LE Can't Add SSL to New Website

Discussion in 'ISPConfig 3 Priority Support' started by yupthatguy, Jul 7, 2021.

  1. yupthatguy

    yupthatguy Member

    Hey Fellas,

    'Tis the day of strange email notifications....

    Seemingly at random LE is refusing to add an SSL to a new website (directory) that I create under Domains (e.g. example.org)
    I checked the boxes for SSL... and it saves. However, I receive an email moments later stating the following:
    Code:
    server1.example.com - 08.07.2021-00:46 - WARNING - R=0 ; C=0 ; /root/.acme.sh/acme.sh --issue  -d example.ORG -w /usr/local/ispconfig/interface/acme --always-force-new-domain-key --keylength 4096; R=$? ; if [[ $R -eq 0 || $R -eq 2 ]] ; then /root/.acme.sh/acme.sh --install-cert  -d example.ORG --key-file '/var/www/clients/client1/web5/ssl/example.ORG-le.key' --fullchain-file '/var/www/clients/client1/web5/ssl/example.ORG-le.crt' --reloadcmd 'systemctl force-reload apache2.service' --log '/var/log/ispconfig/acme.log'; C=$? ; fi ; if [[ $C -eq 0 ]] ; then exit $R ; else exit $C  ; fi
    
    When I click the link next to example.org on the Domains page, it can't reach the directory.
    Oddly, I created multiple other websites at the same time, none of which have this problem.
    Even if I delete and re-create the website under Domains the problem persists.
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    See Let's encrypt FAQ: https://www.howtoforge.com/community/threads/lets-encrypt-error-faq.74179/
    E.g. LE does not create a cert when the LE servers cannot reach all the domains and subdomains included in the SSL cert, or LE does not create a cert if you added DNS records to allow only certain SSL authorities, and so on. That's why there is a FAQ that you can check step by step to see why LE refuses to issue the cert.
     
  3. yupthatguy

    yupthatguy Member

    Thanks for the LE FAQ reminder (now bookmarked).

    In any case, the mystery seems to deepen.

    I can reach http://example.org no problem and see the default ISPC index.html

    I increased the system-log to debug level per LE FAQ instructions and it confirmed my observation that the example.org directory should be available to LE to issue a certificate:
    [screenshot of debug log output]

    So from there, I went to command per LE FAQ instructions and hashed out server.sh via crontab -e and then ran /usr/local/ispconfig/server/server.sh , which output:
    [screenshot of server.sh output]
    and again while trying to create the ssl:

    So, unfortunately, I still don't see the cause of the LE not issuing the certificate... :-/
     
    Last edited: Jul 8, 2021
  4. yupthatguy

    yupthatguy Member

    And yes... I verified the DNS records for example.org are identical to the ones I made for other website domains that have correctly received SSL certs.
     
  5. till

    till Super Moderator Staff Member ISPConfig Developer

    LE can't reach the domain, DNS failure, as mentioned in the debug output. Check the DNS, e.g. at intodns.com. That you can reach the domain does not necessarily mean that the Let's Encrypt servers can reach the domain.
     
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    And check IPv6 records too, if you have some.
     
  7. yupthatguy

    yupthatguy Member

    Using intodns.com to compare example.org with example-two.org (on the same server, created at the same time, and having an SSL)... the results are identical.

    I disabled IPv6 a long, long time ago. :-/
     
  8. till

    till Super Moderator Staff Member ISPConfig Developer

    Which exact errors do you have in the log of the acme.sh client?
     
  9. yupthatguy

    yupthatguy Member

    Here you go:

    Code:
    [Thu 08 Jul 2021 04:24:01 PM CST] _main_domain='example.org'
    [Thu 08 Jul 2021 04:24:01 PM CST] _alt_domains='no'
    [Thu 08 Jul 2021 04:24:01 PM CST] Using config home:/root/.acme.sh
    [Thu 08 Jul 2021 04:24:01 PM CST] default_acme_server='https://acme-v02.api.letsencrypt.org/directory'
    [Thu 08 Jul 2021 04:24:01 PM CST] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
    [Thu 08 Jul 2021 04:24:01 PM CST] DOMAIN_PATH='/root/.acme.sh/example.org'
    [Thu 08 Jul 2021 04:24:01 PM CST] Using ACME_DIRECTORY: https://acme-v02.api.letsencrypt.org/directory
    [Thu 08 Jul 2021 04:24:01 PM CST] _init api for server: https://acme-v02.api.letsencrypt.org/directory
    [Thu 08 Jul 2021 04:24:01 PM CST] GET
    [Thu 08 Jul 2021 04:24:01 PM CST] url='https://acme-v02.api.letsencrypt.org/directory'
    [Thu 08 Jul 2021 04:24:01 PM CST] timeout=
    [Thu 08 Jul 2021 04:24:01 PM CST] _CURL='curl --silent --dump-header /root/.acme.sh/http.header  -L  -g '
    [Thu 08 Jul 2021 04:24:02 PM CST] ret='0'
    [Thu 08 Jul 2021 04:24:02 PM CST] ACME_KEY_CHANGE='https://acme-v02.api.letsencrypt.org/acme/key-change'
    [Thu 08 Jul 2021 04:24:02 PM CST] ACME_NEW_AUTHZ
    [Thu 08 Jul 2021 04:24:02 PM CST] ACME_NEW_ORDER='https://acme-v02.api.letsencrypt.org/acme/new-order'
    [Thu 08 Jul 2021 04:24:02 PM CST] ACME_NEW_ACCOUNT='https://acme-v02.api.letsencrypt.org/acme/new-acct'
    [Thu 08 Jul 2021 04:24:02 PM CST] ACME_REVOKE_CERT='https://acme-v02.api.letsencrypt.org/acme/revoke-cert'
    [Thu 08 Jul 2021 04:24:02 PM CST] ACME_AGREEMENT='https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf'
    [Thu 08 Jul 2021 04:24:02 PM CST] ACME_NEW_NONCE='https://acme-v02.api.letsencrypt.org/acme/new-nonce'
    [Thu 08 Jul 2021 04:24:02 PM CST] Le_NextRenewTime
    [Thu 08 Jul 2021 04:24:02 PM CST] Using CA: https://acme-v02.api.letsencrypt.org/directory
    [Thu 08 Jul 2021 04:24:02 PM CST] _on_before_issue
    [Thu 08 Jul 2021 04:24:02 PM CST] _chk_main_domain='example.org'
    [Thu 08 Jul 2021 04:24:02 PM CST] _chk_alt_domains
    [Thu 08 Jul 2021 04:24:02 PM CST] Le_LocalAddress
    [Thu 08 Jul 2021 04:24:02 PM CST] d='example.org'
    [Thu 08 Jul 2021 04:24:02 PM CST] Check for domain='example.org'
    [Thu 08 Jul 2021 04:24:02 PM CST] _currentRoot='/usr/local/ispconfig/interface/acme'
    [Thu 08 Jul 2021 04:24:02 PM CST] d
    [Thu 08 Jul 2021 04:24:02 PM CST] _saved_account_key_hash is not changed, skip register account.
    [Thu 08 Jul 2021 04:24:02 PM CST] Read key length:4096
    [Thu 08 Jul 2021 04:24:02 PM CST] Creating domain key
    [Thu 08 Jul 2021 04:24:02 PM CST] Using config home:/root/.acme.sh
    [Thu 08 Jul 2021 04:24:02 PM CST] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
    [Thu 08 Jul 2021 04:24:02 PM CST] Use length 4096
    [Thu 08 Jul 2021 04:24:02 PM CST] Using RSA: 4096
    [Thu 08 Jul 2021 04:24:03 PM CST] The domain key is here: /root/.acme.sh/example.org/example.org.key
    [Thu 08 Jul 2021 04:24:03 PM CST] _createcsr
    [Thu 08 Jul 2021 04:24:03 PM CST] Single domain='example.org'
    [Thu 08 Jul 2021 04:24:03 PM CST] Getting domain auth token for each domain
    [Thu 08 Jul 2021 04:24:03 PM CST] d
    [Thu 08 Jul 2021 04:24:03 PM CST] url='https://acme-v02.api.letsencrypt.org/acme/new-order'
    [Thu 08 Jul 2021 04:24:03 PM CST] payload='{"identifiers": [{"type":"dns","value":"example.org"}]}'
    [Thu 08 Jul 2021 04:24:03 PM CST] RSA key
    [Thu 08 Jul 2021 04:24:03 PM CST] HEAD
    [Thu 08 Jul 2021 04:24:03 PM CST] _post_url='https://acme-v02.api.letsencrypt.org/acme/new-nonce'
    [Thu 08 Jul 2021 04:24:03 PM CST] _CURL='curl --silent --dump-header /root/.acme.sh/http.header  -L  -g  -I  '
    [Thu 08 Jul 2021 04:24:04 PM CST] _ret='0'
    [Thu 08 Jul 2021 04:24:04 PM CST] POST
    [Thu 08 Jul 2021 04:24:04 PM CST] _post_url='https://acme-v02.api.letsencrypt.org/acme/new-order'
    [Thu 08 Jul 2021 04:24:04 PM CST] _CURL='curl --silent --dump-header /root/.acme.sh/http.header  -L  -g '
    [Thu 08 Jul 2021 04:24:06 PM CST] _ret='0'
    [Thu 08 Jul 2021 04:24:06 PM CST] code='201'
    [Thu 08 Jul 2021 04:24:06 PM CST] Le_LinkOrder='https://acme-v02.api.letsencrypt.org/acme/order/118686138/10929137129'
    [Thu 08 Jul 2021 04:24:06 PM CST] Le_OrderFinalize='https://acme-v02.api.letsencrypt.org/acme/finalize/118686138/10929137129'
    [Thu 08 Jul 2021 04:24:06 PM CST] url='https://acme-v02.api.letsencrypt.org/acme/authz-v3/14634876659'
    [Thu 08 Jul 2021 04:24:06 PM CST] payload
    [Thu 08 Jul 2021 04:24:07 PM CST] POST
    [Thu 08 Jul 2021 04:24:07 PM CST] _post_url='https://acme-v02.api.letsencrypt.org/acme/authz-v3/14634876659'
    [Thu 08 Jul 2021 04:24:07 PM CST] _CURL='curl --silent --dump-header /root/.acme.sh/http.header  -L  -g '
    [Thu 08 Jul 2021 04:24:07 PM CST] _ret='0'
    [Thu 08 Jul 2021 04:24:07 PM CST] code='200'
    [Thu 08 Jul 2021 04:24:07 PM CST] d='example.org'
    [Thu 08 Jul 2021 04:24:07 PM CST] Getting webroot for domain='example.org'
    [Thu 08 Jul 2021 04:24:07 PM CST] _w='/usr/local/ispconfig/interface/acme'
    [Thu 08 Jul 2021 04:24:07 PM CST] _currentRoot='/usr/local/ispconfig/interface/acme'
    [Thu 08 Jul 2021 04:24:07 PM CST] entry='"type":"http-01","status":"pending","url":"https://acme-v02.api.letsencrypt.org/acme/chall-v3/14634876659/Zm4Dog","token":"-53mmw52RAhx5wvatPwKV6AETk6IMcGv1iGEVqK-kBQ"'
    [Thu 08 Jul 2021 04:24:07 PM CST] token='-53mmw52RAhx5wvatPwKV6AETk6IMcGv1iGEVqK-kBQ'
    [Thu 08 Jul 2021 04:24:07 PM CST] uri='https://acme-v02.api.letsencrypt.org/acme/chall-v3/14634876659/Zm4Dog'
    [Thu 08 Jul 2021 04:24:07 PM CST] keyauthorization='-53mmw52RAhx5wvatPwKV6AETk6IMcGv1iGEVqK-kBQ.NqXOrzim2Kktth33zIFNdBaxOkGmPpR75ySmInHZP9U'
    [Thu 08 Jul 2021 04:24:07 PM CST] dvlist='example.org#-53mmw52RAhx5wvatPwKV6AETk6IMcGv1iGEVqK-kBQ.NqXOrzim2Kktth33zIFNdBaxOkGmPpR75ySmInHZP9U#https://acme-v02.api.letsencrypt.org/acme/chall-v3/14634876659/Zm4Dog#http-01#/usr/local/ispconfig/interface/acme'
    [Thu 08 Jul 2021 04:24:07 PM CST] d
    [Thu 08 Jul 2021 04:24:07 PM CST] vlist='example.org#-53mmw52RAhx5wvatPwKV6AETk6IMcGv1iGEVqK-kBQ.NqXOrzim2Kktth33zIFNdBaxOkGmPpR75ySmInHZP9U#https://acme-v02.api.letsencrypt.org/acme/chall-v3/14634876659/Zm4Dog#http-01#/usr/local/ispconfig/interface/acme,'
    [Thu 08 Jul 2021 04:24:07 PM CST] d='example.org'
    [Thu 08 Jul 2021 04:24:07 PM CST] ok, let's start to verify
    [Thu 08 Jul 2021 04:24:08 PM CST] Verifying: example.org
    [Thu 08 Jul 2021 04:24:08 PM CST] d='example.org'
    [Thu 08 Jul 2021 04:24:08 PM CST] keyauthorization='-53mmw52RAhx5wvatPwKV6AETk6IMcGv1iGEVqK-kBQ.NqXOrzim2Kktth33zIFNdBaxOkGmPpR75ySmInHZP9U'
    [Thu 08 Jul 2021 04:24:08 PM CST] uri='https://acme-v02.api.letsencrypt.org/acme/chall-v3/14634876659/Zm4Dog'
    [Thu 08 Jul 2021 04:24:08 PM CST] _currentRoot='/usr/local/ispconfig/interface/acme'
    [Thu 08 Jul 2021 04:24:08 PM CST] wellknown_path='/usr/local/ispconfig/interface/acme/.well-known/acme-challenge'
    [Thu 08 Jul 2021 04:24:08 PM CST] writing token:-53mmw52RAhx5wvatPwKV6AETk6IMcGv1iGEVqK-kBQ to /usr/local/ispconfig/interface/acme/.well-known/acme-challenge/-53mmw52RAhx5wvatPwKV6AETk6IMcGv1iGEVqK-kBQ
    [Thu 08 Jul 2021 04:24:08 PM CST] Changing owner/group of .well-known to ispconfig:ispconfig
    [Thu 08 Jul 2021 04:24:08 PM CST] url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/14634876659/Zm4Dog'
    [Thu 08 Jul 2021 04:24:08 PM CST] payload='{}'
    [Thu 08 Jul 2021 04:24:08 PM CST] POST
    [Thu 08 Jul 2021 04:24:08 PM CST] _post_url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/14634876659/Zm4Dog'
    [Thu 08 Jul 2021 04:24:08 PM CST] _CURL='curl --silent --dump-header /root/.acme.sh/http.header  -L  -g '
    [Thu 08 Jul 2021 04:24:08 PM CST] _ret='0'
    [Thu 08 Jul 2021 04:24:08 PM CST] code='200'
    [Thu 08 Jul 2021 04:24:08 PM CST] trigger validation code: 200
    [Thu 08 Jul 2021 04:24:08 PM CST] sleep 2 secs to verify
    [Thu 08 Jul 2021 04:24:10 PM CST] checking
    [Thu 08 Jul 2021 04:24:10 PM CST] url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/14634876659/Zm4Dog'
    [Thu 08 Jul 2021 04:24:10 PM CST] payload
    [Thu 08 Jul 2021 04:24:10 PM CST] POST
    [Thu 08 Jul 2021 04:24:10 PM CST] _post_url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/14634876659/Zm4Dog'
    [Thu 08 Jul 2021 04:24:10 PM CST] _CURL='curl --silent --dump-header /root/.acme.sh/http.header  -L  -g '
    [Thu 08 Jul 2021 04:24:11 PM CST] _ret='0'
    [Thu 08 Jul 2021 04:24:11 PM CST] code='200'
    [Thu 08 Jul 2021 04:24:11 PM CST] example.org:Verify error:DNS problem: SERVFAIL looking up A for example.org - the domain's nameservers may be malfunctioning
    [Thu 08 Jul 2021 04:24:11 PM CST] pid
    [Thu 08 Jul 2021 04:24:11 PM CST] No need to restore nginx, skip.
    [Thu 08 Jul 2021 04:24:11 PM CST] _clearupdns
    [Thu 08 Jul 2021 04:24:11 PM CST] dns_entries
    [Thu 08 Jul 2021 04:24:11 PM CST] skip dns.
    [Thu 08 Jul 2021 04:24:11 PM CST] _on_issue_err
    [Thu 08 Jul 2021 04:24:11 PM CST] Please check log file for more details: /var/log/ispconfig/acme.log
    [Thu 08 Jul 2021 04:24:11 PM CST] url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/14634876659/Zm4Dog'
    [Thu 08 Jul 2021 04:24:11 PM CST] payload='{}'
    [Thu 08 Jul 2021 04:24:11 PM CST] POST
    [Thu 08 Jul 2021 04:24:11 PM CST] _post_url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/14634876659/Zm4Dog'
    [Thu 08 Jul 2021 04:24:11 PM CST] _CURL='curl --silent --dump-header /root/.acme.sh/http.header  -L  -g '
    [Thu 08 Jul 2021 04:24:12 PM CST] _ret='0'
    [Thu 08 Jul 2021 04:24:12 PM CST] code='400'
    
    
     
  10. till

    till Super Moderator Staff Member ISPConfig Developer

    Ok, so the error remains that LE says that they can't find the A record of the domain:

    example.org:Verify error: DNS problem: SERVFAIL looking up A for example.org - the domain's nameservers may be malfunctioning.
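    The acme.sh debug log above is long, and till's reading of it comes down to one "Verify error" line. The following script is an added example, not code from the thread or from ISPConfig: it reduces an acme.sh issue run to the webroot used, the challenge object, and the failing layer. The log excerpt is constructed from lines in this thread with a placeholder token, and the mapping of Let's Encrypt error substrings to layers is my own assumption.

```python
import json
import re

# Constructed excerpt shaped like acme.sh --debug output; the token is a placeholder,
# not a real challenge token.
SAMPLE_LOG = """\
[Thu 08 Jul 2021 04:24:07 PM CST] _currentRoot='/usr/local/ispconfig/interface/acme'
[Thu 08 Jul 2021 04:24:07 PM CST] entry='"type":"http-01","status":"pending","url":"https://acme-v02.api.letsencrypt.org/acme/chall-v3/14634876659/Zm4Dog","token":"TOKEN-PLACEHOLDER"'
[Thu 08 Jul 2021 04:24:08 PM CST] wellknown_path='/usr/local/ispconfig/interface/acme/.well-known/acme-challenge'
[Thu 08 Jul 2021 04:24:11 PM CST] example.org:Verify error:DNS problem: SERVFAIL looking up A for example.org - the domain's nameservers may be malfunctioning
[Thu 08 Jul 2021 04:24:12 PM CST] code='400'
"""

# Assumed mapping: substrings of Let's Encrypt validation errors -> layer to check first.
ERROR_LAYERS = [
    ("DNS problem", "dns"),                # public resolvers cannot get an A/AAAA answer
    ("Connection refused", "network"),     # port 80 closed or filtered
    ("Timeout during connect", "network"),
    ("Invalid response from", "webroot"),  # host reached, but wrong content or 404
]

LINE_RE = re.compile(r"^\[[^\]]+\] (?P<msg>.*)$")
VAR_RE = re.compile(r"^(?P<name>\w+)='(?P<value>.*)'$")
VERIFY_RE = re.compile(r"^(?P<domain>[^:\s]+):Verify error:(?P<reason>.*)$")

def triage_acme_log(text):
    """Summarise one acme.sh issue run: webroot used, challenge, error and failing layer."""
    summary = {"domain": None, "webroot": None, "challenge": None, "error": None, "layer": "ok"}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        msg = m.group("msg")
        var = VAR_RE.match(msg)
        if var:
            if var.group("name") == "_currentRoot":
                summary["webroot"] = var.group("value")
            elif var.group("name") == "entry":  # the challenge object, minus its braces
                summary["challenge"] = json.loads("{" + var.group("value") + "}")
            continue
        err = VERIFY_RE.match(msg)
        if err:
            summary["domain"] = err.group("domain")
            summary["error"] = err.group("reason").strip()
            summary["layer"] = next(
                (layer for needle, layer in ERROR_LAYERS if needle in summary["error"]), "unknown")
    return summary
```

Run it on /var/log/ispconfig/acme.log after a failed issue to get the same one-line answer till extracted by hand.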
     
  11. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    The error log in the screenshot you show in message #3 states verify error: DNS Problem. You seem to have tested that DNS works, but it does not.
    Code:
    $ host yourdomain.org NS1.somehostingcompany.COM
    Using domain server:
    Name: NS1.somehostingcompany.COM
    Address: 47.242.166.176#53
    Aliases:
    
    www.yourdomain.org has address 47.242.166.176
    The authoritative name server does answer correctly. Other name servers do not:
    Code:
    $ host www.yourdomain.org 8.8.8.8
    Using domain server:
    Name: 8.8.8.8
    Address: 8.8.8.8#53
    Aliases:
    
    Host www.yourdomain.org not found: 2(SERVFAIL)
    
    See here: https://dnschecker.org/#A/yourdomain.org
    Perhaps this is new entry and has not yet had time to propagate around the world?
     
    Last edited: Jul 8, 2021
  12. yupthatguy

    yupthatguy Member

  13. till

    till Super Moderator Staff Member ISPConfig Developer

    I see there several X in your screenshot where resolving fails.
     
  14. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    That image shows some name servers that do not resolve your domain name. That is precisely the reason you can not get an LE certificate. How can you think
     
  15. yupthatguy

    yupthatguy Member

    My bad... I was running out the door... rushing through things... back for the moment...

    And 'YES' you guys are correct... I compared example.org to example-two.org and it clearly shows a difference in the propagation...

    Unfortunately, this is even more confusing because... I have owned example.org for years.. no clue as to why it hasn't propagated.
     
  16. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    The ns1 and ns2 have the same IP-number. Looks like you have only one name server. This may be a problem if that one name server is not up 100% of the time. Can you not add a second name server?
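    Taleman's two checks in messages #11 and #16 (the authoritative server answers, a public resolver returns SERVFAIL; ns1 and ns2 share one IP) can be scripted. The block below is an added example, not code from the thread or ISPConfig: it wraps the `host` command, compares the authoritative answer with several public resolvers, and flags a single-nameserver setup. The resolver answers, the name ns1.example-ns.test and the address 192.0.2.10 are constructed for the offline demo.

```python
import re
import subprocess

# Constructed `host`-style answers: the authoritative server and one public
# resolver agree, the other returns SERVFAIL (the situation in this thread).
SAMPLE_ANSWERS = {
    "ns1.example-ns.test": "www.example.org has address 192.0.2.10\n",
    "8.8.8.8": "Host www.example.org not found: 2(SERVFAIL)\n",
    "1.1.1.1": "www.example.org has address 192.0.2.10\n",
}

def query_host(name, server):
    """Real lookup: run `host name server` and return its stdout (needs network)."""
    return subprocess.run(["host", name, server], capture_output=True, text=True).stdout

def parse_host_output(text):
    """Reduce `host` output to ('ok', [addresses]) or ('error', 'SERVFAIL'|'NXDOMAIN'|...)."""
    addrs = re.findall(r" has (?:IPv6 )?address (\S+)", text)
    if addrs:
        return "ok", sorted(addrs)
    m = re.search(r"not found: \d+\((\w+)\)", text)
    return "error", (m.group(1) if m else "NOANSWER")

def check_resolvers(name, authoritative, resolvers, query=query_host):
    """Ask the authoritative server and each public resolver; list resolvers that disagree.

    A CA validates from the public Internet, so a resolver that SERVFAILs here is
    the 'DNS problem' Let's Encrypt reports, even when the name resolves fine
    from the web server itself.
    """
    expected = parse_host_output(query(name, authoritative))
    report = {"authoritative": expected, "resolvers": {}, "disagreeing": []}
    for server in resolvers:
        got = parse_host_output(query(name, server))
        report["resolvers"][server] = got
        if got != expected:
            report["disagreeing"].append(server)
    return report

def single_nameserver(ns_addresses):
    """True when every NS name points at one IP: two names, one server, no redundancy."""
    return len(set(ns_addresses.values())) < 2

if __name__ == "__main__":  # offline demo using the constructed answers
    print(check_resolvers("www.example.org", "ns1.example-ns.test",
                          ["8.8.8.8", "1.1.1.1"], query=lambda n, s: SAMPLE_ANSWERS[s]))
    print(single_nameserver({"ns1.example.org": "192.0.2.10", "ns2.example.org": "192.0.2.10"}))
```

Drop the `query=` argument to run the same comparison live against your own zone and the resolvers Let's Encrypt is likely to hit.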
     
  17. yupthatguy

    yupthatguy Member

    A second nameserver is on my to-do list, for after the server begins earning a revenue to support itself. If necessary, I can eat the cost earlier. However, isn't this a problem that hosting provider and/or domain registrar should be able to troubleshoot?
     
  18. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    They should be able to troubleshoot. What I have checked seems all OK, except the only one name server thing.
    I assume the name server host is under your control? Monitor the name server log there, does it receive the queries and does it answer always.
     
  19. yupthatguy

    yupthatguy Member

    Yup, under my control...
    Noob question... which log is the nameserver log? I am on the Monitor page, but don't see a specific nameserver log.
     
  20. till

    till Super Moderator Staff Member ISPConfig Developer

    BIND is logging to syslog.
     