SSL cert creation problem

knoll

Verified User
Joined
Sep 26, 2005
Messages
136
Location
Belgium
Hey,
i have a problem with the re creation of the SSL certs

i reinstalled the whole server and used normal user backups to restore.
now i setuped the whole server normaly correct

i have 2 ips on the server (centos 7.7)
but since when does ifconfig only shows the main ip? i added the other ip on the panel

.120 is the main server ip nginx listens on that to
.121 is the mailserver ip correct setupped in domainips & helo_data

i don't have problems with mailing etc.
some dns examples
www. A .120
mail A .121
smtp A .121

nginx listens on .120 for the websites etc
and worked before on this method
but the error says:

Code:
Cannot Execute Your Request

Details

Error: http://mail.mydomain.be/.well-known/acme-challenge/letsencrypt_1578358666 is not reachable. Aborting the script.
dig output for mail.mydomain.be:
myip.121
Please make sure /.well-known alias is setup in WWW server.
directadmin.conf has all the SSL things needed normally i don't understand it anymore

Code:
[root@gsi3 acme-challenge]# ls -la
total 12
drwxr-xr-x 2 webapps webapps 4096 Jan  7 01:07 .
drwxr-xr-x 3 webapps webapps 4096 Jan  6 00:10 ..
-rw-r--r-- 1 webapps webapps    0 Jan  6 00:10 letsencrypt_1578265815
-rw-r--r-- 1 webapps webapps    0 Jan  7 00:10 letsencrypt_1578352221
-rw-r--r-- 1 webapps webapps    5 Jan  6 11:03 test.txt
[root@gsi3 acme-challenge]#
 

Richard G

Verified User
Joined
Jul 6, 2008
Messages
4,392
Location
Maastricht
Had some search with Knoll and pity my memory is a bit bad, maybe my age. :)

But I found the cause. The problem is something I already reported before, but it's either not fixed, or it's Letencrypt itself and then we have to watch out for what users can do here.

Problem was caused because mail was selected for ssl creation before www or domain.
And there is an order issue which is not fixed. If mail is ordered before www then Letsencrypt will try to use http://mail.domain.com instead of http://www.domain.com as should be. As can be seen above.

You will find out that this problem will not occur when only selecting www and domain and ftp, or when mail, smtp etc. is selected after www and so is also ordered after www or domain. Also the issue will not occur when using wildcard ssl.

Hopefully this can be fixed, because when users will start doing this and selecting the wrong order for some reason or another, there will be more people encountering this issue.
 

knoll

Verified User
Joined
Sep 26, 2005
Messages
136
Location
Belgium
Richard did a good job tracking down my problem is fixed hopefully this bug to, this problem has taken alot of my time ;) good its fixed tx
 

knoll

Verified User
Joined
Sep 26, 2005
Messages
136
Location
Belgium
Just use ip a for this. https://bugzilla.redhat.com/show_bug.cgi?id=921527

Regarding the issue - I'd suggest creating a support ticket with the access or real domain names if you're unable to find the root cause of the issue.
i don't understand since when is this changed ? normally we allready see it on ifconfig ?
i see on your url thats a post of 2013
your ip a thing works
but its strange ;)
 

Richard G

Verified User
Joined
Jul 6, 2008
Messages
4,392
Location
Maastricht
The ifconfig is a command from the net-utils pack which became obsolete in Centos 7. It's not a bug.

@smtalk for the fix of the issue, see my previous post. However, this looks like a DA bug. Because it happens when for example "mail" is selected before "www" and so letsencrypt will try to verify at the http://mail.domain.com instead of http://www.domain.com as I explained.

I encountered the same issue before some time ago about this order issue and mentioned it in one of my tickets if my memory is correct.
So the issue is not limited tohis system. It's a problem what occurs when creating an ssl certificate and the selection is not done in correct order (like when mail is ordered first).
 

knoll

Verified User
Joined
Sep 26, 2005
Messages
136
Location
Belgium
if investigation is needed you may always ask me for more info but @Richard G explained i think alot of people can have this issue if not all
i'm running on nginx webserver but richard had it on httpd ...
many thanks on advanse ;)
 

smtalk

Administrator
Staff member
Joined
Aug 22, 2006
Messages
8,774
Location
LT, EU
@smtalk for the fix of the issue, see my previous post. However, this looks like a DA bug. Because it happens when for example "mail" is selected before "www" and so letsencrypt will try to verify at the http://mail.domain.com instead of http://www.domain.com as I explained.
Let's encrypt needs to verify every domain in the certificate, so it goes through them all. I'm not sure why the order changes something there?
 

Richard G

Verified User
Joined
Jul 6, 2008
Messages
4,392
Location
Maastricht
I'm not sure why the order changes something there?
I've no idea, but the same happened to me some time ago. Same here, Letsencrypt try's http://mail.domain.com and this can not be reached so it throws the error and end of story.
I've fixed it in my case to request the certificate again but using another selection order.
And in this case I've seen the selection was wrong and I fixed it by choosing the wildcard option.

I will have a look if I might be able to find the ticket I mentioned this in, but I'm not sure I will succeed.

However if you think you might find another reason for causing the validation check on the wrong domain, I'm sure Knoll is happy to give you access to his server.
 
Top