LetsEncrypt Issue

Richard G

I don't have external DNS and sometimes also have an issue that the first time the certificate renews it gives an acme challenge error stating the challenge code does not match or is incorrect or something like that.
If I do nothing or if I renew manually, the second attempt has no problem anymore. However, this does not happen always.
So it might already be enough to just retry it when you get an acme_challenge error.
 

glio

> @glio
> Are you sure it's not only a matter of deleting the _acme-challenge record? Because I had the same problem in some previous versions.

> @crenet
> This thread was initiated by my ISP and virtually marked as solved by me because some versions ago DA actually started to work with LE wildcard on external DNS. Read some pages back on this thread.

The old version < 1.1.25 was the only one that worked for my server (before 1.1.35), but... it does not work now.
Also _acme-challenge will be added and deleted by letsencrypt's plugin, so there is nothing you can do about it.
 

glio

> I don't have external DNS and sometimes also have an issue that the first time the certificate renews it gives an acme challenge error stating the challenge code does not match or is incorrect or something like that.
> If I do nothing or if I renew manually, the second attempt has no problem anymore. However, this does not happen always.
> So it might already be enough to just retry it when you get an acme_challenge error.

You mean they add a "test"/"pre-check" record and then get an error?
If yes, then I think your problem is just like mine; I needed to add some records to get it to work:
_acme-challenge-test.xxxx.net. 1 TXT "pre-check"
_acme-challenge-test.xxxx.net. 1 TXT pre-check

Also, after adding them, you need to reload and restart the named service.

glio

> The link was fine and somehow it stopped working.
>
> This is what we can read in the Plesk doc about Let's Encrypt certificates. DA urgently needs to add this feature in DirectAdmin for users that are using external DNS services. I think this is a basic feature for those who want to optimize DNS.
> I just cannot believe that DA is not able to do it.
> To the forum administrator: this is not a promotion link, this is just proof that it's possible to allow DA users to add LE wildcard certificates into DirectAdmin; you must use this feature as soon as possible.
> Thank you so much

So this means there is nothing we can do now, until DA adds LE wildcard external DNS service support, right?

Richard G

> You mean they add a "test"/"pre-check" record and then get an error?

No, I mean I get that error without adding that record. I never add records myself.

Wildcard DNS with external nameservers is not possible. However, if you check all options (www, ftp, mail etc.) instead of using wildcard then it will work.

glio

> No, I mean I get that error without adding that record. I never add records myself.

So you need to add it yourself to get it to work.

> Wildcard DNS with external nameservers is not possible. However, if you check all options (www, ftp, mail etc.) instead of using wildcard then it will work.

No, 1.1.25 did work for that, but I think LE changed something, and it does not work anymore now.

_rik_

It's a bit of a mess.
First, I confirm what @Richard G said above:
> if I renew manually, the second attempt there is no problem anymore
Just tested now on an error when renewing manually. The second time it works.

This is what happens in the first attempt:
Challenge status: invalid. Challenge error: "type": "dns-01", "status": "invalid", "error": { "type": "urn:ietf:params:acme:error:unauthorized", "detail": "Incorrect TXT record \"_AymKPwxxxxxxxxxxxxxxxxxxxxxxxx\" found at _acme-challenge.xxxxxx.xxx", "status": 403 . Exiting...
(the xxx are just there to hide sensitive info)

Second: DA+LE are OK with external DNS for me. Apparently not for other people here on the forum.

Third (new for me): I've noticed that the wildcard function does NOT seem to work 100% like a real *.domain.tld. It works more like checking manually all the fields under the section "Let's Encrypt Certificate Entries" (where you can see a limited number of names: ftp, mail, www, etc.). I'm saying this because only such names get a proper certificate 100% of the time. Any other name gets a certificate with the wrong common name: instead of the domain name it contains the server name.

For example, if I add to the DNS "incoming" as a CNAME to "mail",
incoming.domain.tld gets a certificate but the common name contains the server name instead of the domain (and any client, email or browser, gets warned of forgery). On the contrary, mail.domain.tld gets the proper common name. Maybe it's normal behaviour? I don't know. I've "solved" it simply by not inventing new names, using only those already listed in the section "Let's Encrypt Certificate Entries".
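The dns-01 failure quoted in the thread is the CA finding a TXT record at _acme-challenge.<domain> that does not carry the token it expects, and a second attempt passing once the zone has been reloaded. The following is an added example (not DirectAdmin's, Let's Encrypt's, or any poster's code) of a pre-check an operator can run before triggering validation: it parses constructed dig-style answers for an assumed domain example.net, accepts both the quoted and bare TXT spellings shown above, and reports a mismatch in the same shape as the CA's error.

```python
import re

# Constructed sample: the answer just after the panel rotated the record
# but before the zone was reloaded, so only the previous token is visible.
STALE_ANSWER = '_acme-challenge.example.net. 1 IN TXT "OLDTOKENxxxxxxxx"\n'
# Constructed sample after the reload: old and new records coexist, and the
# new one is a bare token (both spellings of a TXT value appear in the thread).
FRESH_ANSWER = (
    '_acme-challenge.example.net. 1 IN TXT "OLDTOKENxxxxxxxx"\n'
    "_acme-challenge.example.net. 1 IN TXT NEWTOKENyyyyyyyy\n"
)
EXPECTED = "NEWTOKENyyyyyyyy"  # token the ACME client expects to be published

TXT_RE = re.compile(r"^\S+\s+\d+\s+IN\s+TXT\s+(.*)$")
QUOTED_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')


def txt_values(answer):
    """Parse dig '+noall +answer' lines into TXT values. A quoted string
    (adjacent quoted parts are joined, per RFC 1035) and a bare token give
    the same value, so "pre-check" and pre-check compare equal."""
    values = []
    for line in answer.splitlines():
        m = TXT_RE.match(line.strip())
        if m:
            rdata = m.group(1).strip()
            values.append("".join(QUOTED_RE.findall(rdata)) if rdata.startswith('"') else rdata)
    return values


def precheck(answer, expected):
    """Return (ok, detail). The CA needs only one matching record, so a
    leftover record from an earlier attempt is harmless; on failure the
    first record found is reported, in the shape of the CA's error."""
    found = txt_values(answer)
    if expected in found:
        return True, "challenge token present"
    if not found:
        return False, "no TXT record found (record missing or zone not reloaded)"
    return False, 'Incorrect TXT record "%s" found' % found[0]


def validate_with_retry(answers, expected):
    """Walk successive lookups (the thread's 'second attempt works' case);
    returns (ok, detail, lookups_used)."""
    detail, n = "no lookup performed", 0
    for n, answer in enumerate(answers, 1):
        ok, detail = precheck(answer, expected)
        if ok:
            return True, detail, n
    return False, detail, n
```

In practice the answers would come from querying each authoritative nameserver directly (not a caching resolver) so that the check sees what the CA will see.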