Let's Encrypt invalid challenge only for one domain

inavan (Verified User, joined Sep 20, 2013, 8 messages)
Hello

We are facing an unusual issue while setting up a Let's Encrypt certificate. We have one main domain (eg: maindomain.com) and multiple parked domains (eg: parkeddomain1.com, parkeddomain2.com, subdomain.parkeddomain3.com, etc.), and we have to set up a single SSL certificate for all these domains using SAN. Once in a while, we may have to add new parked domains to this main domain, and thus we have to regenerate the certificate including this new parked domain.

We were successfully able to do this process till now, but now when we added a new domain (eg: newparkeddomain.com), the certificate generation always fails with the message:

Code:
Getting challenge for maindomain.com from acme-server...
Waiting for domain verification...
Challenge is valid.
Getting challenge for parkeddomain1.com from acme-server...
Waiting for domain verification...
Challenge is valid.
Getting challenge for parkeddomain2.com from acme-server...
Waiting for domain verification...
Challenge is valid.
Getting challenge for subdomain.parkeddomain3.com from acme-server...
Waiting for domain verification...
Challenge is valid.
Getting challenge for parkeddomain4.com from acme-server...
Waiting for domain verification...
Challenge is valid.
Getting challenge for parkeddomain5.com from acme-server...
Waiting for domain verification...
Challenge is valid.
Getting challenge for subdomain.parkeddomain6.com from acme-server...
Waiting for domain verification...
Challenge is valid.
Getting challenge for newparkeddomain.com from acme-server...
Waiting for domain verification...
Challenge is invalid. Details: Invalid response from http://newparkeddomain.com/.well-known/acme-challenge/r0W-YpkLxgpnqwQHmdpDe5i82AMY7mri0q_lLhobejE: \. Exiting...

It only happens with this domain; we added more new domains after this, and the ACME challenge was successfully completed for all other domains except this one. This domain (like all the others) was hosted on a different server, for which we have edited the DNS records to point it to our server. All these are hosted on a single server and are under a dedicated IP for the main domain (maindomain.com). Initially we thought that it could be due to DNS propagation delay, and thus we waited for 2 full days and tried the certificate generation again. But that also failed.

Can anybody let us know what the problem could be with this newparkeddomain.com? As the certificate generation is failing, all other domains which were working fine with HTTPS also fail to load. Then we have to restore the backed-up configuration files and restart Apache to make them work.

We have been stuck with this issue for quite a while and have tried all the possibilities we could think of. So any inputs regarding this are highly appreciated.

FYI: we already have enabled Alias /.well-known in the configuration file

Thanks & Regards
Sujith
 
Can you post the actual domain that's failing, but obscure it somehow? (ie. sub the dots for the word 'dot', put a space between some of the words, etc).
 
Hello adam12

Thanks for your quick response. I am not authorized to disclose the actual domains, but still, considering the urgency of the situation, I will get a confirmation from our senior officials to provide you that. Just before checking with our seniors, I gave another try to generate the certificate, and now I get totally different error messages:

Code:
Cannot Execute Your Request

Details

Getting challenge for maindomain.com from acme-server...
Waiting for domain verification...
Challenge is valid.
Getting challenge for parkeddomain1.com from acme-server...
Waiting for domain verification...
Challenge is valid.
Getting challenge for parkeddomain2.com from acme-server...
Waiting for domain verification...
Challenge is valid.
Getting challenge for subdomain.parkeddomain3.com from acme-server...
Waiting for domain verification...
Challenge is valid.
Getting challenge for parkeddomain4.com from acme-server...
Waiting for domain verification...
Challenge is valid.
Getting challenge for parkeddomain5.com from acme-server...
Waiting for domain verification...
Challenge is valid.
Getting challenge for subdomain.parkeddomain6.com from acme-server...
Waiting for domain verification...
Challenge is valid.
Getting challenge for newparkeddomain.com from acme-server...
new-authz error: HTTP/1.1 100 Continue 
Expires: Mon, 26 Jun 2017 02:30:41 GMT 
Cache-Control: max-age=0, no-cache, no-store 
Pragma: no-cache 

HTTP/1.1 500 Internal Server Error 
Server: AkamaiGHost 
Mime-Version: 1.0 
Content-Type: text/html 
Content-Length: 177 
Expires: Mon, 26 Jun 2017 02:30:41 GMT 
Cache-Control: max-age=0, no-cache, no-store 
Pragma: no-cache 
Date: Mon, 26 Jun 2017 02:30:41 GMT 
Connection: close 


An error occurred while processing your request.


Reference #179.67d2f748.1498444241.29846a8b
. Exiting...

I am not sure if this is still related to the domain name, or something related to DirectAdmin/acme-server. If you get any clue from this error, please let me know. Meanwhile, I will try to get the consent from our authorities to provide you the actual domain names.

Thanks & Regards
Sujith
 
Hello Sujith,

Make sure you've got the latest letsencrypt.sh script.

Code:
cd /usr/local/directadmin/custombuild
./build update
./build letsencrypt

then try again.
 
Judging from the value in the 'Server' header, I'd suspect that it's still a DNS issue of some sort, where the DNS is still pointing to an Akamai CDN server.
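One way to act on this diagnosis before the next certificate run, as an added example that is not from the thread or from DirectAdmin's letsencrypt.sh: since a single failing SAN aborts the whole multi-domain certificate, check every name the way the CA's validator does, first that it resolves to our server and then that a probe file under /.well-known/acme-challenge/ comes back from our Apache rather than from a CDN edge. The dedicated IP 203.0.113.10, the probe file name and the SAN list are constructed placeholders; the Server-header marker comes from the response posted above.

```python
"""Pre-flight check for an HTTP-01 multi-SAN certificate run (added example).

Place a small probe file in the webroot under /.well-known/acme-challenge/,
then for every SAN confirm (a) DNS resolves to our dedicated IP and (b) a
plain-HTTP fetch of the probe is answered by our own web server.  Either
check failing on one name is what makes the whole certificate run abort.
"""
import socket
import urllib.error
import urllib.request
from dataclasses import dataclass

# Constructed values for this example: the dedicated IP every SAN should
# resolve to, and the probe file we place in the webroot beforehand.
EXPECTED_IP = "203.0.113.10"
PROBE_PATH = "/.well-known/acme-challenge/preflight-probe"
PROBE_BODY = "preflight-ok"
# Server-header markers meaning the request never reached our Apache
# (the thread's failing name answered with "Server: AkamaiGHost").
CDN_MARKERS = ("akamaighost",)


@dataclass
class Verdict:
    domain: str
    ok: bool
    reason: str


def dns_points_here(domain, expected_ip=EXPECTED_IP, resolver=socket.gethostbyname_ex):
    """Check that `domain` resolves to our IP. `resolver` is injectable so the
    logic can be exercised without network access."""
    try:
        _, _, addrs = resolver(domain)
    except socket.gaierror as exc:
        return Verdict(domain, False, f"DNS lookup failed: {exc}")
    if expected_ip not in addrs:
        return Verdict(domain, False, f"DNS resolves to {addrs}, expected {expected_ip}")
    return Verdict(domain, True, f"DNS resolves to {expected_ip}")


def classify_http_response(domain, status, headers, body):
    """Decide from a plain-HTTP probe whether our origin answered for `domain`.

    A CDN edge in the Server header, a non-200 status, or a body that does not
    echo the probe all mean the HTTP-01 challenge would fail for this SAN.
    """
    hdrs = {k.lower(): v for k, v in headers.items()}
    server = hdrs.get("server", "unknown")
    if any(marker in server.lower() for marker in CDN_MARKERS):
        return Verdict(domain, False, f"answered by a CDN edge, not our origin (Server: {server})")
    if status != 200:
        return Verdict(domain, False, f"HTTP {status} from {server}")
    if body.strip() != PROBE_BODY:
        return Verdict(domain, False,
                       "path reachable but probe body not echoed; check the Alias /.well-known mapping")
    return Verdict(domain, True, f"origin served the probe (Server: {server})")


def fetch_probe(domain, timeout=10):
    """Fetch the probe over HTTP the way the ACME validator would (follows redirects)."""
    url = f"http://{domain}{PROBE_PATH}"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", "replace")
            return classify_http_response(domain, resp.status, dict(resp.headers.items()), body)
    except urllib.error.HTTPError as exc:
        body = exc.read().decode("utf-8", "replace")
        return classify_http_response(domain, exc.code, dict(exc.headers.items()), body)
    except (urllib.error.URLError, OSError) as exc:
        return Verdict(domain, False, f"connection failed: {exc}")


def preflight(domains):
    """Run both checks for every SAN; return only the failing verdicts."""
    failures = []
    for d in domains:
        for verdict in (dns_points_here(d), fetch_probe(d)):
            if not verdict.ok:
                failures.append(verdict)
    return failures


if __name__ == "__main__":
    # Constructed SAN list in the thread's naming; replace with the real list.
    sans = ["maindomain.com", "parkeddomain1.com", "newparkeddomain.com"]
    failures = preflight(sans)
    for v in failures:
        print(f"{v.domain}: {v.reason}")
    print("all SANs passed" if not failures else "fix the above before regenerating the certificate")
```

Run it on the issuing server with the probe file already in place; only names that pass both checks should go into the SAN list, which avoids the situation described in the thread where one stale name takes the working HTTPS sites down with it.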
 
Hello Sujith,

Make sure you've got the latest letsencrypt.sh script.

Code:
cd /usr/local/directadmin/custombuild
./build update
./build letsencrypt

then try again.

Hello Alex

Thanks for the input. Let's try this option too and see if it resolves the issue.

Thanks & Regards
Sujith
 
Judging from the value in the 'Server' header, I'd suspect that it's still a DNS issue of some sort, where the DNS is still pointing to an Akamai CDN server.

Hello Adam

We also thought so, and waited for 4 days to make sure that the DNS records were propagated everywhere, and then tried again. But it still goes back to the initial error. We got the "Internal Server Error" header message only once, and during each subsequent try, it was going to the same first error.

And it is not yet solved.

Thanks & Regards
Sujith
 
Try this version: https://github.com/poralix/directadmin-utils/blob/master/letsencrypt/letsencrypt_poralix.sh It will add an interaction and will allow you to retry on a 500 error.

Hello Alex

Thanks a lot for that script, and sorry for the delayed response. Anyhow, as we were struggling with this issue, we decided to take the problematic domain out of the domain list while generating the certificate. We will have to try it again later, and at that time we will surely use the script you sent us.

Thanks & Regards
Sujith
 