New SSL Cert issues

I have Cyberpanel running on 2 servers: 1 is the website, the other handles emails. On my email server, which has been running fine for the last 6 months, I have had issues with one of the mail.domains issuing a self-signed SSL. I have therefore logged in to check, and when trying to issue a mail.domain it fails and issues a self-signed cert. I checked all other domains on this Cyberpanel install and they all have Let's Encrypt SSL certs. I have double-checked all DNS and everything is fine. I proceeded to re-issue a mail.domain SSL cert on a test domain that already had a Let's Encrypt cert, and it failed and issued a self-signed one!

Realising that Cyberpanel has since upgraded from the 2.1 I was running, I upgraded to the latest and tried again, but no difference.

Can anyone please help? It seems that something has stopped working in the last 2 weeks, causing SSL certs to fail. I haven't changed anything; in fact I haven't logged into Cyberpanel for over 3 months until today!

Log for reference (actual domain substituted with domain.com):

[05.13.2022_12-48-16] Trying to obtain SSL for: mail.domain.com and: www.mail.domain.com
[05.13.2022_12-48-16] /root/.acme.sh/acme.sh --issue -d mail.domain.com -d www.mail.domain.com --cert-file /etc/letsencrypt/live/mail.domain.com/cert.pem --key-file /etc/letsencrypt/live/mail.domain.com/privkey.pem --fullchain-file /etc/letsencrypt/live/mail.domain.com/fullchain.pem -w /usr/local/lsws/Example/html -k ec-256 --force --server letsencrypt
[05.13.2022_12-48-22] Failed to obtain SSL for: mail.domain.com and: www.mail.domain.com
[05.13.2022_12-48-22] Trying to obtain SSL for: mail.domain.com
[05.13.2022_12-48-28] Failed to obtain SSL, issuing self-signed SSL for: mail.domain.com
[05.13.2022_12-48-29] Websites matching query does not exist. [installSSLForDomain:72]
[05.13.2022_12-48-29] Self signed SSL issued for mail.domain.com.

I was deploying a new server … and got the cert error :frowning: I thought something was wrong with my server…
I was waiting for my limitation to be released, then I will re-check.

Please do two things: first, show me your vhost configuration, and second, run this:

/root/.acme.sh/acme.sh --issue -d mail.domain.com -d www.mail.domain.com --cert-file /etc/letsencrypt/live/mail.domain.com/cert.pem --key-file /etc/letsencrypt/live/mail.domain.com/privkey.pem --fullchain-file /etc/letsencrypt/live/mail.domain.com/fullchain.pem -w /usr/local/lsws/Example/html -k ec-256 --force --server letsencrypt

and show me the output.

The command you said to run is exactly what the server ran and failed on, so I'm unsure what will be achieved by just running it again when it has clearly failed already.

What's the usual support reply timeframe? It's been 3 days and nothing from the devs; I usually got quicker and better responses via the Facebook group, which we are banned from using now!

I hate to say it, but is there anyone I could provide access details to who could guarantee me they can sort the issue? I'd be happy to pay a small fee. I'm currently unwell and getting my head around this right now isn't easy, and I have a client who is unable to use their emails.

If you run this command and show me the response, we will get the exact error, although it has failed. By the way, here in the community a lot of people are helping each other, like @MyIDKaTePe @die2mrw007 @Dreamer, and they can also guide you.

The command output is necessary for us to know the reason for failing to grant a valid SSL. The output will display the cause, and we should correct it to solve this issue.

@shoaibkk and @die2mrw007, sorry, makes sense now.

Ran the line in the terminal and got the following:

/root/.acme.sh/acme.sh --issue -d mail.domain.com -d www.mail.domain.com --cert-file /etc/letsencrypt/live/mail.domain.com/cert.pem --key-file /etc/letsencrypt/live/mail.domain.com/privkey.pem --fullchain-file /etc/letsencrypt/live/mail.domain.com/fullchain.pem -w /usr/local/lsws/Example/html -k ec-256 --force --server letsencrypt
[Tue 17 May 2022 10:14:55 PM UTC] Using CA: https://acme-v02.api.letsencrypt.org/directory
[Tue 17 May 2022 10:14:55 PM UTC] Multi domain='DNS:mail.domain.com,DNS:www.mail.domain.com'
[Tue 17 May 2022 10:14:55 PM UTC] Getting domain auth token for each domain
[Tue 17 May 2022 10:14:57 PM UTC] Getting webroot for domain='mail.domain.com'
[Tue 17 May 2022 10:14:57 PM UTC] Getting webroot for domain='www.mail.domain.com'
[Tue 17 May 2022 10:14:57 PM UTC] Verifying: mail.domain.com
[Tue 17 May 2022 10:14:58 PM UTC] Pending, The CA is processing your order, please just wait. (1/30)
[Tue 17 May 2022 10:15:01 PM UTC] mail.domain.com:Verify error:123.456.789.101: Fetching 404.html: Redirect loop detected
[Tue 17 May 2022 10:15:01 PM UTC] Please add '--debug' or '--log' to check more details.
[Tue 17 May 2022 10:15:01 PM UTC] See: How to debug acme.sh · acmesh-official/acme.sh Wiki · GitHub

My vhost configuration I'm unable to locate; I have been away from the server for a few months and have been going through some issues, so my mind isn't up to speed. If there is an easy way to find the vhost config, please do tell.

I'm guessing the errors reported can provide enough info on what's wrong?

Side note: the domain is hosted on a Cyberpanel install on 1 server and the mail.domain is on another Cyberpanel server; essentially I run the website and email on separate servers. DNS is configured accordingly and has worked until recently, and for many domains.

Just found the vHost Conf in Cyberpanel for the domain:

docRoot /home/domain.com/mail.domain.com
vhDomain $VH_NAME
vhAliases www.$VH_NAME
adminEmails [email protected]
enableGzip 1
enableIpGeo 1

index {
useServer 0
indexFiles index.php, index.html
}

errorlog $VH_ROOT/logs/domain.com.error_log {
useServer 0
logLevel WARN
rollingSize 10M
}

accesslog $VH_ROOT/logs/domain.com.access_log {
useServer 0
logFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\""
logHeaders 5
rollingSize 10M
keepDays 10
compressArchive 1
}

phpIniOverride {

}

module cache {
storagePath $VH_ROOT/lscache
}

errorpage 403 {
url 403.html
}

errorpage 404 {
url 404.html
}

errorpage 500 {
url 500.html
}

scripthandler {
add lsapi:flare26584116 php
}

extprocessor flare26584116 {
type lsapi
address UDS://tmp/lshttpd/flare26584116.sock
maxConns 10
env LSAPI_CHILDREN=10
initTimeout 60
retryTimeout 0
persistConn 1
pcKeepAliveTimeout 1
respBuffer 0
autoStart 1
path /usr/local/lsws/lsphp73/bin/lsphp
extUser flare2658
extGroup flare2658
memSoftLimit 2047M
memHardLimit 2047M
procSoftLimit 400
procHardLimit 500
}

rewrite {
enable 1
autoLoadHtaccess 1
}

vhssl {
keyFile /etc/letsencrypt/live/mail.domain.com/privkey.pem
certFile /etc/letsencrypt/live/mail.domain.com/fullchain.pem
certChain 1
sslProtocol 24
enableECDHE 1
renegProtection 1
sslSessionCache 1
enableSpdy 15
enableStapling 1
ocspRespMaxAge 86400
}
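The two things to read side by side in the post above are the acme.sh command (which directory it writes the HTTP-01 token into, via -w) and the vhost conf (which directory the server actually serves, plus whether .htaccess rewrites and a custom 404 page are active). The following is an added diagnostic, not part of the original post and not CyberPanel's or acme.sh's own code: it parses both as posted (the conf excerpt is trimmed to the directives that matter here) and lists the mismatches worth confirming before re-issuing. The flattened "block.key" naming for the conf is this script's own convention, not LiteSpeed's.

```python
# Added diagnostic, not CyberPanel's or acme.sh's own code. It parses the acme.sh
# --issue line and the LiteSpeed vhost conf posted in the thread and reports where
# the HTTP-01 token is written versus where the vhost serves from, plus whether
# .htaccess rewrites and a custom 404 page apply to that docRoot.
import shlex

# Constructed inputs: the acme.sh line from the thread and an excerpt of the vhost conf.
ACME_CMD = (
    "/root/.acme.sh/acme.sh --issue -d mail.domain.com -d www.mail.domain.com "
    "--cert-file /etc/letsencrypt/live/mail.domain.com/cert.pem "
    "--key-file /etc/letsencrypt/live/mail.domain.com/privkey.pem "
    "--fullchain-file /etc/letsencrypt/live/mail.domain.com/fullchain.pem "
    "-w /usr/local/lsws/Example/html -k ec-256 --force --server letsencrypt"
)

VHOST_CONF = """\
docRoot /home/domain.com/mail.domain.com
vhDomain $VH_NAME
vhAliases www.$VH_NAME
errorpage 404 {
url 404.html
}
rewrite {
enable 1
autoLoadHtaccess 1
}
vhssl {
keyFile /etc/letsencrypt/live/mail.domain.com/privkey.pem
certFile /etc/letsencrypt/live/mail.domain.com/fullchain.pem
}
"""


def parse_acme_cmd(cmd):
    """Pull the -d domains and the -w webroot out of an acme.sh --issue line."""
    argv = shlex.split(cmd)
    domains, webroot = [], None
    i = 0
    while i < len(argv):
        if argv[i] == "-d" and i + 1 < len(argv):
            domains.append(argv[i + 1])
            i += 2
        elif argv[i] == "-w" and i + 1 < len(argv):
            webroot = argv[i + 1]
            i += 2
        else:
            i += 1
    return {"domains": domains, "webroot": webroot}


def parse_vhost(conf):
    """Flatten a LiteSpeed vhost conf into {"key": value} for top-level directives
    and {"block.key": value} for nested ones (block name = the tokens before '{',
    joined with '_', so 'errorpage 404 {' becomes 'errorpage_404')."""
    result, stack = {}, []
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("{"):
            stack.append("_".join(line[:-1].split()))
            continue
        if line == "}":
            stack.pop()
            continue
        key, _, value = line.partition(" ")
        result[".".join(stack + [key])] = value.strip()
    return result


def challenge_paths(cmd):
    """Per domain: where the token file lands on disk and the URL the CA fetches."""
    acme = parse_acme_cmd(cmd)
    return [(f"{acme['webroot']}/.well-known/acme-challenge/<token>",
             f"http://{d}/.well-known/acme-challenge/<token>")
            for d in acme["domains"]]


def check_challenge_setup(cmd, conf):
    """Return a list of human-readable findings to verify on the server."""
    acme, vh = parse_acme_cmd(cmd), parse_vhost(conf)
    findings = []
    if acme["webroot"] != vh.get("docRoot"):
        findings.append(
            f"acme.sh writes tokens under {acme['webroot']} but the vhost docRoot is "
            f"{vh.get('docRoot')}: confirm the server maps /.well-known/acme-challenge/ "
            "for these domains to the acme.sh webroot")
    if vh.get("rewrite.autoLoadHtaccess") == "1":
        findings.append(
            "autoLoadHtaccess is on: any redirect rule in the docRoot's .htaccess also "
            "applies to /.well-known/acme-challenge/ unless it excludes that path")
    if "errorpage_404.url" in vh:
        findings.append(
            f"custom 404 page {vh['errorpage_404.url']}: if the challenge path 404s, the "
            "CA is served that page (and any redirect it triggers) instead of the token")
    return findings


if __name__ == "__main__":
    for disk, url in challenge_paths(ACME_CMD):
        print(f"token on disk: {disk}\n   fetched at: {url}")
    for finding in check_challenge_setup(ACME_CMD, VHOST_CONF):
        print("-", finding)
```

To use it on a real install, replace the two constants with the command line from the CyberPanel SSL log and the full vhost conf; every finding is a thing to confirm by hand (for example by placing a test file under the acme.sh webroot and requesting it over plain HTTP), not a diagnosis on its own.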

The error log you pasted here mentions that it detected a redirect loop.

You can navigate to "Websites > List domains" in the side menu of Cyberpanel.

There you will find all the mail subdomains listed; open the file manager of the respective mail domain you wish to have the SSL for.

Create a new file named .htaccess

Paste this code inside the .htaccess file:

#301 https redirects to without WWW
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]

Restart the server and try to issue the SSL again using the SSH commands.

Hi, thanks for the info. I have created the .htaccess file and saved it with the code provided. Restarted the server and re-ran the SSH line, and I still get the exact same error. I even added a 404.html file to public_html and the mail.domain folder just in case, and re-ran the SSH line, and still get the exact same error again.

What concerns me is that ALL my mail.domains were working perfectly fine until recently, when this particular domain auto-renewed and failed.

I manually renewed another 'test' domain and it also failed.

So something somewhere has stopped working, as it did work before and I haven't changed anything; I literally haven't even been on the server since the initial working SSL was set up.

I have a number of mail.domains that currently have 84 days left on their current running SSLs, so I believe it can't have been that long ago that they auto-renewed perfectly fine, and all the mail domains are set up exactly the same, albeit with a different domain name.

Are you using Cloudflare? If so, try disabling the proxy and issuing the SSL.

I do use Cloudflare but never use proxies on mail domains.

It just gets better!!!

My server that I use for the actual websites of my domains I'm no longer able to log into, because the SSL cert is no longer valid!

Seems this SSL renewal issue has happened on my other server as well!

Is there anyone in support that can help me? It has been a week now since I created this topic for support!

There is something broken in Cyberpanel, because SSL was working and for some reason has decided to break, yet I haven't even logged into the server to change anything or even run updates!

I did read just now that a few weeks ago Let's Encrypt changed something, so I'm guessing this is the cause, but I have since updated my email server running Cyberpanel and SSL is still not working. Does anyone know what this Let's Encrypt change was? What should I do to fix Cyberpanel so SSL will now work?

PLEASE ANYONE???

Further info: using the terminal/PuTTY I have tried to renew another domain and it worked with the same command line; the difference in the output is that this one says the domain is already verified (skip http-01). So it seems the 2 domains I am having issues with on my email server are trying to verify and failing, giving the "Redirect loop detected" error. I have checked all files on the working domain against the 2 non-working ones and everything is identical, including the way their DNS is all set up, so confused!

Further info again: I have visited the file manager for domain.com and mail.domain.com on my email server and fixed permissions via the file manager, which I saw changed some file permissions, as I saw in the debug output that it was skipping the removal of the acme-challenge files and folders, and yet when I go to look for them they don't exist. So it seems it's having an issue creating these folders/files for the challenge to complete; however, despite fixing the file permissions it still fails exactly the same!

I found the URL of the acme-challenge and the challenge file is there as per the debug output. When I try to go to the URL in a browser window it does return 404.html, too many redirects!

I even added an HTML and a PHP file in the same directory and tried to access them via the browser, and got the same 404 redirect error, so something is protecting this folder?

So what on Cyberpanel is causing this to happen?
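The "too many redirects" the browser shows on the challenge URL is the same thing acme.sh reported as "Redirect loop detected", and the useful next step is to see the hop-by-hop chain rather than the browser's summary. The script below is an added example, not from the thread and not acme.sh's own code: it requests the challenge URL without auto-following redirects, records each hop, and stops the moment a URL repeats. The `fetch` function is injectable so the loop logic runs offline here against constructed responses that mirror the symptom (challenge URL bounced to HTTPS, then to the 404 page, which redirects to itself); the URLs and token in the constructed tables are placeholders.

```python
# Added example, not from the thread and not acme.sh's own code: walk the redirect
# chain of an HTTP-01 challenge URL one hop at a time and report a loop the way
# acme.sh's "Redirect loop detected" does, so the chain can be read before the
# next --issue attempt. `fetch` is injectable so the logic runs offline against
# constructed responses; http_fetch is the real one for use on a server.
import sys
import urllib.error
import urllib.request
from urllib.parse import urljoin


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Return None so urllib hands the 3xx back as an HTTPError instead of following it."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


_OPENER = urllib.request.build_opener(_NoRedirect)


def http_fetch(url, timeout=10):
    """One request, no redirect following: (status, Location header or None, body text)."""
    try:
        with _OPENER.open(url, timeout=timeout) as resp:
            return resp.status, None, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location"), err.read().decode("utf-8", "replace")


def trace_challenge(url, token, fetch=http_fetch, max_hops=10):
    """Follow redirects from `url`; succeed only if a 200 body equals `token`.

    Returns {"hops": [(url, status), ...], "verdict": str, "final_url": str}.
    A URL seen twice is reported as a loop before it is fetched again.
    """
    seen, hops, current = set(), [], url
    for _ in range(max_hops):
        if current in seen:
            return {"hops": hops, "verdict": "redirect loop", "final_url": current}
        seen.add(current)
        status, location, body = fetch(current)
        hops.append((current, status))
        if 300 <= status < 400 and location:
            current = urljoin(current, location)   # Location may be relative
            continue
        if status == 200:
            verdict = "ok" if body.strip() == token else "200 but body is not the token"
        else:
            verdict = f"unexpected status {status}"
        return {"hops": hops, "verdict": verdict, "final_url": current}
    return {"hops": hops, "verdict": "too many redirects", "final_url": current}


# Constructed responses mirroring the thread: the challenge URL is bounced to HTTPS,
# then to the custom 404 page, which keeps redirecting to itself.
LOOPING = {
    "http://mail.domain.com/.well-known/acme-challenge/tok":
        (301, "https://mail.domain.com/.well-known/acme-challenge/tok", ""),
    "https://mail.domain.com/.well-known/acme-challenge/tok": (302, "/404.html", ""),
    "https://mail.domain.com/404.html": (302, "/404.html", ""),
}
# Constructed healthy case: an HTTPS upgrade is fine as long as the token is served at the end.
HEALTHY = {
    "http://mail.domain.com/.well-known/acme-challenge/tok":
        (301, "https://mail.domain.com/.well-known/acme-challenge/tok", ""),
    "https://mail.domain.com/.well-known/acme-challenge/tok": (200, None, "tok\n"),
}


def fake_fetch(table):
    """Build an offline fetch() from a {url: (status, location, body)} table."""
    return lambda url: table.get(url, (404, None, "not found"))


def demo():
    """Run both constructed cases; returns (looping_result, healthy_result)."""
    start = "http://mail.domain.com/.well-known/acme-challenge/tok"
    return (trace_challenge(start, "tok", fake_fetch(LOOPING)),
            trace_challenge(start, "tok", fake_fetch(HEALTHY)))


if __name__ == "__main__":
    if len(sys.argv) == 3:   # on a server: python3 trace.py <challenge-url> <token>
        result = trace_challenge(sys.argv[1], sys.argv[2])
    else:
        result = demo()[0]
    for hop_url, status in result["hops"]:
        print(f"{status} {hop_url}")
    print("verdict:", result["verdict"])
```

On a server, drop a test file into the acme-challenge directory acme.sh --debug reports, then run the script with that file's URL and contents; the printed hops show which rule (the HTTPS redirect in the .htaccess, the errorpage 404 in the vhost conf, or something in front of the server) is sending the CA somewhere other than the token.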

@die2mrw007
Right, in the root directory under /home/ I have the following:

/home/domain.com/mail.domain.com

and

/home/mail.domain.com

The acme-challenge file is being put in the /home/mail.domain.com/.well-known/acme-challenge folder, and when I try to access mail.domain.com/.well-known/acme-challenge/(any file I put in this location) I get the 404 redirect error.

BUT if I copy the contents of the /.well-known/ folder, then visit mail.domain.com/.well-known/acme-challenge/(any file in here), the file will show in the browser with no redirect errors.

Now I remember that last year, when I first started using Cyberpanel, the /home/ directory handled the mail domain differently to how it does now, so I'm wondering if this is part of the issue.

Either way, it seems there is an issue with where the acme-challenge file is placed, or I need to make the location readable?

Can anyone now enlighten me on how to fix this?

I am wondering how the mail.domain is placed at /home/mail.domain. That's not normal.

When you create a website (add domain in Cyberpanel), it will ask whether you need to create a mail domain, and when you select that option the mail domain is created at /home/domain-name/mail-domain.

Any info on how you got your mail domain placed at /home/maildomain? If that is so, then you need to provide the required permissions too, so that it's accessible by the acme auto-renewal script.

I recall at some point last year Cyberpanel used to do it this way, then one day it didn't!

I would be open to someone looking into the server; potentially I have the same issue on my other server that handles the websites as well, but I currently cannot sign into it, as the login page fails SSL and hangs on signing in.

What info do you need, and where/how should I send it to you?

You can send it in a private message to me here: the Cyberpanel login details and SSH login info.