Major Cert issue/delete problem
« on: January 09, 2021, 12:18:08 PM »
After deleting a cert from the server, it remained active on the www.  Deleting the cert from the addon domain removed it from the server but all online SSL tests indicated that the cert was active for another 71 days.  That was 12 hours ago.  This morning still listed as active.  But it is absent from the CP.  And a new one throws a DNS error.

I had to restore my entire server from a Linode backup to get my site back.

Bad very bad.
Listen to everything Pixelpadre says.

Re: Major Cert issue/delete problem .1031
« Reply #1 on: January 09, 2021, 02:10:00 PM »
I just tried adding a new addon domain.  Then I tried adding a cert.  Getting the same error ....DNS domain doesn't point to this server.  And of course it does point to my server.
« Last Edit: January 09, 2021, 02:15:30 PM by Namaste »

Re: Major Cert issue/delete problem
« Reply #2 on: January 09, 2021, 05:30:45 PM »
Changed the hostname to the same hostname thinking that might resolve issues.  Now admin GUI has no cert.  What is the problem with certs?

Re: Major Cert issue/delete problem
« Reply #4 on: January 10, 2021, 12:47:33 PM »
Cannot resolve cert problem on my server.  So I spun up another server on Linode (this time with cent7) and tried to generate a cert.  No go.   Same error stating DNS does not point to this server.   The DNS does point to the server.  Is this a LE problem or a CWP problem?  I have lots of certs that are coming up for renewal and it's not going to happen.

I cannot delete the certs either.  When I try to delete one, it disappears from the list of certs but remains active on the web.  PLEASE PLEASE will someone look into this problem.

I suppose there is a small chance that Linode is the problem but I don't think that is possible.

Re: Major Cert issue/delete problem
« Reply #5 on: January 10, 2021, 01:19:49 PM »
OK, some developments.

If I create a new domain and cert at the same time.......cert is generated.  Hurray!

BUT

If I create a domain with no cert and then try to create a cert AutoSSL (FREE), I get the DNS not pointing error.

So, this now is looking like a web panel problem.

Re: Major Cert issue/delete problem
« Reply #6 on: January 10, 2021, 02:01:34 PM »
I just discovered that I have websites that never renewed on Dec 21.   So this problem goes back as far as Dec 21 and most likely even earlier.  This problem exists on all 3 of my servers.

Re: Major Cert issue/delete problem
« Reply #7 on: January 12, 2021, 01:29:39 PM »
So here is the reason why......firewall was enabled with filtering for USA only.  Great, I knew that once before but forgot.

BUT.  There is a hole in the firewall that allows cert creation at the time of domain addon.   BUT that hole is closed in any subsequent attempts to create/renew a cert on an existing domain.

So.......this seems to be a HUGE inconsistency that needs to be explored.  It ought to be one way or the other but not both.  Either no certs possible or both cert creations allowed. 

Just my humble opinion.

Re: Major Cert issue/delete problem
« Reply #8 on: January 12, 2021, 02:49:30 PM »
It's a PITA but Let's Encrypt uses dynamic IP/CDN locations for cert renewal. They even use servers that are notorious for harbouring scammers/hackers/scanners, such as AWS, Digital Ocean, Hetzner and Contabo (to name a few). On some of my VPS, I need to temporarily disable CSF to renew certs. The downside of choosing a free SSL cert provider. :(

Re: Major Cert issue/delete problem
« Reply #9 on: January 12, 2021, 03:59:42 PM »
Quote
It's a PITA but Let's Encrypt uses dynamic IP/CDN locations for cert renewal. They even use servers that are notorious for harbouring scammers/hackers/scanners, such as AWS, Digital Ocean, Hetzner and Contabo (to name a few). On some of my VPS, I need to temporarily disable CSF to renew certs. The downside of choosing a free SSL cert provider. :(

It seems that LE changes their server IPs regularly.  Therefore it cannot be white listed.  As long as anyone has no LE country blocks, the certs will renew or create. 

The thing that I don't get is that if I create a new addon domain I can create a new cert at the same time WITHOUT DISABLING THE FIREWALL.   But if I want to renew I get the DNS does not point error.

We need to investigate this:

Quote
So you have to open your firewall.

But you can restrict the access to the folder /.well-known/acme-challenge/

There your ACME-Client creates a special file which Let's Encrypt loads.

Re: Major Cert issue/delete problem
« Reply #10 on: January 12, 2021, 04:09:14 PM »
Quote
It seems that LE changes their server IPs regularly.
This is the key issue.
If they would publish up-to-date IPs that are used, then it becomes nearly trivial to whitelist them, even if changed regularly.
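
Added example (not part of the original thread, and not CWP or Let's Encrypt code): one way to tell a firewall block apart from a real DNS problem is to check whether the validator's request for the `/.well-known/acme-challenge/` file ever appears in the web server access log. The sketch assumes the Apache/nginx "combined" log format; the log lines, IP addresses and token names (`tokA`, `tokB`) are constructed sample data.

```python
import re
from collections import defaultdict

# Apache/nginx "combined" access log format (assumed for this example).
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)
ACME_PREFIX = "/.well-known/acme-challenge/"
LE_UA_MARKER = "Let's Encrypt validation server"  # sent by the LE validator

# Constructed sample lines: documentation IP ranges, made-up tokens.
SAMPLE_LOG = """\
198.51.100.7 - - [12/Jan/2021:13:01:10 +0000] "GET /.well-known/acme-challenge/tokA HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
203.0.113.40 - - [12/Jan/2021:13:01:11 +0000] "GET /.well-known/acme-challenge/tokA HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
192.0.2.15 - - [12/Jan/2021:13:02:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.99 - - [12/Jan/2021:13:05:42 +0000] "GET /.well-known/acme-challenge/tokB HTTP/1.1" 404 196 "-" "curl/7.61.1"
"""

def acme_hits(log_text):
    """Return {token: [(ip, status, is_le_validator), ...]} for challenge requests."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not m["path"].startswith(ACME_PREFIX):
            continue
        token = m["path"][len(ACME_PREFIX):].split("?", 1)[0]
        hits[token].append((m["ip"], int(m["status"]), LE_UA_MARKER in m["ua"]))
    return dict(hits)

def diagnose(log_text, token):
    """Classify one issuance/renewal attempt by what reached the web server."""
    seen = [h for h in acme_hits(log_text).get(token, []) if h[2]]
    if not seen:
        # Nothing from the validator was logged: the request was dropped
        # before the web server (firewall) or DNS points somewhere else.
        return "no validator request logged: firewall block or DNS elsewhere"
    if all(status == 200 for _, status, _ in seen):
        sources = len({ip for ip, _, _ in seen})
        return "validator fetched the challenge from %d address(es)" % sources
    return "validator reached the server but the challenge file was not served"

if __name__ == "__main__":
    for tok in ("tokA", "tokB"):
        print(tok, "->", diagnose(SAMPLE_LOG, tok))
```

Run it against the real access log for the time window of a failed renewal; if the validator never shows up there while the DNS record is correct, the drop is happening at the firewall rather than in the panel or at Let's Encrypt.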