Cannot generate SSL for domain, no hostnames work.

Troy · June 12, 2024, 12:28pm

Trying to add via GUI results in the same error, doesn’t matter if the hostname is just the domain, www, mail or wildcard. Fails every time. Tried via CLI with debug on for more info.

[root@p101 ~]# env DEBUG=1 cpcmd -d site232 letsencrypt:append '*.customerdomain.com'
DEBUG  : SSL challenge attempt: dns (*.customerdomain.com)
DEBUG  : Setting DNS TXT record _acme-challenge.customerdomain.com with value gGJznJ8OunXz0kqVOfn9W0U76CGqSno6IdJGoW3Ee9c
DEBUG  : _acme-challenge.customerdomain.com pdns dirty
DEBUG  : DNS record `_acme-challenge.customerdomain.com' added asynchronously to ns1.lithiumdns.net - got `' want `gGJznJ8OunXz0kqVOfn9W0U76CGqSno6IdJGoW3Ee9c' - wait 1/30
DEBUG  : DNS record `_acme-challenge.customerdomain.com' added asynchronously to ns1.lithiumdns.net - got `' want `gGJznJ8OunXz0kqVOfn9W0U76CGqSno6IdJGoW3Ee9c' - wait 2/30
DEBUG  : DNS record `_acme-challenge.customerdomain.com' added asynchronously to ns1.lithiumdns.net - got `' want `gGJznJ8OunXz0kqVOfn9W0U76CGqSno6IdJGoW3Ee9c' - wait 3/30
DEBUG  : DNS record `_acme-challenge.customerdomain.com' added asynchronously to ns1.lithiumdns.net - got `' want `gGJznJ8OunXz0kqVOfn9W0U76CGqSno6IdJGoW3Ee9c' - wait 4/30
DEBUG  : DNS record `_acme-challenge.customerdomain.com' added asynchronously to ns1.lithiumdns.net - got `' want `gGJznJ8OunXz0kqVOfn9W0U76CGqSno6IdJGoW3Ee9c' - wait 5/30
DEBUG  : DNS record `_acme-challenge.customerdomain.com' added asynchronously to ns1.lithiumdns.net - got `' want `gGJznJ8OunXz0kqVOfn9W0U76CGqSno6IdJGoW3Ee9c' - wait 6/30
DEBUG  : DNS record `_acme-challenge.customerdomain.com' added asynchronously to ns1.lithiumdns.net - got `' want `gGJznJ8OunXz0kqVOfn9W0U76CGqSno6IdJGoW3Ee9c' - wait 7/30
DEBUG  : DNS record `_acme-challenge.customerdomain.com' added asynchronously to ns1.lithiumdns.net - got `' want `gGJznJ8OunXz0kqVOfn9W0U76CGqSno6IdJGoW3Ee9c' - wait 8/30
DEBUG  : DNS record `_acme-challenge.customerdomain.com' added asynchronously to ns1.lithiumdns.net - got `' want `gGJznJ8OunXz0kqVOfn9W0U76CGqSno6IdJGoW3Ee9c' - wait 9/30
DEBUG  : DNS record `_acme-challenge.customerdomain.com' added asynchronously to ns1.lithiumdns.net - got `' want `gGJznJ8OunXz0kqVOfn9W0U76CGqSno6IdJGoW3Ee9c' - wait 10/30
DEBUG  : DNS record `_acme-challenge.customerdomain.com' added asynchronously to ns1.lithiumdns.net - got `' want `gGJznJ8OunXz0kqVOfn9W0U76CGqSno6IdJGoW3Ee9c' - wait 11/30
DEBUG  : DNS record `_acme-challenge.customerdomain.com' added asynchronously to ns1.lithiumdns.net - got `' want `gGJznJ8OunXz0kqVOfn9W0U76CGqSno6IdJGoW3Ee9c' - wait 12/30
DEBUG  : DNS record `_acme-challenge.customerdomain.com' added asynchronously to ns1.lithiumdns.net - got `' want `gGJznJ8OunXz0kqVOfn9W0U76CGqSno6IdJGoW3Ee9c' - wait 13/30
DEBUG  : DNS record `_acme-challenge.customerdomain.com' added asynchronously to ns1.lithiumdns.net - got `' want `gGJznJ8OunXz0kqVOfn9W0U76CGqSno6IdJGoW3Ee9c' - wait 14/30
DEBUG  : DNS record `_acme-challenge.customerdomain.com' added asynchronously to ns1.lithiumdns.net - got `' want `gGJznJ8OunXz0kqVOfn9W0U76CGqSno6IdJGoW3Ee9c' - wait 15/30
DEBUG  : DNS record `_acme-challenge.customerdomain.com' added asynchronously to ns1.lithiumdns.net - got `' want `gGJznJ8OunXz0kqVOfn9W0U76CGqSno6IdJGoW3Ee9c' - wait 16/30
DEBUG  : DNS record `_acme-challenge.customerdomain.com' added asynchronously to ns1.lithiumdns.net - got `' want `gGJznJ8OunXz0kqVOfn9W0U76CGqSno6IdJGoW3Ee9c' - wait 17/30
DEBUG  : DNS record `_acme-challenge.customerdomain.com' added asynchronously to ns1.lithiumdns.net - got `' want `gGJznJ8OunXz0kqVOfn9W0U76CGqSno6IdJGoW3Ee9c' - wait 18/30
DEBUG  : DNS record `_acme-challenge.customerdomain.com' added asynchronously to ns1.lithiumdns.net - got `' want `gGJznJ8OunXz0kqVOfn9W0U76CGqSno6IdJGoW3Ee9c' - wait 19/30
DEBUG  : DNS record `_acme-challenge.customerdomain.com' added asynchronously to ns1.lithiumdns.net - got `' want `gGJznJ8OunXz0kqVOfn9W0U76CGqSno6IdJGoW3Ee9c' - wait 20/30
DEBUG  : DNS record `_acme-challenge.customerdomain.com' added asynchronously to ns1.lithiumdns.net - got `' want `gGJznJ8OunXz0kqVOfn9W0U76CGqSno6IdJGoW3Ee9c' - wait 21/30
DEBUG  : DNS record `_acme-challenge.customerdomain.com' added asynchronously to ns1.lithiumdns.net - got `' want `gGJznJ8OunXz0kqVOfn9W0U76CGqSno6IdJGoW3Ee9c' - wait 22/30
DEBUG  : DNS record `_acme-challenge.customerdomain.com' added asynchronously to ns1.lithiumdns.net - got `' want `gGJznJ8OunXz0kqVOfn9W0U76CGqSno6IdJGoW3Ee9c' - wait 23/30
DEBUG  : DNS record `_acme-challenge.customerdomain.com' added asynchronously to ns1.lithiumdns.net - got `' want `gGJznJ8OunXz0kqVOfn9W0U76CGqSno6IdJGoW3Ee9c' - wait 24/30
DEBUG  : DNS record `_acme-challenge.customerdomain.com' added asynchronously to ns1.lithiumdns.net - got `' want `gGJznJ8OunXz0kqVOfn9W0U76CGqSno6IdJGoW3Ee9c' - wait 25/30
DEBUG  : DNS record `_acme-challenge.customerdomain.com' added asynchronously to ns1.lithiumdns.net - got `' want `gGJznJ8OunXz0kqVOfn9W0U76CGqSno6IdJGoW3Ee9c' - wait 26/30
DEBUG  : DNS record `_acme-challenge.customerdomain.com' added asynchronously to ns1.lithiumdns.net - got `' want `gGJznJ8OunXz0kqVOfn9W0U76CGqSno6IdJGoW3Ee9c' - wait 27/30
DEBUG  : DNS record `_acme-challenge.customerdomain.com' added asynchronously to ns1.lithiumdns.net - got `' want `gGJznJ8OunXz0kqVOfn9W0U76CGqSno6IdJGoW3Ee9c' - wait 28/30
DEBUG  : DNS record `_acme-challenge.customerdomain.com' added asynchronously to ns1.lithiumdns.net - got `' want `gGJznJ8OunXz0kqVOfn9W0U76CGqSno6IdJGoW3Ee9c' - wait 29/30
DEBUG  : DNS record `_acme-challenge.customerdomain.com' added asynchronously to ns1.lithiumdns.net - got `' want `gGJznJ8OunXz0kqVOfn9W0U76CGqSno6IdJGoW3Ee9c' - wait 30/30
DEBUG  : SUCCESS! SSL challenge response: *.customerdomain.com (dns) - VALID
ERROR  : Letsencrypt_Module::request(): Failed to append hostnames. Hostnames missing from new certificate: *.customerdomain.com
         0. Error_Reporter::add_error("Failed to append hostnames. Hostnames missing from new certificate: %s", ["*.customerdomain.com"])
            [/usr/local/apnscp/lib/log_wrapper.php:62]
         1. error("Failed to append hostnames. Hostnames missing from new certificate: %s", "*.customerdomain.com")
            [/usr/local/apnscp/lib/modules/letsencrypt.php:396]
         2. Letsencrypt_Module->request(["*.customerdomain.com"], false)
            [/usr/local/apnscp/lib/modules/letsencrypt.php:505]
         3. Letsencrypt_Module->append([*.customerdomain.com:0])
            [/usr/local/apnscp/lib/Module/Skeleton/Standard.php:145]
         4. Module\Skeleton\Standard->_invoke("append", ["*.customerdomain.com"])
            [/usr/local/apnscp/lib/apnscpfunction.php:992]
         5. apnscpFunctionInterceptor->call("letsencrypt_append", ["*.customerdomain.com"])
            [/usr/local/apnscp/lib/CLI/cmd.php:62]
         6. CLI\__call("letsencrypt_append", ["*.customerdomain.com"])
            [/usr/local/apnscp/lib/CLI/cmd.php:581]
         7. CLI\main()
            [/usr/local/apnscp/bin/cmd:7]
----------------------------------------
MESSAGE SUMMARY
Reporter level: ERROR
ERROR: Letsencrypt_Module::request(): Failed to append hostnames. Hostnames missing from new certificate: *.customerdomain.com
----------------------------------------

msaladna · June 12, 2024, 4:51pm

Resolved on edge? Let’s Encrypt updated their issuing hierarchy on June 6.

Troy · June 12, 2024, 5:01pm

Nope.

[root@p101 ~]# env DEBUG=1 cpcmd -d site232 letsencrypt:append '*.customerdomain.com'
DEBUG  : *.customerdomain.com already resolved by dns
ERROR  : Letsencrypt_Module::request(): Failed to append hostnames. Hostnames missing from new certificate: *.customerdomain.com
         0. Error_Reporter::add_error("Failed to append hostnames. Hostnames missing from new certificate: %s", ["*.customerdomain.com"])
            [/usr/local/apnscp/lib/log_wrapper.php:72]
         1. error("Failed to append hostnames. Hostnames missing from new certificate: %s", "*.customerdomain.com")
            [/usr/local/apnscp/lib/modules/letsencrypt.php:396]
         2. Letsencrypt_Module->request(["*.customerdomain.com"], false)
            [/usr/local/apnscp/lib/modules/letsencrypt.php:505]
         3. Letsencrypt_Module->append([*.customerdomain.com:0])
            [/usr/local/apnscp/lib/Module/Skeleton/Standard.php:145]
         4. Module\Skeleton\Standard->_invoke("append", ["*.customerdomain.com"])
            [/usr/local/apnscp/lib/apnscpfunction.php:992]
         5. apnscpFunctionInterceptor->call("letsencrypt_append", ["*.customerdomain.com"])
            [/usr/local/apnscp/lib/CLI/cmd.php:62]
         6. CLI\__call("letsencrypt_append", ["*.customerdomain.com"])
            [/usr/local/apnscp/lib/CLI/cmd.php:581]
         7. CLI\main()
            [/usr/local/apnscp/bin/cmd:7]
----------------------------------------
MESSAGE SUMMARY
Reporter level: ERROR
ERROR: Letsencrypt_Module::request(): Failed to append hostnames. Hostnames missing from new certificate: *.customerdomain.com
----------------------------------------

Troy · June 12, 2024, 5:01pm

That was after migrating to edge-major and doing a full upcp.

Troy · June 12, 2024, 5:04pm

Well, that error is misleading. The SSL certificate appears to be installed but I’m not sure how or when since I literally did the edge / upcp and tried to install it.

msaladna · June 12, 2024, 5:04pm

What’s the authorityKeyIdentifier and issuer.CN value from this?

cpcmd -d siteXX ssl:parse-certificate "$(cpcmd -d siteXX ssl:get-certificate server.crt)"

Edit: if it rejects now, the authority fingerprint is now reported, so that will be sufficient.

Troy · July 29, 2024, 11:54pm

Happening again, different account and server.

[root@p108 ~]# env DEBUG=1 cpcmd -d site151 letsencrypt:append '*.customerdomain.com.com'
DEBUG  : SSL challenge attempt: dns (*.customerdomain.com.com)
DEBUG  : Setting DNS TXT record _acme-challenge.customerdomain.com.com with value XsaKIL0wvO7iRzQNhx-tE7QWfzf1ZktsfXtEYeQjJyI
DEBUG  : _acme-challenge.customerdomain.com.com pdns dirty
DEBUG  : DNS record `_acme-challenge.customerdomain.com.com' added asynchronously to ns2.lithiumdns.net - got `' want `XsaKIL0wvO7iRzQNhx-tE7QWfzf1ZktsfXtEYeQjJyI' - wait 1/30
DEBUG  : DNS record `_acme-challenge.customerdomain.com.com' added asynchronously to ns2.lithiumdns.net - got `' want `XsaKIL0wvO7iRzQNhx-tE7QWfzf1ZktsfXtEYeQjJyI' - wait 2/30
DEBUG  : DNS record `_acme-challenge.customerdomain.com.com' added asynchronously to ns2.lithiumdns.net - got `' want `XsaKIL0wvO7iRzQNhx-tE7QWfzf1ZktsfXtEYeQjJyI' - wait 3/30
DEBUG  : DNS record `_acme-challenge.customerdomain.com.com' added asynchronously to ns2.lithiumdns.net - got `' want `XsaKIL0wvO7iRzQNhx-tE7QWfzf1ZktsfXtEYeQjJyI' - wait 4/30
DEBUG  : DNS record `_acme-challenge.customerdomain.com.com' added asynchronously to ns2.lithiumdns.net - got `' want `XsaKIL0wvO7iRzQNhx-tE7QWfzf1ZktsfXtEYeQjJyI' - wait 5/30
DEBUG  : DNS record `_acme-challenge.customerdomain.com.com' added asynchronously to ns2.lithiumdns.net - got `' want `XsaKIL0wvO7iRzQNhx-tE7QWfzf1ZktsfXtEYeQjJyI' - wait 6/30
DEBUG  : DNS record `_acme-challenge.customerdomain.com.com' added asynchronously to ns2.lithiumdns.net - got `' want `XsaKIL0wvO7iRzQNhx-tE7QWfzf1ZktsfXtEYeQjJyI' - wait 7/30
DEBUG  : DNS record `_acme-challenge.customerdomain.com.com' added asynchronously to ns2.lithiumdns.net - got `' want `XsaKIL0wvO7iRzQNhx-tE7QWfzf1ZktsfXtEYeQjJyI' - wait 8/30
DEBUG  : DNS record `_acme-challenge.customerdomain.com.com' added asynchronously to ns2.lithiumdns.net - got `' want `XsaKIL0wvO7iRzQNhx-tE7QWfzf1ZktsfXtEYeQjJyI' - wait 9/30
DEBUG  : DNS record `_acme-challenge.customerdomain.com.com' added asynchronously to ns2.lithiumdns.net - got `' want `XsaKIL0wvO7iRzQNhx-tE7QWfzf1ZktsfXtEYeQjJyI' - wait 10/30
DEBUG  : DNS record `_acme-challenge.customerdomain.com.com' added asynchronously to ns2.lithiumdns.net - got `' want `XsaKIL0wvO7iRzQNhx-tE7QWfzf1ZktsfXtEYeQjJyI' - wait 11/30
DEBUG  : DNS record `_acme-challenge.customerdomain.com.com' added asynchronously to ns2.lithiumdns.net - got `' want `XsaKIL0wvO7iRzQNhx-tE7QWfzf1ZktsfXtEYeQjJyI' - wait 12/30
DEBUG  : DNS record `_acme-challenge.customerdomain.com.com' added asynchronously to ns2.lithiumdns.net - got `' want `XsaKIL0wvO7iRzQNhx-tE7QWfzf1ZktsfXtEYeQjJyI' - wait 13/30
DEBUG  : DNS record `_acme-challenge.customerdomain.com.com' added asynchronously to ns2.lithiumdns.net - got `' want `XsaKIL0wvO7iRzQNhx-tE7QWfzf1ZktsfXtEYeQjJyI' - wait 14/30
DEBUG  : DNS record `_acme-challenge.customerdomain.com.com' added asynchronously to ns2.lithiumdns.net - got `' want `XsaKIL0wvO7iRzQNhx-tE7QWfzf1ZktsfXtEYeQjJyI' - wait 15/30
DEBUG  : DNS record `_acme-challenge.customerdomain.com.com' added asynchronously to ns2.lithiumdns.net - got `' want `XsaKIL0wvO7iRzQNhx-tE7QWfzf1ZktsfXtEYeQjJyI' - wait 16/30
DEBUG  : DNS record `_acme-challenge.customerdomain.com.com' added asynchronously to ns2.lithiumdns.net - got `' want `XsaKIL0wvO7iRzQNhx-tE7QWfzf1ZktsfXtEYeQjJyI' - wait 17/30
DEBUG  : DNS record `_acme-challenge.customerdomain.com.com' added asynchronously to ns2.lithiumdns.net - got `' want `XsaKIL0wvO7iRzQNhx-tE7QWfzf1ZktsfXtEYeQjJyI' - wait 18/30
DEBUG  : DNS record `_acme-challenge.customerdomain.com.com' added asynchronously to ns2.lithiumdns.net - got `' want `XsaKIL0wvO7iRzQNhx-tE7QWfzf1ZktsfXtEYeQjJyI' - wait 19/30
DEBUG  : DNS record `_acme-challenge.customerdomain.com.com' added asynchronously to ns2.lithiumdns.net - got `' want `XsaKIL0wvO7iRzQNhx-tE7QWfzf1ZktsfXtEYeQjJyI' - wait 20/30
DEBUG  : DNS record `_acme-challenge.customerdomain.com.com' added asynchronously to ns2.lithiumdns.net - got `' want `XsaKIL0wvO7iRzQNhx-tE7QWfzf1ZktsfXtEYeQjJyI' - wait 21/30
DEBUG  : DNS record `_acme-challenge.customerdomain.com.com' added asynchronously to ns2.lithiumdns.net - got `' want `XsaKIL0wvO7iRzQNhx-tE7QWfzf1ZktsfXtEYeQjJyI' - wait 22/30
^[[1;2RDEBUG  : DNS record `_acme-challenge.customerdomain.com.com' added asynchronously to ns2.lithiumdns.net - got `' want `XsaKIL0wvO7iRzQNhx-tE7QWfzf1ZktsfXtEYeQjJyI' - wait 23/30
DEBUG  : DNS record `_acme-challenge.customerdomain.com.com' added asynchronously to ns2.lithiumdns.net - got `' want `XsaKIL0wvO7iRzQNhx-tE7QWfzf1ZktsfXtEYeQjJyI' - wait 24/30
DEBUG  : DNS record `_acme-challenge.customerdomain.com.com' added asynchronously to ns2.lithiumdns.net - got `' want `XsaKIL0wvO7iRzQNhx-tE7QWfzf1ZktsfXtEYeQjJyI' - wait 25/30
DEBUG  : DNS record `_acme-challenge.customerdomain.com.com' added asynchronously to ns2.lithiumdns.net - got `' want `XsaKIL0wvO7iRzQNhx-tE7QWfzf1ZktsfXtEYeQjJyI' - wait 26/30
DEBUG  : DNS record `_acme-challenge.customerdomain.com.com' added asynchronously to ns2.lithiumdns.net - got `' want `XsaKIL0wvO7iRzQNhx-tE7QWfzf1ZktsfXtEYeQjJyI' - wait 27/30
DEBUG  : DNS record `_acme-challenge.customerdomain.com.com' added asynchronously to ns2.lithiumdns.net - got `' want `XsaKIL0wvO7iRzQNhx-tE7QWfzf1ZktsfXtEYeQjJyI' - wait 28/30
DEBUG  : DNS record `_acme-challenge.customerdomain.com.com' added asynchronously to ns2.lithiumdns.net - got `' want `XsaKIL0wvO7iRzQNhx-tE7QWfzf1ZktsfXtEYeQjJyI' - wait 29/30
DEBUG  : DNS record `_acme-challenge.customerdomain.com.com' added asynchronously to ns2.lithiumdns.net - got `' want `XsaKIL0wvO7iRzQNhx-tE7QWfzf1ZktsfXtEYeQjJyI' - wait 30/30
WARNING: Opcenter\Crypto\Letsencrypt\AcmeDispatcher::solve(): dns challenge failed: Challenge failed (response: {"type":"dns-01","url":"https:\/\/acme-v02.api.letsencrypt.org\/acme\/chall-v3\/383574585017\/rS233Q","status":"invalid","validated":"2024-07-29T23:49:56Z","error":{"type":"urn:ietf:params:acme:error:dns","detail":"DNS problem: NXDOMAIN looking up TXT for _acme-challenge.customerdomain.com.com - check that a DNS record exists for this domain","status":400},"token":"DYx2F61VbZEBUL8c4MzdfY_tBSYuLHzXPq2iKe_sBCY"}).
ERROR  : Letsencrypt_Module::request(): Opcenter\Crypto\Letsencrypt\AcmeDispatcher::solve(): dns challenge failed: Challenge failed (response: {"type":"dns-01","url":"https:\/\/acme-v02.api.letsencrypt.org\/acme\/chall-v3\/383574585017\/rS233Q","status":"invalid","validated":"2024-07-29T23:49:56Z","error":{"type":"urn:ietf:params:acme:error:dns","detail":"DNS problem: NXDOMAIN looking up TXT for _acme-challenge.customerdomain.com.com - check that a DNS record exists for this domain","status":400},"token":"DYx2F61VbZEBUL8c4MzdfY_tBSYuLHzXPq2iKe_sBCY"}).
         0. Error_Reporter::add_error("Opcenter\Crypto\Letsencrypt\AcmeDispatcher::solve(): dns challenge failed: Challenge failed (response: {"type":"dns-01","url":"https:\/\/acme-v02.api.letsencrypt.org\/acme\/chall-v3\/383574585017\/rS233Q","status":"invalid","validated":"2024-07-29T23:49:56Z","error":{"type":"urn:ietf:params:acme:error:dns","detail":"DNS problem: NXDOMAIN looking up TXT for _acme-challenge.customerdomain.com.com - check that a DNS record exists for this domain","status":400},"token":"DYx2F61VbZEBUL8c4MzdfY_tBSYuLHzXPq2iKe_sBCY"}).")
            [/usr/local/apnscp/lib/Module/Support/Letsencrypt.php:267]
         1. Module\Support\Letsencrypt->requestReal(["*.customerdomain.com.com"], "site151", true)
            [/usr/local/apnscp/lib/modules/letsencrypt.php:390]
         2. Letsencrypt_Module->request(["*.customerdomain.com.com"], true)
            [/usr/local/apnscp/lib/modules/letsencrypt.php:505]
         3. Letsencrypt_Module->append([*.customerdomain.com.com:0])
            [/usr/local/apnscp/lib/Module/Skeleton/Standard.php:145]
         4. Module\Skeleton\Standard->_invoke("append", ["*.customerdomain.com.com"])
            [/usr/local/apnscp/lib/apnscpfunction.php:992]
         5. apnscpFunctionInterceptor->call("letsencrypt_append", ["*.customerdomain.com.com"])
            [/usr/local/apnscp/lib/CLI/cmd.php:62]
         6. CLI\__call("letsencrypt_append", ["*.customerdomain.com.com"])
            [/usr/local/apnscp/lib/CLI/cmd.php:581]
         7. CLI\main()
            [/usr/local/apnscp/bin/cmd:7]
----------------------------------------
MESSAGE SUMMARY
Reporter level: ERROR
ERROR: Letsencrypt_Module::request(): Opcenter\Crypto\Letsencrypt\AcmeDispatcher::solve(): dns challenge failed: Challenge failed (response: {"type":"dns-01","url":"https:\/\/acme-v02.api.letsencrypt.org\/acme\/chall-v3\/383574585017\/rS233Q","status":"invalid","validated":"2024-07-29T23:49:56Z","error":{"type":"urn:ietf:params:acme:error:dns","detail":"DNS problem: NXDOMAIN looking up TXT for _acme-challenge.customerdomain.com.com - check that a DNS record exists for this domain","status":400},"token":"XXX"}).
----------------------------------------

[root@p108 ~]# cpcmd -d site151 ssl:parse-certificate "$(cpcmd -d site151 ssl:get-certificate server.crt)"
ERROR  : DataStream::pipeline(): Ssl_Module::get_certificate(): certificate `server.crt' does not exist
         0. Error_Reporter::merge_buffer([[message:"Ssl_Module::get_certificate(): certificate `server.crt' does not exist", severity:16, caller:"Ssl_Module::get_certificate", bt:"         0B. Error_Reporter::add_error("certificate `%s' does not exist", ["server.crt"])            [/usr/local/apnscp/lib/log_wrapper.php:72]         1B. error("certificate `%s' does not exist", "server.crt")            [/usr/local/apnscp/lib/modules/ssl.php:680]         2B. Ssl_Module->get_certificate("server.crt")            [/usr/local/apnscp/lib/Module/Skeleton/Standard.php:145]         3B. Module\Skeleton\Standard->_invoke("get_certificate", ["server.crt"])            [/usr/local/apnscp/lib/apnscpfunction.php:992]         4B. apnscpFunctionInterceptor->call("ssl_get_certificate", ["server.crt"])            [/usr/local/apnscp/lib/lservicelib8.pht:1184]         5B. ListenerService\Daemon->process_backend_data(<binary>)            [/usr/local/apnscp/lib/lservicelib8.pht:1101]         6B. ListenerService\Daemon->client_processing_loop()            [/usr/local/apnscp/lib/lservicelib8.pht:1057]         7B. ListenerService\Daemon->spawn()            [/usr/local/apnscp/lib/lservicelib8.pht:865]         8B. ListenerService\Daemon->findWorker(0)            [/usr/local/apnscp/lib/lservicelib8.pht:1410]         9B. ListenerService\Daemon->dispatch(Socket)            [/usr/local/apnscp/lib/lservicelib8.pht:1282]        10B. ListenerService\Daemon->master()            [/usr/local/apnscp/lib/lservicelib8.pht:1230]        11B. ListenerService\Daemon->create_master_socket_server()            [/usr/local/apnscp/lib/lservicelib8.pht:293]        12B. ListenerService\Daemon->start()            [/usr/local/apnscp/lib/lservicelib8.pht:171]        13B. ListenerService\Daemon->__construct()            [/usr/local/apnscp/lib/lservicelib8.pht:1463]        14B. ListenerService\Daemon::init()            [/usr/local/apnscp/lib/lservice.php:28]"]])
            [/usr/local/apnscp/lib/datastream.php:312]
         1. DataStream->unpack("EO:12:"apnscpObject":8:{s:7:"command";s:19:"ssl_get_certificate";s:4:"args";a:1:{i:0;s:10:"server.crt";}s:5:"error";b:0;s:10:"session_id";s:32:"XXX";s:13:"returned_data";b:0;s:7:"options";N;s:12:"error_buffer";a:1:{i:0;a:4:{s:7:"message";s:70:"Ssl_Module::get_certificate(): certificate `server.crt' does not exist";s:8:"severity";i:16;s:6:"caller";s:27:"Ssl_Module::get_certificate";s:2:"bt";s:1780:"         0B. Error_Reporter::add_error("certificate `%s' does not exist", ["server.crt"])            [/usr/local/apnscp/lib/log_wrapper.php:72]         1B. error("certificate `%s' does not exist", "server.crt")            [/usr/local/apnscp/lib/modules/ssl.php:680]         2B. Ssl_Module->get_certificate("server.crt")            [/usr/local/apnscp/lib/Module/Skeleton/Standard.php:145]         3B. Module\Skeleton\Standard->_invoke("get_certificate", ["server.crt"])            [/usr/local/apnscp/lib/apnscpfunction.php:992]         4B. apnscpFunctionInterceptor->call("ssl_get_certificate", ["server.crt"])            [/usr/local/apnscp/lib/lservicelib8.pht:1184]         5B. ListenerService\Daemon->process_backend_data(<binary>)            [/usr/local/apnscp/lib/lservicelib8.pht:1101]         6B. ListenerService\Daemon->client_processing_loop()            [/usr/local/apnscp/lib/lservicelib8.pht:1057]         7B. ListenerService\Daemon->spawn()            [/usr/local/apnscp/lib/lservicelib8.pht:865]         8B. ListenerService\Daemon->findWorker(0)            [/usr/local/apnscp/lib/lservicelib8.pht:1410]         9B. ListenerService\Daemon->dispatch(Socket)            [/usr/local/apnscp/lib/lservicelib8.pht:1282]        10B. ListenerService\Daemon->master()            [/usr/local/apnscp/lib/lservicelib8.pht:1230]        11B. ListenerService\Daemon->create_master_socket_server()            [/usr/local/apnscp/lib/lservicelib8.pht:293]        12B. ListenerService\Daemon->start()            [/usr/local/apnscp/lib/lservicelib8.pht:171]        13B. ListenerService\Daemon->__construct()            [/usr/local/apnscp/lib/lservicelib8.pht:1463]        14B. ListenerService\Daemon::init()            [/usr/local/apnscp/lib/lservice.php:28]";}}s:16:"apnscpObjectip";s:14:"184.170.161.33";}")
            [/usr/local/apnscp/lib/datastream.php:405]
         2. DataStream->pipeline(<binary>)
            [/usr/local/apnscp/lib/datastream.php:394]
         3. DataStream->query("ssl_get_certificate", "server.crt")
            [/usr/local/apnscp/lib/Module/Skeleton/Standard.php:200]
         4. Module\Skeleton\Standard->query("ssl_get_certificate", "server.crt")
            [/usr/local/apnscp/lib/modules/ssl.php:664]
         5. Ssl_Module->get_certificate("server.crt")
            [/usr/local/apnscp/lib/Module/Skeleton/Standard.php:145]
         6. Module\Skeleton\Standard->_invoke("get_certificate", ["server.crt"])
            [/usr/local/apnscp/lib/apnscpfunction.php:992]
         7. apnscpFunctionInterceptor->call("ssl_get_certificate", ["server.crt"])
            [/usr/local/apnscp/lib/CLI/cmd.php:62]
         8. CLI\__call("ssl_get_certificate", ["server.crt"])
            [/usr/local/apnscp/lib/CLI/cmd.php:581]
         9. CLI\main()
            [/usr/local/apnscp/bin/cmd:7]
----------------------------------------
MESSAGE SUMMARY
Reporter level: ERROR
ERROR: DataStream::pipeline(): Ssl_Module::get_certificate(): certificate `server.crt' does not exist
----------------------------------------
ERROR: DataStream::pipeline(): Ssl_Module::get_certificate(): certificate `server.crt' does not exist
ERROR  : Opcenter\Crypto\Ssl::parse(): no certificate!
         0. Error_Reporter::add_error("no certificate!", )
            [/usr/local/apnscp/lib/log_wrapper.php:72]
         1. error("no certificate!")
            [/usr/local/apnscp/lib/Opcenter/Crypto/Ssl.php:111]
         2. Opcenter\Crypto\Ssl::parse("")
            [/usr/local/apnscp/lib/modules/ssl.php:400]
         3. Ssl_Module->parse_certificate("")
            [/usr/local/apnscp/lib/Module/Skeleton/Standard.php:145]
         4. Module\Skeleton\Standard->_invoke("parse_certificate", [""])
            [/usr/local/apnscp/lib/apnscpfunction.php:992]
         5. apnscpFunctionInterceptor->call("ssl_parse_certificate", [""])
            [/usr/local/apnscp/lib/CLI/cmd.php:62]
         6. CLI\__call("ssl_parse_certificate", [""])
            [/usr/local/apnscp/lib/CLI/cmd.php:581]
         7. CLI\main()
            [/usr/local/apnscp/bin/cmd:7]
----------------------------------------
MESSAGE SUMMARY
Reporter level: ERROR
ERROR: DataStream::pipeline(): Ssl_Module::get_certificate(): certificate `server.crt' does not exist
----------------------------------------
ERROR: DataStream::pipeline(): Ssl_Module::get_certificate(): certificate `server.crt' does not exist
ERROR  : Opcenter\Crypto\Ssl::parse(): no certificate!
         0. Error_Reporter::add_error("no certificate!", )
            [/usr/local/apnscp/lib/log_wrapper.php:72]
         1. error("no certificate!")
            [/usr/local/apnscp/lib/Opcenter/Crypto/Ssl.php:111]
         2. Opcenter\Crypto\Ssl::parse("")
            [/usr/local/apnscp/lib/modules/ssl.php:400]
         3. Ssl_Module->parse_certificate("")
            [/usr/local/apnscp/lib/Module/Skeleton/Standard.php:145]
         4. Module\Skeleton\Standard->_invoke("parse_certificate", [""])
            [/usr/local/apnscp/lib/apnscpfunction.php:992]
         5. apnscpFunctionInterceptor->call("ssl_parse_certificate", [""])
            [/usr/local/apnscp/lib/CLI/cmd.php:62]
         6. CLI\__call("ssl_parse_certificate", [""])
            [/usr/local/apnscp/lib/CLI/cmd.php:581]
         7. CLI\main()
            [/usr/local/apnscp/bin/cmd:7]
----------------------------------------
MESSAGE SUMMARY
Reporter level: ERROR
ERROR: Opcenter\Crypto\Ssl::parse(): no certificate!
----------------------------------------

ERROR: Opcenter\Crypto\Ssl::parse(): no certificate!

Troy · July 29, 2024, 11:57pm

Unbound confirmed:

;; ANSWER SECTION:
_acme-challenge.customerdomain1.com.	0	IN	TXT	"XsaKIL0wvO7iRzQNhx-tE7QWfzf1ZktsfXtEYeQjJyI"

Troy · August 7, 2024, 7:45pm

Any thoughts on this? IS there something I can do manually to address the issue of “server.crt does not exist”?

msaladna · August 8, 2024, 10:58am

A change was introduced mid-June to report the signer’s key ID upon rejection. This change was implemented in response to Let’s Encrypt authority diversification on June 6.

Run the request as env DEBUG=1 cpcmd -d siteXX letsencrypt:renew to see which intermediate signing authority’s fingerprint is returned. This fingerprint is not listed in [letsencrypt] => keyid thus denying replacement.

Troy · August 11, 2024, 3:09am

No go…

WARNING: Letsencrypt_Module::renew(): Certificate is not Let's Encrypt
----------------------------------------
MESSAGE SUMMARY
Reporter level: WARNING
WARNING: Letsencrypt_Module::renew(): Certificate is not Let's Encrypt
----------------------------------------

~]# env DEBUG=1 cpcmd -d site151 letsencrypt:append '*.customerdomain.com'DEBUG  : *.customerdomain.com already resolved by dns
DEBUG  : Rejecting certificate. Authority fingerprint `keyid:BB:BC:C3:47:A5:E4:BC:A9:C6:C3:A4:72:0C:10:8D:A2:35:E1:C8:E8
' does not match acceptable values
ERROR  : Letsencrypt_Module::request(): Failed to append hostnames. Hostnames missing from new certificate: *.customerdomain.com
         0. Error_Reporter::add_error("Failed to append hostnames. Hostnames missing from new certificate: %s", ["*.customerdomain.com"])
            [/usr/local/apnscp/lib/log_wrapper.php:72]
         1. error("Failed to append hostnames. Hostnames missing from new certificate: %s", "*.customerdomain.com")
            [/usr/local/apnscp/lib/modules/letsencrypt.php:396]
         2. Letsencrypt_Module->request(["*.customerdomain.com"], true)
            [/usr/local/apnscp/lib/modules/letsencrypt.php:505]
         3. Letsencrypt_Module->append([*.customerdomain.com:0])
            [/usr/local/apnscp/lib/Module/Skeleton/Standard.php:145]
         4. Module\Skeleton\Standard->_invoke("append", ["*.customerdomain.com"])
            [/usr/local/apnscp/lib/apnscpfunction.php:992]
         5. apnscpFunctionInterceptor->call("letsencrypt_append", ["*.customerdomain.com"])
            [/usr/local/apnscp/lib/CLI/cmd.php:55]
         6. CLI\__call("letsencrypt_append", ["*.customerdomain.com"])
            [/usr/local/apnscp/lib/CLI/cmd.php:574]
         7. CLI\main()
            [/usr/local/apnscp/bin/cmd:7]
----------------------------------------
MESSAGE SUMMARY
Reporter level: ERROR
DEBUG: Rejecting certificate. Authority fingerprint `keyid:BB:BC:C3:47:A5:E4:BC:A9:C6:C3:A4:72:0C:10:8D:A2:35:E1:C8:E8
' does not match acceptable values
ERROR: Letsencrypt_Module::request(): Failed to append hostnames. Hostnames missing from new certificate: *.customerdomain.com
----------------------------------------

msaladna · August 11, 2024, 4:41pm

Added R10 and R11 authorities in edge. In the future this diagnostic has been altered to a warning, so it will be easier to recognize.

A maintenance release will be out later this week.