Autorenew with DirectAdmin fails

When setting up Let’s Encrypt certificates with DirectAdmin everything works. But after renewal, only the domain mail.zvss.nl gets a wrong certificate name, namely the host name of the (shared) host: vps-17562-5233.tilaa.cloud

My guess is that this is due to some reverse DNS, but I’m not sure. Any help is greatly appreciated.

My domain is: zvss.nl

I ran this command: I didn’t. DirectAdmin does it automatically.

It produced this output: n/a

My web server is (include version): Apache/2.4.39 (Unix)

The operating system my web server runs on is (include version): CentOS Linux release 7.6.1810 (Core)

My hosting provider, if applicable, is: tilaa.com (I run a VPS)

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): DirectAdmin

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): I don’t know. certbot doesn’t exist on my machine. There is certutil, but I don’t know the version.

1 Like

Hi @vrep

looks like your configuration of mail… is buggy.

Your main domain ( https://check-your-website.server-daten.de/?q=zvss.nl ):

Host T IP-Address is auth. ∑ Queries ∑ Timeout
zvss.nl A 185.24.220.9 Woerden/Provincie Utrecht/Netherlands (NL) - Tilaa B.V. Hostname: vps-17562-5233.tilaa.cloud yes 1 0
AAAA yes
www.zvss.nl A 185.24.220.9 Woerden/Provincie Utrecht/Netherlands (NL) - Tilaa B.V. Hostname: vps-17562-5233.tilaa.cloud yes 1 0
AAAA 2a02:2770:9:0:21a:4aff:fef2:4703 Woerden/Provincie Utrecht/Netherlands (NL) - Tilaa B.V. yes

Your subdomain ( https://check-your-website.server-daten.de/?q=mail.zvss.nl ):

Host T IP-Address is auth. ∑ Queries ∑ Timeout
mail.zvss.nl A 185.24.220.9 Woerden/Provincie Utrecht/Netherlands (NL) - Tilaa B.V. Hostname: vps-17562-5233.tilaa.cloud yes 1 0
AAAA 2a02:2770:9:0:21a:4aff:fef2:4703 Woerden/Provincie Utrecht/Netherlands (NL) - Tilaa B.V. yes
www.mail.zvss.nl Name Error yes 1 0

Your main domain has some errors, but works.

But your subdomain:

Domainname Http-Status redirect Sec. G
http://mail.zvss.nl/
185.24.220.9 200 0.047 H
http://mail.zvss.nl/
2a02:2770:9:0:21a:4aff:fef2:4703 500 0.033 S
Internal Server Error
https://mail.zvss.nl/
185.24.220.9 200 3.673 N
Certificate error: RemoteCertificateNameMismatch
https://mail.zvss.nl/
2a02:2770:9:0:21a:4aff:fef2:4703 500 3.986 N
Internal Server Error
Certificate error: RemoteCertificateNameMismatch

Ipv6 crashes with a http status 500.

And ipv4 has CN=vps-17562-5233.tilaa.cloud, ipv6 has CN=michielmeijers.nl

So different vHosts answers (ipv4 vs. ipv6).

The ipv4 cert:

CN=vps-17562-5233.tilaa.cloud
	25.08.2019
	23.11.2019
expires in 87 days	vps-17562-5233.tilaa.cloud - 1 entry

The ipv6 is completely different:

CN=michielmeijers.nl
	03.08.2019
	01.11.2019
expires in 65 days	fixwiz.nl, ftp.fixwiz.nl, ftp.meijersconsultancy.eu, ftp.michielmeijers.nl, 
ftp.mmmusicproductions.nl, mail.fixwiz.nl, mail.meijersconsultancy.eu, mail.michielmeijers.nl, 
mail.mmmusicproductions.nl, meijersconsultancy.eu, michielmeijers.nl, mmmusicproductions.nl, 
smtp.fixwiz.nl, smtp.meijersconsultancy.eu, smtp.michielmeijers.nl, smtp.mmmusicproductions.nl, 
www.fixwiz.nl, www.meijersconsultancy.eu, www.michielmeijers.nl, www.mmmusicproductions.nl - 
20 entries

Check the vHost configuration of mail…

1 Like

Thank you so much @jurgenauer! For your quick and elaborate answer.

Just to be clear a few more questions. My current VirtualHost settings are:

<VirtualHost 185.24.220.9:80 [2a02:2770:9:0:21a:4aff:fef2:4703]:80 >
	ServerName www.zvss.nl
	ServerAlias www.zvss.nl zvss.nl  zvlss.nl www.zvlss.nl
	ServerAdmin webmaster@zvss.nl
[cutoff]

I’m guessing the proper settings should be:

<VirtualHost 185.24.220.9:80 [2a02:2770:9:0:21a:4aff:fef2:4703]:80 >
	ServerName www.zvss.nl
	ServerAlias www.zvss.nl zvss.nl  zvlss.nl www.zvlss.nl mail.zvss.nl mail.zvlss.nl
	ServerAdmin webmaster@zvss.nl
[cutoff]

So with "mail.zvss.nl mail.zvlss.nl " added in the ServerAlias line. Is that correct?

1 Like

That’s required. But not only your port 80, same with your port 443.

And perhaps it’s easier to use

<VirtualHost *:80 >
...
<VirtualHost *:443 >

so all ip addresses are catched.

PS: No ServerName/Alias -> the standard vHost is used.

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.