My domain is:
friendr.nl
I ran this command:
/usr/local/directadmin/scripts/letsencrypt.sh renew friendr.nl 4096
It produced this output:
2020/07/28 13:49:27 [INFO] [friendr.nl, www.friendr.nl] acme: Obtaining SAN certificate
2020/07/28 13:49:29 [INFO] [friendr.nl] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/6163947194
2020/07/28 13:49:29 [INFO] [www.friendr.nl] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/6163947200
2020/07/28 13:49:29 [INFO] [friendr.nl] acme: Could not find solver for: tls-alpn-01
2020/07/28 13:49:29 [INFO] [friendr.nl] acme: use http-01 solver
2020/07/28 13:49:29 [INFO] [www.friendr.nl] acme: Could not find solver for: tls-alpn-01
2020/07/28 13:49:29 [INFO] [www.friendr.nl] acme: use http-01 solver
2020/07/28 13:49:29 [INFO] [friendr.nl] acme: Trying to solve HTTP-01
2020/07/28 13:49:34 [INFO] [www.friendr.nl] acme: Trying to solve HTTP-01
2020/07/28 13:49:41 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/6163947194
2020/07/28 13:49:41 [INFO] Unable to deactivate the authorization: https://acme-v02.api.letsencrypt.org/acme/authz-v3/6163947194
2020/07/28 13:49:41 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/6163947200
2020/07/28 13:49:41 [INFO] Unable to deactivate the authorization: https://acme-v02.api.letsencrypt.org/acme/authz-v3/6163947200
2020/07/28 13:49:41 Could not obtain certificates:
error: one or more domains had a problem:
[friendr.nl] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: Invalid response from http://friendr.nl/.well-known/acme-challenge/WgPEy9Rk9MBYz2juXsgT3pTZNlcev2YRqAzMoq0g2Kk [84.22.106.78]: "\n\n404 Not Found\n\nNot Found \nTh", url:
[www.friendr.nl] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: Invalid response from http://www.friendr.nl/.well-known/acme-challenge/423i_uXwz299l1hL1Cym7X8cVXL34bRjd7wnHQsOh50 [84.22.106.78]: "\n\n404 Not Found\n\nNot Found \nTh", url:
Certificate generation failed.
My web server is (include version):
CentOS 6
with DirectAdmin
The operating system my web server runs on is (include version):
Apache 2.4.43
My hosting provider, if applicable, is:
Tilaa
I can log in to a root shell on my machine (yes or no, or I don't know):
Yes
I'm using a control panel to manage my site:
DirectAdmin 1.61.3
A couple of days ago I started getting "Error during automated certificate renewal for friendr.nl" (and several other domains) in the DirectAdmin message log.
I've never had this problem before, so what could have changed this? Probably an update, but I can't know which one.
To test I deleted the .well-known/acme-challenge/ directories. I then did the following command line request.
/usr/local/directadmin/scripts/letsencrypt.sh renew friendr.nl 4096
This is what I tried:
I checked the directory and found a /.well-known/acme-challenge/letsencrypt_1595936966 file which I can access through http.
So there's no problem with write permissions. But letsencrypt is looking for /.well-known/acme-challenge/WgPEy9Rk9MBYz2juXsgT3pTZNlcev2YRqAzMoq0g2Kk and only wrote /.well-known/acme-challenge/letsencrypt_1595936966.
This is where my knowledge stops. Please help…
_az
July 29, 2020, 9:22am
Reading through http://files.directadmin.com/services/all/letsencrypt.sh, it seems like the script uses /var/www/html/ as the webroot where it places the .well-known/acme-challenge/ files.
This seems to be combined with an alias for /.well-known (configured in /etc/httpd/conf/extra/httpd-alias.conf) which ensures that all domains use the same location for that path.
Is that letsencrypt_1595936966 file in /var/www/html/.well-known/acme-challenge/, or somewhere else?
Big thanks for your reply. Looking in the /var/www/html/.well-known/acme-challenge directory, I found a bunch of letsencrypt_************* files created on the 25th of this month. Not sure why the 25th, though, because the errors started the day before, on the 24th.
The letsencrypt_1595936966 was in the expected directory at /home/admin/domains/friendr.nl/public_html/.well-known/acme-challenge
I have multiple domains running on the server.
_az
July 29, 2020, 10:35am
Right.
I'm not a DirectAdmin user, but I think that the letsencrypt.sh script expects /.well-known to be globally aliased to /var/www/html/.well-known/ (regardless of what domain it is).
If you look in the script and search for "webroot", you'll see it's hardcoded to use that path.
This seems to be corroborated by Troubleshooting Let's Encrypt Errors | Directadmin Docs.
So when it comes to your server, my first impression is that the alias has somehow unconfigured itself.
Here's the whole log
staging=yes bash -x ./letsencrypt.sh request friendr.nl
++ /usr/bin/id -u
+ MYUID=0
+ '[' 0 '!=' 0 ']'
+ LEGO=/usr/local/bin/lego
+ DNS_SERVER=8.8.8.8
+ DNS6_SERVER=2001:4860:4860::8888
+ NEW_IP=1.1.1.1
+ NEW6_IP=2606:4700:4700::1111
+ DA_IPV6=false
+ TASK_QUEUE=/usr/local/directadmin/data/task.queue.cb
+ LEGO_DATA_PATH=/usr/local/directadmin/data/.lego
+ '[' 2 -lt 2 ']'
+ '[' 2 -lt 3 ']'
+ KEY_SIZE=ec256
+ ECC_USED=true
+ ECC=secp384r1
+ KEY_SIZE=
+ '[' '' = secp384r1 ']'
+ '[' '' = prime256v1 ']'
+ '[' '' = 4096 ']'
+ '[' '' = 2048 ']'
+ '[' '' = 8192 ']'
+ ECC=prime256v1
+ KEY_SIZE=ec256
+ ECC_USED=true
+ DA_BIN=/usr/local/directadmin/directadmin
+ '[' '!' -s /usr/local/directadmin/directadmin ']'
+ '[' request = present ']'
+ '[' request = cleanup ']'
+ grep -m1 -q '^ipv6=1$'
+ /usr/local/directadmin/directadmin c
+ CURL=/usr/local/bin/curl
+ '[' '!' -x /usr/local/bin/curl ']'
+ DIG=/usr/bin/dig
+ '[' '!' -x /usr/bin/dig ']'
+ '[' yes = yes ']'
+ API_URI=acme-staging-v02.api.letsencrypt.org
+ API=https://acme-staging-v02.api.letsencrypt.org
+ CHALLENGETYPE=http
+ GENERAL_TIMEOUT=40
+ CURL_OPTIONS='--connect-timeout 40 -k --silent'
++ uname
+ OS=Linux
+ OPENSSL=/usr/bin/openssl
++ date +%s
+ TIMESTAMP=1596019631
++ cut -d= -f2
++ grep '^letsencrypt='
++ /usr/local/directadmin/directadmin c
+ LETSENCRYPT_OPTION=2
++ cut -d= -f2
++ grep '^secure_access_group='
++ /usr/local/directadmin/directadmin c
+ ACCESS_GROUP_OPTION=access
+ FILE_CHOWN=diradmin:mail
+ FILE_CHMOD=640
+ '[' access '!=' '' ']'
+ FILE_CHOWN=diradmin:access
+ '[' '!' -x /usr/local/bin/lego ']'
+ DOCUMENT_ROOT=
+ WELLKNOWN_PATH=/var/www/html/.well-known/acme-challenge
+ '[' '!' -z '' ']'
+ APPEND_SERVER='-s https://acme-staging-v02.api.letsencrypt.org/directory '
++ hostname -f
+ SERVER_HOSTNAME=maakhierjewebsite01.cloud.tilaa.com
+ '[' -z maakhierjewebsite01.cloud.tilaa.com ']'
+ '[' '!' -s /usr/local/directadmin/data/users/admin/user.conf ']'
+ ADMIN_USERCONF=/usr/local/directadmin/data/users/admin/user.conf
+ '[' '!' -z /usr/local/directadmin/data/users/admin/user.conf ']'
+ '[' -s /usr/local/directadmin/data/users/admin/user.conf ']'
++ cut -d, -f1
++ cut -d= -f2
++ grep -m1 '^email=' /usr/local/directadmin/data/users/admin/user.conf
+ EMAIL=admin@maakhierjewebsite.nl
+ '[' -z admin@maakhierjewebsite.nl ']'
+ DOMAIN=friendr.nl
+ '[' '' '!=' yes ']'
+ FOUNDDOMAIN=0
++ tr , ' '
++ echo friendr.nl
+ for TDOMAIN in '`echo "${DOMAIN}" | tr '\'','\'' '\'' '\''`'
+ DOMAIN_NAME_FOUND=friendr.nl
++ perl -p0 -e 's#\.#\\.#g '
++ echo friendr.nl
+ DOMAIN_ESCAPED='friendr\.nl'
+ grep -m1 -q '^friendr\.nl:' /etc/virtual/domainowners
++ cut '-d ' -f2
++ grep -m1 '^friendr\.nl:' /etc/virtual/domainowners
+ USER=admin
+ HOSTNAME=0
+ FOUNDDOMAIN=1
+ break
+ '[' 1 -eq 0 ']'
+ CSR_CF_FILE=
+ DA_USERDIR=/usr/local/directadmin/data/users/admin
+ DA_CONFDIR=/usr/local/directadmin/conf
+ HOSTNAME_DIR=/var/www/html
+ '[' '!' -d /usr/local/directadmin/data/users/admin ']'
+ '[' '!' -d /usr/local/directadmin/conf ']'
+ '[' 0 -eq 0 ']'
+ DNSPROVIDER_FALLBACK=/usr/local/directadmin/data/users/admin/domains/friendr.nl.dnsprovider
+ '[' -s /usr/local/directadmin/data/users/admin/domains/friendr.nl.dnsprovider ']'
+ KEY=/usr/local/directadmin/data/users/admin/domains/friendr.nl.key
+ CERT=/usr/local/directadmin/data/users/admin/domains/friendr.nl.cert
+ CACERT=/usr/local/directadmin/data/users/admin/domains/friendr.nl.cacert
+ '[' '' '!=' '' ']'
+ grep -m1 -q '^letsencrypt=2$'
+ /usr/local/directadmin/directadmin c
++ cut -d: -f6
++ grep -m1 '^admin:' /etc/passwd
+ USER_HOMEDIR=/home/admin
+ DOMAIN_DIR=/home/admin/domains/friendr.nl/public_html
+ WELLKNOWN_PATH=/home/admin/domains/friendr.nl/public_html/.well-known/acme-challenge
+ '[' -s /usr/local/directadmin/data/users/admin/domains/friendr.nl.cert ']'
+ '[' request = renew ']'
+ '[' request = request ']'
+ grep -m1 -q ,
+ echo friendr.nl
+ '[' -s '' ']'
+ '[' -s /usr/local/directadmin/data/users/admin/domains/friendr.nl.cert ']'
+ grep -m1 -q 'Subject Alternative Name:'
+ /usr/bin/openssl x509 -text -noout -in /usr/local/directadmin/data/users/admin/domains/friendr.nl.cert
++ perl -p0 -e 's|DNS:||g'
++ tr -d ' '
++ grep DNS:
++ grep -m1 'Subject Alternative Name:' -A1
++ /usr/bin/openssl x509 -text -noout -in /usr/local/directadmin/data/users/admin/domains/friendr.nl.cert
+ DOMAIN=friendr.nl,www.friendr.nl
+ '[' '!' -e /home/admin/domains/friendr.nl/public_html ']'
+ grep -m1 -q ,
+ echo friendr.nl,www.friendr.nl
++ perl -p0 -e 's/,/ -d /g'
++ echo friendr.nl,www.friendr.nl
+ DOMAINS='friendr.nl -d www.friendr.nl'
+ DOMAIN_FLAG='-d friendr.nl -d www.friendr.nl'
++ cut -d, -f1
++ echo friendr.nl,www.friendr.nl
+ FIRST_DOMAIN=friendr.nl
+ CHALLENGETYPE=http
+ '[' -s /usr/local/directadmin/data/users/admin/domains/friendr.nl.dnsprovider ']'
+ '[' '!' -z '' ']'
+ grep -m1 -q '*.'
+ echo '-d friendr.nl -d www.friendr.nl'
++ perl -p0 -e 's/^\*.//g'
++ perl -p0 -e 's/,/ /g'
++ echo friendr.nl,www.friendr.nl
+ for domain_name in '`echo ${DOMAIN} | perl -p0 -e "s/,/ /g" | perl -p0 -e "s/^\*.//g"`'
+ caa_check friendr.nl
+ CAA_OK=true
++ tail -n1
++ grep -v '\.$'
++ /usr/bin/dig @8.8.8.8 AAAA friendr.nl +short
+ IP_TO_RESOLV=
+ '[' 0 -eq 9 ']'
++ awk -F. '{b=$NF;for(i=NF-1;i>0;i--){b=$i FS b;print b}}'
++ echo friendr.nl
+ for i in '`echo ${1} | awk -F'\''.'\'' '\''{b=$NF;for(i=NF-1;i>0;i--){b=$i FS b;print b}}'\''`'
+ grep -m1 -q -F ' issue'
+ /usr/bin/dig CAA friendr.nl @8.8.8.8 +short
+ grep -m1 -q -F ' SERVFAIL'
+ /usr/bin/dig CAA friendr.nl @8.8.8.8
+ true
+ '[' http = http ']'
+ challenge_check friendr.nl
+ '[' '!' -d /home/admin/domains/friendr.nl/public_html/.well-known/acme-challenge ']'
+ touch /home/admin/domains/friendr.nl/public_html/.well-known/acme-challenge/letsencrypt_1596019631
+ chmod 644 /home/admin/domains/friendr.nl/public_html/.well-known/acme-challenge/letsencrypt_1596019631
+ chown webapps:webapps /home/admin/domains/friendr.nl/public_html/.well-known/acme-challenge/letsencrypt_1596019631
+ CURL_RESOLV_OPTIONS=
++ tail -n1
++ grep -v '\.$'
++ /usr/bin/dig @8.8.8.8 AAAA friendr.nl +short
+ IP_TO_RESOLV=
+ '[' 0 -eq 9 ']'
+ grep -m1 -q :
+ echo ''
+ IP_TO_RESOLV=
+ '[' -z '' ']'
++ tail -n1
++ /usr/bin/dig @8.8.8.8 friendr.nl +short
+ IP_TO_RESOLV=84.22.106.78
++ tail -n1
++ /usr/bin/dig friendr.nl +short
+ CURRENT_RESOLV=84.22.106.78
+ '[' -z 84.22.106.78 ']'
+ '[' -x /sbin/ping6 ']'
+ '[' -x /usr/sbin/ping6 ']'
+ false
+ ping6 -q -c 1 -W 1 friendr.nl
++ tail -n1
++ /usr/bin/dig @8.8.8.8 friendr.nl +short
+ IP_TO_RESOLV=84.22.106.78
++ tail -n1
++ /usr/bin/dig friendr.nl +short
+ CURRENT_RESOLV=84.22.106.78
+ '[' '!' -z 84.22.106.78 ']'
+ grep -m1 -q resolve
+ /usr/local/bin/curl --help
+ CURL_RESOLV_OPTIONS='--resolve friendr.nl:80:84.22.106.78 --resolve friendr.nl:443:84.22.106.78'
+ grep -m1 -q 'HTTP.*200'
+ /usr/local/bin/curl --connect-timeout 40 -k --silent --resolve friendr.nl:80:84.22.106.78 --resolve friendr.nl:443:84.22.106.78 -I -L -X GET http://friendr.nl/.well-known/acme-challenge/letsencrypt_1596019631
+ '[' '' = silent ']'
+ '[' -s /home/admin/domains/friendr.nl/public_html/.well-known/acme-challenge/letsencrypt_1596019631 ']'
+ for domain_name in '`echo ${DOMAIN} | perl -p0 -e "s/,/ /g" | perl -p0 -e "s/^\*.//g"`'
+ caa_check www.friendr.nl
+ CAA_OK=true
++ tail -n1
++ grep -v '\.$'
++ /usr/bin/dig @8.8.8.8 AAAA www.friendr.nl +short
+ IP_TO_RESOLV=
+ '[' 0 -eq 9 ']'
++ awk -F. '{b=$NF;for(i=NF-1;i>0;i--){b=$i FS b;print b}}'
++ echo www.friendr.nl
+ for i in '`echo ${1} | awk -F'\''.'\'' '\''{b=$NF;for(i=NF-1;i>0;i--){b=$i FS b;print b}}'\''`'
+ grep -m1 -q -F ' issue'
+ /usr/bin/dig CAA friendr.nl @8.8.8.8 +short
+ grep -m1 -q -F ' SERVFAIL'
+ /usr/bin/dig CAA friendr.nl @8.8.8.8
+ for i in '`echo ${1} | awk -F'\''.'\'' '\''{b=$NF;for(i=NF-1;i>0;i--){b=$i FS b;print b}}'\''`'
+ grep -m1 -q -F ' issue'
+ /usr/bin/dig CAA www.friendr.nl @8.8.8.8 +short
+ grep -m1 -q -F ' SERVFAIL'
+ /usr/bin/dig CAA www.friendr.nl @8.8.8.8
+ true
+ '[' http = http ']'
+ challenge_check www.friendr.nl
+ '[' '!' -d /home/admin/domains/friendr.nl/public_html/.well-known/acme-challenge ']'
+ touch /home/admin/domains/friendr.nl/public_html/.well-known/acme-challenge/letsencrypt_1596019631
+ chmod 644 /home/admin/domains/friendr.nl/public_html/.well-known/acme-challenge/letsencrypt_1596019631
+ chown webapps:webapps /home/admin/domains/friendr.nl/public_html/.well-known/acme-challenge/letsencrypt_1596019631
+ CURL_RESOLV_OPTIONS=
++ tail -n1
++ grep -v '\.$'
++ /usr/bin/dig @8.8.8.8 AAAA www.friendr.nl +short
+ IP_TO_RESOLV=
+ '[' 0 -eq 9 ']'
+ grep -m1 -q :
+ echo ''
+ IP_TO_RESOLV=
+ '[' -z '' ']'
++ tail -n1
++ /usr/bin/dig @8.8.8.8 www.friendr.nl +short
+ IP_TO_RESOLV=84.22.106.78
++ tail -n1
++ /usr/bin/dig www.friendr.nl +short
+ CURRENT_RESOLV=84.22.106.78
+ '[' -z 84.22.106.78 ']'
+ '[' -x /sbin/ping6 ']'
+ '[' -x /usr/sbin/ping6 ']'
+ false
+ ping6 -q -c 1 -W 1 www.friendr.nl
++ tail -n1
++ /usr/bin/dig @8.8.8.8 www.friendr.nl +short
+ IP_TO_RESOLV=84.22.106.78
++ tail -n1
++ /usr/bin/dig www.friendr.nl +short
+ CURRENT_RESOLV=84.22.106.78
+ '[' '!' -z 84.22.106.78 ']'
+ grep -m1 -q resolve
+ /usr/local/bin/curl --help
+ CURL_RESOLV_OPTIONS='--resolve www.friendr.nl:80:84.22.106.78 --resolve www.friendr.nl:443:84.22.106.78'
+ grep -m1 -q 'HTTP.*200'
+ /usr/local/bin/curl --connect-timeout 40 -k --silent --resolve www.friendr.nl:80:84.22.106.78 --resolve www.friendr.nl:443:84.22.106.78 -I -L -X GET http://www.friendr.nl/.well-known/acme-challenge/letsencrypt_1596019631
+ '[' '' = silent ']'
+ '[' -s /home/admin/domains/friendr.nl/public_html/.well-known/acme-challenge/letsencrypt_1596019631 ']'
+ '[' request = request_full ']'
+ '[' request = request_single ']'
+ '[' request = request ']'
+ /usr/local/bin/lego --path /usr/local/directadmin/data/.lego --dns.resolvers 8.8.8.8 --accept-tos -s https://acme-staging-v02.api.letsencrypt.org/directory -m admin@maakhierjewebsite.nl --http --http.webroot /var/www/html -d friendr.nl -d www.friendr.nl --key-type ec256 run --no-bundle
2020/07/29 12:47:12 No key found for account admin@maakhierjewebsite.nl. Generating a P256 key.
2020/07/29 12:47:12 Saved key to /usr/local/directadmin/data/.lego/accounts/acme-staging-v02.api.letsencrypt.org/admin@maakhierjewebsite.nl/keys/admin@maakhierjewebsite.nl.key
2020/07/29 12:47:13 [INFO] acme: Registering account for admin@maakhierjewebsite.nl
!!! HEADS UP !!!
Your account credentials have been saved in your Let's Encrypt
configuration directory at "/usr/local/directadmin/data/.lego/accounts".
You should make a secure backup of this folder now. This
configuration directory will also contain certificates and
private keys obtained from Let's Encrypt so making regular
backups of this folder is ideal.
2020/07/29 12:47:13 [INFO] [friendr.nl, www.friendr.nl] acme: Obtaining SAN certificate
2020/07/29 12:47:14 [INFO] [friendr.nl] AuthURL: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/84866755
2020/07/29 12:47:14 [INFO] [www.friendr.nl] AuthURL: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/84866756
2020/07/29 12:47:14 [INFO] [friendr.nl] acme: Could not find solver for: tls-alpn-01
2020/07/29 12:47:14 [INFO] [friendr.nl] acme: use http-01 solver
2020/07/29 12:47:14 [INFO] [www.friendr.nl] acme: Could not find solver for: tls-alpn-01
2020/07/29 12:47:14 [INFO] [www.friendr.nl] acme: use http-01 solver
2020/07/29 12:47:14 [INFO] [friendr.nl] acme: Trying to solve HTTP-01
2020/07/29 12:47:19 [INFO] [www.friendr.nl] acme: Trying to solve HTTP-01
2020/07/29 12:47:25 [INFO] Deactivating auth: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/84866755
2020/07/29 12:47:25 [INFO] Unable to deactivate the authorization: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/84866755
2020/07/29 12:47:25 [INFO] Deactivating auth: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/84866756
2020/07/29 12:47:26 [INFO] Unable to deactivate the authorization: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/84866756
2020/07/29 12:47:26 Could not obtain certificates:
error: one or more domains had a problem:
[friendr.nl] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: Invalid response from http://friendr.nl/.well-known/acme-challenge/v8lKLFtxnymju82qap-vQndEdixXaaICh0nj4qQWcMM [84.22.106.78]: "\n\n404 Not Found\n\nNot Found \nTh", url:
[www.friendr.nl] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: Invalid response from http://www.friendr.nl/.well-known/acme-challenge/OWPNn1qH63WDbWOO84m46l0Za1YY9Sv4mAmOSrqD7CA [84.22.106.78]: "\n\n404 Not Found\n\nNot Found \nTh", url:
+ '[' 1 -eq 0 ']'
+ echo 'Certificate generation failed.'
Certificate generation failed.
+ exit 1
I've downgraded letsencrypt from version 2.0.7 to 1.1.42 and it's working again!
This is partially good news. Good in that it's all working again. But bad because I can't upgrade letsencrypt any longer.
I've been trying to compare the code from different versions and I'm by far no professional programmer, but could it have to do with a piece of code in 1.1.42 starting with "#We need the domain to match in /etc/virtual/domainowners" on line 188?
system
Closed
August 28, 2020, 11:12am
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.