Server SSL won't auto renew

peps03 (Verified User, joined Oct 24, 2013, 192 messages, Amsterdam)
Hi, I tried this to renew the otherwise auto-renewing license: https://help.directadmin.com/item.php?id=629

Response:
Setting up certificate for a hostname: vpsXX.XXXXXXXX.nl
Challenge pre-checks for http://vpsXX.XXXXXXXX.nl/.well-known/acme-challenge/letsencrypt_1610053095 failed... Command:
/usr/local/bin/curl --connect-timeout 40 -k --silent --resolve vpsXX.XXXXXXXX.nl:80:2606:4700:20::681a:4ea --resolve vpsXX.XXXXXXXX.nl:443:2606:4700:20::681a:4ea -I -L -X GET http://vpsXX.XXXXXXXX.nl/.well-known/acme-challenge/letsencrypt_1610053095
Exiting.

Followed these debugging steps: https://help.directadmin.com/item.php?id=646
Step 3: Echos : test
Step 4: Returns 200 OK

As the test file works, I assume the Let's Encrypt HTTP-01 challenge (https://letsencrypt.org/docs/challenge-types/) should work as well? But it doesn't.

So I'm not sure what is going on. The only thing I can think of is that all incoming ports are blocked except for the Cloudflare IPs (and some others). Thus I tested turning off the CSF firewall, and got the same error. So that is also not it.

Any ideas?
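Why the pre-check above fails even with the firewall off becomes visible once the addresses the hostname resolves to are classified: the curl command is pinned (via --resolve) to the addresses returned by DNS, so if those are a CDN edge the challenge file on the VPS is never requested. The following is an added example, not code from the thread, DirectAdmin or CSF. The Cloudflare ranges are a hand-copied subset of the list Cloudflare publishes at https://www.cloudflare.com/ips/ (fetch the live list before relying on it), and the hostname, origin address and resolved addresses in demo() are constructed.

```python
"""
Added example (not from the thread, DirectAdmin or CSF): classify the addresses
a hostname currently resolves to, to see whether an ACME HTTP-01 probe, or
DirectAdmin's curl pre-check that pins the hostname to those addresses with
--resolve, would land on the origin server or on a Cloudflare edge node.

Assumptions: CLOUDFLARE_RANGES is a hand-copied subset of Cloudflare's published
list (https://www.cloudflare.com/ips/); the data in demo() is constructed.
"""
import ipaddress
import socket
from typing import Dict, Iterable, List, Set

CLOUDFLARE_RANGES = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
    "2400:cb00::/32", "2606:4700::/32", "2803:f800::/32", "2405:b500::/32",
    "2405:8100::/32", "2a06:98c0::/29", "2c0f:f248::/32",
)]


def is_cloudflare(addr: str) -> bool:
    """True if addr falls inside one of the known Cloudflare edge ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in CLOUDFLARE_RANGES)


def classify(resolved: Iterable[str], origin_addrs: Set[str]) -> Dict[str, str]:
    """Map each resolved address to where an HTTP-01 request to it would end up."""
    result = {}
    for addr in resolved:
        if addr in origin_addrs:
            result[addr] = "origin"
        elif is_cloudflare(addr):
            result[addr] = "cloudflare-proxy"
        else:
            result[addr] = "other"
    return result


def http01_will_reach_origin(resolved: Iterable[str], origin_addrs: Set[str]) -> bool:
    """HTTP-01 is only reliable when every published A/AAAA record is the origin:
    the CA may pick any of them, and a proxied address never serves the
    .well-known/acme-challenge file that was written into the origin's docroot."""
    kinds = classify(resolved, origin_addrs)
    return bool(kinds) and all(k == "origin" for k in kinds.values())


def resolve(hostname: str) -> List[str]:
    """Live DNS lookup (needs network); demo() uses constructed data instead."""
    return sorted({info[4][0] for info in socket.getaddrinfo(hostname, None)})


def report(hostname: str, resolved: Iterable[str], origin_addrs: Set[str]) -> List[str]:
    """One verdict line per resolved address, plus a summary line at the end."""
    lines = []
    for addr, kind in classify(resolved, origin_addrs).items():
        if kind == "cloudflare-proxy":
            lines.append(f"{hostname} -> {addr}: Cloudflare edge; the challenge "
                         f"file on this server is never fetched from here")
        elif kind == "origin":
            lines.append(f"{hostname} -> {addr}: this server (HTTP-01 can work "
                         f"if port 80 is reachable from the CA)")
        else:
            lines.append(f"{hostname} -> {addr}: neither this server nor Cloudflare")
    ok = http01_will_reach_origin(resolved, origin_addrs)
    lines.append("HTTP-01 viable" if ok else
                 "HTTP-01 not viable: unproxy the hostname or switch to DNS-01")
    return lines


def demo() -> List[str]:
    # Constructed data: a proxied hostname whose AAAA record is a Cloudflare edge
    # address (same /32 as the one in the pre-check output above) and whose
    # origin is 203.0.113.10 (documentation range, not a real server).
    origin = {"203.0.113.10"}
    return report("vps01.example.nl", ["2606:4700:20::681a:4ea", "104.18.22.1"], origin)


if __name__ == "__main__":
    print("\n".join(demo()))
```

Run it against `resolve("your.hostname")` and the IP DirectAdmin is bound to; if any address comes back as `cloudflare-proxy`, the HTTP-01 pre-check will fail regardless of what the firewall allows, because the request never reaches the VPS.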
 
No ideas on this? Multiple VPSes now have this issue of expired server SSL certificates. Any help / guidance would be much appreciated.

 
Hi, could you perhaps DM me the hostname/IP you censored? It's hard to know what might be wrong with the info you provided.
 
Done, I think. Is it a conversation?
Yeah, they call it that these days; it had some titles before, in this order:
pm = personal message
dm = direct message (mostly used on social media)
conversation = conversation.

In fact... it's all the same.
 
Hi peps03, it's almost certainly to do with the fact that querying your hostname isn't returning your Directadmin IP address, but the IP address of the Cloudflare service in front of it. It should be possible to use Let's Encrypt and Cloudflare simultaneously, but it's not that straightforward, see for example: https://community.cloudflare.com/t/lets-encrypt-and-cloudflare-how-to-set/66442/8

If you're trying to generate a certificate for the hostname on port 2222, a workaround (which isn't perfect) would be to change your DNS settings to your Directadmin server, create the certificate, switch back to Cloudflare, and do the same thing let's say every 85 days, to renew the certificate: https://forum.directadmin.com/threads/lets-encrypt-wildcard-cloudflare.56585/
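The reason the DNS-switching workaround is needed for HTTP-01, and why a DNS-based challenge avoids it, is clearest when both challenge responses are derived from the same ACME account key: HTTP-01 requires the CA to fetch a file from whatever the hostname resolves to (behind Cloudflare, the proxy), while DNS-01 only requires a TXT record in the zone, which a DNS-provider client such as lego's Cloudflare provider writes through the API without the hostname ever pointing at the origin. The following is an added example, not code from the thread, DirectAdmin or lego; it implements the RFC 8555 key authorization and the RFC 7638 JWK thumbprint, and the JWK, token and domain in demo() are constructed placeholders, not real key material or a real challenge.

```python
"""
Added example (not from the thread, DirectAdmin or lego): derive the HTTP-01 and
DNS-01 challenge responses for one ACME account key, following RFC 8555 §8.1
(key authorization) and RFC 7638 (JWK thumbprint).

The JWK, token and domain used in demo() are constructed placeholders.
"""
import base64
import hashlib
import json
from typing import Dict, Tuple

# RFC 7638 §3.2: the public members that go into the thumbprint, per key type.
_THUMBPRINT_MEMBERS = {
    "RSA": ("e", "kty", "n"),
    "EC": ("crv", "kty", "x", "y"),
    "OKP": ("crv", "kty", "x"),
}


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: Dict[str, str]) -> str:
    """RFC 7638: SHA-256 over the required public members only, keys in
    lexicographic order, no whitespace. Extras such as kid/use are ignored."""
    members = _THUMBPRINT_MEMBERS[jwk["kty"]]
    canonical = json.dumps({m: jwk[m] for m in members},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: Dict[str, str]) -> str:
    """RFC 8555 §8.1: token || '.' || base64url(JWK thumbprint)."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def http01_response(token: str, jwk: Dict[str, str]) -> Tuple[str, str]:
    """Path and body the CA expects on port 80 of every address the name resolves to."""
    return f"/.well-known/acme-challenge/{token}", key_authorization(token, jwk)


def dns01_record(domain: str, token: str, jwk: Dict[str, str]) -> Tuple[str, str]:
    """TXT record name and value for DNS-01: base64url(SHA-256(key authorization))."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return f"_acme-challenge.{domain}", b64url(digest)


def demo() -> Dict[str, Tuple[str, str]]:
    # Constructed placeholder JWK: shaped like a P-256 public key, but the
    # coordinates are filler, so nothing here can act as a real account key.
    jwk = {"kty": "EC", "crv": "P-256", "x": "x" * 43, "y": "y" * 43,
           "kid": "https://acme.example/acct/1"}  # kid is not part of the thumbprint
    token = "tokenFromTheCA_constructed"  # the CA supplies this in the challenge object
    domain = "vps01.example.nl"           # constructed hostname
    return {"http01": http01_response(token, jwk),
            "dns01": dns01_record(domain, token, jwk)}


if __name__ == "__main__":
    out = demo()
    print("HTTP-01: serve", out["http01"][1], "at", out["http01"][0])
    print("DNS-01 : publish TXT", out["dns01"][0], "=", out["dns01"][1])
```

Only the DNS-01 value depends on nothing that the origin has to answer over HTTP, which is why a DNS-01 client can keep the hostname orange-clouded while still passing validation; the account key it uses is the one lego stores for the account, not anything on the page.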
 
Can't you just use Lego? Maybe not if you are not using Cloudflare DNS.
Oh, seems like you can, wasn't aware. Sorry for the misinformation peps03, it should work following these instructions:

 
> Hi peps03, it's almost certainly to do with the fact that querying your hostname isn't returning your Directadmin IP address, but the IP address of the Cloudflare service in front of it.
Thanks for your mention, it was this indeed. Fixed now by disabling Cloudflare and opening the firewall.


> Can't you just use Lego? Maybe not if you are not using Cloudflare DNS.

Thanks! Looking into this, seems convenient!
 
> Can't you just use Lego? Maybe not if you are not using Cloudflare DNS.
Finally had the chance to look into this.

I managed to get the CERTs generated and they are on the VPS.

Question: normally I'd generate a new CERT following https://help.directadmin.com/item.php?id=629:
/usr/local/directadmin/scripts/letsencrypt.sh request_single vpsXX.xxxxxxxxxx.nl 4096
And they would automatically be installed in multiple places like: apache, dovecot, exim, ftp, and DirectAdmin.

Now it is the other way around. I have the CERT but need them installed in these places. How do I do that? Can I tell the letsencrypt.sh script to use the CERTs from the LEGO request somehow?

Thanks!
 
> Question: normally I'd generate a new CERT following https://help.directadmin.com/item.php?id=629:
> /usr/local/directadmin/scripts/letsencrypt.sh request_single vpsXX.xxxxxxxxxx.nl 4096
> And they would automatically be installed in multiple places like: apache, dovecot, exim, ftp, and DirectAdmin.
This is to install LE certs for your hostname and services. This is not for domains; that's done in the user's SSL area.
> I have the CERT but need them installed in these places.
Do you mean a purchased cert? A non Let's Encrypt one?

The LEGO setup is so you can map your DNS provider (cloudflare in your case) so DA looks there to confirm the existence of the records and the domains. So it can validate and create the certs.


I don't use Cloudflare or this feature, so I'm not totally sure it will work for you.
 
> This is to instal LE certs for your hostname and services. This is not for Domains thats done in the users SSL area.

Yep, I know, that is what I want to do.

> Do you mean a purchased cert? A non Lets encrypt one?

Nope, a Let's Encrypt one, via LEGO, as the server is behind Cloudflare.

> So it can validate and create the certs.

Yeah, that is done. I have the LE certs in a folder now. But now my question is, how do I tell DA to use these new CERTs for the hostname and services?

So how do i tell /usr/local/directadmin/scripts/letsencrypt.sh to not fetch a new CERT but use the just generated one by LEGO?
 
Ah I install the CERT using https://github.com/poralix/directadmin-utils/tree/master/ssl ?

When running that, I get:

[INFO] Validating CERT /home/admin/.lego/certificates/vpsXX.xxxxxxxxx.nl.crt
[OK] The cert md5 hash: e30fbb5ba0cecaad7a2d0cb836584c05
[INFO] Validating CERT /home/admin/.lego/certificates/vpsXX.xxxxxxxxx.nl.key
[ERROR] File /home/admin/.lego/certificates/vpsXX.xxxxxxxxx.nl.key is not a valid KEY
 
Any ideas on why I get this error:

[ERROR] File /home/admin/.lego/certificates/vpsXX.xxxxxxxxx.nl.key is not a valid KEY ?
 
It is fixed. The poralix script has been updated by Alex, very helpful of him! Thanks!

It now supports LEGO and also updates the pureftpd cert.
 
Yep, Poralix/Zeiter is very helpful and has very nice scripts. If something is wrong and he knows about it, he will fix it fast.
 