Unable to request SSL for domain

My domain is:
croatianwine.online (corrected)

I ran this command:
On DirectAdmin, I requested an SSL certificate for the domains:
croatianwine.online
mail.croatianwine.online
www.croatianwine.online
croatianwine.be
mail.croatianwine.be
www.croatianwine.be
croatianwine.nl
mail.croatianwine.nl
www.croatianwine.nl
croatianwines.online
mail.croatianwines.online
www.croatianwines.online
On SSH, as root, I performed the following command to force the request to process immediately instead of waiting on DA to do it a minute later:

da taskq

Next, I checked if the domains are actually being requested:

ps -aux | grep letsenc

It produced this output:
#da taskq
2024/12/09 11:31:52 info executing task task=action=ssl&data=action%3Dsave%26background%3Dauto%26certificate%3D%26city%3D%26company%3D%26country%3D%26division%3D%26domain%3Dcroatianwine.online%26encryption%3Dsha256%26find_matching_key%3Dyes%26keysize%3Dsecp384r1%26le_select0%3Dcroatianwine.online%26le_select11%3Dwww.croatianwine.be%26le_select12%3Dcroatianwine.nl%26le_select14%3Dmail.croatianwine.nl%26le_select17%3Dwww.croatianwine.nl%26le_select18%3Dcroatianwines.online%26le_select2%3Dmail.croatianwine.online%26le_select20%3Dmail.croatianwines.online%26le_select23%3Dwww.croatianwines.online%26le_select5%3Dwww.croatianwine.online%26le_select6%3Dcroatianwine.be%26le_select8%3Dmail.croatianwine.be%26le_wc_select0%3Dcroatianwine.online%26le_wc_select1%3D%2A.croatianwine.online%26name%3Dcroatianwine.online%26province%3D%26request%3Dletsencrypt%26submit%3DSave%26type%3Dcreate&domain=croatianwine.online&username=croatianwi&value=letsencrypt
2024/12/09 11:33:53 info finished task duration=2m0.832310763s task=action=ssl&data=action%3Dsave%26background%3Dauto%26certificate%3D%26city%3D%26company%3D%26country%3D%26division%3D%26domain%3Dcroatianwine.online%26encryption%3Dsha256%26find_matching_key%3Dyes%26keysize%3Dsecp384r1%26le_select0%3Dcroatianwine.online%26le_select11%3Dwww.croatianwine.be%26le_select12%3Dcroatianwine.nl%26le_select14%3Dmail.croatianwine.nl%26le_select17%3Dwww.croatianwine.nl%26le_select18%3Dcroatianwines.online%26le_select2%3Dmail.croatianwine.online%26le_select20%3Dmail.croatianwines.online%26le_select23%3Dwww.croatianwines.online%26le_select5%3Dwww.croatianwine.online%26le_select6%3Dcroatianwine.be%26le_select8%3Dmail.croatianwine.be%26le_wc_select0%3Dcroatianwine.online%26le_wc_select1%3D%2A.croatianwine.online%26name%3Dcroatianwine.online%26province%3D%26request%3Dletsencrypt%26submit%3DSave%26type%3Dcreate&domain=croatianwine.online&username=croatianwi&value=letsencrypt

ps -aux | grep letsenc

root 959865 0.0 0.1 15456 3808 ? S 11:47 0:00 /bin/bash /usr/local/directadmin/scripts/letsencrypt.sh request croatianwine.online secp384r1 /usr/local/directadmin/data/users/croatianwi/domains/croatianwine.online.ssltmpfFqsWN
root 960104 0.0 0.1 76680 6596 ? S 11:47 0:00 curl --connect-timeout 40 -k --silent --resolve mail.croatianwine.nl:80:87.250.144.181 --resolve mail.croatianwine.nl:443:87.250.144.181 -I -L -X GET http://mail.croatianwine.nl/.well-known/acme-challenge/letsencrypt_ea2d3a99fcf06d58214a76a896a8a23a
root 960157 0.0 0.0 12216 1272 pts/0 S+ 11:48 0:00 grep --color=auto letsenc

My web server is (include version):
Server 1:
Apache/2.4.58
Server 2:
Apache/2.4.62

The operating system my web server runs on is (include version):
Server 1:
CentOS Linux release 7.9.2009 (Core)
Server 2:
AlmaLinux release 8.10 (Cerulean Leopard)

My hosting provider, if applicable, is:
TransIP

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
Server 1:
DirectAdmin v.1.668 36debccde2264f4a5f60098255cfa174f333d36d
Server 2:
DirectAdmin v.1.671 efccf013fdfb99bde3d45532090d73ff5d99e860

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
Server 1:
lego version 953d5c85145b6a2b9a52f2d919faf23e04a359b3 linux/amd64
Server 2:
lego version 4.17.4-SNAPSHOT-8164e09c linux/amd64

Dear LetsEncrypt forum,

We manage the DNS for all of the domain names, including their subdomains.
When requesting an SSL for the domains, the expected behavior is that we can request all but www.croatianwine.online
The actual behavior is that only the following domains can receive an SSL certificate:
Subject: LetsEncrypt request successful
LetsEncrypt request successful for:
mail.croatianwine.online
mail.croatianwines.online
www.croatianwine.be
www.croatianwine.nl
Cannot find domain in the certificate.
However, subdomains have been found instead. Proceeding with them.
Today at 11:16

This is unexpected behavior as stated above, so I split the www.domains and domains from the mail.domains and pointed those to Server 2 (vps18.jk.nl), leaving mail.domains on Server 1 (vps04.jk.nl) and then changing the DNS accordingly.
However, even after these steps have been applied successfully and confirmed through ping commands from different, independent servers and my office computer, I still cannot request an SSL for all but the www.croatianwine.online and the mail.domains. Instead, vps18.jk.nl can only request the following ones:
Subject: LetsEncrypt request successful
LetsEncrypt request successful for:
www.croatianwine.be
www.croatianwine.nl
Cannot find domain in the certificate.
Not setting up Mail SNI.
Today at 11:48

We fully manage the servers, we fully manage the DNS, we are not on a blacklist (Let's Debug), so I have no clue why either server can't request an SSL for their expected domains. I've reverted the changes back now to vps04.jk.nl, confirmed the IPv4 and IPv6 changed back successfully, deleted any existing certificates, requested an SSL certificate just now for the expected domains, which are all but the domain www.croatianwine.online, but it still doesn't work. At least this time it shows what the error is, due to a different error due to rate limit. I will request it again, this time without www.

Subject: Error with LetsEncrypt request
croatianwine.online was skipped due to unreachable http://croatianwine.online/.well-known/acme-challenge/letsencrypt_c1df02124a3e67811c285e03f2c0fd15 file.
croatianwine.be was skipped due to unreachable http://croatianwine.be/.well-known/acme-challenge/letsencrypt_61547dc3d99be074333c2a18d4312e4d file.
croatianwine.nl was skipped due to unreachable http://croatianwine.nl/.well-known/acme-challenge/letsencrypt_dcc5ee9534dfdae2793ccd4b4b9dfd43 file.
croatianwines.online was skipped due to unreachable http://croatianwines.online/.well-known/acme-challenge/letsencrypt_fb62314cf29518eaa42ed1c24e153fb8 file.
mail.croatianwine.be was skipped due to unreachable http://mail.croatianwine.be/.well-known/acme-challenge/letsencrypt_902bd5bee9e3f249a165d311438408e8 file.
mail.croatianwine.nl was skipped due to unreachable http://mail.croatianwine.nl/.well-known/acme-challenge/letsencrypt_35f6ff80b5f1b98f178a014df14f876b file.
www.croatianwine.online was skipped due to unreachable http://www.croatianwine.online/.well-known/acme-challenge/letsencrypt_c41fa227e828a10339116f18f4553863 file.
www.croatianwines.online was skipped due to unreachable http://www.croatianwines.online/.well-known/acme-challenge/letsencrypt_548b15fdfbd05d54de5cb935b98db560 file.
2024/12/09 12:18:21 [INFO] [mail.croatianwine.online, mail.croatianwines.online, www.croatianwine.be, www.croatianwine.nl] acme: Obtaining SAN certificate
2024/12/09 12:18:22 Could not obtain certificates:
acme: error: 429 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:acme:error:rateLimited :: too many certificates (5) already issued for this exact set of domains in the last 168h0m0s, retry after 2024-12-10 18:45:55 UTC: see Rate Limits - Let's Encrypt
Failed to issue new certificate
Today at 12:18

Issuing new certificates this time without attempting any of the mail.domains

ps -aux | grep lets

root 16103 0.0 0.0 115676 1896 ? S 12:24 0:00 /bin/bash /usr/local/directadmin/scripts/letsencrypt.sh request croatianwine.online secp384r1 /usr/local/directadmin/data/users/croatianwi/domains/croatianwine.online.ssltmpN7fe8N
root 16161 0.9 0.1 270020 6696 ? S 12:24 0:00 curl --connect-timeout 40 -k --silent --resolve croatianwine.online:80:2a01:7c8:fff7:317::1 --resolve croatianwine.online:443:2a01:7c8:fff7:317::1 -I -L -X GET http://croatianwine.online/.well-known/acme-challenge/letsencrypt_4ef545a12f74ae45dad304d531ca5d48
root 16199 0.0 0.0 110800 908 pts/0 S+ 12:24 0:00 grep --color=auto lets

That is the correct IPv6 address from vps04.jk.nl

LetsEncrypt request successful for:
www.croatianwine.be
www.croatianwine.nl
Cannot find domain in the certificate.
Not setting up Mail SNI.

Kind regards,

Patrick

Unfortunately, I've used the wrong domain in my original post and it should have been:

croatianwine.online

Do you expect the DNS entries for that failing domain to be different than the apex for that?

croatianwine.online. 0 IN A 136.144.156.99
croatianwine.online. 0 IN AAAA 2a01:7c8:fff7:317::1

www.croatianwine.online. 0 IN A 104.17.156.30
www.croatianwine.online. 0 IN A 104.16.8.49
www.croatianwine.online. 0 IN AAAA 2606:4700::6811:9c1e
www.croatianwine.online. 0 IN AAAA 2606:4700::6810:831

You don't need to keep re-creating the cert. If it is not working as expected there is a configuration problem on your server. Did you setup the DirectAdmin system? If not, you should discuss this with them.

3 Likes
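The two checks a practitioner would run before re-ordering: which names DirectAdmin's own curl pre-check dropped, whether each requested name's public DNS actually points at the server that will answer the HTTP-01 challenge, and how long the 429 duplicate-certificate limit blocks the exact name set. This is an added example, not DirectAdmin's or lego's code; the DNS table is constructed from the records quoted in this thread and the server's own addresses are assumed.

```python
"""Pre-flight checks for a multi-name HTTP-01 order (added example)."""
import re
from datetime import datetime, timezone

# Constructed from the answers quoted in the thread: apex on the VPS, www on Cloudflare.
DNS = {
    "croatianwine.online": {"136.144.156.99", "2a01:7c8:fff7:317::1"},
    "www.croatianwine.online": {"104.17.156.30", "104.16.8.49",
                                "2606:4700::6811:9c1e", "2606:4700::6810:831"},
}
# Assumed: the addresses the issuing server (vps04) listens on.
SERVER_IPS = {"136.144.156.99", "2a01:7c8:fff7:317::1"}

# DirectAdmin's "skipped due to unreachable ..." line; \1 forces URL host == hostname.
SKIPPED = re.compile(r"^(\S+) was skipped due to unreachable "
                     r"http://\1/\.well-known/acme-challenge/\S+ file\.$")
# lego's wording of the ACME 429 duplicate-certificate limit.
RATE = re.compile(r"too many certificates \((\d+)\) already issued for this exact "
                  r"set of domains in the last ([0-9hms]+), retry after "
                  r"(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) UTC")

def skipped_hosts(report: str) -> list:
    """Hostnames DirectAdmin dropped because its own curl pre-check failed."""
    return [m.group(1) for line in report.splitlines()
            if (m := SKIPPED.match(line.strip()))]

def hosts_not_on_server(hostnames, dns=DNS, server_ips=SERVER_IPS) -> dict:
    """Names whose public A/AAAA records do not point at this server.
    The ACME validator follows public DNS, so for such a name the challenge
    is answered by another host (here Cloudflare) regardless of the local vhost."""
    problems = {}
    for name in hostnames:
        addrs = dns.get(name)
        if not addrs:
            problems[name] = "no A/AAAA record"
        elif not addrs & server_ips:
            problems[name] = "resolves elsewhere: " + ", ".join(sorted(addrs))
    return problems

def parse_rate_limit(msg: str):
    """(count, window, retry_after as aware UTC datetime) from a 429 text, else None."""
    m = RATE.search(msg)
    if not m:
        return None
    retry = datetime.strptime(m.group(3), "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    return int(m.group(1)), m.group(2), retry
```

The duplicate-certificate limit is keyed on the exact set of names, so reordering with one name removed or added is a different set; it does not reset the window for the set that was already issued five times.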

Dear Mike,

I am not sure what you mean with "the apex", but I expect both DA servers to be able to generate a certificate with croatianwine.online as the main certificate with every other domain and subdomain following that one.

Yes, I expect www.croatianwine.online to be different. It's a CNAME to 51461.shops.webshopapp.com.

So why isn't the certificate working for any of the other domains? Not even croatianwine.online itself can get the certificate

I am not a DirectAdmin expert. Maybe ask them for help.

But, in the latest screen I see two Certificate Hosts. One named www.croatianwine.be and one for .nl. You did get a cert with both of those names. See: crt.sh | 15680968646 In fact, you got 3 certs with those two names today.

If you want other host names (domain names) in that cert don't you need to have them in the "Hosts" section?

And by "apex" I meant apex domain name. Example: croatianwine.be is the apex domain for www.croatianwine.be. I saw your croatianwine.online was using Cloudflare so thought you would know that term.

3 Likes

Thank you for your response.

Yes, croatianwine.online is the apex domain. www.croatianwine.online is the webshop all other domains and subdomains refer to. But I have no clue why it won't request certificates for the other domains, even when I control them and successfully ping to them. I'll ask the DA forum, but I have a feeling I might get referred back here considering it's 2 separate servers with the same issue.

Regards,

Patrick

1 Like
