No LetsEncrypt certificates option in user panel

crenet (Verified User, joined Sep 23, 2019, 50 messages)
Hi,

I set up Let's Encrypt for the hostname using this guide:

https://help.directadmin.com/item.php?id=629

And I did get SSL for the DA panel login.

I checked and an IP is assigned for the reseller and for the user.

I followed this guide and I cannot get Let's Encrypt certificates in the user panel.

https://help.directadmin.com/item.php?id=648

I also checked this guide and I do not get the Alias /.well-known in /etc/httpd/conf/extra/httpd-alias.conf, even after following the next steps.

And I cannot get the Let's Encrypt certificates in the user panel.

I am on DA version 1.59.4 on Debian 9.3.

What's wrong?

UPDATE:
After some more tries I could get the option to generate the Let's Encrypt certificates in the user panel, but again I get the following error:

"Error: http://domain.com/.well-known/acme-challenge/letsencrypt_1572810963 is not reachable. Aborting the script.
dig output for domain.com:

Please make sure /.well-known alias is setup in WWW server."

Again, the /.well-known alias is not created. This must be a bug; this is the DA base installation, very annoying.

Any help will be appreciated.

I really didn't expect this integration issue with Let's Encrypt.

DA version 1.59.4
CustomBuild : updated

Websites do not load correctly; most browsers redirect to https.

Can anyone help me with this new DA setup?

Thanks
 
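The "is not reachable" error above is a pre-check: before talking to Let's Encrypt, the script drops a token file and fetches it back over plain http at /.well-known/acme-challenge/<token>, which only works when the web server maps /.well-known to the directory the file was written to (the Alias line the poster cannot find). The following is an added example for this thread, not code from the forum posts or from DirectAdmin's letsencrypt.sh. It reproduces that pre-check offline: Python's http.server stands in for Apache, one instance with the alias mapping and one without, so the 404 the poster is hitting can be seen side by side with the working case. The sample Alias line parsed at the end is constructed, not copied from a DirectAdmin install.

```python
"""Reproduce the ACME http-01 reachability pre-check against a local stand-in web server."""
import http.server
import os
import posixpath
import re
import secrets
import tempfile
import threading
import urllib.error
import urllib.parse
import urllib.request

# Matches an Apache 'Alias /.well-known <dir>' directive, optionally quoted target.
ALIAS_RE = re.compile(r'^\s*Alias\s+/\.well-known(?:/)?\s+"?([^"\s]+)"?', re.MULTILINE)


def well_known_alias_target(httpd_conf: str):
    """Return the filesystem directory that /.well-known is aliased to, or None if no such line exists."""
    m = ALIAS_RE.search(httpd_conf)
    return m.group(1) if m else None


def make_handler(docroot: str, well_known_dir):
    """Build a request handler; well_known_dir=None models a vhost with no /.well-known alias."""
    class Handler(http.server.SimpleHTTPRequestHandler):
        def __init__(self, *args, **kwargs):
            super().__init__(*args, directory=docroot, **kwargs)

        def translate_path(self, path):
            if well_known_dir is not None and path.startswith('/.well-known/'):
                rel = urllib.parse.unquote(path.split('?', 1)[0].split('#', 1)[0])[len('/.well-known/'):]
                rel = posixpath.normpath('/' + rel).lstrip('/')  # no '..' escapes out of the alias dir
                return os.path.join(well_known_dir, *rel.split('/'))
            return super().translate_path(path)  # everything else is served from the docroot

        def log_message(self, *args):  # keep the demo quiet
            pass
    return Handler


def serve(docroot: str, well_known_dir):
    """Start a background HTTP server on a free loopback port and return it."""
    srv = http.server.ThreadingHTTPServer(('127.0.0.1', 0), make_handler(docroot, well_known_dir))
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def http01_precheck(base_url: str, challenge_dir: str, token=None):
    """Write a random token under challenge_dir/acme-challenge/ and fetch it back over http.

    Returns (ok, detail). ok is False when the URL 404s, is unreachable, or serves other content,
    i.e. exactly the conditions under which a CA's http-01 validation would also fail.
    """
    token = token or 'letsencrypt_' + secrets.token_hex(8)
    os.makedirs(os.path.join(challenge_dir, 'acme-challenge'), exist_ok=True)
    path = os.path.join(challenge_dir, 'acme-challenge', token)
    body = secrets.token_urlsafe(32)
    with open(path, 'w') as fh:
        fh.write(body)
    url = f'{base_url}/.well-known/acme-challenge/{token}'
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # ignore proxy env vars
    try:
        with opener.open(url, timeout=5) as resp:
            got = resp.read().decode('utf-8', 'replace')
    except urllib.error.HTTPError as e:
        return False, f'{url} returned HTTP {e.code}'
    except (urllib.error.URLError, OSError) as e:
        return False, f'{url} is not reachable: {getattr(e, "reason", e)}'
    finally:
        os.remove(path)
    if got != body:
        return False, f'{url} served unexpected content'
    return True, url


def demo():
    """Run the pre-check against a vhost with the alias and one without; return both results."""
    with tempfile.TemporaryDirectory() as docroot, tempfile.TemporaryDirectory() as well_known:
        with_alias, without_alias = serve(docroot, well_known), serve(docroot, None)
        try:
            ok_good = http01_precheck(f'http://127.0.0.1:{with_alias.server_port}', well_known)
            ok_bad = http01_precheck(f'http://127.0.0.1:{without_alias.server_port}', well_known)
        finally:
            for srv in (with_alias, without_alias):
                srv.shutdown()
                srv.server_close()
    return {'with_alias': ok_good, 'without_alias': ok_bad}


if __name__ == '__main__':
    # Constructed sample of the directive the poster is looking for; target path is illustrative.
    print('alias target:', well_known_alias_target('Alias /.well-known /var/www/html/.well-known\n'))
    for name, (ok, detail) in demo().items():
        print(f'{name}: {"OK" if ok else "FAIL"} - {detail}')
```

On a real server the equivalent manual check is to create a file under the aliased directory and request it with curl over plain http from outside the box; a 404 there means the vhost is serving the path from its own document root and the alias is not in effect for that domain, whatever the global config file says.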

system-admin (Verified User, joined Aug 1, 2019, 31 messages)
Are the nameservers or site's A record pointed at your servers?
Kindly make sure first.
 

crenet
Hi,

I can ping user-domain.com and www.user-domain.com, where I want to install the SSL certificates, and they respond from my VPS IP.

My nameservers are vanity nameservers from a DNS service.

dig @8.8.8.8 +short NS user-domain.com
Output: all my vanity nameservers + the DNS service nameservers

dig @vanity-nameservers user-domain.com
I get an answer with the A record and the correct IP.

I think this answers your question.

Many thanks for your support
 

crenet
Hello,

Just an update to say that I still cannot get Let's Encrypt on the domain.

All DNS seems OK; the domain is available but only loads over http in Safari, while all other browsers automatically redirect to https and give the certificate alert because I cannot get the Let's Encrypt certificates.

Again, the /.well-known alias is not created.


I also tried:

sudo ./directadmin set hsts 0
sudo service directadmin restart


Please help
 

crenet
What's the domain name and the server IP, is it possible to mention them here?
designtudo.com
185.42.223.65

sudo ./directadmin c | grep ^letsencrypt=
letsencrypt=1
sudo ./directadmin c | grep ^hsts=
hsts=0
sudo ./directadmin c | grep ^enable_ssl_sni=
enable_ssl_sni=1

thanks a lot.
 

crenet
Hi,

I also added this to the domain:

Header always set Strict-Transport-Security "max-age=0; includeSubdomains;"

By going to Server Manager>Custom HTTPD configurations>designtudo.com

And restarted the httpd service.

This was to get the website online.

I still cannot install the Let's Encrypt certificates.

Please help me to fix it.
 

crenet
Hello @system-admin

I already sent the domain and IP.

Do you have some time to check this issue?

I have been stuck for the last four days; I would be grateful if you could take a look.

Thanks
 

smtalk (Administrator, Staff member, joined Aug 22, 2006, 8,201 messages, LT, EU)
Check the AAAA record and also try updating the Let's Encrypt script to the latest version.
 

crenet
Check the AAAA record and also try updating the Let's Encrypt script to the latest version.

Hi smtalk,

Thanks for helping me here.

I am waiting for the host to assign me the IPv6 /64 block, so I cannot create the AAAA record yet.

Let's Encrypt script to the latest version:
I updated CustomBuild from the plugin and it says that everything is up to date.
Should I do anything more after updating CustomBuild to get the Let's Encrypt script updated?

When generating the Let's Encrypt certificate for all 6 subdomains I get the error that I mentioned before, but if I try the wildcard it says that I need to wait for a confirmation, and then the message reports this:

Error with LetsEncrypt request 11/7/2019, 18:49:03
Found wildcard domain name and http-01 challenge type, switching to dns-01 validation.
DNS challenge test fail for _acme-challenge-test.domain.com IN TXT "pre-check", retrying...
Retry failed, trying again in 15s... (this line repeated 19 times)
DNS validation failed. Exiting...


Will I need to create a TXT record?

Any help will be appreciated
 

crenet
Hi smtalk,

I tried to reinstall the Let's Encrypt script and did the following steps:

I followed this guide.
https://help.directadmin.com/item.php?id=648

Checking:
./directadmin c | grep ^letsencrypt=
letsencrypt=1

./directadmin c | grep ^enable_ssl_sni=
enable_ssl_sni=1

./directadmin c | grep ^ssl=
ssl=1

./directadmin c | grep ^hsts=
hsts=0

./directadmin c | grep ^force_hostname=
force_hostname=my.hostname.com

./directadmin c | grep ^ssl_redirect_host=
ssl_redirect_host=my.hostname.com

echo "action=directadmin&value=restart" >> /usr/local/directadmin/data/task.queue; /usr/local/directadmin/dataskq d2000
./build rewrite_confs

cd /usr/local/directadmin/custombuild

./build update
./build letsencrypt
Let's encrypt client 1.1.36 has been installed.

Then User Level -> SSL Certificates and tried to generate.

If I select the Let's Encrypt Certificate Entries for which I have an A record in the external DNS server:

CERTIFICATE AND KEY SAVED.

Now let's try the wildcard:

Your request will run in the background. Once completed, you'll be notified in the Message System.

Message with error:
Error with LetsEncrypt request
11/8/2019, 16:57:09
Found wildcard domain name and http-01 challenge type, switching to dns-01 validation.
Requesting new certificate order...
Processing authorization for domain.com...
Challenge is valid.
Processing authorization for domain.com...
DNS challenge test fail for _acme-challenge.domain.com IN TXT "AOu2tJn0DzsPr-6np_SH6KXBpV4Mb_yuv-qWJXZTS-g", retrying...
Retry failed, trying again in 15s...
Retry failed, trying again in 15s...
Retry failed, trying again in 15s...

Why can't I get the wildcard certificate?

Thanks
 

HostinganID (Verified User, joined May 5, 2016, 14 messages, Indonesia)
(quoting crenet's previous post in full)
Make sure you use the DirectAdmin-hosted DNS server, because the DNS validation method can't verify if you are using external DNS like Cloudflare.
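The wildcard failure in the quoted log is a dns-01 problem: the script expects `_acme-challenge.domain.com IN TXT "<value>"` to be answerable, and the poster's zone is served by an external DNS provider, so a record written into the panel's own nameserver is never seen by anyone resolving the domain. The following is an added example for this thread, not code from the forum posts or from DirectAdmin's letsencrypt.sh. It shows where that TXT value comes from (RFC 8555 §8.4: base64url of SHA-256 over the challenge token, a dot, and the RFC 7638 thumbprint of the ACME account key) and checks a `dig +short TXT` answer for it. The account key and the two nameserver answers are constructed: the JWK uses placeholder strings rather than real RSA parameters, one answer models the panel's nameserver after the record was written, the other models the external provider that never received it.

```python
"""Compute the dns-01 TXT value for a (wildcard) name and check whether a nameserver answer carries it."""
import base64
import hashlib
import json
import re

# One TXT <character-string> as dig prints it; long RDATA appears as several quoted chunks on one line.
_TXT_STRING = re.compile(r'"((?:[^"\\]|\\.)*)"')


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding ACME uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b'=').decode('ascii')


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 of the required members only, keys sorted, no whitespace."""
    required = {'RSA': ('e', 'kty', 'n'), 'EC': ('crv', 'kty', 'x', 'y')}[jwk['kty']]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(',', ':'))
    return b64url(hashlib.sha256(canonical.encode('utf-8')).digest())


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """RFC 8555 §8.4: TXT RDATA = base64url(SHA-256(token '.' thumbprint(account key)))."""
    key_authorization = f'{token}.{jwk_thumbprint(account_jwk)}'
    return b64url(hashlib.sha256(key_authorization.encode('ascii')).digest())


def challenge_name(identifier: str) -> str:
    """Owner name to query; '*.example.com' is validated at _acme-challenge.example.com, same as the apex."""
    if identifier.startswith('*.'):
        identifier = identifier[2:]
    return f'_acme-challenge.{identifier.rstrip(".")}'


def parse_dig_short_txt(output: str) -> list:
    """Turn `dig +short TXT <name> @<ns>` output into one string per TXT record."""
    records = []
    for line in output.splitlines():
        chunks = _TXT_STRING.findall(line)
        if chunks:
            records.append(''.join(chunks))
    return records


def dns01_visible(expected: str, dig_short_output: str) -> bool:
    """True only when the queried nameserver returns a TXT record equal to the expected value."""
    return expected in parse_dig_short_txt(dig_short_output)


# Constructed account key: placeholder strings in the JWK shape, not real RSA parameters.
ACCOUNT_JWK = {'kty': 'RSA', 'e': 'AQAB', 'n': 'constructed-placeholder-modulus-not-a-real-key'}
# Constructed token; a real one is issued by the CA inside the authorization object.
TOKEN = 'constructed-token-from-the-acme-authorization'


def demo():
    """Return (expected TXT value, visible on the panel's NS?, visible on the external NS?)."""
    expected = dns01_txt_value(TOKEN, ACCOUNT_JWK)
    # Constructed answer from the panel's own nameserver once the script has written the record.
    panel_ns_answer = f'"{expected}"\n'
    # Constructed answer from the external provider that actually serves the zone: the record is absent.
    external_ns_answer = '"v=spf1 -all"\n'
    return expected, dns01_visible(expected, panel_ns_answer), dns01_visible(expected, external_ns_answer)


if __name__ == '__main__':
    value, on_panel, on_external = demo()
    print(f'{challenge_name("*.example.com")} IN TXT "{value}"')
    print('visible on panel nameserver:', on_panel, '| visible on external nameserver:', on_external)
    print('check the real thing with: dig +short TXT', challenge_name('*.example.com'), '@<authoritative-ns>')
```

The practical consequence matches HostinganID's reply: with the domain delegated to an outside DNS service, the TXT record has to end up in that service's zone (by hand, or through the provider's API) before the CA checks it, and the value is specific to one challenge, so it changes on every issuance and renewal.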
 

crenet
I am getting this using these commands:

>openssl s_client -showcerts -connect mail.domain.com:465

CONNECTED(00000005)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = host.domain.com
verify return:1

>openssl s_client -showcerts -servername domain.com -connect domain.com:465
CONNECTED(00000005)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = domain.com
verify return:1

Any ideas why mail.domain.com is not using the user certificate?
Thanks
 