SSL Certificate not working?

Hi everyone!

I tried following @Joe’s tutorial on YouTube so my website runs over https … but I failed miserably!

When asking for Let’s Encrypt certificates, VM defaults to my domain and its www, mail, autoconfig and autodiscover subdomains … those are not in the tutorial and I am not in fact sure how to use the latter 3 (yes, not even the mail subdomain) … :man_facepalming:

Let’s Encrypt gives several errors when requesting certs for the latter 3:

- The following errors were reported by the server:

   Domain: autoconfig.site.com
   Type:   dns
   Detail: DNS problem: NXDOMAIN looking up A for
   autoconfig.site.com - check that a DNS record exists for
   this domain

   Domain: autodiscover.site.com
   Type:   dns
   Detail: DNS problem: NXDOMAIN looking up A for
   autodiscover.site.com - check that a DNS record exists for
   this domain

   Domain: mail.site.com
   Type:   dns
   Detail: DNS problem: NXDOMAIN looking up A for mail.site.com
   - check that a DNS record exists for this domain

and trying to pass the DNS-based validation:

- The following errors were reported by the server:

   Domain: autoconfig.site.com
   Type:   dns
   Detail: DNS problem: NXDOMAIN looking up TXT for
   _acme-challenge.autoconfig.site.com - check that a DNS
   record exists for this domain

   Domain: autodiscover.site.com
   Type:   dns
   Detail: DNS problem: NXDOMAIN looking up TXT for
   _acme-challenge.autodiscover.site.com - check that a DNS
   record exists for this domain

   Domain: mail.site.com
   Type:   dns
   Detail: DNS problem: NXDOMAIN looking up TXT for
   _acme-challenge.mail.site.com - check that a DNS record
   exists for this domain

I don’t have any records at my registrar that point to any of those subdomains … I don’t know what the point would be with two of them, but I guess one of them I will be using when I try to set up my mail server.

Anyway… I just went for the second option and listed my domain and the www subdomain (which is the default in @Joe’s video tutorial). Success! The request at Let’s Encrypt comes through! Now the theory says my site is running HTTPS … I wish!!

I don’t know what the problem is. I have tried installing a WordPress plug-in that forces SSL, but it did not do the trick.

I have run a test on https://www.ssllabs.com/ and the results were negative:

Short version:

Assessment failed: Unable to connect to the server

Long version:

Assessment failed: Unable to connect to the server

**Known Problems**

There are some errors that we cannot fix properly in the current version. They will be addressed in the next generation version, which is currently being developed.

* **No secure protocols supported** - if you get this message, but you know that the site supports SSL, wait until the cache expires on its own, then try again, making sure the hostname you enter uses the "www" prefix (e.g., "www.ssllabs.com", not just "ssllabs.com").
* **no more data allowed for version 1 certificate** - the certificate is invalid; it is declared as version 1, but uses extensions, which were introduced in version 3. Browsers might ignore this problem, but our parser is strict and refuses to proceed. We'll try to find a different parser to avoid this problem.
* **Failed to obtain certificate** and **Internal Error** - errors of this type will often be reported for servers that use connection rate limits or block connections in response to unusual traffic. Problems of this type are very difficult to diagnose. If you have access to the server being tested, before reporting a problem to us, please check that there is no rate limiting or IDS in place.
* **NetScaler issues** - some NetScaler versions appear to reject SSL handshakes that do not include certain suites or handshakes that use a few suites. If the test is failing and there is a NetScaler load balancer in place, that's most likely the reason.
* **Unexpected failure** - our tests are designed to fail when unusual results are observed. This usually happens when there are multiple TLS servers behind the same IP address. In such cases we can't provide accurate results, which is why we fail.

**Common Error Messages**

* **Connect timed out** - server did not respond to our connection request, sometimes before we are dynamically blocked when our tests are detected
* **No route to host** - unable to reach the server
* **Unable to connect to server** - failed to connect to the server, it usually happens due to firewall restrictions
* **Connection reset** - we got disconnected from the server
* **Unrecognized SSL message, plaintext connection?** - the server responded with plain-text HTTP on HTTPS port
* **Received fatal alert: handshake_failure** - this is either a faulty SSL server or some other server listening on port 443; if the SSL version of the web site works in your browser, please report this issue to us
* **Failed to communicate with the secure server** - No secure protocol supported. Possibly this server only supports a draft version of TLS 1.3

If I go to my BIND DNS server and look in the master zone for my site … it shows that I have 1 record for certificate authorities but 0 records for SSL certificates … which doesn’t look right.

Hi,
the NXDOMAIN error explains what is wrong… you do not have the correct DNS entries for mail.site.com.

I haven't been able to get autodiscover and autodetect working in Virtualmin so I don't use either of them at present.

Just understand that you must first ensure that your DNS resolves exactly as you have it in your domain registrar records.

Virtualmin has a place where it describes pretty well what DNS records you should be using for your domain hosted on the Virtualmin system.

If your DNS is hosted outside of your Virtualmin system (say for example by the registrar or Cloudflare), the helpful Virtualmin suggestions for DNS records can be found by going to Virtualmin > Server Configuration > Suggested DNS records (if you have DNS domain turned off in Virtualmin > Virtual server > Edit Virtual Server > Enabled features).

Virtualmin tends to offer far too many A records (better to use CNAME where possible), but this is fine if you only have a handful of domains on a server. If you had lots, and the server IP address needed changing for some reason, then going through manually changing so many A records for a heap of domains would be a big task.

Hi @adamjedgar

Suggested DNS records is not present under Server Configuration, so I guess I am using “DNS domain” on VMin, but I do not know what you mean under “DNS domain” … do you mean BIND?

I am trying to create the records for mail, but that is not really the answer I am looking for in this post.

Solved it … just had to forward the ports. :man_facepalming:

To all noobs : make sure you forward the ports for the services you want to run :laughing:
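Both problems in this thread (NXDOMAIN for names that were never published, and a certificate that issues fine but a site that is unreachable because port 443 was never forwarded) can be caught before the CA is ever contacted. The following preflight script is an added example, not code from the thread, from Virtualmin, or from Let's Encrypt. It resolves every name you intend to put on the certificate and probes the ports the validation and the site depend on; the lookup and connect functions are injectable, and the `FAKE_DNS`/`fake_lookup`/`fake_connect` values are constructed to reproduce the situation above (site.com and www resolve, the three extra names do not, port 80 answers but 443 does not). The host names and the 203.0.113.10 address are illustrative placeholders.

```python
"""Preflight check for a multi-name ACME certificate request (added example).

Let's Encrypt validates each requested name from the public internet. A name
with no A/AAAA record fails with NXDOMAIN for both HTTP-01 and DNS-01, and a
name whose port 80/443 is not reachable from outside (no NAT port forward,
firewall) fails HTTP-01 or yields a certificate nobody can connect to.
Run this from a host OUTSIDE your own network: a check from inside the NAT
cannot see a missing port forward.
"""
import socket
from dataclasses import dataclass, field


@dataclass
class NameReport:
    name: str
    addresses: list = field(default_factory=list)
    reachable: dict = field(default_factory=dict)   # port -> bool
    problems: list = field(default_factory=list)


def default_lookup(name):
    """Resolve A/AAAA through the system resolver; [] when the name does not exist."""
    try:
        infos = socket.getaddrinfo(name, None, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def default_connect(address, port, timeout=3.0):
    """True if a TCP connection to address:port succeeds within the timeout."""
    try:
        with socket.create_connection((address, port), timeout=timeout):
            return True
    except OSError:
        return False


def preflight(names, ports=(80, 443), lookup=default_lookup, connect=default_connect):
    """Return one NameReport per name; an empty problems list means 'safe to request'."""
    reports = []
    for name in names:
        rep = NameReport(name=name)
        rep.addresses = lookup(name)
        if not rep.addresses:
            # This is exactly the CA's "NXDOMAIN looking up A" error, seen early.
            rep.problems.append("NXDOMAIN: no A/AAAA record; publish one or drop the name")
            reports.append(rep)
            continue
        for port in ports:
            ok = any(connect(addr, port) for addr in rep.addresses)
            rep.reachable[port] = ok
            if not ok:
                rep.problems.append(f"port {port} not reachable (firewall or missing port forward?)")
        reports.append(rep)
    return reports


def safe_to_request(reports):
    """Names with no detected problem, i.e. the SAN list worth sending to the CA."""
    return [r.name for r in reports if not r.problems]


# Constructed data reproducing the thread: only the bare domain and www exist,
# port 80 is forwarded, port 443 is not.
FAKE_DNS = {"site.com": ["203.0.113.10"], "www.site.com": ["203.0.113.10"]}
REQUESTED = ["site.com", "www.site.com", "mail.site.com",
             "autoconfig.site.com", "autodiscover.site.com"]


def fake_lookup(name):
    return FAKE_DNS.get(name, [])


def fake_connect(address, port, timeout=3.0):
    return port == 80


if __name__ == "__main__":
    for r in preflight(REQUESTED, lookup=fake_lookup, connect=fake_connect):
        status = "OK" if not r.problems else "; ".join(r.problems)
        print(f"{r.name:28} {status}")
```

Feed the real `REQUESTED` list to `preflight()` with the default lookup/connect from an external host (a cheap VPS or a friend's machine); if `safe_to_request()` returns fewer names than you asked for, fix DNS and forwarding first rather than retrying the CA, which rate-limits failed validations.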

The reason I said that is because there are two setups… one using BIND and one without.
Newbies should choose the option not to use BIND and provide your own DNS. It causes complications. Best to initially use offsite DNS provided by the registrar.

Port forwarding is obvious… I didn't mention that because it's a given. I usually control that, like DNS, from outside of Virtualmin for good reason. Anyway, glad you got it working.

