Correct domain name, incorrect hostname in output

Please fill out the fields below so we can help you better.

My domain is: hoenink.nl

I ran this command:
#!/bin/sh

DOMAIN_DEFAUT=hoenink.nl
PEM_FOLDER="/etc/letsencrypt/live/${DOMAIN_DEFAUT}/"
LOG_FOLDER="/usr/local/bin/letsencrypt_auto/script/logs"
DATE=$(date +"%d-%m-%y")
LOG_FILE="${LOG_FOLDER}/${DATE}.log"

# Retrieve certificate - DELETE --dry-run AFTER THE TEST RUN WORKED

letsencrypt renew --manual-public-ip-logging-ok --agree-tos --force-renew > "$LOG_FILE" 2>&1

# Check that everything went fine

LE_STATUS=$?

if [ "$LE_STATUS" != 0 ]; then
    echo "Automated Get certificate failed:"
    cat "$LOG_FILE"
    exit 1
fi

# Generate a passphrase - UNCOMMENT THE NEXT LINE AFTER THE TEST RUN WORKED

PASS=$(openssl rand -base64 45 | tr -d /=+ | cut -c -30) >> "$LOG_FILE" 2>&1

# Transform the pem files into an OS X valid p12 file - UNCOMMENT THE NEXT LINE AFTER THE TEST RUN WORKED

openssl pkcs12 -export -inkey "${PEM_FOLDER}privkey.pem" -in "${PEM_FOLDER}cert.pem" -certfile "${PEM_FOLDER}fullchain.pem" -out "${PEM_FOLDER}letsencrypt_sslcert.p12" -passout pass:"$PASS" >> "$LOG_FILE" 2>&1

# Import the p12 file in keychain - UNCOMMENT THE NEXT LINE AFTER THE TEST RUN WORKED

security import "${PEM_FOLDER}letsencrypt_sslcert.p12" -f pkcs12 -k /Library/Keychains/System.keychain -P "$PASS" -T /Applications/Server.app/Contents/ServerRoot/System/Library/CoreServices/ServerManagerDaemon.$

It produced this output:
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/hoenink.nl/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)
IMPORTANT NOTES:

The operating system my web server runs on is (include version):
MacOS 10.10.5 with Server 5.0.15

I can login to a root shell on my machine (yes or no, or I don’t know):
Yes

Problem description:
Before the upgrade to MacOS Yosemite the Let's Encrypt renewal script worked great!
I could then run the script once every 3 months and the new script was installed directly without user interaction.

After the upgrade to MacOS Yosemite the script ran weirdly.
I've manually inserted the domain name "hoenink.nl", but the output shows https://server.server.server.hoenink.loc/

Why and where did Let's Encrypt use the LOCAL domain name?
Also the local domain name is incorrect (it is server.hoenink.loc).
How can I fix that so that Let's Encrypt will use the domain name that I assign in the script?

Hi @appleman,

You should review your Redirect/Rewrite rules, in your Apache conf or in some .htaccess, because some of these rules are redirecting .well-known/* URIs to https://server.server.server.hoenink.loc/.well-known/*

$ curl -IkL  http://www.hoenink.nl/.well-known/acme-challenge/test
HTTP/1.1 301 Moved Permanently
Date: Thu, 07 Sep 2017 08:30:22 GMT
Server: Apache/2.4.16 (Unix) OpenSSL/0.9.8zg
Content-Length: 195
Location: https://server.server.server.hoenink.loc/.well-known/acme-challenge/test
Content-Type: text/html;charset=utf-8

curl: (6) Couldn't resolve host 'server.server.server.hoenink.loc'

Cheers,
sahsanu

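A small check for the redirect problem sahsanu diagnosed, added here as an example (not code from the thread): it pulls the host out of every Location: header that a curl -IkL run against the challenge path returns and flags any redirect that leaves the domain. The header blocks are constructed samples (the bad one copied from the reply above); check_live needs network access and is the only part that talks to a real server.

```shell
#!/bin/sh
# Constructed sample: the headers the thread's curl -IkL call printed (bad case).
BAD_HEADERS='HTTP/1.1 301 Moved Permanently
Date: Thu, 07 Sep 2017 08:30:22 GMT
Server: Apache/2.4.16 (Unix) OpenSSL/0.9.8zg
Location: https://server.server.server.hoenink.loc/.well-known/acme-challenge/test
Content-Type: text/html;charset=utf-8'

# Constructed sample: a healthy server that only redirects within the domain
# and then answers the (non-existent) token with a plain 404.
GOOD_HEADERS='HTTP/1.1 301 Moved Permanently
Location: https://www.hoenink.nl/.well-known/acme-challenge/test

HTTP/1.1 404 Not Found
Content-Type: text/html'

# Print the host part of every Location: header in $1, one per line.
location_hosts() {
    printf '%s\n' "$1" | tr -d '\r' \
      | awk 'tolower($1) == "location:" { print $2 }' \
      | sed -e 's#^[A-Za-z][A-Za-z0-9+.-]*://##' -e 's#[/:?].*$##'
}

# Return 0 when every redirect in $1 stays on domain $2 (or a subdomain of it),
# 1 as soon as one redirect points elsewhere. No redirects at all is fine.
redirects_stay_on_domain() {
    hosts=$(location_hosts "$1")
    domain=$2
    for h in $hosts; do
        case "$h" in
            "$domain"|*."$domain") ;;
            *) echo "challenge path redirected off-domain to: $h" >&2; return 1 ;;
        esac
    done
    return 0
}

# Live probe (needs network): HEAD the challenge path for $1 and follow redirects,
# the same request sahsanu ran by hand.
check_live() {
    redirects_stay_on_domain "$(curl -sIkL "http://$1/.well-known/acme-challenge/test")" "$1"
}
```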

Thank you for your response!
I’ve found the issue.
It is the incorrect .well-known redirects of Apple Mac OS.

The fix is here: [Solved] Apple server proxy blocks access to .well-known

The cleanest solution I found was to create a new custom proxy site for Apple's Apache serviceproxy:

/Library/Server/Web/Config/Proxy/apache_serviceproxy_customsites_letsencrypt.conf:
ProxyPass /.well-known/acme-challenge http://127.0.0.1:34543/.well-known/acme-challenge
ProxyPassReverse /.well-known/acme-challenge http://127.0.0.1:34543/.well-known/acme-challenge

That file is automatically loaded by the proxy through the file /Library/Server/Web/Config/Proxy/apache_serviceproxy.conf

After I added the file I restarted the proxy through launchctl:
sudo launchctl stop com.apple.serviceproxy
because the proxy itself doesn't restart when the web service is restarted.

Thanks to DDJarod
