Cannot generate SSL for domain, no hostnames work.

Trying to add via GUI results in the same error, doesn’t matter if the hostname is just the domain, www, mail or wildcard. Fails every time. Tried via CLI with debug on for more info.

[root@p101 ~]# env DEBUG=1 cpcmd -d site232 letsencrypt:append '*.customerdomain.com'
DEBUG  : SSL challenge attempt: dns (*.customerdomain.com)
DEBUG  : Setting DNS TXT record _acme-challenge.customerdomain.com with value gGJznJ8OunXz0kqVOfn9W0U76CGqSno6IdJGoW3Ee9c
DEBUG  : _acme-challenge.customerdomain.com pdns dirty
DEBUG  : DNS record `_acme-challenge.customerdomain.com' added asynchronously to ns1.lithiumdns.net - got `' want `gGJznJ8OunXz0kqVOfn9W0U76CGqSno6IdJGoW3Ee9c' - wait 1/30
DEBUG  : DNS record `_acme-challenge.customerdomain.com' added asynchronously to ns1.lithiumdns.net - got `' want `gGJznJ8OunXz0kqVOfn9W0U76CGqSno6IdJGoW3Ee9c' - wait 2/30
DEBUG  : DNS record `_acme-challenge.customerdomain.com' added asynchronously to ns1.lithiumdns.net - got `' want `gGJznJ8OunXz0kqVOfn9W0U76CGqSno6IdJGoW3Ee9c' - wait 3/30
DEBUG  : DNS record `_acme-challenge.customerdomain.com' added asynchronously to ns1.lithiumdns.net - got `' want `gGJznJ8OunXz0kqVOfn9W0U76CGqSno6IdJGoW3Ee9c' - wait 4/30
DEBUG  : DNS record `_acme-challenge.customerdomain.com' added asynchronously to ns1.lithiumdns.net - got `' want `gGJznJ8OunXz0kqVOfn9W0U76CGqSno6IdJGoW3Ee9c' - wait 5/30
DEBUG  : DNS record `_acme-challenge.customerdomain.com' added asynchronously to ns1.lithiumdns.net - got `' want `gGJznJ8OunXz0kqVOfn9W0U76CGqSno6IdJGoW3Ee9c' - wait 6/30
DEBUG  : DNS record `_acme-challenge.customerdomain.com' added asynchronously to ns1.lithiumdns.net - got `' want `gGJznJ8OunXz0kqVOfn9W0U76CGqSno6IdJGoW3Ee9c' - wait 7/30
DEBUG  : DNS record `_acme-challenge.customerdomain.com' added asynchronously to ns1.lithiumdns.net - got `' want `gGJznJ8OunXz0kqVOfn9W0U76CGqSno6IdJGoW3Ee9c' - wait 8/30
DEBUG  : DNS record `_acme-challenge.customerdomain.com' added asynchronously to ns1.lithiumdns.net - got `' want `gGJznJ8OunXz0kqVOfn9W0U76CGqSno6IdJGoW3Ee9c' - wait 9/30
DEBUG  : DNS record `_acme-challenge.customerdomain.com' added asynchronously to ns1.lithiumdns.net - got `' want `gGJznJ8OunXz0kqVOfn9W0U76CGqSno6IdJGoW3Ee9c' - wait 10/30
DEBUG  : DNS record `_acme-challenge.customerdomain.com' added asynchronously to ns1.lithiumdns.net - got `' want `gGJznJ8OunXz0kqVOfn9W0U76CGqSno6IdJGoW3Ee9c' - wait 11/30
DEBUG  : DNS record `_acme-challenge.customerdomain.com' added asynchronously to ns1.lithiumdns.net - got `' want `gGJznJ8OunXz0kqVOfn9W0U76CGqSno6IdJGoW3Ee9c' - wait 12/30
DEBUG  : DNS record `_acme-challenge.customerdomain.com' added asynchronously to ns1.lithiumdns.net - got `' want `gGJznJ8OunXz0kqVOfn9W0U76CGqSno6IdJGoW3Ee9c' - wait 13/30
DEBUG  : DNS record `_acme-challenge.customerdomain.com' added asynchronously to ns1.lithiumdns.net - got `' want `gGJznJ8OunXz0kqVOfn9W0U76CGqSno6IdJGoW3Ee9c' - wait 14/30
DEBUG  : DNS record `_acme-challenge.customerdomain.com' added asynchronously to ns1.lithiumdns.net - got `' want `gGJznJ8OunXz0kqVOfn9W0U76CGqSno6IdJGoW3Ee9c' - wait 15/30
DEBUG  : DNS record `_acme-challenge.customerdomain.com' added asynchronously to ns1.lithiumdns.net - got `' want `gGJznJ8OunXz0kqVOfn9W0U76CGqSno6IdJGoW3Ee9c' - wait 16/30
DEBUG  : DNS record `_acme-challenge.customerdomain.com' added asynchronously to ns1.lithiumdns.net - got `' want `gGJznJ8OunXz0kqVOfn9W0U76CGqSno6IdJGoW3Ee9c' - wait 17/30
DEBUG  : DNS record `_acme-challenge.customerdomain.com' added asynchronously to ns1.lithiumdns.net - got `' want `gGJznJ8OunXz0kqVOfn9W0U76CGqSno6IdJGoW3Ee9c' - wait 18/30
DEBUG  : DNS record `_acme-challenge.customerdomain.com' added asynchronously to ns1.lithiumdns.net - got `' want `gGJznJ8OunXz0kqVOfn9W0U76CGqSno6IdJGoW3Ee9c' - wait 19/30
DEBUG  : DNS record `_acme-challenge.customerdomain.com' added asynchronously to ns1.lithiumdns.net - got `' want `gGJznJ8OunXz0kqVOfn9W0U76CGqSno6IdJGoW3Ee9c' - wait 20/30
DEBUG  : DNS record `_acme-challenge.customerdomain.com' added asynchronously to ns1.lithiumdns.net - got `' want `gGJznJ8OunXz0kqVOfn9W0U76CGqSno6IdJGoW3Ee9c' - wait 21/30
DEBUG  : DNS record `_acme-challenge.customerdomain.com' added asynchronously to ns1.lithiumdns.net - got `' want `gGJznJ8OunXz0kqVOfn9W0U76CGqSno6IdJGoW3Ee9c' - wait 22/30
DEBUG  : DNS record `_acme-challenge.customerdomain.com' added asynchronously to ns1.lithiumdns.net - got `' want `gGJznJ8OunXz0kqVOfn9W0U76CGqSno6IdJGoW3Ee9c' - wait 23/30
DEBUG  : DNS record `_acme-challenge.customerdomain.com' added asynchronously to ns1.lithiumdns.net - got `' want `gGJznJ8OunXz0kqVOfn9W0U76CGqSno6IdJGoW3Ee9c' - wait 24/30
DEBUG  : DNS record `_acme-challenge.customerdomain.com' added asynchronously to ns1.lithiumdns.net - got `' want `gGJznJ8OunXz0kqVOfn9W0U76CGqSno6IdJGoW3Ee9c' - wait 25/30
DEBUG  : DNS record `_acme-challenge.customerdomain.com' added asynchronously to ns1.lithiumdns.net - got `' want `gGJznJ8OunXz0kqVOfn9W0U76CGqSno6IdJGoW3Ee9c' - wait 26/30
DEBUG  : DNS record `_acme-challenge.customerdomain.com' added asynchronously to ns1.lithiumdns.net - got `' want `gGJznJ8OunXz0kqVOfn9W0U76CGqSno6IdJGoW3Ee9c' - wait 27/30
DEBUG  : DNS record `_acme-challenge.customerdomain.com' added asynchronously to ns1.lithiumdns.net - got `' want `gGJznJ8OunXz0kqVOfn9W0U76CGqSno6IdJGoW3Ee9c' - wait 28/30
DEBUG  : DNS record `_acme-challenge.customerdomain.com' added asynchronously to ns1.lithiumdns.net - got `' want `gGJznJ8OunXz0kqVOfn9W0U76CGqSno6IdJGoW3Ee9c' - wait 29/30
DEBUG  : DNS record `_acme-challenge.customerdomain.com' added asynchronously to ns1.lithiumdns.net - got `' want `gGJznJ8OunXz0kqVOfn9W0U76CGqSno6IdJGoW3Ee9c' - wait 30/30
DEBUG  : SUCCESS! SSL challenge response: *.customerdomain.com (dns) - VALID
ERROR  : Letsencrypt_Module::request(): Failed to append hostnames. Hostnames missing from new certificate: *.customerdomain.com
         0. Error_Reporter::add_error("Failed to append hostnames. Hostnames missing from new certificate: %s", ["*.customerdomain.com"])
            [/usr/local/apnscp/lib/log_wrapper.php:62]
         1. error("Failed to append hostnames. Hostnames missing from new certificate: %s", "*.customerdomain.com")
            [/usr/local/apnscp/lib/modules/letsencrypt.php:396]
         2. Letsencrypt_Module->request(["*.customerdomain.com"], false)
            [/usr/local/apnscp/lib/modules/letsencrypt.php:505]
         3. Letsencrypt_Module->append([*.customerdomain.com:0])
            [/usr/local/apnscp/lib/Module/Skeleton/Standard.php:145]
         4. Module\Skeleton\Standard->_invoke("append", ["*.customerdomain.com"])
            [/usr/local/apnscp/lib/apnscpfunction.php:992]
         5. apnscpFunctionInterceptor->call("letsencrypt_append", ["*.customerdomain.com"])
            [/usr/local/apnscp/lib/CLI/cmd.php:62]
         6. CLI\__call("letsencrypt_append", ["*.customerdomain.com"])
            [/usr/local/apnscp/lib/CLI/cmd.php:581]
         7. CLI\main()
            [/usr/local/apnscp/bin/cmd:7]
----------------------------------------
MESSAGE SUMMARY
Reporter level: ERROR
ERROR: Letsencrypt_Module::request(): Failed to append hostnames. Hostnames missing from new certificate: *.customerdomain.com
----------------------------------------

Resolved on edge? Let’s Encrypt updated their issuing hierarchy on June 6.

Nope.

[root@p101 ~]# env DEBUG=1 cpcmd -d site232 letsencrypt:append '*.customerdomain.com'
DEBUG  : *.customerdomain.com already resolved by dns
ERROR  : Letsencrypt_Module::request(): Failed to append hostnames. Hostnames missing from new certificate: *.customerdomain.com
         0. Error_Reporter::add_error("Failed to append hostnames. Hostnames missing from new certificate: %s", ["*.customerdomain.com"])
            [/usr/local/apnscp/lib/log_wrapper.php:72]
         1. error("Failed to append hostnames. Hostnames missing from new certificate: %s", "*.customerdomain.com")
            [/usr/local/apnscp/lib/modules/letsencrypt.php:396]
         2. Letsencrypt_Module->request(["*.customerdomain.com"], false)
            [/usr/local/apnscp/lib/modules/letsencrypt.php:505]
         3. Letsencrypt_Module->append([*.customerdomain.com:0])
            [/usr/local/apnscp/lib/Module/Skeleton/Standard.php:145]
         4. Module\Skeleton\Standard->_invoke("append", ["*.customerdomain.com"])
            [/usr/local/apnscp/lib/apnscpfunction.php:992]
         5. apnscpFunctionInterceptor->call("letsencrypt_append", ["*.customerdomain.com"])
            [/usr/local/apnscp/lib/CLI/cmd.php:62]
         6. CLI\__call("letsencrypt_append", ["*.customerdomain.com"])
            [/usr/local/apnscp/lib/CLI/cmd.php:581]
         7. CLI\main()
            [/usr/local/apnscp/bin/cmd:7]
----------------------------------------
MESSAGE SUMMARY
Reporter level: ERROR
ERROR: Letsencrypt_Module::request(): Failed to append hostnames. Hostnames missing from new certificate: *.customerdomain.com
----------------------------------------

That was after migrating to edge-major and doing a full upcp.

Well, that error is misleading. The SSL certificate appears to be installed but I’m not sure how or when since I literally did the edge / upcp and tried to install it.

What’s the authorityKeyIdentifier and issuer.CN value from this?

cpcmd -d siteXX ssl:parse-certificate "$(cpcmd -d siteXX ssl:get-certificate server.crt)"

Edit: if it rejects now, the authority fingerprint is now reported, so that will be sufficient.
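Added example, not part of the thread and not ApisCP code: an independent `openssl` check that reads the issuer CN and authorityKeyIdentifier asked about above and lists requested hostnames that are absent from a certificate's subjectAltName list. The function names and the self-signed sample certificate are constructed for illustration, and the literal SAN comparison is an assumption, not necessarily how the panel decides a hostname is "missing".

```shell
#!/bin/sh
# Added example (not ApisCP code): inspect a PEM certificate with openssl 1.1.1+.

# Issuer common name of the certificate in file $1.
issuer_cn() {
    openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 |
        sed -n 's/^issuer=.*CN=\([^,]*\).*/\1/p'
}

# authorityKeyIdentifier as colon-separated hex; empty if the extension is absent.
authority_key_id() {
    openssl x509 -in "$1" -noout -ext authorityKeyIdentifier 2>/dev/null |
        sed -n '2s/^ *\(keyid:\)\{0,1\}//p'
}

# One subjectAltName DNS entry per line.
san_hosts() {
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null |
        grep -o 'DNS:[^,]*' | sed 's/^DNS://; s/ *$//'
}

# Print every requested hostname ($2...) that is not a literal SAN entry of $1.
missing_hosts() {
    cert=$1; shift
    sans=$(san_hosts "$cert")
    for h in "$@"; do
        printf '%s\n' "$sans" | grep -qxF -- "$h" || printf '%s\n' "$h"
    done
}

# Constructed sample: self-signed certificate whose SAN list lacks the wildcard.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -keyout "$1.key" \
        -subj '/CN=Constructed Test Issuer' -out "$1" \
        -addext 'subjectAltName=DNS:customerdomain.com,DNS:www.customerdomain.com' \
        2>/dev/null
}

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
make_sample_cert "$tmp/server.crt"
echo "issuer.CN:              $(issuer_cn "$tmp/server.crt")"
echo "authorityKeyIdentifier: $(authority_key_id "$tmp/server.crt")"
echo "missing from SAN:       $(missing_hosts "$tmp/server.crt" \
    '*.customerdomain.com' 'www.customerdomain.com')"
```

To check a real certificate, save it as a PEM file and pass that path to the functions in place of the constructed sample.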