Solved Unable to request SSL for base domain

patrickkasie

Dear DirectAdmin forum,

We manage the DNS for all of the domain names, including their subdomains.
When requesting an SSL for the domains, the expected behavior is that we can request all but www.croatianwine.online.
The actual behavior is that only the following domains can receive an SSL certificate:
Code:
Subject: LetsEncrypt request successful
LetsEncrypt request successful for:
mail.croatianwine.online
mail.croatianwines.online
www.croatianwine.be
www.croatianwine.nl
Cannot find domain in the certificate.
However, subdomains have been found instead. Proceeding with them.
Today at 11:16
This was yesterday.
This is unexpected behavior as stated above, so I split the www.domains and domains from the mail.domains and pointed those to Server 2 (vps18.jk.nl), leaving mail.domains on Server 1 (vps04.jk.nl) and then changing the DNS accordingly.
However, even after these steps have been applied successfully and confirmed through ping commands from different, independent servers and my office computer, I still cannot request an SSL for all but the www.croatianwine.online and the mail.domains. Instead, vps18.jk.nl can only request the following ones:
Code:
Subject: LetsEncrypt request successful
LetsEncrypt request successful for:
www.croatianwine.be
www.croatianwine.nl
Cannot find domain in the certificate.
Not setting up Mail SNI.
Today at 11:48
This was also yesterday.
We fully manage the servers, we fully manage the DNS, we are not on a blacklist (Let's Debug), so I have no clue why either server can't request an SSL for their expected domains. I've reverted the changes back now to vps04.jk.nl, confirmed the IPv4 and IPv6 changed back successfully by pinging the www and non-www croatianwine.online, deleted any existing certificates, and requested an SSL certificate just now for the expected domains, which are all but the domain www.croatianwine.online, but it still doesn't work.

For more reference, I've gone to the LE forum and got referred here.
 
I'm wondering if they are even A records, look like CNAME records, also 2 different ipv6.
This name is shown as an alias if you do an nslookup on it.
 
OK. Domain croatianwine.online. resolves to:
  • 136.144.156.99

OK. Domain www.croatianwine.online. resolves to:
  • 104.16.8.49
  • 104.17.156.30

Is this on purpose ?
Yes, this is on purpose
I'm wondering if they are even A records, look like CNAME records, also 2 different ipv6.
This name is shown as an alias if you do an nslookup on it.
Even if they weren't A records, which they appear to be to me, that wouldn't explain why I can't get an SSL for croatianwine.be and .nl, but I can for www. And yes, www. are aliases to non-www, but the non-www are controlled directly by me and I have successfully switched servers on DNS level and accessed the respective domain names on vps18.jk.nl.
 

Where does the DNS of these domain names run? If this is via DA, you can temporarily reset the DNS records via DNS administration. Also deassign the IPv6 address of the domain names under the user account per domain name. Then delete the user's IPv6 address. Run: da build rewrite_confs. Then add the IPv6 address to the user and then to the domain names and try again to generate an SSL.
 
DA does not run the DNS, and so I do not understand why nothing works, even though the DNS can point to a different server if I have to.

Perhaps @smtalk can help here

I am also considering using a manually created certificate. I am not sure if this is going to break anything, but I need to do -something-
 

Temporarily reset the DNS records via DNS administration. Also deassign the IPv6 address of the domain names under the user account per domain name. Then delete the user's IPv6 address. Run: da build rewrite_confs. Then add the IPv6 address to the user and then to the domain names and try again to generate an SSL.
Then I would still try my suggested solution.
 
Dear DA forum,

It turns out that the "force www redirect" was the cause of the inability to request an SSL certificate, because the ACME challenge would then happen on the www.croatianwine.online domain, which is not managed on our server. Kudos to my colleague who actually found the solution.

Thank you all for thinking with me, I appreciate it.
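
Added example, not part of the thread and not DirectAdmin or Let's Encrypt code: a pre-flight check that follows the HTTP-01 challenge URL through redirects and reports any name whose validation request ends on a host this server does not answer for, which is the failure the post above describes. The function names, the token, the `served_here` set, the response table in `sample_fetch`, and the set of redirect statuses followed are assumptions made for the illustration.

```python
from urllib.parse import urlsplit, urljoin

MAX_REDIRECTS = 10                   # Let's Encrypt follows at most 10 redirects
REDIRECTS = (301, 302, 307, 308)     # assumption: statuses treated as redirects

def trace_challenge(host, token, fetch, served_here):
    """Follow the challenge URL as a validator would.

    fetch(url) -> (status, location_or_None) is injected, so the same logic
    runs against live servers or against a constructed response table.
    Returns (final_host, problem); problem is None when validation can work.
    """
    url = f"http://{host}/.well-known/acme-challenge/{token}"
    for _ in range(MAX_REDIRECTS + 1):
        status, location = fetch(url)
        current = urlsplit(url).hostname
        if status in REDIRECTS and location:
            url = urljoin(url, location)   # handles relative Location headers
            continue
        if current not in served_here:
            return current, f"{host}: challenge lands on {current}, not served here"
        if status != 200:
            return current, f"{host}: challenge returned HTTP {status}"
        return current, None
    return urlsplit(url).hostname, f"{host}: more than {MAX_REDIRECTS} redirects"

def preflight(names, token, fetch, served_here):
    """Return {name: problem} for every name that would fail validation."""
    failures = {}
    for name in names:
        _, problem = trace_challenge(name, token, fetch, served_here)
        if problem:
            failures[name] = problem
    return failures

def sample_fetch(url):
    """Constructed responses: force-www redirect on croatianwine.online,
    with www.croatianwine.online hosted by a third party."""
    parts = urlsplit(url)
    if parts.hostname == "croatianwine.online":
        return 301, f"http://www.croatianwine.online{parts.path}"
    if parts.hostname == "www.croatianwine.online":
        return 404, None             # the other host never received the token
    return 200, None

if __name__ == "__main__":
    served = {"croatianwine.online", "croatianwine.be", "www.croatianwine.be"}
    for problem in preflight(sorted(served), "constructed-token",
                             sample_fetch, served).values():
        print(problem)
```

To run it against real hosts, pass a `fetch` that issues the request without following redirects itself and returns the status and `Location` header.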
 