Need help with renew LetsEncrypt's cert

steveniori

New member
Joined
Nov 2, 2022
Messages
8
Hi, I have a problem renewing my Let's Encrypt cert manually. My problem is:

1. I can renew my clients' certs via the DirectAdmin web UI without problem (YES, without problem, the expiry date updates)
2. I can renew my admin account domain's cert via the DirectAdmin web UI and I get a message telling me:
LetsEncrypt request successful for:
mydomain.com
*.mydomain.com
3. I have this problem only on all admin accounts (even if I create another admin account and do the same thing)

BUT when I check my cert at user level on the SSL Certificates page, I see my cert still has the same expiry date, even if I try again and again.

Anyone know how I can fix it? Thanks

zEitEr

Super Moderator
Joined
Apr 11, 2005
Messages
14,485
Location
GMT +7.00
So the issue is that a certificate can not be renewed? Or DirectAdmin shows wrong information about a certificate?

What domain is giving an issue?
 

steveniori

New member
Joined
Nov 2, 2022
Messages
8
So the issue is that a certificate can not be renewed? Or DirectAdmin shows wrong information about a certificate?

What domain is giving an issue?
The cert shown at https://123.123.123.123:2222/CMD_SSL?domain=mydomain.com cannot be renewed; however, Let's Encrypt has counted my renewal as a successful renewal and shows me:
acme:error:rateLimited :: Error creating new order :: too many certificates (5) already issued for this exact set of domains in the last 168 hours

I think my problem is that DirectAdmin did renew my cert, but the cert shown at https://123.123.123.123:2222/CMD_SSL?domain=mydomain.com is my old cert (not updated there); however, when I check the cert in the browser, my cert is the new one (not the same expiry date shown on the https://123.123.123.123:2222/CMD_SSL?domain=mydomain.com page).

Thank you
 

steveniori

New member
Joined
Nov 2, 2022
Messages
8
I just tried again and found this error:

Found wildcard domain name and http challenge type, switching to dns-01 validation.
CAA record prevents issuing the certificate: SERVFAIL
 

steveniori

New member
Joined
Nov 2, 2022
Messages
8
I tried again and again, but still failed to get a new cert (I tried many times, but it still shows me the old cert and the expiry date does not change) from DA and Let's Encrypt, so I gave up and changed to ZeroSSL, because they have a web UI and simple verification; then I got my cert and pasted it into DA.
 

Richard G

Verified User
Joined
Jul 6, 2008
Messages
9,550
Location
Maastricht
Do you have DNSSEC present for the domains?
Check if the DNS records are all correct for the domain(s), like the A record, and if CAA is present (it might be present and wrong):

If you are on Centos/Alma/Rocky try these commands:
yum -y update dnsmasq bind bind-libs bind-utils

Got all these tips from other threads on the forums here.

ZeroSSL might be working now, but if your settings are incorrect, you might experience the problem in the future.
 

steveniori

New member
Joined
Nov 2, 2022
Messages
8
Do you have dnssec present for the domains?
Check if the DNS records are all correct for the domain(s), like A record and if CAA is present (might be present and wrong):

If you are on Centos/Alma/Rocky try these commands:
yum -y update dnsmasq bind bind-libs bind-utils

Got all these tips from other threads on the forums here.

ZeroSSL might be working now, but if your settings are incorrect, you might experience the problem in the future.
Thank you, I just checked my domain via your link, and it shows my domain without a CAA record, but how can I add a CAA record via DirectAdmin?
Thanks
 

steveniori

New member
Joined
Nov 2, 2022
Messages
8
Do you have dnssec present for the domains?
Check if the DNS records are all correct for the domain(s), like A record and if CAA is present (might be present and wrong):

If you are on Centos/Alma/Rocky try these commands:
yum -y update dnsmasq bind bind-libs bind-utils

Got all these tips from other threads on the forums here.

ZeroSSL might be working now, but if your settings are incorrect, you might experience the problem in the future.
I want to ask one new question, thanks:
Do you know where DirectAdmin saved my new cert after I requested a renewal via https://123.123.123.123:2222/CMD_SSL?domain=mydomain.com (DirectAdmin's SSL Certificates page)?

Thank you so much

=======================
I found something weird in my case:
In DirectAdmin SSL Certificates + my domain's web page: my SSL cert is the OLD cert
but... in the DirectAdmin panel (web), my cert is a new cert; also I find /etc/httpd/conf/ssl.crt and /etc/httpd/conf/ssl.key are the new cert too

Is this a bug?

Richard G

Verified User
Joined
Jul 6, 2008
Messages
9,550
Location
Maastricht
I found something weird in my case:
In DirectAdmin SSL Certificates + my domain's web page: my SSL cert is the OLD cert
but... in the DirectAdmin panel (web),
I don't understand what you mean by DirectAdmin panel (web). What is the difference from DA SSL Certificates?

Maybe it's not updated yet, but if you find the certs are new, then the new ones are working.

but how can I add caa record via directadmin?
You can add it as a CAA record in DNS.
However, if you want to use CAA records, you might have to set dns_caa=1 in directadmin.conf (and restart DA) if that is not already a default value.

You can set the DNS record like this if you want to use it:
yourdomain.com. 3600 IN CAA 128 issue "letsencrypt.org"
Of course, replace yourdomain.com. with the domain you want to use it for, and mind the trailing dot at the end.
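Added example, not from the thread and not DirectAdmin's own tooling: a Python model of the RFC 8659 decision a CA makes from a zone's CAA records, exercised with the `issue "letsencrypt.org"` record above and the wildcard name (`*.mydomain.com`) from this thread; the zone contents are constructed. It models a successful lookup only: a SERVFAIL on the CAA query, like the error quoted earlier, is treated by the CA as a lookup failure (most often a DNSSEC problem) and blocks issuance whatever the records say.

```python
"""Model of the RFC 8659 CAA check a CA performs before issuing for a name."""
from typing import Dict, List, NamedTuple


class CAA(NamedTuple):
    flags: int   # bit 128 = "issuer critical", as in the record above
    tag: str     # issue, issuewild, iodef, ...
    value: str   # e.g. 'letsencrypt.org' or ';' meaning "no CA at all"


KNOWN_TAGS = {"issue", "issuewild", "iodef"}

# Constructed zone data (not a real DNS lookup): owner name -> CAA RRset.
SAMPLE_ZONE: Dict[str, List[CAA]] = {
    "mydomain.com": [CAA(128, "issue", "letsencrypt.org")],
    "strict.example": [CAA(0, "issue", "letsencrypt.org"),
                       CAA(0, "issuewild", ";")],  # forbid all wildcards
}

def relevant_rrset(zone: Dict[str, List[CAA]], name: str) -> List[CAA]:
    """Strip a leading wildcard label, then climb towards the root and
    return the first non-empty CAA RRset found (RFC 8659 section 3)."""
    labels = name.rstrip(".").lower().split(".")
    if labels and labels[0] == "*":
        labels = labels[1:]
    while labels:
        rrset = zone.get(".".join(labels))
        if rrset:
            return rrset
        labels = labels[1:]
    return []

def ca_may_issue(zone: Dict[str, List[CAA]], name: str,
                 ca: str = "letsencrypt.org") -> bool:
    """True if the CA identified by `ca` is permitted to issue for `name`."""
    rrset = relevant_rrset(zone, name)
    if not rrset:
        return True  # no CAA anywhere up the tree: unrestricted
    # A critical record whose tag the CA does not understand blocks issuance.
    if any(r.flags & 128 and r.tag.lower() not in KNOWN_TAGS for r in rrset):
        return False
    issue = [r for r in rrset if r.tag.lower() == "issue"]
    issuewild = [r for r in rrset if r.tag.lower() == "issuewild"]
    # Wildcard names use issuewild when present, otherwise fall back to issue.
    relevant = issuewild if (name.startswith("*.") and issuewild) else issue
    if not relevant:
        return True  # CAA present (e.g. only iodef) but issuance unrestricted
    # value is "<ca-domain>[; parameters]"; a bare ";" matches no CA.
    return any(r.value.split(";")[0].strip().lower() == ca for r in relevant)
```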
 

steveniori

New member
Joined
Nov 2, 2022
Messages
8
I don't understand what you mean with Directadmin panel (web). What is the difference with DA SSL Certificates?

Maybe it's not updated yet, but if you find the certs are new, then the new ones are working.


You can add it as a CAA record in DNS.
However, if you want to use CAA records, you might have to set dns_caa=1 in directadmin.conf (and restart DA) if that is not already a default value.

The DNS record you can set like this if you want to use it:
yourdomain.com. 3600 IN CAA 128 issue "letsencrypt.org"
Of course, replace yourdomain.com. with the domain you want to use it for, and mind the trailing dot at the end.
Thank you

So my problem is:
1. DirectAdmin renews my cert when I renew it, but it is only updated in /etc/httpd/conf/ssl.crt and /etc/httpd/conf/ssl.key (I call it CERT A)

2. But DirectAdmin will not update my
/usr/local/directadmin/data/users/USER/domains/DOMAIN.COM.cert
/usr/local/directadmin/data/users/USER/domains/DOMAIN.COM.key
/usr/local/directadmin/data/users/USER/domains/DOMAIN.COM.ca
/usr/local/directadmin/data/users/USER/domains/DOMAIN.COM.combined
(I call it CERT B)

with the same cert.

So for now, when I check the cert content at https://123.123.123.123:2222/CMD_SSL?domain=mydomain.com, or https://www.mydomain.com or https://mydomain.com:2222 via the browser, it is still the old cert (CERT B).

But when I check my cert via the browser at https://123.123.123.123:2222 (DirectAdmin website), it is the new cert (CERT A).
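Added example, not from the thread and not DirectAdmin's own tooling: a Python check that fingerprints the leaf certificate in each of the files named above and groups the paths by fingerprint, so a CERT A / CERT B split like this one is visible at a glance. The PEM bodies embedded here are constructed placeholders, not real X.509 certificates; USER and DOMAIN.COM in the paths are the thread's own placeholders.

```python
"""Group certificate files by SHA-256 fingerprint of the leaf certificate."""
import base64
import hashlib
import re
from collections import defaultdict
from typing import Dict, List, Optional

PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def leaf_fingerprint(pem_text: str) -> Optional[str]:
    """SHA-256 of the DER bytes of the first CERTIFICATE block, or None.
    Chain files such as DOMAIN.COM.combined carry the leaf first, so only
    the first block is hashed; .key files have no block and return None."""
    m = PEM_CERT.search(pem_text)
    if not m:
        return None
    der = base64.b64decode("".join(m.group(1).split()))
    return hashlib.sha256(der).hexdigest()

def group_by_fingerprint(files: Dict[str, str]) -> Dict[str, List[str]]:
    """Map fingerprint -> list of paths whose leaf certificate has it."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for path, text in files.items():
        fp = leaf_fingerprint(text)
        if fp is not None:
            groups[fp].append(path)
    return dict(groups)

def in_sync(files: Dict[str, str]) -> bool:
    """True when every certificate-bearing file holds the same leaf cert."""
    return len(group_by_fingerprint(files)) <= 1

def _fake_pem(label: str) -> str:
    # Constructed placeholder: base64 of a label, NOT a real certificate.
    body = base64.b64encode(label.encode()).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

# Constructed sample mirroring the thread: the Apache files hold CERT A,
# the per-user DirectAdmin files still hold CERT B.
CERT_A, CERT_B = _fake_pem("constructed CERT A"), _fake_pem("constructed CERT B")
SAMPLE_FILES = {
    "/etc/httpd/conf/ssl.crt": CERT_A,
    "/etc/httpd/conf/ssl.key": "-----BEGIN PRIVATE KEY-----\n(not parsed)\n",
    "/usr/local/directadmin/data/users/USER/domains/DOMAIN.COM.cert": CERT_B,
    "/usr/local/directadmin/data/users/USER/domains/DOMAIN.COM.combined": CERT_B + CERT_A,
}
```

On a real host, read each of those paths into the dict (as root) and pass it to group_by_fingerprint; two groups means the Apache config and the per-user files have drifted, which is exactly the symptom described in this thread.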
 