Let's Encrypt won't create cert with forced SSL setting

Aar

Since I use Cloudflare for my domains, the following error appears in my user's message box:
Code:
Error: http://www.beta.example.org/.well-known/acme-challenge/letsencrypt_1592442705 is not reachable. Aborting the script.
dig output for www.beta.example.org:
2606:4700:3036::****:****
2606:4700:3031::****:****
2606:4700:3035::****:****
Please make sure /.well-known alias is setup in WWW server.

Why is this error happening?
I've read that this can be prevented by disabling the 'forced SSL' setting in DA in the SSL manager.
This works, but it is not a convenient workaround. Now every time this error message appears I must temporarily switch the setting off again for one night so that it works again.

Why is it not possible to create a new certificate when I use forced SSL? I have updated Let's Encrypt already.

This also happens when I have turned off the Forced SSL setting in DA and I use the Always SSL setting in Cloudflare.
I can see where this might happen if the certificate is already expired. The site cannot be reached because of the expired certificate, just like it would in your browser. But if the cert is not already expired then I don't know.

You also don't have to switch it off for an entire night. Switch it off and then manually update the certificate. Then turn it back on.

Also http://www.beta.domain.nl does redirect to https://www.vip.nl so that could be part of the problem as well.
 
@floyd No, domain.nl is an example. ;-)

The certificate is not expired. But according to the DA settings, the renewal runs after 60 days. But it doesn't with my settings.
 
May you message me access details? People were reporting this from time to time, let’s check the actual cause of it.
 
@floyd Sorry, I thought you'd realize it was a fake name. From now on I will use example.org with emphasis that it is fake.
@smtalk I'll discuss it with others about access. Because what do you want to know exactly?
 
@floyd Sorry, I thought you'd realize it was a fake name. From now on I will use example.org with emphasis that it is fake.
@smtalk I'll discuss it with others about access. Because what do you want to know exactly?
I want to debug why it’s not reachable. If you’ve done this already - just name why it does not work and we can get it fixed then.
 
Going off-topic here, I can never quite grasp why someone would want www dot with a sub-domain by default....... Yes, if they want it, they can add www dot when they create the sub-domain, but DA seems to add it by default..
 
@Aar smtalk works for DA; he is trustworthy.
Hope he is allowed to check it out and fix it, because that can help more users in the future.
 
Going off-topic here, I can never quite grasp why someone would want www dot with a sub-domain by default....... Yes, if they want it, they can add www dot when they create the sub-domain, but DA seems to add it by default..

A lot of people still use www when typing in a domain. I see it advertised everywhere. "Go to our web site at www......" It drives me crazy.
 
A lot of people still use www when typing in a domain. I see it advertised everywhere. "Go to our web site at www......" It drives me crazy.
We also do it in text links or manuals, because this is the easy way to explain that it is a website/URL (while new TLDs such as .cool aren't known by many as websites). (It looks much nicer than https:// and it sounds even better.) Haha, yup, then you can choose to redirect whatever, but www.sub.domain.tld, hmm.

Oh yeah, the Let's Encrypt on DA, even with subdomains, is always looking in (a www) as www.sub.blabla.tld.

Sometimes some software only runs well (some redirection on the DA server is our experience with subdomains; I mean www is a subdomain, so not using it was, after cache with redirect to https://domain.tls, giving errors. (The same with www.domain.tld, or in another sub such as shop.domain.tld, was working.)

This was only on DA servers, and still is with CentOS 7.x. Tried a lot; sometimes it seems to work because of some cache (not browser cache, this was off), and a day or many hours later a 500 error.

Yes, we have or had kind of the same as Aar, so maybe both hang together with some settings. We have too many changes now to blame DA as a BUG, and also don't want to look at it while this box is going EOL, I hope this year.

Now a forward SSL works to https, but when using site redirection for the domain (to otherdomain) with 302, only the redirection with www is redirecting to otherdomain.tld; without www it is going to https://domain.tld with force SSL and using private.

No changes done in .htaccess here by me.

These settings:

Force Redirect: domain.nl (so without www)
Redirection for domain, pointers, and sub-domains.

private_html setup for domain.nl (SSL must be enabled above)
This one is used: Use a directory named private_html
This is on: Force SSL with https redirect
 
A lot of people still use www when typing in a domain. I see it advertised everywhere. "Go to our web site at www......" It drives me crazy.
On main domains, it's fine (even I redirect to www), but on sub domains?... Seems a bit useless to me...... Google can see duplicate content in this case....... Just my view.....
 
Thanks for the replies.

I'm going to check this weekend or next week if the file can be created and if it is available in /.well-known via both https and http. And then I'll also take a look with cURL.
That is the first step.

To be continued.....
 
We are a few weeks later after I was busy with some other things. But I did some research.
The /.well-known folder can be reached if I test a file instead.

And it is now clear that I have to temporarily disable the forced http -> https setting (I do not use HSTS) so that the certificate on the server is properly renewed. Whether this setting is done in DirectAdmin or in Cloudflare, in both cases this fixes it. So it doesn't seem to be specifically related to the force SSL switch in DA.

Are there still things I can check? Because I see that it happens with the '.beta'-subdomain. Maybe removing that (unnecessary to me) subdomain will fix it, but that won't fix the actual problem.

Since there are some customers on the server, and the server is running fine, I would rather look at it with someone, instead of just granting access.
 
Same problem here, I kept getting emails telling me my domain SSL renewal failed with LetsEncrypt. I tried manually renewing and troubleshooting and noticed that the only way I can get it renewed is by turning the Force SSL with https redirect option off for the domain. This is going to be a problem because every few months the auto-renew will run on each domain and fail. I will then have to login and turn off Force SSL with https redirect and manually renew. This essentially means that LetsEncrypt auto-renew is useless at this point. Is there a fix?
 
It's almost like the certificate has expired already. I can see where force https would be a problem if the cert has already expired.

Try this as a test https://help.directadmin.com/item.php?id=2087

Definitely not expired. I tried the test in https://help.directadmin.com/item.php?id=2087 before posting and just received an error, I just can't remember what it was at the moment.

I can tell you for sure that the cert is NOT expired and that none of the troubleshooting steps or knowledge-base articles etc seem to work. As soon as I turn off "Force SSL with https redirect" option for the domain, then run the renewal manually, everything works and the cert is renewed with no problem.

As I remember from last night (I was tired) I used the command in https://help.directadmin.com/item.php?id=2087 to manually renew after turning that option off. Same command fails with the option on.
 
Additional info:
As I remember when I ran the command in the URL you provided above, it mentioned something about a permanent redirect to the https version of the domain and then just died.

Curious, did the original poster Aar figure this out? Seems we are having the identical issue which is why I posted comments here in his thread.
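To see what the renewal script's reachability check is running into, here is an added example (not DirectAdmin's or Let's Encrypt's own code) that requests the challenge path over plain HTTP without following redirects and reports whether a forced http -> https redirect is what makes the path "not reachable"; an HTTP-01 validation only succeeds if the plain-HTTP path answers 200, or redirects somewhere that does. The host name, the probe token and the User-Agent string are constructed placeholders.

```python
"""Probe an ACME HTTP-01 challenge path over plain HTTP without following
redirects, so a forced https redirect shows up instead of being hidden."""
import sys
import urllib.error
import urllib.request


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Returning None makes urllib surface the 30x response as an HTTPError."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def classify(status, location):
    """Map a status code plus Location header to a short diagnosis."""
    if 300 <= status < 400 and location and location.startswith("https://"):
        # Forced-SSL redirect fires before the challenge file is served:
        # /.well-known/acme-challenge/ needs an exception from the redirect.
        return "redirected-to-https"
    if 300 <= status < 400:
        return "redirected"
    if status == 200:
        return "reachable"
    if status == 404:
        return "not-found"  # /.well-known alias missing or wrong document root
    return "unreachable"


def probe(url, timeout=10):
    """Fetch url once; return (status, Location) without following redirects."""
    opener = urllib.request.build_opener(NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": "acme-probe/0.1"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as e:  # 30x/40x/50x land here
        return e.code, e.headers.get("Location")
    except (urllib.error.URLError, OSError):  # DNS failure, timeout, refused
        return 0, None


def diagnose(host, token="probe-test"):
    """Run the plain-HTTP check for one host and return the diagnosis."""
    status, location = probe(f"http://{host}/.well-known/acme-challenge/{token}")
    return classify(status, location)


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "www.beta.example.org"
    print(host, diagnose(host))
```

A result of "redirected-to-https" means the server (or Cloudflare's Always Use HTTPS) is redirecting the challenge path before the file is served, which matches the "permanent redirect to the https version" seen above.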
 