SSL Help Needed - Certificate Generation Fails

BillyS

Verified User
Joined
Jul 17, 2021
Messages
453
I use naked domains (of the form domain.com), I have never been able to successfully generate new certificates. I have to open a ticket every time. I think something is fundamentally wrong with my configuration, unless the auto renewal or manual renewal feature is completely broken. No matter what I try to do, DA has a mind of its own.

I do not run DNS, so I never request wildcard certificates. Yet, when a certificate renewal fails, DA continues to request wildcards on my behalf. When I manually request LetsEncrypt certificates, it fails to issue one for the naked domain, instead only for subdomains (some of which I don't even use). How should this be configured? I really don't care if I have to request certificates myself each time they are up for renewal.

Bill
 
Yet, when a certificate renewal fails, DA continues to request wildcards on my behalf.
That might be caused by the autossl feature which is in effect some time already.
Normally it should not be that big an issue if you use the LEGO function (if I'm not mistaken).

You can disable the autossl feature like this:
Code:
/usr/local/directadmin/directadmin set admin_ssl_check_retries 0
service directadmin restart
This way, DA won't try to request wildcards for you anymore automatically.

As for your other question, I don't know. I would have a look at the docs and doublecheck every small step mentioned for installing Letsencrypt.

Maybe it was wrongly configured in the first place.
You could try disabling the auto renew for your domain. Then request new certificates and select only the ones you need. But take care that the autossl function is disabled first, just to be sure. Maybe it's a bug but hard to say without seeing any logs or whatever.
 
I'll gladly read up on how SSL is supposed to function if the documentation is up to date. If anyone could point me in the right direction, I'll gladly go through those steps myself or at least the sections that someone might suggest I run through.

Admittedly, when I do look at documentation, the notes are thin, for example

letsencrypt_list=www:mail:ftp:pop:smtp

Ability to select which DNS records to include in Let's Encrypt certificate.

I don't use the DNS functionality of Let'sEncrypt and I need a certificate for a naked domain. I have no idea how to configure this config.
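One thing that helps when a renewal keeps producing the "wrong" certificate (wildcards you never asked for, or a certificate that skips the naked domain) is to compare the names the issued certificate actually contains with the names you meant to request. The script below is an added example, not code from the thread or from DirectAdmin: it parses the Subject Alternative Name block from the text output of `openssl x509 -noout -text`, builds the expected name list from a domain and a `letsencrypt_list` value, and reports what is missing, what is extra, and whether any wildcard slipped in. It assumes (this is not stated in the docs quoted above) that each entry in `letsencrypt_list` corresponds to `<entry>.<domain>` and that the naked domain itself is always wanted; the sample openssl text is constructed.

```python
"""Audit the DNS names in a certificate against the names a DirectAdmin
domain was expected to request.

Assumption (not from the thread): each entry in ``letsencrypt_list`` maps
to ``<entry>.<domain>``, and the naked ``<domain>`` is always expected.
"""
import re

# Constructed sample of the SAN block as printed by `openssl x509 -noout -text`.
# Note that it covers www and mail, contains a wildcard, and lacks the naked domain.
SAMPLE_OPENSSL_TEXT = """\
        X509v3 Subject Alternative Name:
            DNS:www.example.com, DNS:mail.example.com,
            DNS:*.example.com
        X509v3 Subject Key Identifier:
            AA:BB:CC
"""

SAN_HEADER = "X509v3 Subject Alternative Name:"


def parse_san_names(openssl_text):
    """Return the DNS names in the SAN extension of `openssl x509 -text` output.

    openssl wraps long SAN lists over several indented lines, so every line
    after the header that still carries a ``DNS:`` entry is consumed.
    """
    lines = openssl_text.splitlines()
    names = []
    for i, line in enumerate(lines):
        if line.strip() != SAN_HEADER:
            continue
        for follow in lines[i + 1:]:
            if "DNS:" not in follow:
                break
            names.extend(m.lower() for m in re.findall(r"DNS:([^,\s]+)", follow))
        break
    return names


def expected_names(domain, letsencrypt_list):
    """Naked domain plus one host name per entry of a letsencrypt_list value."""
    domain = domain.lower().rstrip(".")
    names = [domain]
    for entry in letsencrypt_list.split(":"):
        entry = entry.strip().lower()
        if entry:
            names.append(f"{entry}.{domain}")
    return names


def audit_certificate(domain, letsencrypt_list, openssl_text):
    """Compare issued SANs with the expected set and flag wildcards."""
    actual = set(parse_san_names(openssl_text))
    wanted = set(expected_names(domain, letsencrypt_list))
    return {
        "missing": sorted(wanted - actual),
        "unexpected": sorted(actual - wanted),
        "wildcards": sorted(n for n in actual if n.startswith("*.")),
        "naked_covered": domain.lower().rstrip(".") in actual,
    }


if __name__ == "__main__":
    # With the constructed sample this reports the naked domain as missing
    # and the wildcard as unexpected.
    report = audit_certificate("example.com", "www:mail", SAMPLE_OPENSSL_TEXT)
    for key, value in report.items():
        print(f"{key}: {value}")
```

To run it against a real certificate, pipe the output of `openssl x509 -in <your cert file> -noout -text` into `audit_certificate` together with your domain and the `letsencrypt_list` value from your configuration; a non-empty `wildcards` list or `naked_covered` being false is the concrete evidence worth attaching to a support ticket.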
 
If anyone could point me in the right direction,
I always use Google for that like "letsencrypt directadmin" and first result:
these docs are up to date and not thin imho.

I don't use the DNS functionality of Let'sEncrypt and I need a certificate for a naked domain. I have no idea how to configure this config.
You can't use SSL without DNS records. That's why there is the LEGO option, so external DNS can be used.
There was in the past an option that DNS was not needed, but that was deprecated by LE if I'm not mistaken.

However, feel free to try another SSL method if that works better/easier for you:

What exactly do you mean by a naked domain?
 
You can't use SSL without DNS records.
Yeah, you're right - I should have said I don't run local DNS and my DNS provider doesn't support wildcards issued through LEGO / Lets Encrypt.

What exactly do you mean by a naked domain?
A non-www domain (domain.com instead of www.domain.com).

I did open up a ticket with DirectAdmin too. Two techs looked at the problem so far and one of them was able to solve the issue with one domain, but a second domain is still not working and it's being referred to another tech to see if they can figure out what's happening.
 
A non-www domain (domain.com instead of www.domain.com).
Ah okay, that is not a big difference, I would use both in an SSL script anyway, because users often type in the www. And it's easy to redirect to non-www.

to another tech to see if they can figure out what's happening.
Ah great. Let me know the outcome. I could imagine it being a bug in the autossl option. However this is disabled now if you used the commands I gave you. However, still very curious about the cause of this.
So please let us know if they figured it out, ask them what the cause was. Thanks!
 
So please let us know if they figured it out, ask them what the cause was. Thanks!
I do think that if DA would take the time to explain more about what happened, they might avoid the same issue in the future. On several occasions (all with SSL) I've asked about the correct procedure and didn't get a response, instead they fix the problem. This was the outcome of the latest problem
This time the issues were caused by OpenLiteSpeed configuration, and John fixed it with "/usr/local/directadmin/custombuild/build rewrite_confs" yesterday.
The thing is, I have not done anything with the OpenLiteSpeed configuration since the original install. Just gone through I believe one upgrade via custom build when it was offered maybe a month ago now. Unfortunately, I still have no idea how we are supposed to request new certificates because each approach I have tried in the past has resulted in failed attempts, incorrect certificates, and therefore the site effectively goes offline since browsers won't let visitors in.
 
This is indeed a very odd issue if indeed nothing was changed. An update via custombuild should not cause that kind of issues.
But thank you for sharing what they did.

If you keep having this issue, then maybe it still might be a good idea to give the ZeroSSL I mentioned before a tryout, see if that gives better results.

At least if you run into similar issues you can try the rewrite_confs for starters, but as said normally an update should not cause these issues.
 