Problem on creating new SSL with LetsEncrypt in DirectAdmin

[harro]

See update at the end, which may explain the issue


I would like to add a request for your views / advice on a problem I have on two virtual machines that I copied from another working VM:

When I try to create new Lets Encrypt certificates I get the following error (which may or may not be related to the fact that I copied the VM)


- Lets Encrypt is working well in the original VM, but not in both copies.
- In the copied VMs I changed the IP-address (using the IPswap script), renewed the SSL certificates, changed the hostname, etc.
- I updated DirectAdmin and Lets Encrypt to the latest versions using Custombuild.
- After trying different letsencrypt.sh options (that didn't work), I followed the instructions at https://help.directadmin.com/item.php?id=629 that I followed when I installed the original VM. This did not work either.
- The hostname (and mail.hostname) resolve to the IP of the VM (as you can see in the output of ATTEMP 3, below).
- I also did the rewrite_configs


ATTEMPT 1:

scripts]# ./letsencrypt.sh request hostname.domain.tld 4096
Generating 4096 bit RSA key for hostname.domain.tld...
openssl genrsa 4096 > "/usr/local/directadmin/data/users/admin/domains/hostname.domain.tld.key.new"
Generating RSA private key, 4096 bit long modulus
.................................................................................................................................................................++
.....................................................................................................................................................................++
e is 65537 (0x10001)
Error Loading request extension section SAN
3071907564:error:2206D06C:X509 V3 routines:X509V3_parse_list:invalid null name:v3_utl.c:326:
3071907564:error:22097069:X509 V3 routinesO_EXT_NCONF:invalid extension string:v3_conf.c:139:name=subjectAltName,section=
3071907564:error:22098080:X509 V3 routines:X509V3_EXT_nconf:error in extension:v3_conf.c:93:name=subjectAltName, value=
Size of certificate response is smaller than 500 characters, it means something went wrong. Printing response...

I also get this error when I try to add a subdomain with the hostname (command taken from the DA help page https://help.directadmin.com/item.php?id=645):

ATTEMPT2:

scripts]# ./letsencrypt.sh request `hostname`,mail.papillon.plie.nl,ftp.papillon.plie.nl,papillon.plie.nl 4096
skipping papillon.plie.nl challenge test failed
skipping mail.papillon.plie.nl challenge test failed
skipping ftp.papillon.plie.nl challenge test failed
skipping papillon.plie.nl challenge test failed
Generating 4096 bit RSA key for papillon.plie.nl...
openssl genrsa 4096 > "/usr/local/directadmin/data/users/admin/domains/papillon.plie.nl.key.new"
Generating RSA private key, 4096 bit long modulus
...........................................................................................................................................................................................................................................................++
...........................................................++
e is 65537 (0x10001)
Error Loading request extension section SAN
3072165612:error:2206D06C:X509 V3 routines:X509V3_parse_list:invalid null name:v3_utl.c:326:
3072165612:error:22097069:X509 V3 routinesO_EXT_NCONF:invalid extension string:v3_conf.c:139:name=subjectAltName,section=
3072165612:error:22098080:X509 V3 routines:X509V3_EXT_nconf:error in extension:v3_conf.c:93:name=subjectAltName, value=
Size of certificate response is smaller than 500 characters, it means something went wrong. Printing response...

Then I tried the 'old' way (https://help.directadmin.com/item.php?id=645) which is what I have been doing up until now on my servers:

ATTEMPT 3:

scripts]# ./letsencrypt.sh request hostname.domain.tld 4096 /usr/local/directadmin/conf/ca.san_config
Getting challenge for hostname.domain.tld from acme-server...
Waiting for domain verification...
Challenge is valid.
Getting challenge for mail.hostname.domain.tld from acme-server...
Waiting for domain verification...
Challenge is valid.
Generating 4096 bit RSA key for hostname.domain.tld...
openssl genrsa 4096 > "/usr/local/directadmin/data/users/admin/domains/hostname.domain.tld.key.new"
Generating RSA private key, 4096 bit long modulus
...............................................++
......................................................++
e is 65537 (0x10001)
Size of certificate response is smaller than 500 characters, it means something went wrong. Printing response...

Any thoughts on what could be causing this problem and/or how I could move to fixing it? Could it be linked to the new version of Lets Encrypt, or is it specific to the fact that the VMs are clones? Is there another issue at play?

Thank you and kind regards,

Harro


UPDATE:
In the shell there was no clarification of the error, but in the message system it did show the actual error message:

Size of certificate response is smaller than 500 characters, it means something went wrong. Printing response...
"detail": "Error creating new cert :: Too many certificates already issued for exact set of domains: mail.hostname.domain.tld, hostname.domain.tld

Could that ultimately be the cause (strange error reporting on the command line, though)? How long will I need to wait before I can make a new request?

 

[SeLLeRoNe]

If i'm not wrong there is a limit per week, so, next Monday should work

Best regards

 

[ikkeben]

Don't know or this is a older problem with such domains handled as subdomain and not tld.
.co.uk for example

https://publicsuffix.org/

as you can read here could help i don't know or letsencrypt if this is your prob has solved it a other way.
https://github.com/certbot/certbot/issues/2091

The main limit is Certificates per Registered Domain (20 per week). A registered domain is, generally speaking, the part of the domain you purchased from your domain name registrar. For instance, in the name www.example.com, the registered domain is example.com. In new.blog.example.co.uk, the registered domain is example.co.uk. We use the Public Suffix List to calculate the registered domain.

Also i remembered max was once 100 per week now it is 20 per week!
https://letsencrypt.org/docs/rate-limits/

We also have a Duplicate Certificate limit of 5 certificates per week. A certificate is considered a duplicate of an earlier certificate if they contain the exact same set of hostnames, ignoring capitalization and ordering of hostnames. For instance, if you requested a certificate for the names [www.example.com, example.com], you could request four more certificates for [www.example.com, example.com] during the week. If you changed the set of names by adding [blog.example.com], you would be able to request additional certificates.

DO DA letsencrypt script take care of this new limit?

We have also recently (December 2016) introduced a rate limit on overall request volume. The “new-reg”, “new-authz” and “new-cert” endpoints have an Overall Request Per Second rate limit of 20 requests per second. All other endpoints have a rate limit of 2000 requests per second.

For more then 20 subdomains you have to use this workarround this is not default handled in the DA script?

Note that the Renewal Exemption also means you can gradually increase the number of certificates available to your subdomains. You can issue 20 certificates in week 1, 20 more certificates in week 2, and so on, while not interfering with renewals of existing certificates.

And here giving a workaround for max 5 duplicate sets a week

We also have a Duplicate Certificate limit of 5 certificates per week. A certificate is considered a duplicate of an earlier certificate if they contain the exact same set of hostnames, ignoring capitalization and ordering of hostnames. For instance, if you requested a certificate for the names [www.example.com, example.com], you could request four more certificates for [www.example.com, example.com] during the week. If you changed the set of names by adding [blog.example.com], you would be able to request additional certificates.

It therefore could be handy to have a overview of how many Set / Certificates requests of these are done in the one week. is this possible with this script?https://help.directadmin.com/item.php?id=645

 

[explosive]

I have problem with LE and Apache.

Latest LE, Apache 2.4.9 then 2.4.25.

- user make LE certificate, everything is ok
- but few second later Apache is down!!! every time.

[Mon Jan 09 10:25:09.037958 2017] [core:warn] [pid 213492:tid 139924540192704] AH00045: child process 213498 still did not exit, sending a SIGTERM
[Mon Jan 09 10:25:09.038000 2017] [core:warn] [pid 213492:tid 139924540192704] AH00045: child process 213611 still did not exit, sending a SIGTERM
[Mon Jan 09 10:25:11.039958 2017] [core:error] [pid 213492:tid 139924540192704] AH00046: child process 213498 still did not exit, sending a SIGKILL
[Mon Jan 09 10:25:11.040001 2017] [core:error] [pid 213492:tid 139924540192704] AH00046: child process 213611 still did not exit, sending a SIGKILL
[Mon Jan 09 10:25:12.041075 2017] [mpm_event:notice] [pid 213492:tid 139924540192704] AH00491: caught SIGTERM, shutting down
[Mon Jan 09 10:25:13.065964 2017] [fcgid:error] [pid 213496:tid 139924540192704] FastCGI process 213942 still did not exit, terminating forcefully
[Mon Jan 09 10:25:13.066001 2017] [fcgid:error] [pid 213496:tid 139924540192704] FastCGI process 215298 still did not exit, terminating forcefully

- I must manually start apache ;(

[Mon Jan 09 10:25:56.120728 2017] [:notice] [pid 215583:tid 139814993704896] mod_hostinglimits: use Min UID 500
[Mon Jan 09 10:25:56.120805 2017] [:notice] [pid 215583:tid 139814993704896] mod_hostinglimits: use filter for LVE exit
[Mon Jan 09 10:25:56.120810 2017] [:notice] [pid 215583:tid 139814993704896] mod_hostinglimits: version 1.0-27. LVE mechanism enabled
[Mon Jan 09 10:25:56.120815 2017] [:notice] [pid 215583:tid 139814993704896] mod_hostinglimits: found apr extention version 3
[Mon Jan 09 10:25:56.120822 2017] [:notice] [pid 215583:tid 139814993704896] mod_hostinglimits: apr_lve_environment_init_group_minuid check ok
[Mon Jan 09 10:25:57.136334 2017] [ssl:warn] [pid 215583:tid 139814993704896] AH01909: localhost:443:0 server certificate does NOT include an ID which matches the server name
[Mon Jan 09 10:25:57.137057 2017] [ssl:warn] [pid 215583:tid 139814993704896] AH01909: shared.domain:443:0 server certificate does NOT include an ID which matches the server name
[Mon Jan 09 10:25:57.141645 2017] [ssl:warn] [pid 215583:tid 139814993704896] AH02292: Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)
[Mon Jan 09 10:25:57.141665 2017] [suexec:notice] [pid 215583:tid 139814993704896] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Mon Jan 09 10:25:57.439200 2017] [:notice] [pid 215588:tid 139814993704896] mod_hostinglimits: use Min UID 500
[Mon Jan 09 10:25:57.439242 2017] [:notice] [pid 215588:tid 139814993704896] mod_hostinglimits: use filter for LVE exit
[Mon Jan 09 10:25:57.439252 2017] [:notice] [pid 215588:tid 139814993704896] mod_hostinglimits: version 1.0-27. LVE mechanism enabled
[Mon Jan 09 10:25:57.439257 2017] [:notice] [pid 215588:tid 139814993704896] mod_hostinglimits: found apr extention version 3
[Mon Jan 09 10:25:57.439263 2017] [:notice] [pid 215588:tid 139814993704896] mod_hostinglimits: apr_lve_environment_init_group_minuid check ok
[Mon Jan 09 10:25:57.439271 2017] [auth_digest:notice] [pid 215588:tid 139814993704896] AH01757: generating secret for digest authentication ...
[Mon Jan 09 10:25:58.136828 2017] [ssl:warn] [pid 215588:tid 139814993704896] AH01909: localhost:443:0 server certificate does NOT include an ID which matches the server name
[Mon Jan 09 10:25:58.137543 2017] [ssl:warn] [pid 215588:tid 139814993704896] AH01909: shared.domain:443:0 server certificate does NOT include an ID which matches the server name
[Mon Jan 09 10:25:58.142185 2017] [ssl:warn] [pid 215588:tid 139814993704896] AH02292: Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 436
6)
[Mon Jan 09 10:25:58.142214 2017] [lbmethod_heartbeat:notice] [pid 215588:tid 139814993704896] AH02282: No slotmem from mod_heartmonitor
[Mon Jan 09 10:25:58.147916 2017] [mpm_event:notice] [pid 215588:tid 139814993704896] AH00489: Apache/2.4.9 (Unix) OpenSSL/1.0.1e-fips mod_fcgid/2.3.7 configured -- resuming normal operations
[Mon Jan 09 10:25:58.147976 2017] [core:notice] [pid 215588:tid 139814993704896] AH00094: Command line: '/usr/sbin/httpd'

 

[orangelight]

We've also ran into trouble with LetsEncrypt and I'm not sure were this is coming from. I've update LetsEncrypt to 1.04 (and now no more updates are available).

I'm getting the following error message (domain.to.website is just for obfuscating purposes):

Getting challenge for coffeelovers.staging.51north.nl from acme-server...
Error: http://domain.to.website/.well-known/acme-challenge/letsencrypt_1483917011 is not reachable. Aborting the script.
dig output for domain.to.website:
37.34.52.85
Please make sure /.well-known alias is setup in WWW server.

Which seems to be correct because there is no letsencrypt_1483917011 in the acme-challenge folder. But it did create a new file here called: 1tpNZBtbRI879IxzauEZxJ6a2C0mK9DVIRG0axkMA5c.X0YeIaz31XIaB8RjmZCruCJ1k32V775Uhg32TdX_K30.

Anyone else having the same issue or someone who knows how to fix this? Thanks in advance!

 

[SeLLeRoNe]

The path is randomly generated during the request, you may want to ensure that the alias is correctly set in Apache:
cat /etc/httpd/conf/extra/httpd-alias.conf | grep "well-known"

It should return something like this:
Alias /.well-known /var/www/html/.well-known

If not, use /usr/local/directadmin/custombuild/build rewrite_configs

and check again.

Best regards

 

[ger64]

Still have the same problem

I did:

cd /usr/local/directadmin/custombuild
./build update
./build letsencrypt

Outcome:
Let's encrypt client 1.0.8 has been installed.

cd /usr/local/directadmin/scripts
./letsencrypt.sh request servxx.xxxx.xx 4096

STILL THE SAME

cd /usr/local/directadmin/scripts
[root@servxx scripts]# ./letsencrypt.sh request servxx.xxxx.xx 4096
Setting up certificate for a hostname: servxx.xxxx.xx
Getting challenge for servxx.xxxx.xx from acme-server...
User let's encrypt key has been found, but not registered. Registering...
Account registration error. Response: HTTP/1.1 100 Continue
Expires: Wed, 19 Apr 2017 19:39:54 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache

HTTP/1.1 400 Bad Request
Server: nginx
Content-Type: application/problem+json
Content-Length: 107
Boulder-Request-Id: XoNf3L8gYKrwXcu-2pFKXtIiNTu4jE5x2DpCXEePwsE
Replay-Nonce: ftJ6nlBY2mSqlUut0G_O0&ykj5QZpxtVyrXYysOpYMQ
Expires: Wed, 19 Apr 2017 19:39:55 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 19 Apr 2017 19:39:55 GMT
Connection: close

{
"type": "urn:acme:error:invalidEmail",
"detail": "Error creating new registration",
"status": 400
}.

Somebody knows a solution?

 

[gohost.kz]

Bug report

Lets Encrypt changed their subscriber agreement. Default is now incorrect:

Getting challenge for domainname.com from acme-server...
User let's encrypt key has been found, but not registered. Registering...
Account registration error. Response: HTTP/1.1 100 Continue
Expires: Wed, 15 Nov 2017 14:54:37 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache

"type": "urn:acme:error:malformed",
"detail": "Provided agreement URL [https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf] does not match current agreement URL [https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf]",
"status": 400
}.

I think it's just happened...

 

[vverloop]

To see the wrong license:
cat /usr/local/directadmin/scripts/letsencrypt.sh | grep "LICENSE="

Edit the following file, to manually add the new license:
nano /usr/local/directadmin/scripts/letsencrypt.sh

Replace line: LICENSE="https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf"

With: LICENSE="https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf"

PS. This is a workaround. Let's Encrypt Client contains a bug.

 

[DirectAdmin Support]

Fixed on files1. LetsEncrypt 1.0.17 released.