Need help renewing a Let's Encrypt cert

steveniori (Verified User, joined Nov 2, 2022, 19 messages)
Hi, I have a problem renewing my Let's Encrypt cert manually. My problem is:

1. I can renew my clients' certs via the DirectAdmin web UI without problem (YES, without problem: the expiry date updates)
2. I can renew my admin account domain's cert via the DirectAdmin web UI and I get a message telling me:
LetsEncrypt request successful for:
mydomain.com
*.mydomain.com
3. I have this problem only with admin accounts (even if I create another admin account and do the same thing)

BUT when I check my cert at the user level on the SSL Certificates page, I see my cert still has the same expiry date, even if I try again and again.


Does anyone know how I can fix it? Thanks
 
So the issue is that a certificate can not be renewed? Or DirectAdmin shows wrong information about a certificate?

What domain is giving an issue?
 
The cert shown at https://123.123.123.123:2222/CMD_SSL?domain=mydomain.com cannot be renewed; however, Let's Encrypt has counted my renewal as a successful renewal and shows me:
acme:error:rateLimited :: Error creating new order :: too many certificates (5) already issued for this exact set of domains in the last 168 hours

I think my problem is that DirectAdmin has renewed my cert, but the cert it shows at https://123.123.123.123:2222/CMD_SSL?domain=mydomain.com is my old cert (not updated there); however, when I check the cert in the browser, my cert is the new one (not the same expiry date shown on the https://123.123.123.123:2222/CMD_SSL?domain=mydomain.com page).

Thank you
 
I just tried again and found this error:

Found wildcard domain name and http challenge type, switching to dns-01 validation.
CAA record prevents issuing the certificate: SERVFAIL
 
I tried again and again, but still failed to get a new cert (I tried many times, but it still shows me the old cert and the expiry date doesn't change) from DA and Let's Encrypt, so I gave up and changed to ZeroSSL, because they have a web UI and simple verification; then I got my cert and pasted it into DA.
 
Do you have DNSSEC present for the domains?
Check if the DNS records are all correct for the domain(s), like the A record, and whether a CAA record is present (it might be present and wrong):

If you are on CentOS/Alma/Rocky, try these commands:
yum -y update dnsmasq bind bind-libs bind-utils

I got all these tips from other threads on the forums here.

ZeroSSL might be working now, but if your settings are incorrect, you might experience the problem in the future.
 
Thank you, I just checked my domain via your link and it shows my domain without a CAA record, but how can I add a CAA record via DirectAdmin?
Thanks
 
I want to ask one new question, thanks:
Do you know where DirectAdmin saves my new cert after I request a renewal via https://123.123.123.123:2222/CMD_SSL?domain=mydomain.com (DirectAdmin's SSL Certificates page)?

Thank you so much

=======================
I find something weird in my case:
In DirectAdmin SSL Certificates + my domain's web page: my SSL cert is the OLD cert
but... in the DirectAdmin panel (web), my cert is a new cert; I also find /etc/httpd/conf/ssl.crt and /etc/httpd/conf/ssl.key are the new cert too

Is this a bug?
 
I find something weird in my case:
In DirectAdmin SSL Certificates + my domain's web page: my SSL cert is the OLD cert
but... in the DirectAdmin panel (web),
I don't understand what you mean with DirectAdmin panel (web). What is the difference from DA SSL Certificates?

Maybe it's not updated yet, but if you find the certs are new, then the new ones are working.

but how can I add a CAA record via DirectAdmin?
You can add it as a CAA record in DNS.
However, if you want to use CAA records, you might have to set dns_caa=1 in directadmin.conf (and restart DA) if that is not already a default value.

The DNS record you can set like this if you want to use it:
yourdomain.com. 3600 IN CAA 128 issue "letsencrypt.org"
Of course replace yourdomain.com. with the domain you want to use it for, and mind the trailing dot at the end.
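The two CAA-related symptoms in this thread (the "CAA record prevents issuing the certificate: SERVFAIL" error earlier, and the `issue "letsencrypt.org"` record suggested just above) both come down to how a CA evaluates CAA per RFC 8659 before it issues: it walks from the requested name up through its parents until it finds a CAA RRset, treats a failed lookup as "refuse", and for a wildcard name prefers `issuewild` over `issue`. The following is an added example, not DirectAdmin or Let's Encrypt code, that implements that evaluation over a constructed in-memory zone so it runs offline; the zone contents, the `*.example` names and the `letsencrypt.org` issuer string are assumptions for illustration (a real check would query DNS, e.g. `dig CAA mydomain.com +dnssec`). It also shows the `issue ";"` form (nobody may issue) and the critical flag (128) handling, which the post above does not cover.

```python
"""RFC 8659 CAA evaluation over a constructed, in-memory zone.

Added example, not DirectAdmin or Let's Encrypt code.  Zone data, names
and the CA identifier are assumptions; a real check queries DNS.
"""
from typing import Dict, List, Optional, Tuple

# One CAA record: (flags, tag, value).  flags=128 sets "issuer critical".
CAARecord = Tuple[int, str, str]
# A None value models a lookup that failed (SERVFAIL), e.g. a broken
# DNSSEC chain or a nameserver that mishandles the CAA qtype.
Zone = Dict[str, Optional[List[CAARecord]]]

CRITICAL = 128
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def lookup_chain(name: str) -> List[str]:
    """Names to consult, from the FQDN up to the TLD (RFC 8659 section 3).

    A leading wildcard label is dropped first: CAA for "*.example.com" is
    read at "example.com" and its ancestors.
    """
    name = name.rstrip(".").lower()
    if name.startswith("*."):
        name = name[2:]
    labels = name.split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


def relevant_rrset(zone: Zone, name: str) -> Tuple[str, Optional[List[CAARecord]]]:
    """(owner, records) of the closest ancestor with a non-empty CAA RRset.

    A failed lookup (None) on the way up is reported as a failure: a CA must
    treat that as "cannot verify", never as "no CAA present".
    Returns ("", []) when no CAA exists at any level.
    """
    for owner in lookup_chain(name):
        if owner not in zone:
            continue
        rrset = zone[owner]
        if rrset is None or len(rrset) > 0:
            return owner, rrset
    return "", []


def caa_allows(zone: Zone, name: str, ca: str) -> Tuple[bool, str]:
    """Decide whether the CA identified by `ca` may issue for `name`.

    - no CAA anywhere: allowed (CAA is opt-in)
    - lookup failure: refuse
    - wildcard name: "issuewild" governs if present, else "issue"
    - issue ";" (empty issuer): nobody may issue
    - unknown tag with the critical flag set: refuse
    """
    wildcard = name.startswith("*.")
    owner, rrset = relevant_rrset(zone, name)
    if rrset is None:
        return False, f"CAA lookup for {owner} failed (SERVFAIL); refusing to issue"
    if not rrset:
        return True, "no CAA records at any level; issuance permitted"

    for flags, tag, _ in rrset:
        if tag not in KNOWN_TAGS and flags & CRITICAL:
            return False, f"critical unknown CAA tag '{tag}' at {owner}"

    tag_wanted = "issue"
    if wildcard and any(tag == "issuewild" for _, tag, _ in rrset):
        tag_wanted = "issuewild"

    allowed = [value for _, tag, value in rrset if tag == tag_wanted]
    if not allowed:
        # Records exist but none govern this request type (e.g. only iodef).
        return True, f"no '{tag_wanted}' record at {owner}; issuance permitted"

    for value in allowed:
        # Value syntax: "<issuer-domain> [; param=value ...]".
        issuer = value.split(";", 1)[0].strip().lower()
        if issuer == ca.lower():
            return True, f'{tag_wanted} "{value}" at {owner} permits {ca}'
    return False, f"{tag_wanted} records at {owner} do not list {ca}"


# Constructed zone (assumption): mydomain.com carries the record from the
# post above; the *.example names illustrate the failure modes.
CONSTRUCTED_ZONE: Zone = {
    "mydomain.com": [(128, "issue", "letsencrypt.org")],
    "broken.example": None,                   # SERVFAIL on the CAA query
    "locked.example": [(0, "issue", ";")],    # nobody may issue
    "other.example": [(0, "issue", "letsencrypt.org"),
                      (0, "issuewild", "sectigo.com")],
}

if __name__ == "__main__":
    for n in ("mydomain.com", "*.mydomain.com", "www.broken.example",
              "locked.example", "*.other.example", "nocaa.example"):
        ok, why = caa_allows(CONSTRUCTED_ZONE, n, "letsencrypt.org")
        print(f"{n:22} {'ALLOW' if ok else 'REFUSE':7} {why}")
```

Note that `www.broken.example` is refused even though no record forbids it: a SERVFAIL on the CAA query (typically a DNSSEC validation failure or an authoritative server that does not answer the CAA qtype correctly) is enough, which is why the DNSSEC and DNS-health questions above are the right first things to check.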
 
Thank you

So my problem is:
1. DirectAdmin will renew my cert when I renew my cert, but it only updates /etc/httpd/conf/ssl.crt and /etc/httpd/conf/ssl.key (I call it CERT A)

2. But DirectAdmin will not update my
/usr/local/directadmin/data/users/USER/domains/DOMAIN.COM.cert
/usr/local/directadmin/data/users/USER/domains/DOMAIN.COM.key
/usr/local/directadmin/data/users/USER/domains/DOMAIN.COM.ca
/usr/local/directadmin/data/users/USER/domains/DOMAIN.COM.combined
(I call it CERT B)

with the same cert.

So for now, when I check the cert content at https://123.123.123.123:2222/CMD_SSL?domain=mydomain.com, or https://www.mydomain.com or https://mydomain.com:2222 via the browser, it is still the old cert (CERT B)

but when I check my cert via the browser at https://123.123.123.123:2222 (DirectAdmin website) it is the new cert (CERT A)
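The CERT A / CERT B split described above is easiest to pin down by fingerprinting the leaf certificate in each file DirectAdmin writes and comparing those fingerprints with what the live endpoints present. The following is an added example, not DirectAdmin code: it hashes the DER bytes of each certificate in a PEM bundle (the same SHA-256 value `openssl x509 -noout -fingerprint -sha256` prints, so output can be cross-checked with the CLI), groups files by their leaf, and offers a network helper for the live `:443` and `:2222` comparison. The paths are the ones listed in the post above; the PEM blobs in `CONSTRUCTED_FILES` are constructed placeholders (base64 of arbitrary bytes, not real certificates) so the grouping runs offline. On a real server you would read the files from disk instead.

```python
"""Group DirectAdmin cert files by leaf-certificate SHA-256 fingerprint.

Added example, not DirectAdmin code.  CONSTRUCTED_FILES holds placeholder
PEM blocks (not real certificates) so the logic runs offline.
"""
import base64
import hashlib
import re
import ssl
from typing import Dict, List

PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def pem_fingerprints(pem_text: str) -> List[str]:
    """SHA-256 fingerprints of every certificate in a PEM bundle, in order.

    The .combined file DirectAdmin writes holds the leaf followed by the
    chain, so element 0 is the leaf.  Format matches openssl's output.
    """
    out = []
    for body in PEM_CERT.findall(pem_text):
        der = base64.b64decode("".join(body.split()))
        digest = hashlib.sha256(der).hexdigest().upper()
        out.append(":".join(digest[i:i + 2] for i in range(0, len(digest), 2)))
    return out


def leaf_fingerprint(pem_text: str) -> str:
    fps = pem_fingerprints(pem_text)
    if not fps:
        raise ValueError("no CERTIFICATE block found")
    return fps[0]


def group_by_leaf(files: Dict[str, str]) -> Dict[str, List[str]]:
    """Map leaf fingerprint -> paths carrying that leaf.

    Two groups in the result is exactly the CERT A / CERT B situation: the
    hostname cert and the per-domain cert have diverged.
    """
    groups: Dict[str, List[str]] = {}
    for path, text in files.items():
        groups.setdefault(leaf_fingerprint(text), []).append(path)
    return groups


def live_leaf_fingerprint(host: str, port: int) -> str:
    """Fingerprint of the leaf a live TLS endpoint presents (needs network).

    Compare mydomain.com:443 and mydomain.com:2222 against the file groups.
    """
    return leaf_fingerprint(ssl.get_server_certificate((host, port)))


def fake_pem(seed: bytes) -> str:
    """Constructed placeholder: PEM-shaped text that is NOT a real cert."""
    return ("-----BEGIN CERTIFICATE-----\n"
            + base64.encodebytes(seed).decode()
            + "-----END CERTIFICATE-----\n")


USER_DIR = "/usr/local/directadmin/data/users/USER/domains"
CERT_A = fake_pem(b"new-hostname-cert")  # stands in for the renewed cert
CERT_B = fake_pem(b"old-domain-cert")    # stands in for the stale one
CHAIN = fake_pem(b"intermediate")

# Constructed contents (assumption) for the paths named in the thread.
CONSTRUCTED_FILES = {
    "/etc/httpd/conf/ssl.crt": CERT_A,
    f"{USER_DIR}/DOMAIN.COM.cert": CERT_B,
    f"{USER_DIR}/DOMAIN.COM.combined": CERT_B + CHAIN,
}

if __name__ == "__main__":
    for fp, paths in group_by_leaf(CONSTRUCTED_FILES).items():
        print(fp)
        for p in paths:
            print("   ", p)
```

Run against real files, a result with one group means DirectAdmin wrote the same certificate everywhere; two groups, with `/etc/httpd/conf/ssl.crt` in one and the `DOMAIN.COM.*` files in the other, reproduces what the post describes, and `live_leaf_fingerprint("mydomain.com", 443)` tells you which group Apache is actually serving.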
 
Does anyone know if the problem is because my domain is set to my server hostname? (same as my domain, hostname = my domain)

Because I tried renewing many times, and DirectAdmin still only updates /etc/httpd/conf/ssl.crt and /etc/httpd/conf/ssl.key
and never updates my
/usr/local/directadmin/data/users/USER/domains/DOMAIN.COM.cert
/usr/local/directadmin/data/users/USER/domains/DOMAIN.COM.key
/usr/local/directadmin/data/users/USER/domains/DOMAIN.COM.ca
/usr/local/directadmin/data/users/USER/domains/DOMAIN.COM.combined
 
Does anyone know if the problem is because my domain is set to my server hostname? (same as my domain, hostname = my domain)
If your hostname and domain name are the same, then yes, that is a problem. For example:

Suppose your domain name is mydomain.com and your hostname is mydomain.com then yes, that's not a real hostname and this causes problems.
However, if your domain name is mydomain.com and your hostname is server.mydomain.com then no that is normal and should not cause any issues.

It would be best to either give us the real domain name so we can check for you if we find issues,
or otherwise send in a ticket to DirectAdmin.
 
I also checked, and these are also updated:
/usr/local/directadmin/conf/cacert.pem
/usr/local/directadmin/conf/cacert.pem.combined
/usr/local/directadmin/conf/cacert.pem.creation_time
/usr/local/directadmin/conf/cakey.pem
/usr/local/directadmin/conf/carootcert.pem

So I can confirm: DirectAdmin only doesn't update my
/usr/local/directadmin/data/users/USER/domains/DOMAIN.COM.cert
/usr/local/directadmin/data/users/USER/domains/DOMAIN.COM.key
/usr/local/directadmin/data/users/USER/domains/DOMAIN.COM.ca
/usr/local/directadmin/data/users/USER/domains/DOMAIN.COM.combined

Does anyone know how to fix it? Thank you
 
Please check "Conversations" (https://forum.directadmin.com/conversations/), thank you. So does that mean I need to change my hostname to fix my problem? Thanks
 
May I just edit my /etc/hosts or /etc/hostname? Thanks
 
Thank you for your help. I just want to update: I just fixed my problem by going to https://123.123.123.123:2222/CMD_ADMIN_SETTINGS and changing my "Server's Hostname" under "Server Settings (will restart DirectAdmin)". I hope that if someone gets the same problem they can fix it via this post.

Thanks
 
I just came online, good to hear you fixed it. Thank you for reporting back.
I just found another problem and fixed it. After I changed my hostname, DirectAdmin got a bug:
DirectAdmin renamed my /etc/virtual/mydomain.com/ to /etc/virtual/server.hostname/ (I changed to server.hostname), so I got a problem at the "E-Mail Accounts" location (DirectAdmin couldn't read any of my email accounts, Catch-All E-Mail, Autoresponders... all email settings got errors), so I cloned /etc/virtual/hostname/ to /etc/virtual/mydomain.com/ and then this problem was fixed. I hope this will help someone who gets this problem.
 
Yes, if both exist then it's good.

Your system needs two separate ones of these:
/etc/virtual/server.mydomain.com (so your hostname) and
/etc/virtual/mydomain.com (so your domain name)

However, DA should indeed not have changed your /etc/virtual/mydomain.com, but probably that is not a real bug but caused because you did not use the correct hostname.

Just to be sure, if I were you I would change the /etc/hosts and /etc/HOSTNAME files too so the correct hostname is in there too.
And reboot the server afterwards.
 
Thank you for your help
 