Letsencrypt: "Error during automated certificate renewal"

deeoo

Since a couple of days ago I started getting "Error during automated certificate renewal for friendr.nl" (and several other domains).

I've never had this problem before so what changed?

DirectAdmin: 1.61.3
CentOS 6
Letsencrypt: 2.0.6
letsencrypt=2 on directadmin.conf

I get this error:

Code:
Cannot Execute Your Request

Details

2020/07/25 12:38:16 [INFO] [friendr.nl, www.friendr.nl] acme: Obtaining SAN certificate
2020/07/25 12:38:17 [INFO] [friendr.nl] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/6100470609
2020/07/25 12:38:17 [INFO] [www.friendr.nl] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/6100470610
2020/07/25 12:38:17 [INFO] [friendr.nl] acme: Could not find solver for: tls-alpn-01
2020/07/25 12:38:17 [INFO] [friendr.nl] acme: use http-01 solver
2020/07/25 12:38:17 [INFO] [www.friendr.nl] acme: Could not find solver for: tls-alpn-01
2020/07/25 12:38:17 [INFO] [www.friendr.nl] acme: use http-01 solver
2020/07/25 12:38:17 [INFO] [friendr.nl] acme: Trying to solve HTTP-01
2020/07/25 12:38:22 [INFO] [www.friendr.nl] acme: Trying to solve HTTP-01
2020/07/25 12:38:29 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/6100470609
2020/07/25 12:38:29 [INFO] Unable to deactivate the authorization: https://acme-v02.api.letsencrypt.org/acme/authz-v3/6100470609
2020/07/25 12:38:29 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/6100470610
2020/07/25 12:38:30 [INFO] Unable to deactivate the authorization: https://acme-v02.api.letsencrypt.org/acme/authz-v3/6100470610
2020/07/25 12:38:30 Could not obtain certificates:
error: one or more domains had a problem:
[friendr.nl] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: Invalid response from http://friendr.nl/.well-known/acme-challenge/abAyqDBmwRXOhvcGLkWe4cwsuhRMPLnscfCMXY5CZhI [84.22.106.78]: "\n\n\n\nNot Found\nTh", url:
[www.friendr.nl] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: Invalid response from http://www.friendr.nl/.well-known/acme-challenge/D7Ao0-EiafA6LzO3nVcD8SZCU-hCYzQHP_TzmVLQDW4 [84.22.106.78]: "\n\n\n\nNot Found\nTh", url:
Certificate generation failed.

The renewals have been working all this time.

Things I've tried:
  1. I've tried downgrading letsencrypt to 2.0.1
  2. I've tried changing letsencrypt=2 to letsencrypt=1 on directadmin.conf
  3. Rebooting
 
It's been a couple of days and I still haven't been able to figure this out. It's a live server with several clients so I can't 'trial and error' too much.

So here's me, trying my best to understand what's going on.

"acme: error: 403"
If I'm correct, 403 is a permission error. The 404 in the response supports this.

So I tried the following: I deleted the .well-known/acme-challenge/ directories. I then ran the following command-line request:
/usr/local/directadmin/scripts/letsencrypt.sh renew friendr.nl 4096

This resulted again in the following:
Code:
2020/07/28 13:49:27 [INFO] [friendr.nl, www.friendr.nl] acme: Obtaining SAN certificate
2020/07/28 13:49:29 [INFO] [friendr.nl] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/6163947194
2020/07/28 13:49:29 [INFO] [www.friendr.nl] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/6163947200
2020/07/28 13:49:29 [INFO] [friendr.nl] acme: Could not find solver for: tls-alpn-01
2020/07/28 13:49:29 [INFO] [friendr.nl] acme: use http-01 solver
2020/07/28 13:49:29 [INFO] [www.friendr.nl] acme: Could not find solver for: tls-alpn-01
2020/07/28 13:49:29 [INFO] [www.friendr.nl] acme: use http-01 solver
2020/07/28 13:49:29 [INFO] [friendr.nl] acme: Trying to solve HTTP-01
2020/07/28 13:49:34 [INFO] [www.friendr.nl] acme: Trying to solve HTTP-01
2020/07/28 13:49:41 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/6163947194
2020/07/28 13:49:41 [INFO] Unable to deactivate the authorization: https://acme-v02.api.letsencrypt.org/acme/authz-v3/6163947194
2020/07/28 13:49:41 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/6163947200
2020/07/28 13:49:41 [INFO] Unable to deactivate the authorization: https://acme-v02.api.letsencrypt.org/acme/authz-v3/6163947200
2020/07/28 13:49:41 Could not obtain certificates:
        error: one or more domains had a problem:
[friendr.nl] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: Invalid response from http://friendr.nl/.well-known/acme-challenge/WgPEy9Rk9MBYz2juXsgT3pTZNlcev2YRqAzMoq0g2Kk [84.22.106.78]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n<HTML><HEAD>\n<TITLE>404 Not Found</TITLE>\n</HEAD><BODY>\n<H1>Not Found</H1>\nTh", url:
[www.friendr.nl] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: Invalid response from http://www.friendr.nl/.well-known/acme-challenge/423i_uXwz299l1hL1Cym7X8cVXL34bRjd7wnHQsOh50 [84.22.106.78]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n<HTML><HEAD>\n<TITLE>404 Not Found</TITLE>\n</HEAD><BODY>\n<H1>Not Found</H1>\nTh", url:
Certificate generation failed.

I checked the directory and found an empty /.well-known/acme-challenge/letsencrypt_1595936966 file which I can access through http.
So there's no problem in writing permissions. But letsencrypt is looking for /.well-known/acme-challenge/WgPEy9Rk9MBYz2juXsgT3pTZNlcev2YRqAzMoq0g2Kk but only wrote /.well-known/acme-challenge/letsencrypt_1595936966.

Why?
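An added diagnostic, not part of the thread or of DirectAdmin's letsencrypt.sh: it parses the per-domain failure lines from the log above and separates the CA's outer status (403 / urn:ietf:params:acme:error:unauthorized, the CA's verdict on the challenge) from the status the web server actually answered when the CA fetched the token (404 here), which is the part that points at the missing challenge file. The sample line is the friendr.nl entry from the second log in the post; the expected_ip parameter is an assumption for spotting DNS or proxy mismatches.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Per-domain failure line as printed by the lego-based letsencrypt.sh run in the post.
FAILURE_RE = re.compile(
    r'^\s*\[(?P<domain>[^\]]+)\] acme: error: (?P<acme_status>\d{3}) :: '
    r'(?P<error_type>urn:ietf:params:acme:error:\w+) :: '
    r'Invalid response from (?P<url>\S+) \[(?P<ip>[^\]]+)\]: "(?P<body>.*)", url:')
# HTTP status the web server itself answered, recovered from the quoted response body.
SERVED_RE = re.compile(r'\b([1-5]\d\d) (?:Not Found|Forbidden|Moved Permanently|Found|'
                       r'Internal Server Error|Bad Gateway|Service Unavailable)\b')

# Sample input: the friendr.nl failure line copied from the second log in the post.
SAMPLE_LOG = r'''[friendr.nl] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: Invalid response from http://friendr.nl/.well-known/acme-challenge/WgPEy9Rk9MBYz2juXsgT3pTZNlcev2YRqAzMoq0g2Kk [84.22.106.78]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n<HTML><HEAD>\n<TITLE>404 Not Found</TITLE>\n</HEAD><BODY>\n<H1>Not Found</H1>\nTh", url:
'''

@dataclass
class ChallengeFailure:
    domain: str
    acme_status: int              # status of the CA's problem document (403 here)
    error_type: str               # urn:ietf:params:acme:error:unauthorized
    challenge_url: str            # URL the CA fetched
    validated_ip: str             # address the CA connected to
    served_status: Optional[int]  # what the web server actually answered (404 here)
    token: str                    # file name the CA expected under acme-challenge/

def parse_failures(log: str) -> List[ChallengeFailure]:
    out = []
    for line in log.splitlines():
        m = FAILURE_RE.match(line)
        if not m:
            continue
        served = SERVED_RE.search(m['body'])
        out.append(ChallengeFailure(m['domain'], int(m['acme_status']), m['error_type'],
                                    m['url'], m['ip'], int(served[1]) if served else None,
                                    m['url'].rsplit('/', 1)[-1]))
    return out

def diagnose(f: ChallengeFailure, expected_ip: Optional[str] = None) -> str:
    """Explain the failure by what the CA observed, not by the outer ACME status code."""
    if expected_ip and f.validated_ip != expected_ip:
        return f"{f.domain}: CA validated {f.validated_ip}, not {expected_ip}: DNS/proxy points elsewhere"
    if f.served_status == 404:
        return f"{f.domain}: web server returned 404, token file '{f.token}' was not served"
    if f.served_status in (301, 302):
        return f"{f.domain}: challenge URL redirected; the redirect target must serve the token"
    return f"{f.domain}: {f.error_type} (HTTP {f.acme_status}); inspect the quoted response body"
```

Run it over the full letsencrypt.sh output to get one line per failed name; a 404 means the file the CA asked for was never served from that webroot, regardless of the directory's write permissions.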
 
I’ve downgraded letsencrypt from version 2.0.7 to 1.1.42 and it’s working again!

This is partially good news. Good in that it’s all working again. But bad because I can’t upgrade letsencrypt any longer.
 
I'm having an issue that I'm wondering might be related to this.

I have 10 domains set up, all set to auto-renew with Let's Encrypt. Everything has always worked fine.

Looking at my admin messages, starting on September 17th, one of those 10 domains is getting an error when attempting to renew.

All of the other domains seem to be fine, and I haven't touched anything.

I'm now receiving the following error once a day, but only for this one particular domain:

Error during automated certificate renewal for domain.com

CSR config file /usr/local/directadmin/data/users/admin/domains/domain.com.san_config passed but does not exist or is empty.
ls: cannot access /usr/local/directadmin/data/users/admin/domains/domain.com.san_config: No such file or directory

I've looked in the /usr/local/directadmin/data/users/admin/domains/ directory, and I don't see a .san_config file for any of the domains.
 
I run into this problem now on a machine.
Is there any solution to this?
 