Great problems on a webserver with live 309 sites!


#1

Hello, I’m new to this forum and I use Let’s Encrypt on all of my DirectAdmin webservers.
Today at 10:30 am I got a phone call from a customer with the domain derksmontage.nl that he could not reach his site because of an SSL problem? He tried going to http://domain.nl and that worked for him. I checked his certificate in DirectAdmin and did a renewal (that worked just fine) but I got more calls during the day and I saw all the domains (309) were having the same problem!

I updated the CentOS 7 plugins and did a full reboot and that helped for a few minutes… A friend told me that I hit the limit of domain renewals… but I did not renew any domains? (maybe automatic?) but there is no way to tell? He looked for logs and did removals, re-installations and reboots but still I have the error that when I go to www.derksmontage.nl (example domain) the SSL cert is telling me that wordpress.speedy-networks.com (that cert is okay) is not the proper name for this domain…

How can I fix this? I did a request for 1000+ renewals per week but I need this problem to go away asap as I get calls from upset customers every half an hour! Please support me!

My domain is: wordpress.speedy-networks.com

I run my own dedicated webserver (unmanaged) with SSH access.

I’m using a control panel called DirectAdmin in the latest version

Best regards, Erik


#2

The error with https://www.sslshopper.com/ssl-checker.html#hostname=ict-arnhem.nl is: None of the common names in the certificate match the name that was entered (ict-arnhem.nl). You may receive an error when accessing this site in a web browser.


#3

Hi @erik854

yep, I see it:

CN=wordpress.speedy-networks.com, 05.12.2018 - 05.03.2019 wordpress.speedy-networks.com - 1 entry

If you have such a problem, your webserver configuration looks broken. The content of derksmontage.nl looks ok, but the certificate is wrong.

Looks like DirectAdmin has installed the same certificate on every vHost.

But I don’t use DirectAdmin. Perhaps it’s a bug there, so DirectAdmin must fix it. Do you have options there to check your list of active certificates? And is it possible that you say:

This domain should use this certificate?

Perhaps you should additionally ask in a DirectAdmin forum. These systems (DirectAdmin, cPanel, Plesk) have their own rules and limitations.


#4

I made a ticket with DirectAdmin but they have no luck either… :frowning:


#5

I agree, this sounds like a serious, very serious webserver configuration problem. Like all virtual hosts just disappeared.

In any case, this doesn’t seem to be directly related to Let’s Encrypt certificates in my opinion. For example, the domain derksmontage.nl has got 5 certificates issued this month: one, two, three, four and five. If renewing a certificate successfully doesn’t fix your problem, renewing it four times more probably doesn’t help you any further.

I wish you best of luck with your server management, but I don’t think our community is the place to get things fixed.

By the way, the domain ict-arnhem.nl never had an SSL certificate: https://crt.sh/?q=%ict-arnhem.nl


#6

Okay, I sudo certbot delete and removed everything from Let’s Encrypt with rm -rf and did a .build update of DirectAdmin and restarted some services and BAM it worked again!? Could it be that Let’s Encrypt refreshed or did something with my hostname? I can’t believe it’s working again… so I will test some more…!


#7

Uhhhh, I don’t think you should be running Certbot on a DirectAdmin server.

Web hosting panels tend to manage their virtual host configuration in very specific ways, and using Certbot’s certificate installers is very likely to totally mess things up. At least, that’s the case on cPanel.

Can you clarify whether you installed certificates using DirectAdmin UI, or using Certbot?


#8

You use Certbot and DirectAdmin?

This sounds terrible.


#9

I first installed DirectAdmin with Let’s Encrypt of course, but when this failed I tried a lot of things… incl. Certbot over SSH. But the de-installation did not fix it on its own… I believe the reinstallation and rebuild did the trick? How can I test this properly? I did go to https://www.sslshopper.com/ssl-checker.html#hostname=derksmontage.nl for a lot of sites and they are all on “The cert. will expire in 89 days” but the hostname is correctly listed in the certificate this time! Is this fixed…??
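
Added example, not part of the original posts: one way to run the check asked about above across every hosted domain, by connecting with SNI and comparing each hostname against the DNS names in the certificate actually served. The function names and the `SAMPLE` certificate are constructed for illustration; internationalized names and IP addresses are not handled.

```python
import socket
import ssl
import sys

def san_dns_names(cert):
    """DNS names from the dict returned by SSLSocket.getpeercert()."""
    return [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]

def name_matches(hostname, pattern):
    """A wildcard is accepted only as the whole leftmost label."""
    host = hostname.lower().rstrip(".").split(".")
    pat = pattern.lower().rstrip(".").split(".")
    if len(host) != len(pat):
        return False
    if pat[0] == "*":
        return len(pat) > 2 and host[1:] == pat[1:]
    return host == pat

def cert_covers(hostname, cert):
    return any(name_matches(hostname, p) for p in san_dns_names(cert))

def fetch_cert(hostname, port=443, timeout=10):
    """Fetch the certificate presented for this SNI name. The chain is still
    validated; only the hostname check is deferred to cert_covers() so a
    mismatching certificate can be reported instead of aborting the handshake."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()

def audit(hostnames, fetch=fetch_cert):
    """Map each hostname to None (covered), the names served instead, or an error."""
    results = {}
    for host in hostnames:
        try:
            cert = fetch(host)
        except OSError as exc:  # ssl.SSLError is a subclass of OSError
            results[host] = f"error: {exc}"
            continue
        results[host] = None if cert_covers(host, cert) else san_dns_names(cert)
    return results

# Constructed sample mirroring the thread: a vhost answering with the
# server's own hostname certificate instead of the customer's.
SAMPLE = {"subjectAltName": (("DNS", "wordpress.speedy-networks.com"),)}

if __name__ == "__main__":
    for host, problem in audit(sys.argv[1:]).items():
        print(host, "OK" if problem is None else f"PROBLEM: {problem}")
```

Run it with the hosted domain names as arguments; any line not ending in OK names the certificate that vhost is really serving.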


#10

Uninstalling Certbot does not automatically undo the configuration changes that it’s made to your web server. So if Certbot and DirectAdmin had a conflict that resulted in corrupted web server configuration files, uninstalling Certbot would probably not be enough to resolve that conflict by itself.


#11

I really can’t understand it that much, and I don’t want to try another server reboot at this moment, but fact is that it still works fine, every check I do with https://www.sslshopper.com or with https://www.ssllabs.com checks out just fine. I checked a few sites on 4 different connections and on 3 PCs. For now: Fixed! :slight_smile:


#12

It seems that people here agree that using both Certbot and DirectAdmin to request certificates on the same server could indeed break your web server configuration in a way that would be best solved by recreating the configuration (not just by uninstalling Certbot). While we don’t know the specific details, Certbot with --apache, --nginx, or -i is not designed to be used in conjunction with a control panel-managed web server configuration.


#13

Yes, I understand. I now see the server is running Apache and nginx is disabled…


#14

Server reboots on Linux servers are almost never the best solution, if any. It probably means you could have fixed it another way, but you just don’t know that (in my opinion, better) way and you resort to drastic measures.