Weird TLS issue

wattie (Verified User, joined May 31, 2008, 1,235 messages, Bulgaria)
The server hostname is srv2.<server domain>.

I have a wildcard certificate added for <server domain>. I have not added srv2.<server domain> as a separate hosting.

Opening https://srv2.<server domain> shows an expired certificate notice and I see the old LetsEncrypt cert there. Opening https://<whatever different from srv2>.<server domain> works fine...
 
I think there is no functional solution in DirectAdmin yet to have this kind of constellation.

For hostname functions such as the DA port (2222), mail server, SSH and FTP, they are not connected to the domain parts themselves of the wildcard SSL part.

It is separated, as it is also advised not to have the domain itself as hostname (you have done that right).

I would also like to know.

As I always did with the old DA manual command line: Let's Encrypt for the hostname, and then also for the domain name itself.
Also DKIM for the mail host name server..
So it is no wildcard, and if using DKIM, CAA later for the domain itself it is .... ;(

Also hard to find all manuals and howtos in one place to do this the right way.
 
Even weirder, today everything is suddenly fine :)

I guess it was some kind of cache or something...
 
It was maybe the autossl, replacing stuff or setting up new ones. Not sure.

There was a new version of LE yesterday as well.
 
The LE logic for updating the DA SSL cert had a bug.
One of my hosts had an expired cert last week and I had to fix that. LE had blocked me from asking for a new cert, as the server had been requesting a renewal every day and then _not_ using it after successfully getting a new cert.
More details here:

This was apparently fixed in an update to the script, I got it working using the workaround from the link above.
 
Yes, but that issue relates to doing something you should not do: use your host name as a subdomain. A host name is not a subdomain, it's the name of the host node.
 
I don't do that, but still had the issue. The only reason I linked that post is that it had a workaround.
There are more posts about this.
 
It got even weirder!!!

Going to https://srv2.<serverhostname>:2222 shows valid TLS certificate. It uses the wildcard certificate.

Going to https://srv2.<serverhostname>/ (so default port 443) shows the TLS warning that the certificate is expired.

I tried renewing it as shown in the help:

Code:
/usr/local/directadmin/scripts/letsencrypt.sh request_single srv2.<serverhostname> 4096

but it failed with:

Code:
2021/07/23 11:29:33 [INFO] [srv2.<serverhostname>] acme: Obtaining SAN certificate
2021/07/23 11:29:33 Could not obtain certificates:
        acme: error: 429 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:acme:error:rateLimited :: Error creating new order :: too many certificates (5) already issued for this exact set of domains in the last 168 hours: srv2.<serverhostname>: see https://letsencrypt.org/docs/rate-limits/
Certificate generation failed.

Of course <serverhostname> is the actual server hostname.
 
Yup, there are some docs or info about that on DirectAdmin.

The hostname port 2222 cert is not the same as on port 443.

Don't know now where to find it.

Problems also if using the domain as hostname, so hostname as the domain itself with cert, or when used so no problem, pff I am confused about those too.

On one box, and which procedure did you use for the LE / help file / docs? I don't use wildcard but the multi, this one:
 
2021/07/23 11:29:33 Could not obtain certificates:
acme: error: 429 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:acme:error:rateLimited :: Error creating new order :: too many certificates (5) already issued for this exact set of domains in the last 168 hours: srv2.<serverhostname>: see https://letsencrypt.org/docs/rate-limits/
Certificate generation failed.

Could be a problem with automatic retries; there is a topic or bug about it in DA somewhere.

You can handle this, I think, with the multi and put an extra domain name in it, create a fake subdomain or so. ;)
The link is here, but both ways, single or multiple, the manual is old!?!?

 
Yep.. if you look at https://crt.sh then you are most likely going to see that your server was happily asking for new certs (and got them too) but never applied them to your host.
I'm now wondering if this problem is going to be back in about 90 days :D
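A defender-side pre-flight check for the 429 quoted earlier in the thread, added here as an example (not code from the thread, from DirectAdmin or from Let's Encrypt): it counts what crt.sh already lists as issued for one exact name set over the trailing 168 hours and tells you when another order would be accepted, which is how to spot the "renewed daily but never installed" pattern before the limit bites. It assumes crt.sh's JSON output fields (name_value, not_before, serial_number); the records and the example.com names below are constructed.

```python
from datetime import datetime, timedelta, timezone

# Let's Encrypt refuses a 6th certificate for the exact same set of names within
# a trailing 168-hour window; that is the 429 quoted in the thread.
LIMIT, WINDOW = 5, timedelta(hours=168)
# Timestamp of the failed request in the thread, used as "now" for the sample.
NOW = datetime(2021, 7, 23, 11, 29, 33, tzinfo=timezone.utc)

def san_set(entry):
    """Exact name set of one crt.sh record; the limit is keyed on this set."""
    return frozenset(n.strip().lower() for n in entry["name_value"].split("\n") if n.strip())

def issuances_in_window(entries, names, now):
    """Issuance times for `names` inside the window, one per certificate.
    crt.sh lists the precertificate and the final certificate as separate
    records sharing a serial number, so dedupe on the serial."""
    names, seen, times = frozenset(n.lower() for n in names), set(), []
    for e in entries:
        if san_set(e) != names or e["serial_number"] in seen:
            continue
        seen.add(e["serial_number"])
        issued = datetime.fromisoformat(e["not_before"]).replace(tzinfo=timezone.utc)
        if now - WINDOW < issued <= now:
            times.append(issued)
    return sorted(times)

def rate_limit_status(entries, names, now=None):
    """Would one more order for `names` be refused, and when does a slot free up?"""
    now = now or datetime.now(timezone.utc)
    times = issuances_in_window(entries, names, now)
    blocked = len(times) >= LIMIT
    # The oldest issuance in the window ages out first; that is when a slot opens.
    return {"issued": len(times), "blocked": blocked,
            "next_allowed": times[0] + WINDOW if blocked else now}

# Constructed records in crt.sh's JSON shape (example.com stands in for the real
# host): five daily srv2 renewals that were never installed, one of them listed
# twice (precert + cert, same serial), plus the unrelated wildcard certificate.
SAMPLE = [{"serial_number": f"0{i}", "name_value": "srv2.example.com",
           "not_before": f"2021-07-{17 + i}T03:00:00"} for i in range(1, 6)]
SAMPLE += [{"serial_number": "03", "name_value": "srv2.example.com",
            "not_before": "2021-07-20T03:00:00"},
           {"serial_number": "99", "name_value": "*.example.com\nexample.com",
            "not_before": "2021-07-21T09:00:00"}]

def check_sample():
    """Status for srv2 at the moment the request in the thread failed:
    5 issued, blocked, next slot 2021-07-25 03:00 UTC."""
    return rate_limit_status(SAMPLE, {"srv2.example.com"}, NOW)
```

For a live check, replace SAMPLE with the parsed result of `https://crt.sh/?q=<hostname>&output=json`; the wildcard set is counted separately from the bare hostname, which is why the 2222 certificate in the thread was unaffected.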
 