Let's encrypt stopped working

ikkeben

Verified User
Joined
May 22, 2014
Messages
705
Location
Netherlands Germany
Around 12-05 we booked Martynas' support for it.

As fast as they are:

I’ve installed prerelease directadmin version. Please check if sni and letsencrypt works as expected.
So we and he tested this after 12-05 and a few other things that solved the problem.

Thanks of course.
For anyone thinking about booking support: Martynas / smtalk is doing great.
 

klasje

Verified User
Joined
Jan 5, 2008
Messages
19
Urgent:
I did the fix mentioned in this topic and it SEEMED to fix it, since a new certificate was successfully created, BUT:
now all my sites stopped working after the certificates expired.

So even though a new certificate was generated, it seems as though nginx doesn't use these new certificates.

Message before the fix:
Getting challenge for publicoll.com from acme-server...
/usr/local/directadmin/scripts/letsencrypt.sh: line 319: /var/www/html/.well-known/acme-challenge/: Is a directory
/usr/local/directadmin/scripts/letsencrypt.sh: line 322: [: -ne: unary operator expected
Waiting for domain verification...
rm: cannot remove `/var/www/html/.well-known/acme-challenge/': Is a directory
Challenge is . Details: . Exiting...
Message after the fix:
Subject: Automated certificate renewal for publicoll.com has succeeded
Getting challenge for publicoll.com from acme-server...
Waiting for domain verification...
Challenge is valid.
Getting challenge for www.publicoll.com from acme-server...
Waiting for domain verification...
Challenge is valid.
Generating 4096 bit RSA key for publicoll.com...
openssl genrsa 4096 > "/usr/local/directadmin/data/users/crebezze/domains/publicoll.com.key.new"
Generating RSA private key, 4096 bit long modulus
............................................++
..........................................................................................................................................................................++
e is 65537 (0x10001)
Certificate for publicoll.com has been created successfully!
But as you can see on https://www.publicoll.com, the renewal of the certificate did not fully work.
Now many sites are broken.

How can I fix this?

Thank you!
 

klasje

Verified User
Joined
Jan 5, 2008
Messages
19
Ok, I found a manual fix.

1) Put the SSL certificate back to the server's self-hosted certificate
2) Go into custom httpd configuration and open a random domain, verify at the bottom whether any other domains have issues (I had this issue about 10 times)
After changing these 10 SSL certificates to self-hosted, nginx was able to rebuild.

Then I one by one generated new let's encrypt certificates for these domains.

Example error message I received:
nginx: [emerg] SSL_CTX_use_PrivateKey_file("/usr/local/directadmin/data/users/username/domains/publicoll.com.key") failed (SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch)
nginx: configuration file /etc/nginx/nginx.conf test failed
22:33 31/05/2016

So if you had certificate renewal errors, check your nginx config test logs!
 
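The nginx error above (X509_check_private_key: key values mismatch) means the private key on disk no longer belongs to the certificate nginx is being told to load. The following added example, which is not DirectAdmin's or the thread's own code, checks every domain's certificate/key pair before a reload so the mismatch is found without taking sites down. It assumes DirectAdmin's per-user layout from the paths in this thread (/usr/local/directadmin/data/users/<user>/domains/<domain>.key) and assumes the matching certificate sits beside it as <domain>.cert.

```shell
#!/bin/sh
# Added example, not DirectAdmin's own script. A certificate loads in nginx only
# if the public key embedded in it equals the public key derived from the private
# key file, so we compare the two PEM-encoded public keys directly.
#
# Returns 0 if cert and key match, 1 if they do not, 2 if either cannot be parsed.
check_key_matches_cert() {
    cert="$1"
    key="$2"
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Walk the assumed DirectAdmin layout <base>/<user>/domains/<domain>.key and
# report every pair that nginx would refuse with "key values mismatch".
# Prints one line per pair; returns the number of broken pairs (0 = all good).
scan_directadmin_domains() {
    base="${1:-/usr/local/directadmin/data/users}"
    bad=0
    for key in "$base"/*/domains/*.key; do
        [ -f "$key" ] || continue
        cert="${key%.key}.cert"          # assumed certificate filename
        [ -f "$cert" ] || continue
        if check_key_matches_cert "$cert" "$key"; then
            echo "ok       $cert"
        else
            echo "MISMATCH $cert does not match $key"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# Usage (as root, before reloading the web server):
#   scan_directadmin_domains && nginx -t
```

Run the scan after each renewal; a non-zero return means at least one domain would break the nginx config test, so fix that pair (or revert it to the self-hosted certificate as described above) before reloading.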

dws

Verified User
Joined
Mar 10, 2007
Messages
9
Let's encrypt support was marked as BETA in DirectAdmin 1.50: https://www.directadmin.com/features.php?id=1828. That's the reason why a new version of DA hasn't been released just to fix the let's encrypt issue.

To fix the script for DA 1.50 it's enough to change the following line:
Code:
CHALLENGE="`echo "${RESPONSE}" | egrep -o '{[^{]*\"type\":\"http-01\"[^}]*'`"
To:
Code:
CHALLENGE="`echo "${RESPONSE}" | awk '/\"type\": \"http-01\"/,/}/'`"
Thanks for this solution smtalk
 
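Why the one-line change above matters: the egrep pattern only matches when the whole challenge object sits on one line with no space after the colon, while the awk range works on the pretty-printed, one-key-per-line JSON the ACME server now returns. The following added example, not code from the DirectAdmin script or the thread, runs both extractions over two constructed responses (fake URIs and tokens) so the difference is visible.

```shell
#!/bin/sh
# Added example, not the DirectAdmin script itself. Both responses below are
# constructed for the demo; the http-01 challenge carries token "t2".

# Compact JSON (everything on one line, no space after the colons).
COMPACT='{"status":"pending","challenges":[{"type":"dns-01","uri":"https://acme.example/chall/1","token":"t1"},{"type":"http-01","uri":"https://acme.example/chall/2","token":"t2"}]}'

# Pretty-printed JSON: one key per line, a space after each colon.
PRETTY='{
  "status": "pending",
  "challenges": [
    {
      "type": "dns-01",
      "uri": "https://acme.example/chall/1",
      "token": "t1"
    },
    {
      "type": "http-01",
      "uri": "https://acme.example/chall/2",
      "token": "t2"
    }
  ]
}'

# Pre-fix extraction: same pattern as DirectAdmin 1.50's letsencrypt.sh (brace
# escaped for portability, egrep written as grep -E). Needs "{ ... "type":"http-01"
# ... " on a single line, so it returns nothing on the pretty-printed form.
extract_old() {
    printf '%s\n' "$1" | grep -Eo '\{[^{]*"type":"http-01"[^}]*'
}

# Fixed extraction posted above: print from the line holding "type": "http-01"
# up to the next line containing a closing brace.
extract_new() {
    printf '%s\n' "$1" | awk '/"type": "http-01"/,/}/'
}

# Pull the token value out of whatever the extractor returned (any spacing).
token_of() {
    printf '%s\n' "$1" | grep -o '"token": *"[^"]*"' | sed 's/.*"\([^"]*\)"$/\1/'
}
```

The old extractor still works on COMPACT and the new one on PRETTY; a robust script would parse the JSON instead of scraping it, since either pattern breaks again the moment the server's formatting changes.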

ShamrockInfoSec

Verified User
Joined
Mar 22, 2016
Messages
9
location of .well-known challenge

Let's encrypt support was marked as BETA in DirectAdmin 1.50: https://www.directadmin.com/features.php?id=1828. That's the reason why a new version of DA hasn't been released just to fix the let's encrypt issue.

Honestly, why release stable software with BETA features in it which, if they break, may have a large impact on people's important web presence?
And then the moment it breaks you give the fix, kudos for that, but start pointing to "it's a beta version feature, you should have known that" is quite sick. We paying users are not your beta testing team you know, certainly not with our production systems.
And certainly not with a security feature like this.
 

Kiekeboe100

Verified User
Joined
Apr 19, 2008
Messages
143
Location
Belgium
Honestly, why release stable software with BETA features in it which, if they break, may have a large impact on people's important web presence?
And then the moment it breaks you give the fix, kudos for that, but start pointing to "it's a beta version feature, you should have known that" is quite sick. We paying users are not your beta testing team you know, certainly not with our production systems.
And certainly not with a security feature like this.
Hi,

Only Let's Encrypt support is Beta.
This is stated on the feature information page. And on that same page is written how you (the server administrator) have to enable support for this beta feature. Hence, by default this is off.
It is up to you (the server administrator) to decide whether you release this beta feature to your clients (enable it on a production server), or test it on a testing server.

I personally would not prefer to have to use DirectAdmin pre-release binaries just to be able to test let's encrypt. So I am happy they release their stable software, with the beta piece in there, as long as we have to enable it manually.

Next to that, I have had two issues with Let's Encrypt. Both have been fixed on time (manually) to make renewing the certificate on a couple of domains possible.
I did change the renewal time to 80 days instead of 85 so I get a little more time to fix things when they are broken.

I think you can compare it to the Tesla auto-pilot function. Do you want to have the whole car software running on pre-release software just to be able to test the auto-pilot beta function?

regards,
Stijn
 

Typify

New member
Joined
Jul 6, 2016
Messages
1
Just restart Apache

Urgent:
I did the fix mentioned in this topic and it SEEMED to fix it, since a new certificate was successfully created, BUT:
now all my sites stopped working after the certificates expired.

So even though a new certificate was generated, it seems as though nginx doesn't use these new certificates.

Message before the fix:


Message after the fix:


But as you can see on https://www.publicoll.com, the renewal of the certificate did not fully work.
Now many sites are broken.

How can I fix this?

Thank you!
I had the same issue, DirectAdmin confirmed the certificate was renewed, but the browser was still showing the old expiration date. For me it was simply a matter of restarting Apache to fix this.

Code:
service httpd restart
Not to say that this would have solved your issue as well of course (especially since you are using nginx). I guess Directadmin should restart Apache after updating the certificate to make it work.
 

pucky

Verified User
Joined
Sep 9, 2006
Messages
795
This still does not work. I'm getting notices for days and when I look at the letsencrypt script, the line pointed out is correct. Yes, I have upgraded to the latest version. And echo "action=rewrite&value=letsencrypt" >> /usr/local/directadmin/data/task.queue does nothing.
 

pucky

Verified User
Joined
Sep 9, 2006
Messages
795
I still cannot get my hostname da.myserver.net certificate to renew no matter what I do. I have followed and updated everything needed. I've searched every error and thread and cannot find a solution.

When I run the script, it keeps talking about MAIL

Code:
Getting challenge for mail.da.myserver.net from acme-server...
Error: http://mail.da.myserver.net/.well-known/acme-challenge/letsencrypt_1493799042 is not reachable. Aborting the script.
dig output for mail.da.myserver.net:
Please make sure /.well-known alias is setup in WWW server.
I haven't seen anyone post a similar error where mail keeps coming up. Why is MAIL being prepended to the hostname? I'm running

./letsencrypt.sh renew da.myserver.net 4096

So why is it complaining about mail.da.myserver.net?
 

ikkeben

Verified User
Joined
May 22, 2014
Messages
705
Location
Netherlands Germany
How about adding the mail. record in your server DNS settings. ;)

While in the script this is default.

(Or you have to change the script (if serverdomain then do ...)
We use the server as mail server with mail., so then no problems.


Further, pointing out to you that this is not the "letsencrypt stopped working" error.
While this is the default behaviour of the script, and letsencrypt is probably working fine for the other domains, if you're not using mail. at all (also for other domains on the server) you have to change the script.
 

pucky

Verified User
Joined
Sep 9, 2006
Messages
795
Solved!

Code:
[root@da scripts]# ./letsencrypt.sh request_single da.mydomain.com 4096
Setting up certificate for a hostname: da.mydomain.com
Getting challenge for da.mydomain.com from acme-server...
Waiting for domain verification...
Challenge is valid.
Generating 4096 bit RSA key for da.mydomain.com...
openssl genrsa 4096 > "/usr/local/directadmin/conf/cakey.pem.new"
Generating RSA private key, 4096 bit long modulus
etc
WTF? All this time the certificate was working properly off mydomain.com, with da.mydomain.com as a subdomain, then come renewal it fails? So how was it working as da.mydomain.com on my hostname all this time?
 

ikkeben

Verified User
Joined
May 22, 2014
Messages
705
Location
Netherlands Germany
Solved!

Code:
[root@da scripts]# ./letsencrypt.sh request_single da.mydomain.com 4096
Setting up certificate for a hostname: da.mydomain.com
Getting challenge for da.mydomain.com from acme-server...
Waiting for domain verification...
Challenge is valid.
Generating 4096 bit RSA key for da.mydomain.com...
openssl genrsa 4096 > "/usr/local/directadmin/conf/cakey.pem.new"
Generating RSA private key, 4096 bit long modulus
etc
WTF? All this time the certificate was working properly off mydomain.com, with da.mydomain.com as a subdomain, then come renewal it fails? So how was it working as da.mydomain.com on my hostname all this time?
It was working for how long? The first renewal maybe?

If so, the script (renewal) doesn't remember / hasn't stored the "request-single", or in the meantime an update for letsencrypt or the script changed something for that.
 