Let's encrypt stopped working
- Thread starter Neograph734
- Start date
raytrax
Verified User
- Joined
- Aug 5, 2011
- Messages
- 19
thanks
No need to do more, but you can launch the following command to renew certificates:
echo "action=rewrite&value=letsencrypt" >> /usr/local/directadmin/data/task.queue
+info: https://www.directadmin.com/features.php?id=1828
Thanks smtalk for share the code that solves it!
No need to do more, but you can launch the following command to renew certificates:
echo "action=rewrite&value=letsencrypt" >> /usr/local/directadmin/data/task.queue
+info: https://www.directadmin.com/features.php?id=1828
Thanks smtalk for share the code that solves it!
ikkeben
Verified User
round 12-05 we booked Martynas support for it
As fast as they are:
So we and he tested this after 12-05 and a few other things that solved the problem.
Thanks ofcourse.
For anyone thinking about booking support at Martynas / smtalk is doing great.
As fast as they are:
So we and he tested this after 12-05 and a few other things that solved the problem.
Thanks ofcourse.
For anyone thinking about booking support at Martynas / smtalk is doing great.
Urgent:
I did the fix mentioned in this topic and it SEEMED to fix it, since a new certificate was succesfully created, BUT:
now all my sites stopped working after the certificates expired.
So even though a new certificate was generated, it seems as tough nginx doesn't use these new cetificates.
Message before the fix:
Message after the fix:
But as you can see on https://www.publicoll.com, the renewal of the certificate did not fully work.
Now many sites are broken.
How can I fix this?
Thank you!
I did the fix mentioned in this topic and it SEEMED to fix it, since a new certificate was succesfully created, BUT:
now all my sites stopped working after the certificates expired.
So even though a new certificate was generated, it seems as tough nginx doesn't use these new cetificates.
Message before the fix:
Message after the fix:
But as you can see on https://www.publicoll.com, the renewal of the certificate did not fully work.
Now many sites are broken.
How can I fix this?
Thank you!
Ok, I found a manual fix.
1) Put the SSL certificate back to the servers self-hosted certificate
2) Go into custom httpd configuration and open a random domain, verify at the bottom whether no other domains have issues (I had about 10 times this issue)
After changing these 10 ssl certificates to self hosted, nginx was able to rebuild.
Then I one by one generated new let's encrypt certificates for these domains.
Example error message I received:
nginx: [emerg] SSL_CTX_use_PrivateKey_file("/usr/local/directadmin/data/users/username/domains/publicoll.com.key") failed (SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch)
nginx: configuration file /etc/nginx/nginx.conf test failed
22:33 31/05/2016
So if you had certificate renewal error's, check your nginx config test logs!
1) Put the SSL certificate back to the servers self-hosted certificate
2) Go into custom httpd configuration and open a random domain, verify at the bottom whether no other domains have issues (I had about 10 times this issue)
After changing these 10 ssl certificates to self hosted, nginx was able to rebuild.
Then I one by one generated new let's encrypt certificates for these domains.
Example error message I received:
nginx: [emerg] SSL_CTX_use_PrivateKey_file("/usr/local/directadmin/data/users/username/domains/publicoll.com.key") failed (SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch)
nginx: configuration file /etc/nginx/nginx.conf test failed
22:33 31/05/2016
So if you had certificate renewal error's, check your nginx config test logs!
jbb
Verified User
Thanks.........!
dws
Verified User
- Joined
- Mar 10, 2007
- Messages
- 16
Thanks for this solution smtalk
ShamrockInfoSec
Verified User
- Joined
- Mar 22, 2016
- Messages
- 5
Kiekeboe100
Verified User
Hi,
Only Let's Encrypt support is Beta.
This is stated on the feature information page. And on that same page is written how you (the server administrator) has to enable support for this beta feature. Hence, by default this is off.
It is up to you (the server administrator) to decide whether you release this beta feature to your clients (enable it on a production server), or test it on a testing server.
I personally would not prefer to have to use DirectAdmin pre-release binaries just to be able to test let's encrypt. So I am happy they release their stable software, with the beta piece in there, as long as we have to enable it manually.
Next to that. I have had two issues with Let's Encrypt. Both have been fixed on time (manually) to make renewing the certificate on a couple of domains possible.
I did change the renewal time to 80 days instead of 85 so I get a little more time to fix things when they are broken.
I think you can compare it to the Tesla auto-pilot function. Do you want to have the whole car software running on pre-release software just to be able to test the auto-pilot beta function?
regards,
Stijn
Just restart Apache
I had the same issue, DirectAdmin confirmed the certificate was renewed, but the browser was still showing the old expiration date. For me it was simply a matter of restarting Apache to fix this.
Not to say that this would have solved your issue as well of course (especially since you are using nginx). I guess Directadmin should restart Apache after updating the certificate to make it work.
I had the same issue, DirectAdmin confirmed the certificate was renewed, but the browser was still showing the old expiration date. For me it was simply a matter of restarting Apache to fix this.
Code:
service httpd restartNot to say that this would have solved your issue as well of course (especially since you are using nginx). I guess Directadmin should restart Apache after updating the certificate to make it work.
This still does not work. Im getting notices for days and when i look at the letsencrypt script the pointed out is correct. Yes, i am upgraded to the latest version. And echo "action=rewrite&value=letsencrypt" >> /usr/local/directadmin/data/task.queue does nothing.
I still cannot get my hostname da.myserver.net certificate to renew no matter what i do. I have followed and updated everything needed. Iv searched every error and thread and cannot find a solution.
When i run the script it keeps talking about MAIL
I havent seen anyone post a similar error where mail keeps coming up. Why is MAIL appending to the hostname? Im running
./letencrytp.sh renew da.myserver.net 4096
So why its complaining about mail.da.myserver.net?
When i run the script it keeps talking about MAIL
Code:
Getting challenge for mail.da.myserver.net from acme-server...
Error: http://mail.da.myserver.net/.well-known/acme-challenge/letsencrypt_1493799042 is not reachable. Aborting the script.
dig output for mail.da.myserver.net:
Please make sure /.well-known alias is setup in WWW server.I havent seen anyone post a similar error where mail keeps coming up. Why is MAIL appending to the hostname? Im running
./letencrytp.sh renew da.myserver.net 4096
So why its complaining about mail.da.myserver.net?
ikkeben
Verified User
How about ad the mail in your server dns settings. 
While in the script this is default.
( Or you have to change the script (if serverdomain then do ...)
We use server as mail Server with mail. so then no problems.
Further pointing out to you this is not the letsencrypt is stopped working error
While this is the default behaviour from the script, and letsencrypt is probably working fine for the other domains, if you're not using mail. at all ( also for other domains on server) you have to change script.
While in the script this is default.
( Or you have to change the script (if serverdomain then do ...)
We use server as mail Server with mail. so then no problems.
Further pointing out to you this is not the letsencrypt is stopped working error
While this is the default behaviour from the script, and letsencrypt is probably working fine for the other domains, if you're not using mail. at all ( also for other domains on server) you have to change script.
Last edited:
Solved!
WTF? All this time the certificate was working properly off mydomain.com as da.mydomain.com as subdomain then come renewal it fails? So how was it working as da.mydomain.com on my hostname all this time?
Code:
[root@da scripts]# ./letsencrypt.sh request_single da.mydomain.com 4096
Setting up certificate for a hostname: da.mydomain.com
Getting challenge for da.mydomain.com from acme-server...
Waiting for domain verification...
Challenge is valid.
Generating 4096 bit RSA key for da.mydomain.com...
openssl genrsa 4096 > "/usr/local/directadmin/conf/cakey.pem.new"
Generating RSA private key, 4096 bit long modulus
etcWTF? All this time the certificate was working properly off mydomain.com as da.mydomain.com as subdomain then come renewal it fails? So how was it working as da.mydomain.com on my hostname all this time?
ikkeben
Verified User
If was working for how long? The first renewal maybe?
If so the script ( renewal) don't remember / stored the "request-single" or in the meantime a update for letsencrypt or script changed somethings for that