LetsEncrypt - #VERSION=2.0.2 - Can't get to issue a certificate

SupermanInNY

Verified User
Joined
Sep 28, 2004
Messages
419
Oldish server:

CentOS 6
Server version: Apache/2.2.34
PHP 5.3.29 (cli) (built: Oct 2 2014 11:02:11)
DA Version 1.61.3

Trying to create a LetsEncrypt certificate gave me an IPv6 error (I changed ipv6=1 to ipv6=0 in directadmin.conf and restarted directadmin).

But I still get a weird error:


Cannot Execute Your Request

Details

No help topic for '[email protected]'
Certificate generation failed.

I don't even know how to debug this.

Any pointers?

-Sup.
 
Is it a valid email address?
 
Yes. I've changed the real address here in the post, but when the error is showing, it is showing a real email address.
I'm not clear where the email address is actually taken from. There is no Email field anymore in the LetsEncrypt screens.
 
It comes from admin settings.
 
OK. I've changed that email to my email (it was the client's email).
Now it worked fine, but this is a very big difference in the letsEncrypt script from 1.x and how things are being set up.

I think this process should be explained in detail, what it does, as it's very different from the previous one.
1. The email used - from the DirectAdmin Admin account - why? If this is at User Level, why would the User level need to know my (internally used) email account? I don't see a reason why my alerts and copies of where I send emails as a server admin should be known to my clients.

2. The email used - why is it not using the User Level email? It's his SSL, why involve me (my email) as an admin?

3. HEADS UP (wow... can you make me more scared?)

4. Why would the end user need to see the concept of the emails and where the lego files are stored? Sorry, that's not his business.

Just my $0.02.

-Sup.


Certificate and Key Saved.

Details

2020/06/30 13:03:12 No key found for account [email protected]. Generating a 4096 key.
2020/06/30 13:03:15 Saved key to /usr/local/directadmin/data/.lego/accounts/acme-v02.api.letsencrypt.org/[email protected]/keys/[email protected]
2020/06/30 13:03:16 [INFO] acme: Registering account for [email protected]
!!!! HEADS UP !!!!

Your account credentials have been saved in your Let's Encrypt
configuration directory at "/usr/local/directadmin/data/.lego/accounts".

You should make a secure backup of this folder now. This
configuration directory will also contain certificates and
private keys obtained from Let's Encrypt so making regular
backups of this folder is ideal.
2020/06/30 13:03:16 [INFO] [mydomain.com, mail.mydomain.com, www.mydomain.com] acme: Obtaining SAN certificate
2020/06/30 13:03:18 [INFO] [mail.mydomain.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/5571166600
2020/06/30 13:03:18 [INFO] [mydomain.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/5571166602
2020/06/30 13:03:18 [INFO] [www.mydomain.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/5571166604
2020/06/30 13:03:18 [INFO] [mail.mydomain.com] acme: Could not find solver for: tls-alpn-01
2020/06/30 13:03:18 [INFO] [mail.mydomain.com] acme: use http-01 solver
2020/06/30 13:03:18 [INFO] [mydomain.com] acme: Could not find solver for: tls-alpn-01
2020/06/30 13:03:18 [INFO] [mydomain.com] acme: use http-01 solver
2020/06/30 13:03:18 [INFO] [www.mydomain.com] acme: Could not find solver for: tls-alpn-01
2020/06/30 13:03:18 [INFO] [www.mydomain.com] acme: use http-01 solver
2020/06/30 13:03:18 [INFO] [mail.mydomain.com] acme: Trying to solve HTTP-01
2020/06/30 13:03:28 [INFO] [mail.mydomain.com] The server validated our request
2020/06/30 13:03:28 [INFO] [mydomain.com] acme: Trying to solve HTTP-01
2020/06/30 13:03:34 [INFO] [mydomain.com] The server validated our request
2020/06/30 13:03:34 [INFO] [www.mydomain.com] acme: Trying to solve HTTP-01
2020/06/30 13:03:41 [INFO] [www.mydomain.com] The server validated our request
2020/06/30 13:03:41 [INFO] [mydomain.com, mail.mydomain.com, www.mydomain.com] acme: Validations succeeded; requesting certificates
2020/06/30 13:03:48 [INFO] [mydomain.com] Server responded with a certificate.
Certificate for mydomain.com,mail.mydomain.com,www.mydomain.com has been created successfully!
 
1. The email used - from the DirectAdmin Admin account - why? If this is at User Level, why would the User level need to know my (internally used) email account? I don't see a reason why my alerts and copies of where I send emails as a server admin should be known to my clients.

If that was a valid email address, the Let's Encrypt account would have been created already and re-used for all the other certs (and not seen in the errors).

2. The email used - why is it not using the User Level email? It's his SSL, why involve me (my email) as an admin?

Because a single Let's Encrypt account is used on the server. https://letsencrypt.org/docs/integration-guide/. Attaching the part in question.

Screenshot 2020-06-30 at 13.22.42.png


3. HEADS UP (wow... can you make me more scared?)

Em, I'm missing the question there. Unless it's whether we can make you more scared, then the answer is likely "yes" :D

4. Why would the end user need to see the concept of the emails and where the lego files are stored? Sorry, that's not his business.

That's also because it was the first time you generated a cert after fixing the email. In pre-release it's not shown on success, even for the first cert after the email address has been fixed.

We can release a 2.0.3 version of letsencrypt.sh, but first it'd be nice to know why you wouldn't like to follow the Let's Encrypt recommendation of a single account per server. This would be a major change, which wouldn't allow creating certs for more than 10 customers in 3 hours; meaning if you need 20 certs for 20 DA customers in 3 hours, you could create 10 certs then, and the 10 others after 3 hours.
 
First, THANK YOU!
You are doing great work!

Second, while I may sound like I'm criticizing, sorry for this, it's not my intention. I have a terrible way of expressing my thank you :))

I am actually trying to provide you feedback on what's not working to help improve, but I've expressed it in a wrong manner, as if I'm criticizing, but that was not my intention at all, so let me apologize for this.

Next, for technical issues:

If that was a valid email address, the Let's Encrypt account would have been created already and re-used for all the other certs (and not seen in the errors).

The Admin account in DA was populated with a REAL email and it failed. (For posting here I write it as [email protected].)
I then proceeded to add [email protected], [email protected] (so now it's the format that sends emails to multiple addresses).
So you need to handle such a case as well, where you have multiple email addresses.
Perhaps it's better to have a separate setting in the DA Administrator Settings menu, so that it's not causing conflicts?
Also, this email should have worked too, but it failed. Maybe there is a parsing issue with multiple (.) symbols, like in [email protected]?

HEADS UP - that kind of message is alarming, and for the end user it's information that is of no use at all, yet it can scare them into thinking there is a problem of some kind. Why else would you need to SHOUT HEADS UP (upper case)?

No argument about the single account for the server. It's just a shift from the previous LetsEncrypt setup on DA, and I've not been reading too much into the letsEncrypt guidelines, so I missed that.
 
Some of our users are getting the same message. Note that I replaced the real hostname with whatever.foo:
Code:
2020/06/30 16:39:36 No key found for account [email protected]. Generating a P384 key.
2020/06/30 16:39:36 Saved key to /usr/local/directadmin/data/.lego/accounts/acme-v02.api.letsencrypt.org/[email protected]/keys/[email protected]
2020/06/30 16:39:38 [INFO] acme: Registering account for [email protected]
!!!! HEADS UP !!!!

Your account credentials have been saved in your Let's Encrypt
configuration directory at "/usr/local/directadmin/data/.lego/accounts".

You should make a secure backup of this folder now. This
configuration directory will also contain certificates and
private keys obtained from Let's Encrypt so making regular
backups of this folder is ideal.

I'm not sure if these warnings are really useful for the end users, as they do not have access to these paths anyway.

Will /usr/local/directadmin/data/.lego/ be the new location for all future Let's Encrypt certificates? It seems vhosts still point to /usr/local/directadmin/data/users/USERNAME/domains/ to load certificates.
 
The same problem:

- Let's Encrypt client 2.0.2
- DA Version 1.61.3
- letsencrypt=2 in directadmin.conf
- the check file loads from /home/user/domains/public_html/.well-known/acme-challenge/

Code:
Cannot Execute Your Request

Details

2020/06/30 22:54:53 [INFO] [domain.com, www.domain.com] acme: Obtaining SAN certificate
2020/06/30 22:54:54 [INFO] [domain.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/5576315960
2020/06/30 22:54:54 [INFO] [www.domain.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/5576315962
2020/06/30 22:54:54 [INFO] [domain.com] acme: Could not find solver for: tls-alpn-01
2020/06/30 22:54:54 [INFO] [domain.com] acme: use http-01 solver
2020/06/30 22:54:54 [INFO] [www.domain.com] acme: Could not find solver for: tls-alpn-01
2020/06/30 22:54:54 [INFO] [www.domain.com] acme: use http-01 solver
2020/06/30 22:54:54 [INFO] [domain.com] acme: Trying to solve HTTP-01
2020/06/30 22:55:00 [INFO] [www.domain.com] acme: Trying to solve HTTP-01
2020/06/30 22:55:07 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/5576315960
2020/06/30 22:55:07 [INFO] Unable to deactivate the authorization: https://acme-v02.api.letsencrypt.org/acme/authz-v3/5576315960
2020/06/30 22:55:07 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/5576315962
2020/06/30 22:55:08 [INFO] Unable to deactivate the authorization: https://acme-v02.api.letsencrypt.org/acme/authz-v3/5576315962
2020/06/30 22:55:08 Could not obtain certificates:
error: one or more domains had a problem:
[domain.com] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: Invalid response from http://domain.com/.well-known/acme-challenge/vBv0piW5Iy9Sbe2d_bRZLlBIk5SNMEy2ZN4YBUgdtRs [IP Address]: "\n\n\n\n

Not Found
\nTh", url:
[www.domain.com] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: Invalid response from http://www.domain.com/.well-known/acme-challenge/yVf-_6aY3bYs3qakHPfkHyBx20ZleFl_pGte2S2o-80 [IP Address]: "\n\n\n\n
Not Found
\nTh", url:
Certificate generation failed.
 
Then it only works with letsencrypt=1:

Code:
2020/06/30 23:07:19 [INFO] [domain.com, www.domain.com] acme: Obtaining SAN certificate
2020/06/30 23:07:21 [INFO] [domain.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/5576522988
2020/06/30 23:07:21 [INFO] [www.domain.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/5576522990
2020/06/30 23:07:21 [INFO] [domain.com] acme: Could not find solver for: tls-alpn-01
2020/06/30 23:07:21 [INFO] [domain.com] acme: use http-01 solver
2020/06/30 23:07:21 [INFO] [www.domain.com] acme: Could not find solver for: tls-alpn-01
2020/06/30 23:07:21 [INFO] [www.domain.com] acme: use http-01 solver
2020/06/30 23:07:21 [INFO] [domain.com] acme: Trying to solve HTTP-01
2020/06/30 23:07:27 [INFO] [domain.com] The server validated our request
2020/06/30 23:07:27 [INFO] [www.domain.com] acme: Trying to solve HTTP-01
2020/06/30 23:07:34 [INFO] [www.domain.com] The server validated our request
2020/06/30 23:07:34 [INFO] [domain.com, www.domain.com] acme: Validations succeeded; requesting certificates
2020/06/30 23:07:35 [INFO] [domain.com] Server responded with a certificate.
Certificate for domain.com,www.domain.com has been created successfully!
 
Since a couple of days ago I started getting "Error during automated certificate renewal for friendr.nl" (and several other domains).

I've never had this problem before.
DirectAdmin: 1.61.3
CentOS 6
Letsencrypt: 2.0.6
letsencrypt=1 in directadmin.conf

Code:
Cannot Execute Your Request

Details

2020/07/25 12:38:16 [INFO] [friendr.nl, www.friendr.nl] acme: Obtaining SAN certificate
2020/07/25 12:38:17 [INFO] [friendr.nl] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/6100470609
2020/07/25 12:38:17 [INFO] [www.friendr.nl] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/6100470610
2020/07/25 12:38:17 [INFO] [friendr.nl] acme: Could not find solver for: tls-alpn-01
2020/07/25 12:38:17 [INFO] [friendr.nl] acme: use http-01 solver
2020/07/25 12:38:17 [INFO] [www.friendr.nl] acme: Could not find solver for: tls-alpn-01
2020/07/25 12:38:17 [INFO] [www.friendr.nl] acme: use http-01 solver
2020/07/25 12:38:17 [INFO] [friendr.nl] acme: Trying to solve HTTP-01
2020/07/25 12:38:22 [INFO] [www.friendr.nl] acme: Trying to solve HTTP-01
2020/07/25 12:38:29 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/6100470609
2020/07/25 12:38:29 [INFO] Unable to deactivate the authorization: https://acme-v02.api.letsencrypt.org/acme/authz-v3/6100470609
2020/07/25 12:38:29 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/6100470610
2020/07/25 12:38:30 [INFO] Unable to deactivate the authorization: https://acme-v02.api.letsencrypt.org/acme/authz-v3/6100470610
2020/07/25 12:38:30 Could not obtain certificates:
error: one or more domains had a problem:
[friendr.nl] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: Invalid response from http://friendr.nl/.well-known/acme-challenge/abAyqDBmwRXOhvcGLkWe4cwsuhRMPLnscfCMXY5CZhI [84.22.106.78]: "\n\n\n\n

Not Found
\nTh", url:
[www.friendr.nl] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: Invalid response from http://www.friendr.nl/.well-known/acme-challenge/D7Ao0-EiafA6LzO3nVcD8SZCU-hCYzQHP_TzmVLQDW4 [84.22.106.78]: "\n\n\n\n
Not Found
\nTh", url:
Certificate generation failed.

JSON:
{
  "identifier": {
    "type": "dns",
    "value": "friendr.nl"
  },
  "status": "invalid",
  "expires": "2020-08-01T10:38:17Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:unauthorized",
        "detail": "Invalid response from http://friendr.nl/.well-known/acme-challenge/abAyqDBmwRXOhvcGLkWe4cwsuhRMPLnscfCMXY5CZhI [84.22.106.78]: \"\u003c!DOCTYPE HTML PUBLIC \\\"-//IETF//DTD HTML 2.0//EN\\\"\u003e\\n\u003cHTML\u003e\u003cHEAD\u003e\\n\u003cTITLE\u003e404 Not Found\u003c/TITLE\u003e\\n\u003c/HEAD\u003e\u003cBODY\u003e\\n\u003cH1\u003eNot Found\u003c/H1\u003e\\nTh\"",
        "status": 403
      },
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/6100470609/5MB0kg",
      "token": "abAyqDBmwRXOhvcGLkWe4cwsuhRMPLnscfCMXY5CZhI",
      "validationRecord": [
        {
          "url": "http://friendr.nl/.well-known/acme-challenge/abAyqDBmwRXOhvcGLkWe4cwsuhRMPLnscfCMXY5CZhI",
          "hostname": "friendr.nl",
          "port": "80",
          "addressesResolved": [
            "84.22.106.78"
          ],
          "addressUsed": "84.22.106.78"
        }
      ]
    }
  ]
}

I'm not sure what changed or why it stopped working.
 
It responded with a 404 Not Found error instead of the challenge. You're likely missing the alias, or have some DC filtering between your server and Let's Encrypt.
 

The thing is, I didn't change any settings. Could an update in the CustomBuild have changed a default setting that caused this?

Disclaimer: I'm only half a nerd and my only CentOS/Linux experience is copy-pasting stuff I found on Stack Overflow.
 
I've been doing some more testing. It almost looks like letsencrypt is not able to write the token. It is, however, able to write the acme directory and the .htaccess file.
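The two failure reports above (the 403/404 authz JSON and the "can't write the token" suspicion) can both be checked from the same place. Added example, not DirectAdmin's or lego's own code: `diagnose` reads the authorization object lego prints (the one quoted in the thread, with the detail string trimmed) and reports what the CA fetched, from which IP and the likely cause; `preflight_token` writes a constructed token where http-01 expects it under a docroot and reads it back, with no network involved.

```python
import json
import os
import tempfile

AUTHZ_JSON = r'''{
  "identifier": {"type": "dns", "value": "friendr.nl"}, "status": "invalid",
  "challenges": [{"type": "http-01", "status": "invalid",
    "error": {"type": "urn:ietf:params:acme:error:unauthorized", "status": 403,
      "detail": "Invalid response from http://friendr.nl/.well-known/acme-challenge/abAyqDBmwRXOhvcGLkWe4cwsuhRMPLnscfCMXY5CZhI [84.22.106.78]: \"\u003cH1\u003eNot Found\u003c/H1\u003e\\nTh\""},
    "token": "abAyqDBmwRXOhvcGLkWe4cwsuhRMPLnscfCMXY5CZhI",
    "validationRecord": [{"url": "http://friendr.nl/.well-known/acme-challenge/abAyqDBmwRXOhvcGLkWe4cwsuhRMPLnscfCMXY5CZhI",
      "hostname": "friendr.nl", "port": "80", "addressUsed": "84.22.106.78"}]}]}'''  # authz quoted in the thread, detail trimmed

def diagnose(authz, expected_ip=None):
    """Per failed challenge: what the CA fetched, from which IP, and the likely cause."""
    if isinstance(authz, str):
        authz = json.loads(authz)
    findings = []
    for ch in authz.get("challenges", []):
        if ch.get("status") != "invalid":
            continue
        err = ch.get("error", {})
        detail = err.get("detail", "")
        rec = (ch.get("validationRecord") or [{}])[0]  # the CA's actual fetch attempt
        if "Not Found" in detail or "404" in detail:
            hint = ("404 from the web server: token not served under /.well-known/acme-challenge/ "
                    "(alias missing, wrong docroot, or token not written)")
        else:
            hint = "see error detail: " + detail
        used = rec.get("addressUsed")
        findings.append({"domain": authz["identifier"]["value"], "challenge": ch.get("type"),
                         "error_type": err.get("type"), "http_status": err.get("status"),
                         "fetched_url": rec.get("url"), "address_used": used,
                         "ip_mismatch": bool(expected_ip) and used != expected_ip, "hint": hint})
    return findings

def preflight_token(docroot=None, token="constructed-token", key_auth="constructed-keyauth"):
    """Write a token where http-01 expects it and read it back; docroot=None uses a temp dir."""
    docroot = docroot or tempfile.mkdtemp()
    chal_dir = os.path.join(docroot, ".well-known", "acme-challenge")
    try:
        os.makedirs(chal_dir, exist_ok=True)
        path = os.path.join(chal_dir, token)
        with open(path, "w") as f:
            f.write(key_auth)
        with open(path) as f:
            return f.read() == key_auth
    except OSError:  # directory not creatable or not writable by this user
        return False
```

Pass the real user's docroot (e.g. /home/user/domains/DOMAIN/public_html) as `docroot` and the server's public IP as `expected_ip`; an `ip_mismatch` of True means the CA validated against a different host than the one you are fixing.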
 