Let's Encrypt - Ubuntu 20.04

[TomB1]

Hello,

I have issues with Let's Encrypt renewal at the moment.

The error on all domain in DA:
domain.com was skipped due to unreachable http://domain.com/.well-known/acme-challenge/ file.
www.domain.com was skipped due to unreachable http://www.domain.com/.well-known/acme-challenge/ file.
No domains pointing to this server to generate the certificate for.

1. DirectAdmin: 1.62.7
2. Cloudflare is not in use (as reverse proxy)
3. Performed all steps from: https://docs.directadmin.com/webservices/ssl/troubleshooting-letsencrypt.html
4. The testfile for the acme-challenge is reachable from the internet http://domain.com/.well-known/acme-challenge/test.txt & also generated correctly.
5. letsencrypt=1 is correct
6. /.well-known has been added and the alias is correct
7. Enabled curl with:
   #Advanced Settings
   curl=yes
8. The websites (www alias and root) are reachable from the internet and OK from different locations. Also pointed correctly to the DA server.
9. No CAA records
10. We use external DNS servers (cloudflare, transip etc.) and not directadmin for DNS.

Any idea?

 

[TomB1]

2021:09:20-06:43:30: Ssl::getKeyBit: Error checking for key bit size:
2021:09:20-06:43:30: Ssl::getKeyBit: Error checking for key bit size:
2021:09:20-07:12:15: Ssl::getKeyBit: Error checking for key bit size:
2021:09:20-07:12:16: Ssl::getKeyBit: Error checking for key bit size:
2021:09:20-07:12:16: Ssl::getKeyBit: Error checking for key bit size:
2021:09:20-07:12:17: Ssl::getKeyBit: Error checking for key bit size:
2021:09:20-07:12:17: Ssl::getKeyBit: Error checking for key bit size:
2021:09:20-07:13:18: LetsEncrypt(7543): exit code: 1 for domain='domain.com' : domain.com was skipped due to unreachable http://domain.com/.well-known/acme-challenge/ file.
www.domain.com was skipped due to unreachable http://www.domain.com/.well-known/acme-challenge/ file.
No domains pointing to this server to generate the certificate for.
from: /var/log/directadmin/error.log

[Mon Sep 20 07:14:01.897019 2021] [ssl:warn] [pid 426:tid 140075556512192] AH01909: www.domain.com:443:0 server certificate does NOT include an ID which matches the server name
from: /var/log/httpd/domains/domain.com.error.log

 

[damador]

https://forum.directadmin.com/threads/lets-encrypt-error.64494/#post-335379 the same error also @ ubuntu 20.04

 

[TomB1]

To be clear:
The issue is for ALL domains in directadmin and also for the directadmin panel. We use multiple domains without cloudflare DNS. So there is no proxy in between. This is a direct A and CNAME record to the DA IP address. In addition, there is also no IPv6 in the config/ubuntu installation. This problem is new, but I've been using directadmin for almost a year. This problem started after the updates.

All LE certificates will expire on 9 oct 2021.

 

[TomB1]

Cannot find the file /usr/local/directadmin/data/users/admin/domains/domain.com.san_config, but the script should create it if it's missing. Will determine the key type via other means.
Ssl::use_letsencrypt: renewing for domain.com, but there is no key. Reverting to default keytype.
Error reading /usr/local/directadmin/data/users/admin/domains/domain.com.san_config to find default_bits. Reverting to default.
Key defaulting to secp384r1.
Ssl::use_letsencrypt:ConfigFile &cf, action='renew': write_san_config
Load to env (Let's Encrypt):
0: HOME=/root
1: staging=no
Ssl::use_letsencrypt:ConfigFile &cf, action='renew': calling command: /usr/local/directadmin/scripts/letsencrypt.sh renew 'domain.com' secp384r1 /usr/local/directadmin/data/users/admin/domains/domain.com.san_config /var/www/html
execute('/usr/local/directadmin/scripts/letsencrypt.sh renew 'domain.com' secp384r1 /usr/local/directadmin/data/users/admin/domains/domain.com.san_config /var/www/html', maxsize=154, fd=1, env=0)
LetsEncrypt(2064): exit code: 1 for domain='domain.com' : domain.com was skipped due to unreachable http://domain.com/.well-known/acme-challenge/ file.
No domains pointing to this server to generate the certificate for.

Ssl::use_letsencrypt:ConfigFile &cf, action='renew' exit_code=1: letsecnrypt_post.sh
get_hook_paths_from:/usr/local/directadmin/scripts/custom/letsencrypt_post.sh: Found hook name 'letsencrypt_post'
get_hook_paths_from:/usr/local/directadmin/scripts/custom/letsencrypt_post.sh: got the following paths for 'letsencrypt_post':
listType: 0 size=64
Error renewing certificate for domain.com: domain.com was skipped due to unreachable http://domain.com/.well-known/acme-challenge/ file.
No domains pointing to this server to generate the certificate for.
<br>


Tried separate ubuntu instance with the same public ip. (Certbot and NGINX) This was immediately successful.

 

[TomB1]

@DirectAdmin Support

Installed custom version 2.0.12 and the problems are gone. I'm happy with this workaround on Ubuntu 20.04

 

[TomB1]

2.0.16 works also fine. It is something with the LE module.

 

[TomB1]

I can confirm that the issue is related to LE module 2.0.18 and up. 2.0.16 is fine.

@damador Go to your admin panel > CustomBuild 2.0 > Customize Versions > letsencrypt_sh > Version 2.0.16 & delete the MD5 hash.

I didnt test 2.0.17 because of this issue: https://forum.directadmin.com/threa...ficates-are-not-working-as-they-should.63722/

 

[TomB1]

Any update about this? @DirectAdmin Support

Still using 2.0.16 instead of 2.0.26.

The error on all domains in DA with the latest letsencrypt module:
domain.com was skipped due to unreachable http://domain.com/.well-known/acme-challenge/ file.
www.domain.com was skipped due to unreachable http://www.domain.com/.well-known/acme-challenge/ file.
No domains pointing to this server to generate the certificate for.

 

[brien]

Man, I've been searching all day for a resolution to this. I have the same problem with the same version of Ubuntu.

 

[brien]

I guess I can't edit my post. Anyway, the lower version resolved it for me. Thank you.

 

[TomB1]

I guess I can't edit my post. Anyway, the lower version resolved it for me. Thank you.

You are the third one. Thanks for letting me know. Still waiting for a solution, but I have the personal edition without technical support.

 

[SupermanInNY]

Same issue here. I just posted a new thread about this problem.