No LetsEncrypt after nginx_apache install?

riderxxx

Hi,

We enabled nginx_apache recently because of performance reasons. After that, it looks like requested Letsencrypt certificates are not "installed". Is that possible/a known issue?
The letsencrypt module gives no errors, SSL is enabled for the domains but new certificates do not work.

Domains where the certificate was installed already are working correctly (thankfully enough) :)

Anyone else having issues or had this?

This is the error in Chrome:

This server could not prove that it is www.domain.com; its security certificate is from server.ourwebsite.nl. This may be caused by a misconfiguration or an attacker intercepting your connection.
 

PSD

Hi, just a thought: are you running the most recent letsencrypt script?
It's a good idea to check you've got the most recent script:

cd /usr/local/directadmin/custombuild
./build update
./build letsencrypt

Phil
 

riderxxx

Yeah, looks like it:
Latest version of Let's Encrypt client: 1.0.18
Installed version of Let's Encrypt client: 1.0.18
 

riderxxx

It apparently looks like that -some- domains -are- working and some are not... still shooting some troubles :)
 

riderxxx

This is so weird...

I tried adding the domain again to the account a thousand times. It creates the certificate perfectly, but the browser just doesn't see it. Cleared caches... no change.

Created a new account and added this domain under it, certificate works like a charm. :rolleyes::rolleyes:
 

riderxxx

Same is happening now with other domains which are "secondary" domains added to one account. The "main" domain works.

Several domains are now listed at 'Certificate Hosts' but only the "main" domain is safe through SSL, the secondary or pointer domains are not secured....

Edit: confirmed, all 'secondary' added domains to an account are having issues with SSL's... this is in the httpd logfile for the particular domain:

[Wed Nov 29 03:28:01.603488 2017] [ssl:warn] [pid 9922] AH01909: domain:443:0 server certificate does NOT include an ID which matches the server name
[Wed Nov 29 03:35:01.714802 2017] [ssl:warn] [pid 14616] AH01909: domain:443:0 server certificate does NOT include an ID which matches the server name
[Wed Nov 29 03:35:01.843291 2017] [ssl:warn] [pid 14617] AH01909: domain:443:0 server certificate does NOT include an ID which matches the server name
[Wed Nov 29 03:36:11.563283 2017] [ssl:warn] [pid 15431] AH01909: domain:443:0 server certificate does NOT include an ID which matches the server name
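
The following added example, which is not part of the original post, counts AH01909 warnings per vhost and checks each flagged name against the subjectAltName list of the certificate configured for that vhost. The log lines, the `.example` host names and the SAN lists are constructed sample data, and the function names are this example's own.

```python
import re
from collections import Counter

# mod_ssl warning AH01909: the certificate configured for a vhost has no
# subjectAltName/CN entry matching that vhost's ServerName.
AH01909 = re.compile(
    r"\[ssl:warn\] \[pid \d+\] AH01909: (?P<vhost>\S+?):(?P<port>\d+):\d+ "
    r"server certificate does NOT include an ID which matches the server name")

def mismatched_vhosts(log_lines):
    """Return Counter {(vhost, port): number of AH01909 warnings}."""
    hits = Counter()
    for line in log_lines:
        m = AH01909.search(line)
        if m:
            hits[(m["vhost"].lower(), int(m["port"]))] += 1
    return hits

def san_matches(hostname, san):
    """Exact match, or a wildcard standing for exactly one left-most label."""
    host = hostname.lower().rstrip(".").split(".")
    pat = san.lower().rstrip(".").split(".")
    if len(host) != len(pat):
        return False
    if pat[0] == "*":
        return len(pat) > 2 and host[1:] == pat[1:]
    return host == pat

def covered(hostname, sans):
    return any(san_matches(hostname, s) for s in sans)

def report(log_lines, sans_by_vhost):
    """Vhosts that logged AH01909 and whose SAN list confirms the gap."""
    return sorted(v for (v, _port) in mismatched_vhosts(log_lines)
                  if not covered(v, sans_by_vhost.get(v, [])))

# Constructed sample input: log lines in the format quoted above, and SAN
# lists standing in for what each vhost's certificate file contains.
_WARN = "server certificate does NOT include an ID which matches the server name"
SAMPLE_LOG = [
    f"[Wed Nov 29 03:28:01.603488 2017] [ssl:warn] [pid 9922] AH01909: secondary.example:443:0 {_WARN}",
    f"[Wed Nov 29 03:35:01.714802 2017] [ssl:warn] [pid 14616] AH01909: secondary.example:443:0 {_WARN}",
    "[Wed Nov 29 03:35:02.000000 2017] [mpm_prefork:notice] [pid 14616] unrelated line",
]
SAMPLE_SANS = {
    "main.example": ["main.example", "www.main.example"],
    "secondary.example": ["server.hosting.example"],  # server hostname cert
}
```
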
 

zEitEr

Hello,

Kindly provide more details or open a ticket with directadmin support.

OS version?
OpenSSL version?
Directadmin version?
Real domain name (for which you installed cert and it's not showing up) with its configs from nginx+apache?
 

chrismfz

Digging for Let's Encrypt and nginx_apache, I found this and didn't want to open a new thread.

Let's Encrypt only issues SSL for www/domain. Not ftp / mail / smtp / ftp when nginx is running in front.

I did the same test today, Cloudlinux 7, latest DA version, just installed it today and configured a test domain to check.

DirectAdmin 1.57.2



Requesting new certificate order...
Processing authorization for infected.gr...
Waiting for domain verification...
Challenge is valid.
Challenge is valid.
Processing authorization for mail.infected.gr...
Error: http://mail.infected.gr/.well-known/acme-challenge/letsencrypt_1562234161 is not reachable. Aborting the script.
dig output for mail.infected.gr:
116.202.110.252
Please make sure /.well-known alias is setup in WWW server.
 

zEitEr

Let's Encrypt requires a domain verification. It means that a domain should point to your server IP for the domain validation to succeed. Without passing the validation no certificate can be issued.

The domain you are testing does not seem to point to a server IP under your control.
 

chrismfz

My mistake.
On the testing domain I entered my hostname as DNS.

DirectAdmin zone default was my main DNS.

One dns handed the zone over the other.

Jumped to quick conclusions, sorry :)
 