Solved: Setup seems to be stuck on Trying to issue automatic TLS certificate

Hello, I unfortunately had to start from scratch on my server with a fresh install of AlmaLinux and DirectAdmin.
I made a minimal install and everything looked all right until it came to the point of issuing a new TLS certificate.
It says it might take some time, but I have the idea that it is completely stuck.
Some help would be nice to overcome this.
 
Hello,

Did you wait long enough? You might request a certificate in CLI and see what is going on there, like:

Bash:
/usr/local/directadmin/scripts/letsencrypt.sh request domain.com,*.domain.com
 
Like I said, it was on the initial setup after installing AlmaLinux and the first time installing DirectAdmin, so nothing was done at all. I had no backups so I had to start from scratch.
 
So what is your question then? If you don't have steps to reproduce the issue, what help do you need then?
 
Why is the setup stuck at issuing a new TLS certificate? Because if I don't set a server.domain.com it just installs with my ip.direct and api, but then the main TLS gets an x509 not trusted, and when applying for the proper one after setting the proper servername it won't update the main TLS certificate since it uses the older DirectAdmin credentials.
 
Why is the setup stuck at issuing a new TLS certificate.

No will to play a guessing game. The script used for requesting certificates might work slower when requesting multiple wildcard certificates at the same time. But I have never seen it stuck. So if you want to find out the reason you will need to replicate the issue on your own.
 
it won't update the main TLS certificate since it uses the older directadmin credentials
If this is what you mean by "it got stuck" then it's an old issue which once in a while still happens.
It's mentioned in my manual here (click).
Then check "older DA systems" in the middle, the solution of @zEitEr there. If that works and it's not stuck anymore, then we know what's going on. Normally on a new OS this almost does not occur anymore.

Best is to set the correct hostname before installation so it will fetch the correct SSL certificate the first time.
 
This is what I mean when I installed the AlmaLinux minimal installation and then try to install a fresh DirectAdmin with the setup.sh.
See screenshot, this is where I get stuck; it doesn't do anything, not even for an hour.
 

Okay, didn't see that happening before. But this says directadmin already exists, but I presume you only did that to show us.
Did you try to remove those files before restarting setup as stated in the manual?
 
I formatted the complete server from the ground up, so including all the hard drives on my server and a complete fresh install of everything.
I left the eth0 on localhost as domain name and installed AlmaLinux, the latest version 9.6, with the minimal install and then went to install DirectAdmin with the setup.sh.
I have nothing left from my previous server so I have to start from scratch, but no matter what I do it always gets stuck with that SAN Certificates.
Even when I managed to install DirectAdmin, it then skips the SAN Certificate, and even with your instruction guide it gets stuck on that SAN Certificate.


[root@server scripts]# ./letsencrypt.sh request_single server.duraweb.eu 4096
Setting up certificate for a hostname: server.duraweb.eu
localhost was skipped due to unreachable http://localhost/.well-known/acme-challenge/letsencrypt_05c21ea29acddacd1d1c19e4b35b0385 file.
2025/08/06 17:29:35 [INFO] [server-195-240-80-244.da.direct] acme: Obtaining SAN certificate
2025/08/06 17:29:35 Could not obtain certificates:
acme: error: 400 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:acme:error:malformed :: Unable to validate JWS :: JWS verification error


Failed to issue new certificate

So I am clueless now.
 
I formatted the complete server from the ground up,
That is odd because in the screenshot it clearly says directadmin already exists.

Did you wait long enough after installation? Because the DirectAdmin installation itself is fast and then you can reach DA, but you have to wait before doing things until all background tasks are finished; there will be a message about that in the message system.

Seems a configuration error to me. It's logical that Letsencrypt can not reach your server via "localhost".
Check your /etc/hosts file and see if for any reason it's pointing localhost to your server, like:
127.0.0.1 server.duraweb.eu
and/or
server.duraweb.eu (or your server's ip) 127.0.0.1

If yes, remove that, 127.0.0.1 should only point to:
127.0.0.1 localhost.localdomain localhost
and nothing else.

1.) Install Almalinux 9.6
2.) Do a yum update and update everything
3.) Install the hostname (use my manual)
4.) Install directadmin via the setup.sh
5.) Wait until all installation is finished, so background tasks are also all finished.

And all should be fine, provided you didn't mess up the /etc/hosts file. Also double-check that the /etc/hostname file does contain the full hostname and not just server.
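
The two checks described in the post above (no hostname aliased to a loopback address in /etc/hosts, and a full hostname in /etc/hostname), written out as a script. This is an added example, not part of the original post and not DirectAdmin's own code; the function names are hypothetical and the sample input in `demo` is constructed from lines quoted in the thread.

```bash
#!/usr/bin/env bash
# Pre-flight check to run before setup.sh: the hostname must be an FQDN and
# must not be aliased to a loopback address in the hosts file.

# Return 0 if $1 is a dotted name made of letters, digits and hyphens.
is_fqdn() {
    case "$1" in
        ""|.*|*.|*..*|*[!A-Za-z0-9.-]*) return 1 ;;
        *.*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print each name that hosts file $1 maps to 127.0.0.0/8 or ::1, except the
# standard localhost aliases.
loopback_aliases() {
    awk '
        { sub(/#.*/, "") }   # strip comments
        $1 ~ /^127\./ || $1 == "::1" {
            for (i = 2; i <= NF; i++)
                if ($i !~ /^localhost[46]?(\.localdomain[46]?)?$/) print $i
        }' "$1"
}

# Check hosts file $1 and hostname file $2; print findings, return 1 if any.
preflight() {
    pf_rc=0
    pf_name=$(head -n 1 "$2" | tr -d '[:space:]')
    if ! is_fqdn "$pf_name"; then
        echo "hostname '$pf_name' is not a full hostname (FQDN)"; pf_rc=1
    fi
    for pf_alias in $(loopback_aliases "$1"); do
        echo "'$pf_alias' points at a loopback address in $1"; pf_rc=1
    done
    return "$pf_rc"
}

# Constructed sample input: the bad mapping and short hostname from the thread.
demo() {
    d=$(mktemp -d)
    printf '127.0.0.1 localhost.localdomain localhost\n127.0.0.1 server.duraweb.eu\n' > "$d/hosts"
    printf 'server\n' > "$d/hostname"
    preflight "$d/hosts" "$d/hostname" && demo_rc=0 || demo_rc=$?
    rm -rf "$d"
    return "$demo_rc"
}

# With two arguments check real files, e.g. /etc/hosts /etc/hostname.
if [ "$#" -eq 2 ]; then preflight "$1" "$2"; else demo; fi ||
    echo "fix the findings above before running setup.sh"
```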
 
I know, but it also does the same on a fresh install as well; this was just to show where I am getting against.
And waiting for more than an hour should not be, now would it?

I am doing a clean install now of AlmaLinux 10 and exactly the same happens, again stuck at automatic TLS certificate.
 
this was just to show where I am getting against.
So how about the /etc/hosts file I was talking about on a fresh install? Because the system is searching for localhost and that is not something which is common on a fresh install.

Be aware that CSF firewall is not working on AlmaLinux 10 and probably something else isn't either. So you might want to choose Alma 9 in this case.
If you don't succeed, there are a couple of options like these:
1.) If you have a modern license (Lite or Standard) then you can have DA installed for free by DA.
2.) I can also have a quick free look for you after DA installation via SSH if you trust me enough, on Almalinux 9. Only a quick look if I can find something.
3.) You can hire somebody for a fee, like for example @zEitEr to check or do DA installation for you.
 
Sorry to butt in here, this is how I see the problem...

If you've wiped the system, in bash enter the following:

Code:
export [email protected]
export DA_HOSTNAME=hostname.domain.com
export DA_NS1=ns1.nameserver.domain.com
export DA_NS2=ns2.nameserver.domain.com
export DA_SKIP_AUTO_TLS_CERT=yes

bash <(curl -fsSL https://download.directadmin.com/setup.sh) 'yourlicencekey'

Last one should turn off trying to autoinstall the TLS cert. You should then be able to login to the panel and activate it again in admin SSL.

Also, acme is trying to issue a cert for the server. The servername [hostname] should be a FQDN with an A record in your DNS and resolvable.
Once you've done that, you should be able to get a TLS cert no problem.
 
this is in the /etc/hosts file now
# Loopback entries; do not change.
# For historical reasons, localhost precedes localhost.localdomain:
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
# See hosts(5) for proper format and other examples:
# 192.168.1.10 foo.example.org foo
# 192.168.1.13 bar.example.org bar
192.168.2.8 server.duraweb.eu server
 
Looking at your setup, your IP resolves to a servername, so you should be able to login to your panel and get a TLS cert issued.
 
this is in the /etc/hosts file now
That looks good.
If the /etc/hostname also has the full FQDN hostname, then setup of DA should not be an issue.
Install DA, then wait until you get the message that all background tasks are finished and then have a look.

If that again hangs during installation, then there is an odd problem.

so you should be able to login to your panel and get a TLS cert issued.
That most likely won't change anything if the certificate already hangs during installation.
Unless he uses the commands you provided, but in fact that should not be necessary on a fresh installation. Worth a try tho.
 
That looks good.
If the /etc/hostname also has the full FQDN hostname, then setup of DA should not be an issue.
Install DA, then wait until you get the message that all background tasks are finished and then have a look.

If that again hangs during installation, then there is an odd problem.
I did look at that and comment, but thought after it wasn't that bad. I have quite a few DA installs that I use for DNS servers, as the DNS on DA is amazing, I find. In my /etc/hosts file, the FQDN at the bottom has the public IP of my server, not a local IP.

If he's using a home setup and has a DMZ or port forward config, that IP should be fine. Also wondering if he has all the ports open? Haven't looked myself, but I'd guess he needs ports 53 and 953 open for the DNS. He's using Cloudflare's NS so I'm not sure how their DNS ties up with his server. Only mentioning this as, if he's using CF for DNS, he might not have ports open on his server?
 
The only reason the script /usr/local/directadmin/scripts/letsencrypt.sh can freeze is a missing binary or command or a file. So the only way to check it is to run the script in CLI:

Bash:
bash -x /usr/local/directadmin/scripts/letsencrypt.sh request domain.com
 