of ns1.host.domain.com, same for ns2 because the ns A records are also regulated in the domain.com or you need to set them in your hostname record. Most just use ns1.domain.com and it's easier. But it's your choice.

As for the hostname, there are 2 ways to do this.
I always use my own method, but feel free to take another method.

You can verify the steps I have taken to see if you missed something.
 
Hi Richard, thanks for your link I will try this very soon, but just wanted some clarity on what you meant about the nameservers.

We have them like

we.love.******.ing
do.more.******.ing

Thanks for your advice. Very new to DA, not touched it since about 2008
 
Richard, thanks. For some reason, this was in the hosts file:

Code:
server-*-*-*-*.da.direct      ns1.example.domain.ing

That being said, I am rate limited now by LE lol
 
We have them like

we.love.******.ing
do.more.******.ing
Ah ok, that's good.
I thought you were using a hostname like ns1.server.domain.ing (which would also not be wrong). But you have some unique ones, that's fine too.

As for my help, you're welcome!
 
Sorry Richard, the problem does not seem to be solved still. I am wondering if it could be a DNS issue? Perhaps somehow a CNAME or something exists for ns1.example.domain.ing that points it to server-*-*-*-*.da.direct, because even though I am rate limited by LE, it still gives me the same error as it's trying to create SSL for server-*-*-*-*.da.direct. Any clues?
 
Did you create a separate DNS entry for your hostname? So not in your domain name but a real separate one in DNS administration?
Best is not to use CNAME for these things if present.

Also the hostname needs some time to resolve once created correctly.
I hope the RDNS for your server is not set to the ip.da.direct hostname.
 
How can I check RDNS?

Yes, the first thing I did was an entry for the host name with an A record in the top level DNS admin. I've run a dig on the DNS and there are no CNAMEs present that could do that. The rate limit on LE is halting progress at the moment. I can't use ZeroSSL either as I need to verify the domain but can't access the panel to add DNS records or create an inbox! lol.

EDIT: PTR is correct on rDNS, so no idea still!
 
How can I check RDNS?
rDNS = PTR, so you checked that already.

but can't access the panel to add DNS records or create an inbox! lol.
Let's start there, because that is important. Why can't you access the panel to check and add DNS etc.?
Is that because of SSL? If yes, that is an easy solution.
Edit the /usr/local/directadmin/conf/directadmin.conf file and change ssl=1 to ssl=0 and restart directadmin and you're done.
At least you're back into DA then, and that makes checking things a lot easier.

Also check your /etc/hostname file.
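Added example, not from this thread or from DirectAdmin: a small POSIX shell check for the /etc/hosts situation reported earlier in the thread (the old da.direct name still listed in front of the new name) and for the /etc/hostname check suggested just above. It relies on how glibc's "files" resolver works: the canonical name of a host is the first name on the matching /etc/hosts line, so `hostname -f` and any tool that resolves the hostname through /etc/hosts will report whatever comes first on that line, not the name you put in /etc/hostname. The hosts content, IP and names below are constructed samples; the functions take the file content as text, so nothing on the live system is read or written.

```shell
#!/bin/sh
# Constructed sample /etc/hosts (not a real file from the thread): the old
# auto-generated da.direct name is still the first name on the server's line,
# so a lookup of the new name yields the old name as the canonical one.
SAMPLE_HOSTS='127.0.0.1   localhost localhost.localdomain
203.0.113.10   server-203-0-113-10.da.direct ns1.example.domain.ing'

# canonical_name_for HOSTS_TEXT NAME
# Prints the first (canonical) hostname on the /etc/hosts line where NAME
# appears as any field, mirroring what glibc's files backend returns for
# AI_CANONNAME lookups (and therefore what `hostname -f` prints).
canonical_name_for() {
    printf '%s\n' "$1" | awk -v want="$2" '
        /^[[:space:]]*#/ || NF < 2 { next }
        { for (i = 2; i <= NF; i++) if ($i == want) { print $2; exit } }'
}

# report_hostname HOSTS_TEXT EXPECTED_FQDN
# Returns 0 when EXPECTED_FQDN is the canonical name, 1 with a warning otherwise.
report_hostname() {
    canon=$(canonical_name_for "$1" "$2")
    if [ -z "$canon" ]; then
        echo "WARN: $2 is not present in the hosts file at all"
        return 1
    elif [ "$canon" != "$2" ]; then
        echo "WARN: a hostname -f style lookup of $2 would return '$canon'"
        return 1
    fi
    echo "OK: $2 is the canonical name"
    return 0
}

# promote_hostname HOSTS_TEXT NAME
# Rewrites the line containing NAME so that NAME is the first field and the
# previous canonical name is kept as an alias; all other lines pass through.
promote_hostname() {
    printf '%s\n' "$1" | awk -v want="$2" '
        /^[[:space:]]*#/ || NF < 2 { print; next }
        {
            hit = 0
            for (i = 2; i <= NF; i++) if ($i == want) hit = 1
            if (!hit) { print; next }
            line = $1 "\t" want
            for (i = 2; i <= NF; i++) if ($i != want) line = line " " $i
            print line
        }'
}

# Stand-alone usage on the constructed sample. On a real server you would
# feed it "$(cat /etc/hosts)" and "$(cat /etc/hostname)" instead.
report_hostname "$SAMPLE_HOSTS" ns1.example.domain.ing || true
FIXED=$(promote_hostname "$SAMPLE_HOSTS" ns1.example.domain.ing)
printf '%s\n' "$FIXED"
report_hostname "$FIXED" ns1.example.domain.ing
```

The first report on the sample warns that a lookup of ns1.example.domain.ing resolves to the da.direct name; after `promote_hostname` the new name is first on the line and the report passes. Keeping the old name as an alias is deliberate: nothing that still refers to it breaks, but it no longer wins the canonical-name lookup.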
 