letsencrypt missing some serveraliases for a website and not including them in the SAN

Discussion in 'ISPConfig 3 Priority Support' started by webguyz, Jan 11, 2025 at 5:43 AM.

  1. webguyz

    webguyz Active Member HowtoForge Supporter

    Have a customer who has 20 different aliasdomains for a single website. All add-on domains have entries with www. and just the
    ServerAlias www.acme.com acme.com
    inside the /etc/apache2/sites-available/acme.com.vhost
    So that's actually around 40 different domains that have to get added to the SAN section of the SSL certificate. When I remove LetsEncrypt and re-install it is missing some dns entries for a few of the domains.

    Is there a limit as to how many serveraliases can get added to a letsencrypt SSL cert? Where is the list of all the actual domains that are to be included? Using certbot so I have /root/.acme.sh but I don't see where the list of serveraliases resides.

    This website is a shopping cart type website and they want different domains to redirect to different parts of the store. When you go to a domain that's not included in the cert I get a net::ERR_CERT_COMMON_NAME_INVALID.

    Thanks!
     
  2. webguyz

    webguyz Active Member HowtoForge Supporter

    Checking further it appears Le_Alt = entry in the conf file for the main website name is missing many domain entries and that's the problem. How do extra serveraliases get entered on the line in the .conf file in /root/.acme.sh/xxxxx.com.conf?
     
  3. nhybgtvfr

    nhybgtvfr Well-Known Member HowtoForge Supporter

    letsencrypt can have up to 100 names on the certificate, so your number is not a problem.

    what does this actually mean? that they're not on the certificate? or that A / AAAA records don't exist for them?

    if the latter, that's obviously the problem, if the domain doesn't resolve, how is letsencrypt supposed to validate the domain?
    create the missing dns records and recreate the certificate.

    otherwise, double-check the aliasdomain settings, make sure that 'do not include in letsencrypt certificate' is not checked, and that auto-subdomain is set as appropriate. then double-check the dns resolution for the missing domains, both the domain and www subdomain (if used), and also any specific subdomain used, eg shop.mydomain.tld. also, if you're using a subdomain like that as an aliasdomain, and the auto-subdomain is set to www, it will also be trying to validate the domain www.shop.mydomain.tld
     
    till likes this.
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    Please see Let's Encrypt error FAQ. It lists which prerequisites must be met to get a LE cert and it also explains how to use debug mode to get further details on why some of the domains are not in the LE cert:

    https://forum.howtoforge.com/threads/lets-encrypt-error-faq.74179/

    1) They must point to the server with an A or AAAA Record.
    2) You must add them as subdomain or alias domains to the website and ensure not to exclude them from the LE cert; there is a checkbox for that.
    There is no editing of any config file needed, so please do not mess with the certbot config, it will just make things worse. And do not uninstall or reinstall certbot. Follow the Let's Encrypt error FAQ.
     
  5. remkoh

    remkoh Active Member HowtoForge Supporter

    Or CNAME record
     
    till likes this.
  6. webguyz

    webguyz Active Member HowtoForge Supporter

    Thanks all for the explanations. All DNS A entries are 100 percent. There are aliasdomains for all the extra domains. Once I saw the acme.log error log I realized there were domains not being added to the cert and that led me to the /root/.acme.sh/xxxx.com.conf file and half the domain entries in the Le_Alt = field were missing!
    The question becomes: did something get corrupted so the entries are missing? Do those entries in that field Le_Alt get added and subtracted when aliasdomains are created or deleted? Was going to test adding aliasdomains and then checking that xxxxx.com.conf file and see if they get added to the domain chain. Or does someone know and can tell me whether my theory is correct or not?

    Thanks for all the great support all!!
     
  7. till

    till Super Moderator Staff Member ISPConfig Developer

  8. webguyz

    webguyz Active Member HowtoForge Supporter

    I can ping the missing aliasdomains from both Master as well as the slave server and they resolve to the correct IP. What kind of dns verification does letsencrypt do? For half the aliasdomain entries it says it can't verify but they all have A records, no AAAA, as I don't run IPv6. Do I have to add something?

    13.01.2025-22:49 - WARNING - Could not verify domain xxxxxxxxxxxx, so excluding it from letsencrypt request.
    13.01.2025-22:49 - WARNING - Could not verify domain xxxxxxxxxxxx, so excluding it from letsencrypt request.
    13.01.2025-22:49 - WARNING - Could not verify domain xxxxxxxxxxxx, so excluding it from letsencrypt request.
     
  9. till

    till Super Moderator Staff Member ISPConfig Developer

    This message is from ISPConfig and not Let's Encrypt. ISPConfig tries to reach the domain on HTTP using the exact verification that Let's Encrypt will do, which means it tries to reach a token file in the acme-challenge folder; if it can't, then it gets excluded.

    So either the domains point to a different server or they do not always point to the right server (multiple A records like round-robin records or a split-brain situation in DNS where different DNS servers return different IP addresses) or you closed port 80 or you rewrote URLs manually in a way that prevents requests from reaching the acme challenge folder.

    If you do not want ISPConfig to test the domains, then disable Let's Encrypt check as described in the LE error FAQ. But be aware that your cert will then fail completely for all domains if a single domain is unreachable.
     
  10. webguyz

    webguyz Active Member HowtoForge Supporter

    Till,
    The customer has a redirect.php as the document default. The aliasdomain settings point to the main website with no redirect but then a redirect occurs once it gets to the server via redirect.php
     
  11. webguyz

    webguyz Active Member HowtoForge Supporter

    Another question. If ISPConfig is using HTTP verification should I not have a /.well-known/acme-challenge folder in my main website? I do not have that and checked with ls . to make sure I picked up hidden folders. The logs suggest certbot is using dns for verification. So I'm confused.
     
  12. till

    till Super Moderator Staff Member ISPConfig Developer

    I guess it depends how you set that up exactly. You can test Let's Encrypt verification like this:

    1) Create a test file:

    Code:
    echo "hello acme" > /usr/local/ispconfig/interface/acme/.well-known/acme-challenge/hello.txt
    Now you can test it on the server like this:

    Code:
    curl http://yourdomain.tld/.well-known/acme-challenge/hello.txt
    
    Replace yourdomain.tld with the domain name you want to test, the result should be "hello acme". You can also test this using a web browser. If you would get redirected instead, then you must change that redirect to exclude all requests to URLs that start with /.well-known/acme-challenge/

    Then you must have set up your SSL certs manually, ISPConfig does not support DNS verification.
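    The pre-check that till describes in posts 9 and 12 (DNS must point at this server, then the token file under /.well-known/acme-challenge/ must be reachable over plain HTTP, with any redirect counting as a failure) can be scripted so a whole list of aliasdomains is checked in one go before the certificate is requested. The following is an added example written for this thread, not ISPConfig's, acme.sh's or certbot's own code. It assumes you run it on the web server itself, that you pass the server's own IPv4 address(es), and that a test file such as hello.txt has been placed in the acme-challenge folder as shown above. The names, addresses and canned responses in demo() are constructed so the script also runs offline.

```python
# Added example (not ISPConfig's or acme.sh's own code): a pre-flight check that
# mirrors the verification described in the posts above. For each candidate name
# it checks that an A record exists and points only at this server, then fetches
# a token file under /.well-known/acme-challenge/ over plain HTTP *without*
# following redirects, which is where a catch-all redirect.php breaks HTTP-01.
# All names, IPs and responses inside demo() are constructed fixtures.
import socket
import urllib.error
import urllib.request

CHALLENGE_PATH = "/.well-known/acme-challenge/"


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Turn any 3xx into an HTTPError instead of silently following it."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def resolve_ipv4(domain):
    """Set of IPv4 addresses for domain; empty set if it does not resolve."""
    try:
        infos = socket.getaddrinfo(domain, 80, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}


def fetch_challenge(domain, token, timeout=5):
    """Fetch http://<domain>/.well-known/acme-challenge/<token>.

    Returns (status, body): status is None when port 80 is unreachable,
    body is None unless the response was a 200.
    """
    opener = urllib.request.build_opener(NoRedirect)
    url = f"http://{domain}{CHALLENGE_PATH}{token}"
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", errors="replace")
    except urllib.error.HTTPError as err:  # includes the 3xx we refused to follow
        return err.code, None
    except (urllib.error.URLError, OSError):
        return None, None


def check_domain(domain, server_ips, token, expected,
                 resolver=resolve_ipv4, fetcher=fetch_challenge):
    """Return (ok, reason) for one name: DNS first, then the challenge path."""
    ips = resolver(domain)
    if not ips:
        return False, "no A record"
    strays = ips - set(server_ips)
    if strays:  # round-robin or split-brain DNS: some answers are another host
        return False, f"resolves to {sorted(strays)}, not this server"
    status, body = fetcher(domain, token)
    if status is None:
        return False, "port 80 unreachable"
    if 300 <= status < 400:
        return False, f"HTTP {status} redirect on {CHALLENGE_PATH}"
    if status != 200:
        return False, f"HTTP {status} on {CHALLENGE_PATH}"
    if (body or "").strip() != expected:
        return False, "token served with wrong content"
    return True, "ok"


def precheck(domains, server_ips, token, expected, **kw):
    """Map each name to (ok, reason); the False entries are what would be excluded."""
    return {d: check_domain(d, server_ips, token, expected, **kw) for d in domains}


def demo():
    """Constructed fixture standing in for real DNS and HTTP (no network needed)."""
    server_ips = {"192.0.2.10"}
    dns = {
        "acme.example": {"192.0.2.10"},
        "www.acme.example": {"192.0.2.10"},
        "shop.example": {"192.0.2.10", "198.51.100.7"},  # split-brain answer
        "old.example": set(),                            # no A record at all
        "promo.example": {"192.0.2.10"},
    }
    http = {
        "acme.example": (200, "hello acme\n"),
        "www.acme.example": (302, None),  # redirect.php caught the request
        "promo.example": (None, None),    # port 80 filtered
    }
    return precheck(
        dns, server_ips, "hello.txt", "hello acme",
        resolver=lambda d: dns.get(d, set()),
        fetcher=lambda d, t: http.get(d, (404, None)),
    )


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{'OK  ' if ok else 'SKIP'} {name}: {why}")
```

    Against a live server you would call precheck() with the real aliasdomain list, the server's own addresses and the token file name, leaving the default resolver and fetcher in place; every name that comes back False is one the pre-check would drop from the request, and the reason tells you whether to fix DNS, port 80 or the redirect rule.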
     
  13. webguyz

    webguyz Active Member HowtoForge Supporter

    Ok, I tried the acme.txt test and it worked. But on my server /usr/local/ispconfig/interface/acme/.well-known/acme-challenge folder is empty. Shouldn't the aliasdomains that were verified be in that folder?
     
  14. till

    till Super Moderator Staff Member ISPConfig Developer

    That's correct, it should be empty as the acme client creates a challenge file there and removes it also after a very short time.

    No.
     
  15. webguyz

    webguyz Active Member HowtoForge Supporter

    Got it. Now that I have enough info we can try to fix this mess.
    Thanks all.
     
