Problem with SSL get from LetsEncrypt

adriangrzybek (Verified User; joined Mar 23, 2021; 28 messages)
When I try to use the function in the DirectAdmin panel, user view "SSL Certificates" and "Free & automatic certificate from Let's Encrypt", I get an error and can't get a certificate:


Could not execute your request

Details
2024/02/19 12:22:29 [INFO] [normoklinic.com, www.normoklinic.com] acme: Obtaining SAN certificate
2024/02/19 12:22:30 [INFO] [normoklinic.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/316060668437
2024/02/19 12:22:30 [INFO] [www.normoklinic.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/317021105447
2024/02/19 12:22:30 [INFO] [normoklinic.com] acme: authorization already valid; skipping challenge
2024/02/19 12:22:30 [INFO] [www.normoklinic.com] acme: Could not find solver for: tls-alpn-01
2024/02/19 12:22:30 [INFO] [www.normoklinic.com] acme: use http-01 solver
2024/02/19 12:22:30 [INFO] [www.normoklinic.com] acme: Trying to solve HTTP-01
2024/02/19 12:23:18 [INFO] Skipping deactivating of valid auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/316060668437
2024/02/19 12:23:18 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/317021105447
2024/02/19 12:23:18 Could not obtain certificates:
error: one or more domains had a problem:
[www.normoklinic.com] acme: error: 400 :: urn:ietf:params:acme:error:dns :: DNS problem: server failure at resolver looking up A for www.normoklinic.com; DNS problem: server failure at resolver looking up AAAA for www.normoklinic.com
Failed to issue new certificate
 
Yes, it looks OK right now because I migrated the website to another server, but on the old server I got a message in the DirectAdmin system messages:

The file:
/usr/local/directadmin/.........../domains/normoklinic.com.cacert

belonging to account normoklini, domain normoklinic.com, is either empty or missing,
but it's set to be used in that domain's config.
This is an incorrect state, so please re-add or unset file, and notify DirectAdmin support if it re-occurs.


What should I do to fix this on my old server? Is there a solution for this case?
 
What should I do to fix this on my old server? Is there a solution for this case?
You could try to remove that file and then request a new certificate. However, this would only be accepted by Let's Encrypt if the DNS is pointing correctly.

However, if you have now migrated it to another server, is it fully migrated? Website and everything?
If yes, you could delete the account from the old server. Then use admin backup/transfer to transfer the domain back to the old server; then it should have the correct certs, because now it's working.
Of course you have to change the nameservers of the domain so it's working on the old server again.

Keep the domain on the other server a little longer so you're sure it's OK, and afterwards you can delete it again on the current server where it's working correctly.
 
The point is, what is causing this problem with SSL? Maybe I don't need to migrate accounts but just delete some files with the wrong SSL and get a new certificate, and the problem will be fixed quickly?
I've got the same case with another domain:


Could not execute your request

Details
2024/03/16 15:07:38 [INFO] [bonowicz.com, www.bonowicz.com] acme: Obtaining SAN certificate
2024/03/16 15:07:39 [INFO] [bonowicz.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/326991713437
2024/03/16 15:07:39 [INFO] [www.bonowicz.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/326993539357
2024/03/16 15:07:39 [INFO] [bonowicz.com] acme: authorization already valid; skipping challenge
2024/03/16 15:07:39 [INFO] [www.bonowicz.com] acme: Could not find solver for: tls-alpn-01
2024/03/16 15:07:39 [INFO] [www.bonowicz.com] acme: use http-01 solver
2024/03/16 15:07:39 [INFO] [www.bonowicz.com] acme: Trying to solve HTTP-01
2024/03/16 15:08:27 [INFO] Skipping deactivating of valid auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/326991713437
2024/03/16 15:08:27 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/326993539357
2024/03/16 15:08:28 Could not obtain certificates:
error: one or more domains had a problem:
[www.bonowicz.com] acme: error: 400 :: urn:ietf:params:acme:error:dns :: DNS problem: server failure at resolver looking up A for www.bonowicz.com; DNS problem: server failure at resolver looking up AAAA for www.bonowicz.com
Failed to issue new certificate
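Both error reports above are the lego client's output as DirectAdmin prints it. The following is an added example (not DirectAdmin's or lego's code) that parses that output, records per name whether the authorization was cached, which challenge was attempted and which ACME error type came back, and turns the error type into the thing to check first. The sample log is a constructed excerpt that keeps the domain names from the posts; the hint table and the "cached authorization" warning are this example's own additions.

```python
"""Parse a failed DirectAdmin/lego Let's Encrypt run and classify the failure.

Added example, not DirectAdmin's or lego's code. SAMPLE_LOG is a constructed
excerpt in the format shown in the thread (domain names kept from the posts).
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

SAMPLE_LOG = """\
2024/03/16 15:07:38 [INFO] [bonowicz.com, www.bonowicz.com] acme: Obtaining SAN certificate
2024/03/16 15:07:39 [INFO] [bonowicz.com] acme: authorization already valid; skipping challenge
2024/03/16 15:07:39 [INFO] [www.bonowicz.com] acme: Could not find solver for: tls-alpn-01
2024/03/16 15:07:39 [INFO] [www.bonowicz.com] acme: use http-01 solver
2024/03/16 15:07:39 [INFO] [www.bonowicz.com] acme: Trying to solve HTTP-01
2024/03/16 15:08:28 Could not obtain certificates:
error: one or more domains had a problem:
[www.bonowicz.com] acme: error: 400 :: urn:ietf:params:acme:error:dns :: DNS problem: server failure at resolver looking up A for www.bonowicz.com; DNS problem: server failure at resolver looking up AAAA for www.bonowicz.com
"""

SAN_RE = re.compile(r"\[INFO\] \[([^\]]+)\] acme: Obtaining SAN certificate")
VALID_RE = re.compile(r"\[INFO\] \[([^\]]+)\] acme: authorization already valid")
SOLVER_RE = re.compile(r"\[INFO\] \[([^\]]+)\] acme: use (\S+) solver")
ERROR_RE = re.compile(
    r"^\[([^\]]+)\] acme: error: (\d+) :: (urn:ietf:params:acme:error:\w+) :: (.*)$"
)

# ACME error types (RFC 8555 section 6.7) mapped to what to check first.
HINTS = {
    "urn:ietf:params:acme:error:dns":
        "the CA's resolver could not look up the name; fix NS delegation, glue and "
        "zone contents before retrying (the web server was never contacted)",
    "urn:ietf:params:acme:error:connection":
        "the CA could not connect to the host; check that port 80 reaches this server",
    "urn:ietf:params:acme:error:unauthorized":
        "the challenge response was wrong; the name points elsewhere or the token was not served",
    "urn:ietf:params:acme:error:caa":
        "a CAA record forbids this CA; adjust the CAA policy",
    "urn:ietf:params:acme:error:rateLimited":
        "too many requests; wait before retrying",
}


@dataclass
class DomainStatus:
    name: str
    already_valid: bool = False      # authorization still cached at the CA
    solver: Optional[str] = None     # challenge type lego chose (http-01, ...)
    http_status: Optional[int] = None
    error_type: Optional[str] = None
    error_detail: Optional[str] = None


def parse_acme_log(text: str) -> Dict[str, DomainStatus]:
    """Build one DomainStatus per SAN from a lego log."""
    statuses: Dict[str, DomainStatus] = {}

    def entry(name: str) -> DomainStatus:
        return statuses.setdefault(name, DomainStatus(name))

    for line in text.splitlines():
        m = SAN_RE.search(line)
        if m:
            for name in m.group(1).split(","):
                entry(name.strip())
            continue
        m = VALID_RE.search(line)
        if m:
            entry(m.group(1)).already_valid = True
            continue
        m = SOLVER_RE.search(line)
        if m:
            entry(m.group(1)).solver = m.group(2)
            continue
        m = ERROR_RE.match(line)   # error lines carry no timestamp prefix
        if m:
            st = entry(m.group(1))
            st.http_status = int(m.group(2))
            st.error_type = m.group(3)
            st.error_detail = m.group(4)
    return statuses


def diagnose(statuses: Dict[str, DomainStatus]) -> List[str]:
    """One finding per failed name, then a warning for names that only passed
    because of a cached authorization (they fail the same way at renewal)."""
    findings: List[str] = []
    failed = [s for s in statuses.values() if s.error_type]
    for st in failed:
        short = st.error_type.rsplit(":", 1)[-1]
        hint = HINTS.get(st.error_type, "unrecognised ACME error type; read the detail text")
        findings.append(f"{st.name}: {short} -> {hint}")
    if failed:
        for st in statuses.values():
            if st.already_valid and st.error_type is None:
                findings.append(f"{st.name}: passed only because an earlier authorization "
                                "is still valid; expect the same failure at renewal")
    return findings


if __name__ == "__main__":
    for line in diagnose(parse_acme_log(SAMPLE_LOG)):
        print(line)
```

Run against the thread's output, the only failed name is the `www` label, the error type is `dns`, and the apex passed only because its authorization was still cached, which is why the problem is in the zone's delegation rather than in the web server or the certificate files on disk.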
 
DNS problem: server failure at resolver looking up A for www.bonowicz.com
LE gives this as the reason for refusing the certificate. It cannot find A or AAAA records for your www. An nslookup does not respond.
It seems intodns can find some IP on a Hetzner server.

From my servers everything is working fine. But from my home ISP it's not resolving.
Also when testing with MXToolbox, no valid nameservers are found.

It seems you changed the nameserver IPs for ns1 and ns2.interaktywa.com and they are not synchronized yet.
Or something is not in the correct order there yet. It looks like the nameservers are not set up correctly or not synchronized.
 
The clue in this case is that other domains on the same server are working fine; just this one user account has this issue. So my ns are working fine. In that case what should I do (what files should I delete and recreate to renew the certificate, or what ns settings on this one account?)
 
Status: Problem | HTTP Connect | The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. (http://bonowicz.com)


There are issues with the setup of your DNS


Status: Problem | DNS | No Valid NameServers Responded | Not able to get a response from name servers within timeframe

I see NS1.INTERAKTYWA.COM and NS2.INTERAKTYWA.COM as your nameservers.

But the nameservers for INTERAKTYWA.com are
NS1.AFTERMARKET.PL
NS2.AFTERMARKET.PL


I don't see A records on your domain INTERAKTYWA.COM for your ns1 and ns2
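The reply above describes a delegation chain a resolver cannot complete: bonowicz.com points at ns1/ns2.interaktywa.com, but interaktywa.com is served by ns1/ns2.aftermarket.pl, and those publish no A records for the ns1/ns2.interaktywa.com hostnames. The following added example (not DirectAdmin's or the posters' code) walks that chain over a constructed in-memory snapshot of the records, the way an iterative resolver would, and reports why the lookup ends in a server failure rather than "no such record". The IP addresses are RFC 5737 documentation addresses, not the real ones, and `with_glue` is this example's own model of the fix.

```python
"""Walk a DNS delegation chain offline to explain a resolver SERVFAIL.

Added example, not DirectAdmin's or the forum posters' code. BROKEN is a
constructed snapshot of what the replies describe, not live DNS data.
"""
from copy import deepcopy
from typing import Dict, List, Optional, Tuple

# Constructed snapshot; 203.0.113.0/24 is a documentation range.
BROKEN: Dict[str, Dict[str, List[str]]] = {
    "bonowicz.com.":       {"NS": ["ns1.interaktywa.com.", "ns2.interaktywa.com."]},
    "www.bonowicz.com.":   {"A": ["203.0.113.20"]},
    "interaktywa.com.":    {"NS": ["ns1.aftermarket.pl.", "ns2.aftermarket.pl."]},
    "aftermarket.pl.":     {"NS": ["ns1.aftermarket.pl.", "ns2.aftermarket.pl."]},
    "ns1.aftermarket.pl.": {"A": ["203.0.113.10"]},
    "ns2.aftermarket.pl.": {"A": ["203.0.113.11"]},
    # ns1.interaktywa.com. and ns2.interaktywa.com. deliberately have no records,
    # matching "I don't see A records ... for your ns1 and ns2" in the thread.
}


def enclosing_zone(name: str, records: Dict) -> Optional[str]:
    """Closest ancestor (or the name itself) that carries NS records."""
    labels = name.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if "NS" in records.get(candidate, {}):
            return candidate
    return None


def has_address(name: str, records: Dict) -> bool:
    rr = records.get(name, {})
    return bool(rr.get("A") or rr.get("AAAA"))


def check_resolution(name: str, records: Dict, chain: Tuple[str, ...] = ()) -> List[str]:
    """Return the problems that stop a resolver from getting an address for name.

    An empty list means the name resolves. A nameserver hostname without an
    address record must itself be resolved through its own zone first; that
    recursion is what turns a missing A record into a SERVFAIL one level up.
    """
    if name in chain:
        return [f"{name}: delegation loop ({' -> '.join(chain + (name,))})"]
    zone = enclosing_zone(name, records)
    if zone is None:
        return [f"{name}: no delegation found for any enclosing zone"]
    problems: List[str] = []
    reachable = 0
    for ns in records[zone]["NS"]:
        if has_address(ns, records):
            reachable += 1
        else:
            # Explain why this nameserver hostname cannot be turned into an address.
            problems.extend(check_resolution(ns, records, chain + (name,)))
    if reachable == 0:
        problems.append(f"{name}: no nameserver of zone {zone} is reachable -> SERVFAIL")
        return problems
    if not has_address(name, records):
        problems.append(f"{name}: zone {zone} is reachable but holds no A/AAAA for this name")
    return problems


def with_glue(records: Dict) -> Dict:
    """Constructed fix: publish A records for the interaktywa.com nameserver hosts
    (in the interaktywa.com zone at its real servers, and as glue at the registrar)."""
    fixed = deepcopy(records)
    fixed["ns1.interaktywa.com."] = {"A": ["203.0.113.30"]}
    fixed["ns2.interaktywa.com."] = {"A": ["203.0.113.31"]}
    return fixed


if __name__ == "__main__":
    for label, snapshot in (("broken", BROKEN), ("with glue", with_glue(BROKEN))):
        print(f"== {label} ==")
        print("\n".join(check_resolution("www.bonowicz.com.", snapshot)) or "resolves")
```

On the broken snapshot the walk reaches the aftermarket.pl servers fine, finds no address there for either interaktywa.com nameserver, and therefore has nobody to ask about bonowicz.com at all; that is the "server failure at resolver" Let's Encrypt reported, and no change to certificate files on the DirectAdmin server can affect it. With the nameserver addresses published, the same walk completes.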
 
So my ns are working fine.
No, it's not; as you can see, @ericosman also agrees with me. Somewhere there are issues. Propagation is not what it should be.
I don't know about the other domains; maybe they keep working fine or maybe they will get issues when they need to renew.

If you want to delete files, do that at your own risk.
Check the /usr/local/directadmin/data/users/username/domains directory and maybe delete the cacert and cert files from there. But in that case there will not be SSL anyway, so you have to create them anew.
Again... use at your own risk; I can't guarantee that this is the correct way to work, and I doubt that it will fix your issue.
 