Related products version: DigitalOcean Droplet (Ubuntu 18.04 LTS)
Hello.
Previously, I faced a dilemma which is to create and activate the SSL Certificate for the main Virtual Server from Virtualmin. And I was advised to wait a few days to let the DNS propagate since it’s a new configuration. Indeed, I was finally able to successfully activate the SSL Certificate for the main domain “mydomain.com”.
But, I am facing a new problem of the same kind which is the impossibility of activating the Let’s encrypt SSL Certificate for subdomains like that of “emm.mydomain.com” created for this main domain “mydomain.com”.
And the result is the following failure.
So why this worry about installing the Let’s Encrypt SSL Certificate for the “emm.mydomain.com” subdomain when I did successfully install the main domain “mydomain.com”???
First off, let DNS propagate as before, but also temporarily disable SSL for domain as while you’re waiting you’ve exceeded the allowed retry quota from Let’s Encrypt.
Gotta give it a break before retrying again.
*** Lying in bed, not quite like Brian Wilson did… Oh ha! ***
I waited for 2 days and I try again but it’s the same:
Requesting a certificate for erp.mydomain.com from Let's Encrypt ..
.. request failed : Web-based validation failed :
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for erp.mydomain.com
Using the webroot path /home/mydomain/domains/erp.mydomain.com/public_html for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. erp.mydomain.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://erp.mydomain.com/.well-known/acme-challenge/_Z8fBA7PAmJ-3zUsRMfoTINplJnEJrlLFhPIpjfQLD4 [46.101.24.243]: "<!DOCTYPE html>\n<html lang=\"en\">\n <head>\n <meta charset=\"utf-8\">\n <meta name=\"viewport\" content=\"width=device-w"
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: erp.mydomain.com
Type: unauthorized
Detail: Invalid response from
http://erp.mydomain.com/.well-known/acme-challenge/_Z8fBA7PAmJ-3zUsRMfoTINplJnEJrlLFhPIpjfQLD4
[46.101.24.243]: "<!DOCTYPE html>\n<html lang=\"en\">\n <head>\n
<meta charset=\"utf-8\">\n <meta name=\"viewport\"
content=\"width=device-w"
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
DNS-based validation failed :
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for erp.mydomain.com
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. erp.mydomain.com (dns-01): urn:ietf:params:acme:error:dns :: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.erp.mydomain.com - check that a DNS record exists for this domain
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: erp.mydomain.com
Type: None
Detail: DNS problem: NXDOMAIN looking up TXT for
_acme-challenge.erp.mydomain.com - check that a DNS record exists for
this domain
Don’t you think the error comes from somewhere else ???
Otherwise, how to understand that I managed to activate the SSL Certificate at the level of the Main Domain, but impossible so far to succeed in activating it at the level of the subdomains yet already indeed created at the level of the space management of Domain Names of my Server on DigitalOcean ???
What you may try is requesting wildcard certificate by ticking Also request wildcard certificate? checkbox, in case you host DNS locally. Try few times in a row, as sometimes it just fails.
If you’re seeing an error “There were too many requests of a given type”, there is no reason to wait, as this can be worked around by changing the list of domains for which you’re requesting a certificate for.
When I try to check the Also request wildcard certificate? checkbox, I get another type of error which is as follows:
Requesting a certificate for erp.mydomain.com, *.erp.mydomain.com from Let's Encrypt ..
.. request failed : Web-based validation failed : Wildcard hostname *.erp.mydomain.com can only be validated in DNS mode DNS-based validation failed :
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for erp.mydomain.com
dns-01 challenge for erp.mydomain.com
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. erp.mydomain.com (dns-01): urn:ietf:params:acme:error:dns :: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.erp.mydomain.com - check that a DNS record exists for this domain, erp.mydomain.com (dns-01): urn:ietf:params:acme:error:dns :: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.erp.mydomain.com - check that a DNS record exists for this domain
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: erp.mydomain.com
Type: None
Detail: DNS problem: NXDOMAIN looking up TXT for
_acme-challenge.erp.mydomain.com - check that a DNS record exists for
this domain
Domain: erp.mydomain.com
Type: None
Detail: DNS problem: NXDOMAIN looking up TXT for
_acme-challenge.erp.mydomain.com - check that a DNS record exists for
this domain
And when I try to check the Also request wildcard certificate? checkbox on the main domain, I get another type of error which is as follows:
*… request failed : Web-based validation failed : Wildcard hostname .mydomain.com can only be validated in DNS mode DNS-based validation failed :
Requesting a certificate for mydomain.com, *.mydomain.com from Let's Encrypt ..
.. request failed : Web-based validation failed : Wildcard hostname *.mydomain.com can only be validated in DNS mode DNS-based validation failed :
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Renewing an existing certificate
Performing the following challenges:
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.
But how to change the list of domains knowing that the site files are already online and that the only current concern is the inability of these sites to support HTPPS (SSL) ???
For DNS validation to work you should host your DNS. At the moment it’s hosted on ns1.digitalocean.com., ns2.digitalocean.com., ns3.digitalocean.com.. You could create glue records in control panel of your domain registrar to point to ns1.example.tld and ns2.example.tld with your server’s IP.
If this is all hard to do, then you would need to manually add those sub-domain records to your current DNS by creating an A/AAAA record pointing to your server’s IP.
Also, double check that nothing redirects for the validation URL, i.e. manually create http://erp.example.tld/.well-known/acme-challenge/my-file.txt and see if you can open it in a browser.
This has already been configured for a few days in the Domain Name Server configuration space on DigitalOcean.
I created it manually and still it doesn’t show up in the Web Browser. The page returns a 404 error yet I created this “my-file.txt” file after creating a new “.well-known” directory in which I created another “acme-challenge” directory.
The DNS ns1.mydomain.com and ns2.mydomain.com were initially configured. But I changed it since last week to those from DigitalOcean: ns1.digitalocean.com., ns2.digitalocean.com., ns3.digitalocean.com. . So I no longer use the DNS ns1.mydomain.com and ns2.mydomain.com but rather those of DigitalOcean as a replacement.
I don’t understand what you mean because I created the “my-file.txt” file in the .well-known directory and acme-challenge in the “File Manager” of the sub-domain “erp.mydomain.com” but yet it returns a 404 error. So how to fix this so that SSL Certificate support at the subdomain level finally works???
They obviously aren’t hosting their own DNS locally. No point making it even harder to validate.
OP, you have to fix web validation. Don’t bother wasting time on DNS validation, it cannot work if you aren’t hosting DNS on your Virtualmin server. (That’s fine. Web validation is preferred, and what is tried first…but, you’ve got something sucking up requests to .well-known, or your DNS records are pointing to the wrong IP.)
To be clear: Requesting a wildcard definitely won’t work.
What are you asking me very clearly as a solution and in a simple way to solve this because I understand absolutely nothing of what you have just said ???
If not, how to fix the web validation as you say ??? Is this in DigitalOcean space???
Otherwise, when I try to do, nslookup erp.mydomain.com, I see that it returns the IP address 46.101.24.243 which is indeed the IP Address of the main Domain Name: mydomain.com and the DigitalOcean Web Server:
nslookup erp.mydomain.com
Serveur : gpon.net
Address: 192.168.1.1
Réponse ne faisant pas autorité :
Nom : erp.mydomain.com
Address: 46.101.24.243
So, why this problem of SSL support at the level of Sub-domains ???
You have a web application running on that domain. You have configured redirects or proxy rules for that web application. Those redirects or proxy rules are sucking up requests to .well-known path.
That cannot happen if you want Let’s Encrypt to be able to validate your domain. You have to fix that. Add an exclusion for the .well-known path so that it can be served from the filesystem and not by your web app.
Thank you once again for your assistance. But, how do you add an exclusion for the .well-known path so that the SSL Certificate finally works on both the main Domain and its different Subdomains ???
Finally, I deleted the Virtual Servers of each Subdomain to recreate some, and it worked. The SSL Certificate has been taken into account now. Thanks to everyone.