Solved: Setup seems to be stuck on Trying to issue automatic TLS certificate

the FQDN at the bottom has the public IP of my server, not a local IP.
Correct. I presumed he just used a local ip to mask the external ip. But indeed I could have concluded wrongly and he's using a LAN setup or something.

Are you using a LAN @grandm1961 or just used the internal ip in the /etc/hosts file to mask your real internet ip?
 
I bought a dell poweredge last year and use it for test builds of allsorts. I know when I setup a vm with DA on it, the /etc/hosts file will have something like:

(screenshot of the /etc/hosts entry attached)

But the IP address 10.0.99.2 is made static in my router, I'll make sure my public IP is set as the A record on 3 DNS servers, and I'll set the DMZ up so all incoming traffic just comes to this server when I'm testing. My point here is it looks like a locally hosted machine for OP, so I suspect ports being an issue, not being opened and forwarded correctly? I did an nmap on his IP earlier and ports were closed. That's my thoughts anyway.

I use Ubuntu 24.04 Pro, not Alma or Rocky.
 
I saw that mistake and changed it to the public IP, but nevertheless the problem remains. I did as @zEitEr mentioned and I got some SSL certificates, but still no luck for the server_cert.

Yes, my server is local and I have the same ports open as I had before when it was fully functional and working.
And before I never had any problems at all; I have been doing this for a couple of years now. Yet this problem is new to me, and I don't know what it could be, either a bug or something in the fresh AlmaLinux download of 9.6. I have tried version 10 but that is too buggy and it can't even get the CustomBuild right.
 
I use Ubuntu and rarely get any issues, although this community is amazing when I do get trouble I can't sort.
I'm not sure if it will work, but you could always try getting a TLS cert by forcing it the old way via CLI. Haven't tested this, but I know it did work a while back.

Code:
cd /usr/local/directadmin/scripts
./letsencrypt.sh request_single `hostname` 4096
 
I tried that one, and I installed certbot just a minute ago, and I saw when trying to ask for only server.duraweb.eu that it won't let me after the first try because it throws the error:

too many certificates (5) already issued for this exact set of identifiers

So for today I quit and will try it again tomorrow, and hopefully it will be working again. Some people rely on me for their website, including me for my emails.
 
too many certificates (5) already issued for this exact set of identifiers
That is correct, but you already have a lot of certificates for the hostname present with Let's Encrypt; they just are not visible on the server yet.

So there are Let's Encrypt SSL certificates created over the past days. But it looks like DA is still using the self-signed certificate.

How did you create the hostname exactly in DA?

Might have something to do with you using Cloudflare. I thought Cloudflare would take care of certificates if you use Cloudflare.

by forcing it the old way via CLI?
That is still working, but this is the new command:
Code:
cd /usr/local/directadmin/scripts
./letsencrypt.sh server_cert
or just
/usr/local/directadmin/scripts/letsencrypt.sh server_cert
makes it a bit easier.

If you try again tomorrow, be sure to remove the files I mentioned first so you are sure LE will put new ones in there.
 
I will reinstall everything again from scratch, so a free AlmaLinux or Rocky Linux or whatever, and see if that makes a difference. I have a feeling that the minimal AlmaLinux wasn't completely correctly installed and I want to rule that out also.
I never had problems with Cloudflare and I use it only for dns handling, not using the API at all. That's above my pay check, and what I don't get is that it worked in the past with the first AlmaLinux, with some hurdles to take. I will get it up and running again, even if it takes me weeks to figure this one out.
 
I use Ubuntu Pro. It's totally free and doesn't give me any issues at all. Maybe give that flavour of Linux a go? Ubuntu 24.04 LTS, or you could use Debian. Same as Ubuntu, but Ubuntu is easier.
 
Well, I now get this error from requesting a SAN certificate:
Could not obtain certificates:
acme: error: 400 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:acme:error:badNonce :: Unable to validate JWS :: JWS has an invalid anti-replay nonce: "baVJhnvwnfWDdW8bVsG8vqmzelQCLAmKZwTiL0K93d8mzobUcjA"
info finished task duration=15m49.446939154s task=action=ssl&force=true&value=server_acme
exit status 1
Failed to issue new certificate
 
See:

curl: (7) Failed connect to server.duraweb.eu:80; Connection refused
curl: (7) Failed connect to 195.240.80.244:80; Connection refused
At least I had an idea of my own: I stopped the https.service in DirectAdmin, and I got the SAN certificate.
I can now at least reach DirectAdmin on that port, which needs to be changed in a more private manner.
I will also test whether that's the case if I leave the httpd.service running, but for now I have a trusted SAN certificate for 3 months.
 
Even more:

Bash:
[root@server ~]# time curl -i server.duraweb.eu
curl: (7) Failed connect to server.duraweb.eu:80; Connection refused

real    2m7.195s
user    0m0.005s
sys     0m0.011s
[root@server ~]# time curl -i 195.240.80.244
curl: (7) Failed connect to 195.240.80.244:80; Connection refused

real    0m0.013s
user    0m0.002s
sys     0m0.006s
[root@server ~]# time curl -i server.duraweb.eu
curl: (7) Failed connect to server.duraweb.eu:80; Connection refused

real    2m7.265s
user    0m0.008s
sys     0m0.008s
[root@server ~]#

Connections to the IP are dropped instantly; connections to the hostname die after a timeout.

Seems to be related to IPv6, which is not on board yet, or misconfigured:

Bash:
server.duraweb.eu has address 195.240.80.244
server.duraweb.eu has IPv6 address 2a02:a44d:4a7c:0:2ef0:5dff:fece:b926

You need to make sure IPv6 is added in DirectAdmin and linked to IPv4.
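To make the diagnosis above repeatable, here is an added example (my own code, not from the thread or from DirectAdmin) that resolves a hostname to all of its A and AAAA addresses and connects to each one separately with a short timeout. The pattern from the post, IPv4 answering (even with a refusal) while IPv6 silently times out, comes out as the verdict "ipv6-blackhole". The loopback listener is a constructed stand-in so the script also runs offline.

```python
"""Dual-stack reachability probe: added example, not code from the thread.

The symptom above (curl to the IP is refused at once, curl to the hostname
hangs about two minutes first) is what you see when a name has both an A
and an AAAA record but nothing answers on the IPv6 address. Probing each
resolved address on its own makes the broken family visible.
"""
import socket
import sys


def classify_connect(address, port, timeout=3.0):
    """Return 'open', 'refused', 'timeout' or 'unreachable' for one address.

    The family is taken from the literal: anything with a colon is IPv6.
    """
    family = socket.AF_INET6 if ":" in address else socket.AF_INET
    sock = socket.socket(family, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((address, port))
        return "open"
    except ConnectionRefusedError:
        return "refused"          # something answered with RST: port closed
    except socket.timeout:
        return "timeout"          # no answer at all: black hole or silent drop
    except OSError:
        return "unreachable"      # e.g. no IPv6 route from this machine
    finally:
        sock.close()


def probe_host(hostname, port=80, timeout=3.0):
    """Resolve every A/AAAA address for hostname and probe each one.

    Returns {(family_name, address): result}.
    """
    results = {}
    for family, _type, _proto, _canon, sockaddr in socket.getaddrinfo(
            hostname, port, type=socket.SOCK_STREAM):
        name = "IPv6" if family == socket.AF_INET6 else "IPv4"
        results[(name, sockaddr[0])] = classify_connect(sockaddr[0], port, timeout)
    return results


def diagnose(results):
    """Collapse per-address results into one verdict.

    'ipv6-blackhole' is the thread's case: the AAAA record is published but
    IPv6 times out while IPv4 answers (even if only with a refusal).
    """
    v4 = [r for (fam, _addr), r in results.items() if fam == "IPv4"]
    v6 = [r for (fam, _addr), r in results.items() if fam == "IPv6"]
    if v6 and all(r == "timeout" for r in v6) and v4 and any(r != "timeout" for r in v4):
        return "ipv6-blackhole"
    if any(r == "open" for r in v4 + v6):
        return "open"
    if v4 + v6 and all(r == "refused" for r in v4 + v6):
        return "closed"
    return "filtered"


def start_loopback_listener():
    """Constructed stand-in for a web server on 127.0.0.1, port chosen by the OS."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # real run: python3 probe.py <hostname>
        res = probe_host(sys.argv[1])
    else:
        # offline demo against the constructed loopback listener
        srv = start_loopback_listener()
        res = {("IPv4", "127.0.0.1"): classify_connect("127.0.0.1", srv.getsockname()[1])}
        srv.close()
    for (fam, addr), r in res.items():
        print(f"{fam:4} {addr:40} {r}")
    print("verdict:", diagnose(res))
```

Run it with the hostname as the only argument from a machine outside the LAN; a verdict of "ipv6-blackhole" means either the server has to listen on the AAAA address or that record should be withdrawn until it does, because ACME validation and ordinary clients both prefer IPv6 when it is published.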
 
As @zEitEr pointed out, you now have HTTP(S) ports closed.

(screenshot of the port scan attached)

TLS requires ports 80/443 open for an HTTP(S) challenge when issuing a certificate, and requires port 53 open (DNS) for a DNS challenge. It can only do a DNS challenge if you are running the BIND9/named service on your server for DNS. Doubt it will work with Cloudflare automatically, as the DNS challenge briefly inserts a TXT record to verify you have control of the DNS. Probably works better with a manual CLI TLS install, as it will give you a DNS record to create at Cloudflare.

A HTTP(S) challenge requires ports 80 and/or 443 open as it will place a txt file in (usually) /var/www/html/.well-known/

As you don't have ports 80/443 open, there is a simple workaround. You'll either need 2 SSH terminals running, or SSH and access to your control panel domain:2222 to issue a certificate.

Make sure you have /var/www/html folder
Code:
mkdir /var/www/html

then run a python simple server.

Code:
cd /var/www/html
python3 -m http.server 80    #HTTP
or use
Code:
cd /var/www/html
python3 -m http.server 443  # plain HTTP on port 443 (http.server does not do TLS)

These should open one of the ports, as they're running a simple server, but only for the duration of the Python script running.

To exit (when finished): <CTRL> + C

Then on the other SSH session manually request the certificate, or request it with the Admin Panel. If you do it via CLI, you'll see on the Python terminal what acme/certbot is doing, and it can give you a clue as to what might be wrong.

If you get errors running the Python script above, check you haven't got Apache, nginx, or OpenLiteSpeed/LiteSpeed running.
Code:
systemctl stop httpd
systemctl stop nginx
etc...

Make sure you start them again after you've installed cert and killed python server.

Code:
systemctl restart httpd
systemctl restart nginx


Hope this helps
 
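As an added example (my own code, not from the post above or from DirectAdmin), here is a narrower stand-in for the `python3 -m http.server` trick: it answers only `/.well-known/acme-challenge/<token>` from one directory and returns 404 for everything else, so the rest of the webroot is not listed or served while the stop-gap is up, and it refuses to start if something (httpd, nginx) still holds the port, which is the check the post describes. The default challenge directory, the port argument and the demo token are assumptions.

```python
"""Minimal HTTP-01 challenge responder: added example, not code from the thread.

Replacement for `python3 -m http.server 80` during a one-off certificate
request. Only /.well-known/acme-challenge/<token> is served; everything
else is a 404. Paths, the port and the demo token below are assumptions.
"""
import http.server
import os
import re
import socket
import sys
import tempfile

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]{1,128}$")   # ACME tokens are base64url


def route(path, challenge_dir):
    """Map a request path to (status, body). Only well-formed tokens are served."""
    if not path.startswith(CHALLENGE_PREFIX):
        return 404, b"not found\n"
    token = path[len(CHALLENGE_PREFIX):]
    if not TOKEN_RE.match(token):              # rejects '', '../x', '?query', etc.
        return 404, b"not found\n"
    target = os.path.join(challenge_dir, token)
    if not os.path.isfile(target):
        return 404, b"not found\n"
    with open(target, "rb") as fh:
        return 200, fh.read()


def port_in_use(port, host="0.0.0.0"):
    """True if something (httpd, nginx, ...) already listens on the port."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        try:
            s.bind((host, port))
            return False
        except OSError:
            return True


class ChallengeHandler(http.server.BaseHTTPRequestHandler):
    # assumed location; the ACME client writes the token file here
    challenge_dir = "/var/www/html/.well-known/acme-challenge"

    def do_GET(self):
        # every hit is logged to the terminal by BaseHTTPRequestHandler, which
        # is where you watch the CA's validation requests (and stray scanners)
        status, body = route(self.path, self.challenge_dir)
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


def make_demo_challenge_dir():
    """Constructed fixture: a temp dir holding one challenge file. Returns (dir, token, body)."""
    token = "demo-token_0123456789"             # constructed, not a real ACME token
    body = (token + ".constructed-account-thumbprint").encode()
    d = tempfile.mkdtemp(prefix="acme-demo-")
    with open(os.path.join(d, token), "wb") as fh:
        fh.write(body)
    return d, token, body


def serve(port=80, challenge_dir=ChallengeHandler.challenge_dir):
    """Serve the challenge directory until Ctrl-C; refuse if the port is taken."""
    if port_in_use(port):
        raise SystemExit(f"port {port} is already bound; stop httpd/nginx first")
    ChallengeHandler.challenge_dir = challenge_dir
    with http.server.HTTPServer(("", port), ChallengeHandler) as srv:
        print(f"serving {challenge_dir} on :{port}, Ctrl-C to stop")
        srv.serve_forever()


if __name__ == "__main__":
    serve(int(sys.argv[1]) if len(sys.argv) > 1 else 80)
```

The CA's HTTP-01 validation request always arrives on port 80, so that is the port to run this on; run it as root only for the minutes the request takes, then stop it and restart httpd as the post says. The directory it serves is the one the ACME client writes its token file into, so point `challenge_dir` there if your client uses a different webroot.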
it should be httpd.service on a DirectAdmin server, not apache2.service
Cheers @zEitEr, good catch. Apologies, I've been up over 24 hours and am really tired. Just thought I'd share this method as it worked for me on a server a few months ago.
 
mkdir /var/www/html
It's better not to just make directories yourself. These are things that DA should take care of during installation.
Also, if created manually, they should be chowned to the correct owner and group.

cd /usr/var/www/
??? We don't have a /usr/var/www directory. Maybe better get some sleep/rest. Being 24 hours awake is not good for your health.
 
(screenshot attached)

I was busy with that on the background, and still I am.
Had to do some alterations on the router and turn on IPv6 and the ports accordingly.
 
Cheers Richard, I've edited original post to reflect my errors should anyone happen upon this thread in the future. No idea where the usr bit came from, probably thinking of the DA files location 🙈😁

Also, I put the create directory step there in case it didn't exist, just for the Python server to run while getting a certificate. Yes, you could potentially run into problems if the /var/www/html folder wasn't chowned to the correct user, but on all my DA installs the /var/www/html folder is chowned to root:root, and that would've been DA when I installed the system. Can always delete it afterwards if created by OP to use.

As OP would be logging in as root (I'm assuming), the folder would be chowned to root:root and therefore should work for the purposes of getting a cert here.

And thanks, I will grab some sleep in a min. Had a project that took hours but glad it's finished!
 
Well, setting up is now going well, except I now get for the ./well-known/security.txt that all the domains are:
non-ok status: 404 Not Found

So I searched the forums and it should be in the /usr/local/directadmin/data/templates/default folder, but there is only the index.html and nothing else.
And I had a fresh install, so where is the 404.shtml then???

Found it in the control panel of DirectAdmin under Advanced Functions.
But after altering it, it placed it in the main domain, and after restarting https and DirectAdmin the same error is in security.txt.
 