Let's Encrypt error on just one of 9 domains

coer

Hi,
I successfully installed LetsEncrypt on 8 of my 9 domains through DirectAdmin (login to user level, SSL, select 'Free & automatic certificate from Let's Encrypt', select proper certificate entries, fill email, click Save).
For some reason, one domain gives the below error. (I replaced the domain with domain.com and the letsencrypt_nr to letsencrypt_xxxxxxxxxx below).

The error:
Cannot Execute Your Request
Code:
Details
Getting challenge for domain.com from acme-server...
Error: http://domain.com/.well-known/acme-challenge/letsencrypt_xxxxxxxxxx is not reachable. Aborting the script.
Please make sure /.well-known alias is setup in WWW server.

I have searched everywhere, Google, DirectAdmin Forums, general instructions. But I cannot find what to do. I updated CentOS, I updated CustomBuild, I did 'build rewrite_confs', I rebooted the server. And obviously the /.well-known alias is set up in the WWW server (or otherwise it would not have worked with the other domains).

My setup:
- Latest version of DirectAdmin
- Centos 6 (updated)
- CustomBuild 2.0 (updated)

Any ideas?
 
Maybe you have custom rules/aliases for that domain?
Providing the domain would be useful for us to investigate.

Regards

Thanks for your reply.

What I see is that the domain has a different hosts file, compared with the rest of the domains.

This problematic Domain:
Code:
<VirtualHost IP address:443 >
    SSLEngine on
    SSLCertificateFile /usr/local/directadmin/data/users/xxusernamaexx/domains/xxusernamaexx.nl.cert
    SSLCertificateKeyFile /usr/local/directadmin/data/users/xxusernamaexx/domains/xxusernamaexx.nl.key
    SSLCACertificateFile /usr/local/directadmin/data/users/xxusernamaexx/domains/xxusernamaexx.nl.cacert

The other domains (where LetsEncrypt works fine):
Code:
<VirtualHost IP address:443 >
    SSLEngine on
    SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
    SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
    SSLCACertificateFile /etc/httpd/conf/ssl.crt/server.ca


I don't understand why the virtual host file for this domain is different.

I did a lot of Googling, but I cannot find how to get this domain's virtual host file to be like the rest.

Could someone help me understand why this could have happened, and where the settings are that I should look at to change, in such a way that DirectAdmin doesn't subsequently overwrite it ;-)

As I said earlier, I already tried 'build rewrite_confs', but that doesn't change the virtual host file for the domain.

Your help would be appreciated!

Regards
 
That's actually strange. The first one is the correct one: if you create a Let's Encrypt SSL certificate for the domain, the configuration should be exactly like the first one. Can you try requesting the certificate using the web interface instead of SSH?

The second one just means that the domain is using the server certificate, which shouldn't be valid for every specific domain.

Check that /etc/httpd/conf/extra/httpd-alias.conf has this line:
Alias /.well-known /var/www/html/.well-known

Regards
 
I have not tried via SSH, only via the DirectAdmin web interface.


Sorry, I mixed the two around, so you are right to be surprised!!
The problematic domain:
Code:
<VirtualHost IP address:443 >
    SSLEngine on
    SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
    SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
    SSLCACertificateFile /etc/httpd/conf/ssl.crt/server.ca

The other domains (which work fine with Let's Encrypt):
Code:
<VirtualHost IP address:443 >
    SSLEngine on
    SSLCertificateFile /usr/local/directadmin/data/users/xxusernamaexx/domains/xxusernamaexx.nl.cert
    SSLCertificateKeyFile /usr/local/directadmin/data/users/xxusernamaexx/domains/xxusernamaexx.nl.key
    SSLCACertificateFile /usr/local/directadmin/data/users/xxusernamaexx/domains/xxusernamaexx.nl.cacert

Just to be sure, I'm using (the recommended) setting letsencrypt=1 in directadmin.conf.
Also, all other websites are correctly reflecting the Let's Encrypt certificate. So it's working correctly, because I'm not (yet) using Let's Encrypt for the server, so there is no Let's Encrypt certificate to be found there.

Yes, /etc/httpd/conf/extra/httpd-alias.conf has the line:
Alias /.well-known /var/www/html/.well-known

Can anybody point me to where virtual host files are generated, where the general template is, and in what ways exceptions can be made per domain, so I can try to find out why this one domain has a different virtual host file?
 
The templates are generated by one of those two (the custom one has priority):
/usr/local/directadmin/data/templates/
/usr/local/directadmin/data/templates/custom/

Can you try using SSH?
/usr/local/directadmin/scripts/letsencrypt.sh request DOMAIN

Regards
 
Thanks! You have a nice direct way to explain things, I really appreciate it!

This is the relevant part of the default template at /usr/local/directadmin/data/templates/httpd.conf:
Code:
<VirtualHost |SERVER_IP|:443>
    ServerName localhost
    ServerAdmin webmaster@|SERVER_NAME|
    ScriptAliasMatch ^/~([^/]+)/cgi-bin(/.*)* /home/$1/public_html/cgi-bin/$2
    AliasMatch ^/~([^/]+)(/.*)* /home/$1/public_html$2
    DocumentRoot /var/www/html
    ScriptAlias /cgi-bin/ /var/www/cgi-bin/

    SSLEngine on
    SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
    SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key

    CustomLog /var/log/httpd/homedir.log homedir
</VirtualHost>

And this is /usr/local/directadmin/data/templates/custom/virtual_host2_secure.conf:
Code:
|?CGI=ScriptAlias /cgi-bin/ `HOME`/public_html/cgi-bin/|
|?DOCROOT=`HOME`/private_html|
|?REALDOCROOT=`HOME`/private_html|
|?OPEN_BASEDIR_PATH=`HOME`/:/tmp:/var/tmp:/usr/local/lib/php/|
|?ALLOW_OVERRIDE=AllowOverride AuthConfig FileInfo Indexes Limit Options=Indexes,Includes,IncludesNOEXEC,MultiViews,FollowSymLinks,None|
<VirtualHost |IP|:|PORT_443| |MULTI_IP|>
|CUSTOM|
    SSLEngine on
    SSLCertificateFile |CERT|
    SSLCertificateKeyFile |KEY|
    |CAROOT|

Now the key is: which file determines the definition of these variables:
|CERT|
|KEY|
|CAROOT|

And one more question:
Is there a way to make a custom virtual host file for a specific domain which takes priority over both /usr/local/directadmin/data/templates/ and /usr/local/directadmin/data/templates/custom/? If yes, where would such a file be?

Regards
 
The first one you showed is wrong, that's the Apache httpd.conf; you need to check virtual_host2_secure.conf in both directories.

If the template works for a domain it must work for all. Anyway, for custom content use:

For HTTP: /usr/local/directadmin/data/templates/custom/virtual_host2.conf
For HTTPS: /usr/local/directadmin/data/templates/custom/virtual_host2_secure.conf

For custom entries based on virtual host you can use:
|*if DOMAIN="SPECIFIC-DOMAIN.TLD"|
content
|*else|
Default content
|*endif|

Have you tried using SSH?

Regards
 
Hi,
Thanks again!

The relevant code at both /usr/local/directadmin/data/templates/virtual_host2_secure.conf as well as /usr/local/directadmin/data/templates/custom/virtual_host2_secure.conf is as follows:
Code:
<VirtualHost |IP|:|PORT_443| |MULTI_IP|>
|CUSTOM|
    SSLEngine on
    SSLCertificateFile |CERT|
    SSLCertificateKeyFile |KEY|
    |CAROOT|

And there is no domain-specific code in either the default or the custom template. So that can't be it. Still, the virtual host files of the domains differ, so the question remains:
What determines the definition of these variables:
|CERT|
|KEY|
|CAROOT|

Because somewhere these variables are defined! And since these are the only difference between the virtual host files of the rogue and the normal domains, it is likely causing the issue with Let's Encrypt.
So... where should I look?

No, I didn't try using SSH. I would first like to solve the virtual hosts issue.

Regards
 
Somehow that host hasn't been created correctly. It's quite a bit easier if you try to force DA to re-write it; the other option you have is to run DA in Debug mode and try to re-generate the certificate so you can see what is going on.

Here is the guide to run DA in Debug mode: https://help.directadmin.com/item.php?id=293

Regards

Yes, I would like to force DA to re-write the host! But how? I thought that was rewrite_confs?
I've done that numerous times, but nothing changes.

Can somebody help me to understand the answer to my question:
What determines the definition of these variables in the virtual host file:
|CERT|
|KEY|
|CAROOT|

Regards
 
Reading a bit more (I start to understand the topic better as the input increases, for which thank you!), I found instructions to rewrite ALL virtual host files:
echo "action=rewrite&value=httpd" >> /usr/local/directadmin/data/task.queue
Source: https://help.directadmin.com/item.php?id=2

I would like to only rewrite the one specific virtual host file of the rogue domain with username xxusernamaexx.

What would be the command for that?


Regards
 
You can easily run that command; it shouldn't cause any harm.

But if DA doesn't know that the user has a Let's Encrypt certificate it will recreate the file as it is (so it means it is using the server certificate); that's why I keep telling you to try to re-create it.

Regards
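Added example, not code from the thread or from DirectAdmin: a small POSIX shell check that pulls the SSLCertificateFile out of a domain's :443 VirtualHost block (so you can see at a glance whether it is still on the shared server.crt, as the rogue domain in this thread was) and confirms the /.well-known alias that letsencrypt.sh depends on. The httpd.conf and httpd-alias.conf contents, the IP 192.0.2.10, the user "exampleuser" and the domains are constructed sample input.

```shell
#!/bin/sh
# Constructed sample of a DirectAdmin-style httpd.conf with two :443 vhosts:
# one still on the shared server certificate, one on a per-domain certificate.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
<VirtualHost 192.0.2.10:443 >
	ServerName www.domain.com
	SSLEngine on
	SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
	SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
	SSLCACertificateFile /etc/httpd/conf/ssl.crt/server.ca
</VirtualHost>
<VirtualHost 192.0.2.10:443 >
	ServerName www.example.nl
	SSLEngine on
	SSLCertificateFile /usr/local/directadmin/data/users/exampleuser/domains/example.nl.cert
	SSLCertificateKeyFile /usr/local/directadmin/data/users/exampleuser/domains/example.nl.key
	SSLCACertificateFile /usr/local/directadmin/data/users/exampleuser/domains/example.nl.cacert
</VirtualHost>
EOF

# Constructed sample httpd-alias.conf carrying the alias letsencrypt.sh needs.
SAMPLE_ALIAS=$(mktemp)
echo 'Alias /.well-known /var/www/html/.well-known' > "$SAMPLE_ALIAS"

# Print the SSLCertificateFile of the VirtualHost whose ServerName equals $2 in config $1.
vhost_cert_file() {
  awk -v dom="$2" '
    /^<VirtualHost/            { inblock = 1; name = ""; cert = ""; next }
    inblock && $1 == "ServerName"         { name = $2 }
    inblock && $1 == "SSLCertificateFile" { cert = $2 }
    /^<\/VirtualHost>/         { if (name == dom) print cert; inblock = 0 }
  ' "$1"
}

# Exit 0 if the domain is still served with the shared server certificate,
# i.e. the pattern DirectAdmin writes when it does not know about a per-domain cert.
uses_server_cert() {
  [ "$(vhost_cert_file "$1" "$2")" = "/etc/httpd/conf/ssl.crt/server.crt" ]
}

# Exit 0 if the /.well-known alias is present in alias config $1.
has_wellknown_alias() {
  grep -q '^Alias /\.well-known /var/www/html/\.well-known' "$1"
}
```

Run it against the real /etc/httpd/conf/httpd.conf and /etc/httpd/conf/extra/httpd-alias.conf to compare the failing domain with a working one before rewriting anything.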
 