LetsEncrypt - #VERSION=2.0.2 - Can't get to issue a certificate

SupermanInNY

Verified User
Joined
Sep 28, 2004
Messages
371
Oldish server:

CentOS 6
Server version: Apache/2.2.34
PHP 5.3.29 (cli) (built: Oct 2 2014 11:02:11)
DA Version 1.61.3

Trying to create a LetsEncrypt certificate gave me an IPv6 error (I changed ipv6=1 to ipv6=0 in directadmin.conf and restarted directadmin).

But I still get a weird error:


Cannot Execute Your Request

Details

No help topic for 'email@emailaddress.com'
Certificate generation failed.

I don't even know how to debug this.

Any pointers?

-Sup.
 

smtalk

Administrator
Staff member
Joined
Aug 22, 2006
Messages
9,305
Location
LT, EU
Oldish server:

CentOS 6
Server version: Apache/2.2.34
PHP 5.3.29 (cli) (built: Oct 2 2014 11:02:11)
DA Version 1.61.3

Trying to create a LetsEncrypt certificate gave me an IPv6 error (I changed ipv6=1 to ipv6=0 in directadmin.conf and restarted directadmin).

But I still get a weird error:


Cannot Execute Your Request

Details

No help topic for 'email@emailaddress.com'
Certificate generation failed.

I don't even know how to debug this.

Any pointers?

-Sup.
Is it a valid email address?
 

SupermanInNY

Verified User
Joined
Sep 28, 2004
Messages
371
Yes. I've changed the real address here in the post, but when the error shows, it shows a real email address.
I'm not clear where the email address is actually taken from. There is no Email field anymore in the LetsEncrypt screens.
 

smtalk

Administrator
Staff member
Joined
Aug 22, 2006
Messages
9,305
Location
LT, EU
Yes. I've changed the real address here in the post, but when the error shows, it shows a real email address.
I'm not clear where the email address is actually taken from. There is no Email field anymore in the LetsEncrypt screens.
It comes from admin settings.
 

SupermanInNY

Verified User
Joined
Sep 28, 2004
Messages
371
OK. I've changed that email to my email (it was the client's email).
Now it worked fine, but this is a very big difference in the LetsEncrypt script from 1.x and how things are being set up.

I think this process should be explained in detail, what it does, as it's very different from the previous one.
1. The email used - from the DirectAdmin Admin account - why? If this is at User Level, why would the User level need to know my (internally used) email account? I don't see a reason why my alerts and copies of where I send emails as a server admin should be known to my clients.

2. The email used - why is it not using the User Level email? It's his SSL, why involve me (my email) as an admin?

3. HEADS UP (wow.. can you make me more scared?)

4. Why would the end user need to see where the emails and the lego files are stored? Sorry, that's not his business.

Just my $0.02.

-Sup.


Certificate and Key Saved.

Details

2020/06/30 13:03:12 No key found for account myemail@email.com. Generating a 4096 key.
2020/06/30 13:03:15 Saved key to /usr/local/directadmin/data/.lego/accounts/acme-v02.api.letsencrypt.org/myemail@email.com/keys/myemail@email.com.key
2020/06/30 13:03:16 [INFO] acme: Registering account for myemail@email.com
!!!! HEADS UP !!!!

Your account credentials have been saved in your Let's Encrypt
configuration directory at "/usr/local/directadmin/data/.lego/accounts".

You should make a secure backup of this folder now. This
configuration directory will also contain certificates and
private keys obtained from Let's Encrypt so making regular
backups of this folder is ideal.
2020/06/30 13:03:16 [INFO] [mydomain.com, mail.mydomain.com, www.mydomain.com] acme: Obtaining SAN certificate
2020/06/30 13:03:18 [INFO] [mail.mydomain.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/5571166600
2020/06/30 13:03:18 [INFO] [mydomain.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/5571166602
2020/06/30 13:03:18 [INFO] [www.mydomain.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/5571166604
2020/06/30 13:03:18 [INFO] [mail.mydomain.com] acme: Could not find solver for: tls-alpn-01
2020/06/30 13:03:18 [INFO] [mail.mydomain.com] acme: use http-01 solver
2020/06/30 13:03:18 [INFO] [mydomain.com] acme: Could not find solver for: tls-alpn-01
2020/06/30 13:03:18 [INFO] [mydomain.com] acme: use http-01 solver
2020/06/30 13:03:18 [INFO] [www.mydomain.com] acme: Could not find solver for: tls-alpn-01
2020/06/30 13:03:18 [INFO] [www.mydomain.com] acme: use http-01 solver
2020/06/30 13:03:18 [INFO] [mail.mydomain.com] acme: Trying to solve HTTP-01
2020/06/30 13:03:28 [INFO] [mail.mydomain.com] The server validated our request
2020/06/30 13:03:28 [INFO] [mydomain.com] acme: Trying to solve HTTP-01
2020/06/30 13:03:34 [INFO] [mydomain.com] The server validated our request
2020/06/30 13:03:34 [INFO] [www.mydomain.com] acme: Trying to solve HTTP-01
2020/06/30 13:03:41 [INFO] [www.mydomain.com] The server validated our request
2020/06/30 13:03:41 [INFO] [mydomain.com, mail.mydomain.com, www.mydomain.com] acme: Validations succeeded; requesting certificates
2020/06/30 13:03:48 [INFO] [mydomain.com] Server responded with a certificate.
Certificate for mydomain.com,mail.mydomain.com,www.mydomain.com has been created successfully!
 

smtalk

Administrator
Staff member
Joined
Aug 22, 2006
Messages
9,305
Location
LT, EU
1. The email used - from the DirectAdmin Admin account - why? If this is at User Level, why would the User level need to know my (internally used) email account? I don't see a reason why my alerts and copies of where I send emails as a server admin should be known to my clients.
If that was a valid email address, the Let's Encrypt account would have been created already, and re-used for all the other certs (and not seen in the errors).

2. The email used - why is it not using the User Level email? It's his SSL, why involve me (my email) as an admin?
Because a single Let's Encrypt account is used on the server. https://letsencrypt.org/docs/integration-guide/. Attaching the part in question.

Screenshot 2020-06-30 at 13.22.42.png

3. HEADS UP (wow.. can you make me more scared?)
Em, I'm missing the question there. Unless it's whether we can make you more scared, then the answer is "yes" likely :D

4. Why would the end user need to see where the emails and the lego files are stored? Sorry, that's not his business.
That's also because it was the first time you generated a cert after fixing the email. It's not shown on success in pre-release, even for the first cert, when the email address has been fixed.

We can release version 2.0.3 of letsencrypt.sh, but firstly it'd be nice to know why you wouldn't like to follow the Let's Encrypt recommendation of a single account per server. This would be a major change, which wouldn't allow creating certs for more than 10 customers in 3 hours, meaning if you need 20 certs for 20 DA customers in 3 hours, you could create 10 certs then, and the other 10 after 3 hours.
 

SupermanInNY

Verified User
Joined
Sep 28, 2004
Messages
371
First, THANK YOU!
You are doing great work!

Second, while I may sound like I'm criticizing, sorry for this, it's not my intention; I have a terrible way of expressing my thank you :))

I am actually trying to provide you feedback on what's not working to help improve, but I've expressed it in the wrong manner, as if I'm criticizing, but that was not my intention at all, so let me apologize for this.

Next, the technical issues:

If that was a valid email address, the Let's Encrypt account would have been created already, and re-used for all the other certs (and not seen in the errors).
The Admin account in DA was populated with a REAL email and it failed. (For posting here I write it as client@email.com.)
I then proceeded to add my@email.com, client@email.com (so now it's the format that sends emails to multiple addresses).
So you need to handle such a case as well, where you have multiple email addresses.
Perhaps it's better to have a separate setting in the DA Administrator Settings menu? So that it's not causing conflicts?
Also, this email should have worked too, but it failed. Maybe there is a parsing issue with multiple (.) symbols, like email@something.com.uk?

HEADS UP - that kind of message is alarming, and for the end user that's information that is of no use at all, yet it can scare them into thinking there is a problem of some kind. Why else would you need to SHOUT HEADS UP (upper case)?

No argument about the single account for the server. It's just a shift from the previous LetsEncrypt setup on DA, and I've not been reading too much into the Let's Encrypt guidelines, so I missed that.
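The posts above show the ACME contact address being read from the admin's contact setting, which on this server held a comma-separated list (my@email.com, client@email.com), and the thread raises the question of addresses with several dots (email@something.com.uk). As an added example, not DirectAdmin's letsencrypt.sh code and not an explanation of the exact cause of the "No help topic" error (which the thread does not show), here is how an integration could reduce such a setting to one valid address before the ACME client is invoked, and why passing it as a single argv element matters. The lego flag names are lego's documented ones; the argv layout and the setting format are assumptions.

```python
import re
import shlex

# Minimal address check: one local part, one "@", a dotted domain whose last
# label is letters only. Multi-label domains such as something.com.uk pass,
# which is the "multiple (.) symbols" case asked about in the thread.
_ADDRESS = re.compile(r"^[A-Za-z0-9._%+-]+@(?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,}$")


def split_admin_emails(setting: str) -> list[str]:
    """Split a contact setting such as "a@x.com, b@y.com" into addresses.
    Commas, semicolons and whitespace are all accepted as separators
    (assumed format; DirectAdmin's own parsing may differ)."""
    return [part for part in re.split(r"[,;\s]+", setting.strip()) if part]


def pick_acme_contact(setting: str) -> str:
    """Return the single address to register the ACME account with.
    Raises ValueError when no candidate is a valid address, so the failure
    is reported before the ACME client (and its rate limits) is touched."""
    for candidate in split_admin_emails(setting):
        if _ADDRESS.match(candidate):
            return candidate
    raise ValueError(f"no usable ACME contact address in {setting!r}")


def lego_argv(setting: str, domains: list[str]) -> list[str]:
    """Build an argv list for lego (hypothetical invocation, assumption).
    Building a list instead of a shell string keeps the address a single
    argument regardless of what the setting contains."""
    return ["lego", "--email", pick_acme_contact(setting),
            *[arg for d in domains for arg in ("--domains", d)],
            "--http", "run"]


def shell_word_count(setting: str) -> int:
    """Number of words an unquoted shell expansion of the raw setting would
    produce. For "my@email.com, client@email.com" that is 2: the second
    address would reach the client as a separate, unexpected argument."""
    return len(shlex.split(setting))
```

The point of the two helper functions is the boundary between the setting and the process that consumes it: validate once, pass one argument, and fail early with a clear message rather than letting the ACME client report an unrelated usage error.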
 

tomputer

Verified User
Joined
Apr 5, 2016
Messages
18
Some of our users are getting the same message. Note that I replaced the real hostname with whatever.foo:
Code:
2020/06/30 16:39:36 No key found for account admin@server.whatever.foo. Generating a P384 key.
2020/06/30 16:39:36 Saved key to /usr/local/directadmin/data/.lego/accounts/acme-v02.api.letsencrypt.org/admin@server.whatever.foo/keys/admin@server.whatever.foo.key
2020/06/30 16:39:38 [INFO] acme: Registering account for admin@server.whatever.foo
!!!! HEADS UP !!!!

Your account credentials have been saved in your Let's Encrypt
configuration directory at "/usr/local/directadmin/data/.lego/accounts".

You should make a secure backup of this folder now. This
configuration directory will also contain certificates and
private keys obtained from Let's Encrypt so making regular
backups of this folder is ideal.
I'm not sure if these warnings are really useful for the end users, as they do not have access to these paths anyway.

Will /usr/local/directadmin/data/.lego/ be the new location for all future Let's Encrypt certificates? It seems vhosts still point to /usr/local/directadmin/data/users/USERNAME/domains/ to load certificates.
 

mean

Verified User
Joined
Feb 14, 2007
Messages
46
The same problem:

- Let's encrypt client 2.0.2
- DA Version 1.61.3
- letsencrypt=2 on directadmin.conf
- load check cert on /home/user/domains/public_html/.well-known/acme-challenge/

Code:
Cannot Execute Your Request

Details

2020/06/30 22:54:53 [INFO] [domain.com, www.domain.com] acme: Obtaining SAN certificate
2020/06/30 22:54:54 [INFO] [domain.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/5576315960
2020/06/30 22:54:54 [INFO] [www.domain.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/5576315962
2020/06/30 22:54:54 [INFO] [domain.com] acme: Could not find solver for: tls-alpn-01
2020/06/30 22:54:54 [INFO] [domain.com] acme: use http-01 solver
2020/06/30 22:54:54 [INFO] [www.domain.com] acme: Could not find solver for: tls-alpn-01
2020/06/30 22:54:54 [INFO] [www.domain.com] acme: use http-01 solver
2020/06/30 22:54:54 [INFO] [domain.com] acme: Trying to solve HTTP-01
2020/06/30 22:55:00 [INFO] [www.domain.com] acme: Trying to solve HTTP-01
2020/06/30 22:55:07 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/5576315960
2020/06/30 22:55:07 [INFO] Unable to deactivate the authorization: https://acme-v02.api.letsencrypt.org/acme/authz-v3/5576315960
2020/06/30 22:55:07 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/5576315962
2020/06/30 22:55:08 [INFO] Unable to deactivate the authorization: https://acme-v02.api.letsencrypt.org/acme/authz-v3/5576315962
2020/06/30 22:55:08 Could not obtain certificates:
error: one or more domains had a problem:
[domain.com] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: Invalid response from http://domain.com/.well-known/acme-challenge/vBv0piW5Iy9Sbe2d_bRZLlBIk5SNMEy2ZN4YBUgdtRs [IP Address]: "\n\n\n\n

Not Found
\nTh", url:
[www.domain.com] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: Invalid response from http://www.domain.com/.well-known/acme-challenge/yVf-_6aY3bYs3qakHPfkHyBx20ZleFl_pGte2S2o-80 [IP Address]: "\n\n\n\n
Not Found
\nTh", url:
Certificate generation failed.
 

mean

Verified User
Joined
Feb 14, 2007
Messages
46
Then it only works with letsencrypt=1.

Code:
2020/06/30 23:07:19 [INFO] [domain.com, www.domain.com] acme: Obtaining SAN certificate
2020/06/30 23:07:21 [INFO] [domain.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/5576522988
2020/06/30 23:07:21 [INFO] [www.domain.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/5576522990
2020/06/30 23:07:21 [INFO] [domain.com] acme: Could not find solver for: tls-alpn-01
2020/06/30 23:07:21 [INFO] [domain.com] acme: use http-01 solver
2020/06/30 23:07:21 [INFO] [www.domain.com] acme: Could not find solver for: tls-alpn-01
2020/06/30 23:07:21 [INFO] [www.domain.com] acme: use http-01 solver
2020/06/30 23:07:21 [INFO] [domain.com] acme: Trying to solve HTTP-01
2020/06/30 23:07:27 [INFO] [domain.com] The server validated our request
2020/06/30 23:07:27 [INFO] [www.domain.com] acme: Trying to solve HTTP-01
2020/06/30 23:07:34 [INFO] [www.domain.com] The server validated our request
2020/06/30 23:07:34 [INFO] [domain.com, www.domain.com] acme: Validations succeeded; requesting certificates
2020/06/30 23:07:35 [INFO] [domain.com] Server responded with a certificate.
Certificate for domain.com,www.domain.com has been created successfully!
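The two posts above show the same lego output shape in a failing run (403 urn:ietf:params:acme:error:unauthorized, "Not Found" at the challenge URL) and a succeeding one ("The server validated our request"). As an added example, not lego's or DirectAdmin's code, here is a small parser for those lines that classifies each domain, extracts the challenge token and URL from a failure, and derives the file path the validator expected under the user's document root, which is the first thing to check when the HTTP-01 challenge comes back 404. The sample lines are constructed from the shape of the quoted output; the document root and the "[IP Address]" field are placeholders.

```python
from __future__ import annotations

import posixpath
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed samples modelled on the lego output quoted in the thread.
FAILED_RUN = """\
2020/06/30 22:54:54 [INFO] [domain.com] acme: Trying to solve HTTP-01
2020/06/30 22:55:00 [INFO] [www.domain.com] acme: Trying to solve HTTP-01
2020/06/30 22:55:08 Could not obtain certificates:
error: one or more domains had a problem:
[domain.com] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: Invalid response from http://domain.com/.well-known/acme-challenge/vBv0piW5Iy9Sbe2d_bRZLlBIk5SNMEy2ZN4YBUgdtRs [IP Address]: "Not Found", url:
[www.domain.com] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: Invalid response from http://www.domain.com/.well-known/acme-challenge/yVf-_6aY3bYs3qakHPfkHyBx20ZleFl_pGte2S2o-80 [IP Address]: "Not Found", url:
"""

GOOD_RUN = """\
2020/06/30 23:07:21 [INFO] [domain.com] acme: Trying to solve HTTP-01
2020/06/30 23:07:27 [INFO] [domain.com] The server validated our request
2020/06/30 23:07:27 [INFO] [www.domain.com] acme: Trying to solve HTTP-01
2020/06/30 23:07:34 [INFO] [www.domain.com] The server validated our request
"""

_VALIDATED = re.compile(r"\[INFO\] \[(?P<domain>[^\]]+)\] The server validated our request")
_ERROR = re.compile(
    r"^\[(?P<domain>[^\]]+)\] acme: error: (?P<status>\d{3}) :: "
    r"(?P<type>urn:ietf:params:acme:error:[A-Za-z]+) :: Invalid response from (?P<url>\S+)"
)
_CHALLENGE_PATH = re.compile(r"^/\.well-known/acme-challenge/(?P<token>[A-Za-z0-9_-]+)$")


@dataclass
class DomainResult:
    domain: str
    validated: bool = False
    error_type: str | None = None
    http_status: int | None = None
    challenge_url: str | None = None
    token: str | None = None


def parse_lego_output(text: str) -> dict[str, DomainResult]:
    """Classify every domain mentioned in a success or error line."""
    results: dict[str, DomainResult] = {}
    for line in text.splitlines():
        m = _VALIDATED.search(line)
        if m:
            results.setdefault(m["domain"], DomainResult(m["domain"])).validated = True
            continue
        m = _ERROR.match(line)
        if m:
            r = results.setdefault(m["domain"], DomainResult(m["domain"]))
            r.error_type = m["type"]
            r.http_status = int(m["status"])
            r.challenge_url = m["url"]
            pm = _CHALLENGE_PATH.match(urlsplit(m["url"]).path)
            r.token = pm["token"] if pm else None
    return results


def failed_domains(results: dict[str, DomainResult]) -> list[str]:
    """Domains that reported an ACME error and were never validated."""
    return [d for d, r in results.items() if r.error_type and not r.validated]


def expected_challenge_file(result: DomainResult, docroot: str) -> str:
    """Where the HTTP-01 solver must have written the token for the CA to
    fetch it; compare with what the vhost actually serves for that domain."""
    if result.token is None:
        raise ValueError(f"no challenge token recorded for {result.domain}")
    return posixpath.join(docroot, ".well-known", "acme-challenge", result.token)
```

With letsencrypt=2 the failing run above is the signature of a token file that the CA could not retrieve through the vhost: for each failed domain, compare the path returned by expected_challenge_file against the document root the web server really uses for that name, since a challenge written to one directory and served from another yields exactly this 404.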
 