Letsencrypt SSL in 1.5 not working

hank

New member
Joined
Feb 29, 2016
Messages
3
I reinstalled my DirectAdmin from scratch,
updated to 1.5 and tried the SSL cert from Let's Encrypt, but I keep getting the following error:

Getting challenge for mywebsitename.com from acme-server...
Waiting for domain verification...
Challenge is valid.
Getting challenge for www.mywebsitename.com from acme-server...
Waiting for domain verification...
Challenge is invalid. Details: Invalid response from http://www.mywebsitename.com/.well-known/acme-challenge/7EL5bRwHpeoxH6cdURaR7NynqCM7VuJ9Uzg0oTPsqSU [178.18.87.86]: 404. Exiting...

There are no files created in the acme-challenge/ folder.

I did the CustomBuild changes and added the .well-known alias.
Any ideas why this is not working?
 

smtalk

Administrator
Staff member
Joined
Aug 22, 2006
Messages
8,340
Location
LT, EU
Are you running CustomBuild 2.0? Is letsencrypt=1 set in directadmin.conf? I think that it might be an alias related problem, and I'd suggest opening a ticket in tickets.directadmin.com if you're unable to solve it by yourself.
 

hank

New member
Joined
Feb 29, 2016
Messages
3
I have CustomBuild 2 installed
and enable_ssl_sni=1 with letsencrypt=1 in directadmin.conf.
 

hank

New member
Joined
Feb 29, 2016
Messages
3
I read something about WordPress install incompatibilities.

could that be it?
 

smtalk

Administrator
Staff member
Joined
Aug 22, 2006
Messages
8,340
Location
LT, EU
Your issue seems to be caused by an incorrect DNS configuration of the domain.
 

jkirker

Verified User
Joined
Nov 22, 2012
Messages
97
> Your issue seems to be caused by an incorrect DNS configuration of the domain.
Same problem here. nginx/apache

When I rename the .well-known to well-known I can hit the url - however I can't with the . preceding it.

1.5 / CB 2 / All up to date.

Thoughts?
 

phillcoxon

Verified User
Joined
Oct 17, 2015
Messages
23
> Same problem here. nginx/apache
>
> When I rename the .well-known to well-known I can hit the url - however I can't with the . preceding it.
>
> 1.5 / CB 2 / All up to date.
>
> Thoughts?
Same here. :( I thought it had been working / renewing previously but I may be mistaken. I am using WordPress sites which I saw may be related. Possibly .htaccess rules?
 

phillcoxon

Verified User
Joined
Oct 17, 2015
Messages
23
> Same here. :( I thought it had been working / renewing previously but I may be mistaken. I am using WordPress sites which I saw may be related. Possibly .htaccess rules?
Looks like apache blocking access?

[Tue Mar 15 06:19:49.159102 2016] [autoindex:error] [pid 16418:tid 139691093210880] [client 219.89.124.151:33737] AH01276: Cannot serve directory /home/domain/domains/domainname.com/public_html/.well-known/: No matching DirectoryIndex (index.html,index.htm,index.shtml,index.php,index.php5,index.php4,index.php3,index.phtml,index.cgi,index.pl) found, and server-generated directory index forbidden by Options directive
 

smtalk

Administrator
Staff member
Joined
Aug 22, 2006
Messages
8,340
Location
LT, EU
/home/domain/domains/domainname.com/public_html/.well-known/ should never be accessed with letsencrypt=1 set in directadmin.conf.
 

jkirker

Verified User
Joined
Nov 22, 2012
Messages
97
What do we do next?

[root@host4 scripts]# ./letsencrypt.sh request domain.com
Getting challenge for domain.com from acme-server...
Waiting for domain verification...
Challenge is invalid. Details: Invalid response from http://domain.com/.well-known/acme-challenge/LVc9b0WtLrFqGRM2JNGjx3LAAuToab8K3YwbHqVmvvk [206.111.111.111]: 404. Exiting...

Also, maybe a little off topic but it would be great to also request mail.domain.com in addition to @ and www so that we can offer our clients secure email as part of the cert package?
 

wrad

New member
Joined
Mar 16, 2016
Messages
3
Same here with letsencrypt=2; the random key file does not seem to be generated.

When I check the acme-challenge folder, no key file is generated.
The IP address in the error message is correct, so resolving seems to go OK.

Code:
Cannot Execute Your Request

Details

Getting challenge for domain.com from acme-server...
Waiting for domain verification...
Challenge is invalid. Details: Invalid response from http://domain.com/.well-known/acme-challenge/bOgiuZnAfZ2bNcYOvVE8hKIhE-az1NwyGRAdh6ZhNZM [123.45.67.89]: 404. Exiting...
 

phillcoxon

Verified User
Joined
Oct 17, 2015
Messages
23
> What do we do next?
>
> [root@host4 scripts]# ./letsencrypt.sh request domain.com
> Getting challenge for domain.com from acme-server...
> Waiting for domain verification...
> Challenge is invalid. Details: Invalid response from http://domain.com/.well-known/acme-challenge/LVc9b0WtLrFqGRM2JNGjx3LAAuToab8K3YwbHqVmvvk [206.111.111.111]: 404. Exiting...
>
> Also, maybe a little off topic but it would be great to also request mail.domain.com in addition to @ and www so that we can offer our clients secure email as part of the cert package?
Yeah, I'm getting frustrated too. Trying to use letsencrypt through the DirectAdmin control panel gives me the same error above - 404 error trying to connect to the acme-challenge.

However, if I run from the command line (./letsencrypt.sh request example.com 4096 "" /var/www/html) it works in terms of generating the certificate and claims to be successful, but the Let's Encrypt certificate is not in place - instead it's trying to use the server certificate for the hosting domain, rather than the newly generated Let's Encrypt certificate.

So right now I have sites with invalid certificates and no idea how to fix them. Very frustrating when trying to follow the documentation provided and not getting expected results.
 

ShamrockInfoSec

Verified User
Joined
Mar 22, 2016
Messages
9
> When I check the acme-challenge folder, no key file is generated.
> The IP address in the error message is correct, so resolving seems to go OK.
>
> Code:
> Cannot Execute Your Request
>
> Details
>
> Getting challenge for domain.com from acme-server...
> Waiting for domain verification...
> Challenge is invalid. Details: Invalid response from http://domain.com/.well-known/acme-challenge/bOgiuZnAfZ2bNcYOvVE8hKIhE-az1NwyGRAdh6ZhNZM [123.45.67.89]: 404. Exiting...
Seeing the exact same messages on my installation.
When looking for the .well-known directory on the Linux filesystem I found it in /var/www/html/ and not in /home/<user>/domains/<domain>/public_html/ where it should be.
That is exactly what is causing the 404 error on the challenge request. I suppose there is a bug somewhere in the Let's Encrypt support structure within DirectAdmin.
 

ShamrockInfoSec

Verified User
Joined
Mar 22, 2016
Messages
9
Location of .well-known challenge

Hi, same issues here with the 1.50 install.
Interestingly, the challenge files are accessible from the internet, though not from the correct domain.
They are placed in /var/www/html/ instead of the public_html directory under the domain itself, where they would be accessible to the challenge server from Let's Encrypt.
Seems there is a "bug" somewhere where the backend is using the incorrect path for the domain's webroot directory.
 
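The webroot mismatch this post describes (token written under /var/www/html while the vhost serves the domain's public_html), as an added example that is not part of this thread or of DirectAdmin's letsencrypt.sh: a Python self-check that writes a constructed http-01 token into a candidate webroot, serves a stand-in document root on localhost, and reports whether the challenge URL returns 200 with the key authorization or the 404 seen in the thread. The directory names, token and thumbprint are constructed stand-ins.

```python
import functools, os, tempfile, threading
import http.server, socketserver
import urllib.error, urllib.request

# Constructed values: a real token is ~43 URL-safe chars; key auth is "<token>.<thumbprint>".
TOKEN = "constructed-token-0123456789"
KEY_AUTH = TOKEN + ".constructed-account-key-thumbprint"

def write_challenge(webroot, token, key_auth):
    # The validator fetches http://<domain>/.well-known/acme-challenge/<token>.
    challenge_dir = os.path.join(webroot, ".well-known", "acme-challenge")
    os.makedirs(challenge_dir, exist_ok=True)
    with open(os.path.join(challenge_dir, token), "w") as fh:
        fh.write(key_auth)

def start_server(docroot):
    # Serve docroot on a random localhost port, standing in for the domain's vhost.
    handler = functools.partial(http.server.SimpleHTTPRequestHandler, directory=docroot)
    httpd = socketserver.TCPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=httpd.serve_forever, daemon=True).start()
    return httpd

def self_check(base_url, token, key_auth):
    # Same plain-HTTP request the ACME server makes; returns (status, body matches key_auth).
    url = f"{base_url}/.well-known/acme-challenge/{token}"
    try:
        with urllib.request.urlopen(url, timeout=5) as resp:
            return resp.status, resp.read().decode() == key_auth
    except urllib.error.HTTPError as err:
        return err.code, False

def demo():
    # Reproduce the thread's 404: token under the wrong root, then under the served root.
    with tempfile.TemporaryDirectory() as tmp:
        wrong_root = os.path.join(tmp, "var_www_html")  # stands in for /var/www/html
        vhost_root = os.path.join(tmp, "public_html")   # stands in for the domain's public_html
        os.makedirs(wrong_root)
        os.makedirs(vhost_root)
        httpd = start_server(vhost_root)
        base = "http://127.0.0.1:%d" % httpd.server_address[1]
        try:
            write_challenge(wrong_root, TOKEN, KEY_AUTH)
            before = self_check(base, TOKEN, KEY_AUTH)  # (404, False): not in the served root
            write_challenge(vhost_root, TOKEN, KEY_AUTH)
            after = self_check(base, TOKEN, KEY_AUTH)   # (200, True)
        finally:
            httpd.shutdown()
            httpd.server_close()
        return before, after
```

Running the same self_check against the real domain, with the token written into the webroot the vhost actually serves, tells you before the ACME request whether a 404 is a path problem rather than a DNS one.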

smtalk

Administrator
Staff member
Joined
Aug 22, 2006
Messages
8,340
Location
LT, EU
> Hi, same issues here with the 1.50 install.
> Interestingly, the challenge files are accessible from the internet, though not from the correct domain.
> They are placed in /var/www/html/ instead of the public_html directory under the domain itself, where they would be accessible to the challenge server from Let's Encrypt.
> Seems there is a "bug" somewhere where the backend is using the incorrect path for the domain's webroot directory.
Make sure you have letsencrypt=2 set in the output of:
Code:
/usr/local/directadmin/directadmin c | grep letsencrypt=
DA pre-release binaries might provide you more information about your issue when generating the cert.
 

ShamrockInfoSec

Verified User
Joined
Mar 22, 2016
Messages
9
> Make sure you have letsencrypt=2 set in the output of:
> Code:
> /usr/local/directadmin/directadmin c | grep letsencrypt=
> DA pre-release binaries might provide you more information about your issue when generating the cert.
Ah, didn't know there were more possibilities for the letsencrypt= option than either 0 or 1; will certainly try it.
 

phillcoxon

Verified User
Joined
Oct 17, 2015
Messages
23
> So right now I have sites with invalid certificates and no idea how to fix them. Very frustrating when trying to follow the documentation provided and not getting expected results.
Following up on my previous thread here as I was still having issues.

I had some assistance from Martynas (thank you) who pointed out that I hadn't run "./build rewrite_confs" after changing letsencrypt= value in the directadmin conf.

So if anyone else is getting invalid challenge errors try running ./build update && ./build rewrite_confs in /usr/local/directadmin/scripts/
 

dmacleo

Verified User
Joined
Jun 21, 2012
Messages
635
> Following up on my previous thread here as I was still having issues.
>
> I had some assistance from Martynas (thank you) who pointed out that I hadn't run "./build rewrite_confs" after changing letsencrypt= value in the directadmin conf.
>
> So if anyone else is getting invalid challenge errors try running ./build update && ./build rewrite_confs in /usr/local/directadmin/scripts/
Shouldn't that be in
/usr/local/directadmin/custombuild?
 

tnuz

Verified User
Joined
Jan 12, 2006
Messages
19
Location
Canada
I found that it works well with Apache, not with Nginx-Apache as set up like in https://forum.directadmin.com/showthread.php?t=49438
Is this a bug or am I doing something wrong? The challenge failed for the domain without www.

Same thing for Let's Encrypt renewals. Had to revert to Apache only (without Nginx proxy) to get this going again.
 

tnuz

Verified User
Joined
Jan 12, 2006
Messages
19
Location
Canada
Today it was time for an automatic renewal on a server that I left on nginx+apache.
I got this Message System message:
Code:
Subject: Error during automated certificate renewal for www.domain.com

Getting challenge for www.domain.com from acme-server...
/usr/local/directadmin/scripts/letsencrypt.sh: line 319: /var/www/html/.well-known/acme-challenge/: Is a directory
/usr/local/directadmin/scripts/letsencrypt.sh: line 322: [: -ne: unary operator expected
Waiting for domain verification...
rm: cannot remove `/var/www/html/.well-known/acme-challenge/': Is a directory
Challenge is . Details: . Exiting...
(replaced the real domain with www.domain.com)
 