SSL problems DirectAdmin on CentOS7


#1

My domain is: kopana.nl

I ran this command: SSL request

It produced this output:

Requesting new certificate order…
Processing authorization for www.kopana.nl…
Challenge is valid.
Processing authorization for kopana.nl…
Challenge is valid.
Processing authorization for smtp.kopana.nl…
Error: http://smtp.kopana.nl/.well-known/acme-challenge/letsencrypt_1539535082 is not reachable. Aborting the script.
dig output for smtp.kopana.nl:
Please make sure /.well-known alias is setup in WWW server.

My web server is (include version): Apache

The operating system my web server runs on is (include version): CentOS7

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): DirectAdmin

So I set up Let's Encrypt on my DirectAdmin panel, and getting a certificate for:
kopana.nl
www.kopana.nl
mail.kopana.nl

is just working fine. But POP, SMTP and FTP are not working. Does someone have an idea why?


#2

Hi @roef

there is no A-record with the domain name smtp.kopana.nl:

D:\temp>nslookup smtp.kopana.nl.
*** smtp.kopana.nl. was not found by fritz.box: Non-existent domain.

So the http challenge can't work.

First, create a dns A entry

smtp.kopana.nl -> 148.251.209.150

Then add a vHost (or add the name smtp.kopana.nl to your existing vHost).

What client do you use?

If you have DirectAdmin, check if you can add the smtp domain name to your existing certificate:

https://transparencyreport.google.com/https/certificates/LzG30AyisgLsq8BgSFwo3C3EGG%2Fckq%2BzHDWM4LblWRw%3D


#3

I use DirectAdmin. When I look at my DNS settings everything points to my IP address. I just told my registrar to point the domain via A records to the IP address of my VPS. (Because it's not possible in their control panel to do it yourself.)

But something weird is happening here, because I have another VPS and I pointed my domains also to that one, BUT via another registrar where I could set up the DNS settings myself, and that one is just working fine. So I'm confused here.

See the screenshot.


#4

Hi,

You are using DirectAdmin and the DNS settings in the local DirectAdmin-related servers are correct. However, the official NS server is not any of the servers listed in the control panel. Let's Encrypt will query the authoritative name server instead of any other servers, and the authoritative name server does not contain the correct record (since it's not your DirectAdmin-connected nameserver).

You could do either of the actions below to resolve this issue:

  1. Point your domain to the DirectAdmin nameservers (that'll resolve the issue but might degrade your DNS performance)
  2. Add the new DNS records in the DNS provider's control panel. Then do the verification again.

Thank you


#5

Additional to @stevenzhu

My own PC: no A record for smtp.kopana.nl, but that may be cached.

But checking via dnschecker:

You see: Nobody outside sees your smtp.kopana.nl.


#6

As your domain contains 'smtp', it seems you are handling e-mail. In that case I would strongly recommend option 1, because it'll also give you SPF and DKIM records right away (if enabled in DA; DKIM seems to be off for you), which are very useful for spam filtering software to know whether mail is genuine.


#7

Thanks everyone this problem is fixed now! It was the DNS settings at the registrar.


#8

However, I am encountering a new problem when trying to set up an SSL certificate for the server hostname, so I can have a secure login to the DirectAdmin panel. Check the screenshot I attached. What am I doing wrong?


#9

Hi,

Did you install the real hostname (and corresponding A records) into your dns settings?

Thank you


#10

Hello,

Thanks for the reply. On DirectAdmin everything is set up right, I think. See the attached screenshot. Is it a hosting problem again?


#11

Hi,

I mean, did you add those records into the “registrar DNS”?

The NS servers are still on your registrar.

Thank you


#12

I didn’t do that. Can I just add vps1.keeperstalent.nl in the DNS records at the registrar like a normal domain?


#13

Well, there is a different problem now. I set the DNS records; now I am encountering a new problem. See screenshot. Sorry for the questions, I am just getting started with all this.


#14

There is no running webserver. Or there is a blocking firewall or something else.

Does vps1… have another IP, or is this the same server? If it's the same server, your DNS A record may be wrong.

D:\temp>nslookup vps1.keeperstalent.nl.
Name: vps1.keeperstalent.nl
Address: 148.251.209.105

versus

D:\temp>nslookup keeperstalent.nl.
Name: keeperstalent.nl
Address: 5.9.130.50


#15

keeperstalent.nl is a separate website, not hosted on the VPS but by shared hosting. The owner of the VPS chose the same name for his VPS as his old website. Is this causing problems?


#16

And no, just using one IP address for different websites.


#17

Firewall is set up fine, right? Screenshot


#18

Does this machine have the 148.* or the 5.9.* IP address? Or does this machine handle both IP addresses?

If you use http-01 validation, the normal setting is: Certbot runs on the machine with the webserver.

So if certbot runs on the 5.9.* IP, you can't create a certificate with the domain name of a domain pointing to a 148.* IP.


#19

The VPS is running on the 148.* address. The other address is running on shared hosting and has nothing to do with this machine. It is just the same name.


#20

There is nothing running:

http://vps1.keeperstalent.nl/

doesn’t send an answer. Use your browser to check this.
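Added example, not part of this thread and not DirectAdmin's or Let's Encrypt's code: a stdlib-only Python pre-flight check that does what #4 describes (ask the zone's authoritative nameservers directly, instead of the local resolver or the panel's own DNS, so a record that only exists in DirectAdmin shows up as NXDOMAIN) and what #14 and #20 check by hand (does anything answer at http://host/.well-known/acme-challenge/...). Assumptions: the default resolver 9.9.9.9 is just an arbitrary public resolver used only to discover the NS names; the probe token is made up; the thread's hostnames appear only in the sample invocation.

```python
# Added example (not from the thread): query the zone's authoritative
# nameservers directly, as an ACME validator does, then probe the http-01
# path. Stdlib only: a minimal DNS client over UDP plus one HTTP GET.
import random, socket, struct, urllib.error, urllib.request

QTYPE = {"A": 1, "NS": 2}
RCODE = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(name, qtype, txid=None, rd=True):
    """Wire-format query; rd=False when talking to an authoritative server."""
    txid = random.randrange(65536) if txid is None else txid
    header = struct.pack("!HHHHHH", txid, 0x0100 if rd else 0, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", QTYPE[qtype], 1)

def read_name(data, off):
    """Decode a possibly compressed name -> (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        ln = data[off]
        if ln & 0xC0 == 0xC0:  # compression pointer; cap hops against loops
            hops += 1
            if hops > 16:
                raise ValueError("pointer loop in DNS name")
            end = off + 2 if end is None else end
            off = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            break
        labels.append(data[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), (off if end is None else end)

def parse_response(data):
    """-> (txid, rcode name, AA flag, [(name, type, value), ...])."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    rcode, aa = RCODE.get(flags & 0xF, str(flags & 0xF)), bool(flags & 0x0400)
    off = 12
    for _ in range(qd):  # skip the echoed question
        _, off = read_name(data, off)
        off += 4
    records = []
    for _ in range(an + ns + ar):
        name, off = read_name(data, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            value = ".".join(str(b) for b in data[off:off + 4])
        elif rtype == 2:
            value, _ = read_name(data, off)  # NS target may be compressed
        else:
            value = data[off:off + rdlen].hex()
        records.append((name, rtype, value))
        off += rdlen
    return txid, rcode, aa, records

def query(name, qtype, server, rd=True, timeout=3.0):
    """One UDP query to `server` -> (rcode, aa, records)."""
    q = build_query(name, qtype, rd=rd)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        data = s.recv(4096)
    txid, rcode, aa, records = parse_response(data)
    if txid != struct.unpack("!H", q[:2])[0]:
        raise ValueError("DNS transaction id mismatch")
    return rcode, aa, records

def challenge_reachable(hostname, token="preflight-probe"):
    """HTTP status at the challenge path, or None when nothing answers at all.
    404 = a web server listens but lacks the vhost or /.well-known alias;
    None = no server, a blocking firewall, or an A record pointing elsewhere."""
    url = "http://%s/.well-known/acme-challenge/%s" % (hostname, token)
    try:
        with urllib.request.urlopen(url, timeout=5) as r:
            return r.status
    except urllib.error.HTTPError as e:
        return e.code
    except (urllib.error.URLError, OSError):
        return None

def preflight(hostname, zone, resolver="9.9.9.9"):
    """Ask each authoritative NS of `zone` about `hostname`, then probe HTTP.
    `resolver` is an assumed public resolver, used only to find the NS names."""
    report = {}
    _, _, ns_records = query(zone, "NS", resolver)
    for ns in sorted(v for _, t, v in ns_records if t == 2):
        rcode, aa, recs = query(hostname, "A", socket.gethostbyname(ns), rd=False)
        report[ns] = (rcode, aa, [v for _, t, v in recs if t == 1])
    report["http"] = challenge_reachable(hostname)
    return report

if __name__ == "__main__":  # hostnames from the thread; needs network access
    print(preflight("smtp.kopana.nl", "kopana.nl"))
```

Run it with network access and read the report: every nameserver line should show NOERROR, aa True and the VPS address. NXDOMAIN with aa True at the authoritative servers is the situation in #2 and #5 (the record exists only in the panel, not at the registrar), and http None is the situation in #20 (nothing listening, or the A record pointing at another machine), while an HTTP 404 means the web server answers but the vhost or /.well-known alias is missing. The rd=False flag and the AA check matter: a recursive resolver would happily answer from cache, which is exactly the view the validator does not use.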