Koozali.org: home of the SME Server

LetsEncrypt renewal fails - tried authorizations for all possible names

leonp
Hello.
Sorry, I am really very weak in this field...:-)
My Let's Encrypt certificate is going to expire. As recommended, I ran "dehydrated -c". But it tried to authorize all my mail addresses and all the internal computer names ever seen on my internal network. Obviously this failed.
I found that the file domains.txt in the /etc/dehydrated/ directory contains about 40 names instead of 1, as per my understanding.
I deleted all unnecessary names leaving only my domain name and now dehydrated passed successfully and updated my certificates.
Although it is not a problem for me to restore the domains.txt content once every 3 months, I am curious what is incorrect. Why does someone fill this domains.txt with all existing and once-existing names?
Thanks for the help.

P.S. A very similar (if not identical) list of names I found in the file /etc/openssl.conf, which says in capital letters "Don't modify this file"...:-)

ReetP
Re: LetsEncrypt renewal fails - tried authorizations for all possible names
« Reply #1 on: January 09, 2022, 11:48:30 AM »
Because you didn't read properly and probably enabled 'all'

https://wiki.koozali.org/Letsencrypt#Configuration

If you don't understand these things then use test mode and learn before you deploy or you may hit the limit and get blocked from further attempts.

That's what test mode is designed for.

Also, if a file tells you 'Do not modify' you can safely assume that it says it for a reason.

Don't ignore it unless you REALLY understand.

Fix the problem (lack of understanding), not the symptom.
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

leonp
Re: LetsEncrypt renewal fails - tried authorizations for all possible names
« Reply #2 on: January 09, 2022, 12:28:17 PM »
Thank you, ReetP, very much.
Looks like you were right - I tested the variable in the DB and it was set to "all".
I do not remember doing this myself - I am too weak to do this by myself.
Is it possible that this was the result of the upgrade 3 months ago from v9 to v10?
Anyway, I followed the instructions in the NOTE and it looks like everything is ok now.
THANK YOU!

ReetP
Re: LetsEncrypt renewal fails - tried authorizations for all possible names
« Reply #3 on: January 09, 2022, 01:07:39 PM »
The upgrade didn't touch it so it's entirely self inflicted I'm afraid.

The setting would have been carried over from v9.

So whoever set it up did it.

Pleased you got it sorted.

Jean-Philippe Pialasse (aka Unnilennium, http://smeserver.pialasse.com)
Re: LetsEncrypt renewal fails - tried authorizations for all possible names
« Reply #4 on: January 10, 2022, 01:49:18 PM »
In http mode, the one we use, Let's Encrypt will not be able to deliver a cert for a domain unless it is pointing, in the public DNS records, to your own server.

By doing this for all internal machines on the main server you will encounter two issues:
- while counter-intuitive, you will need to have the domain defined as locally handled to be able to override what the public DNS says.
- you might create a security hole by disclosing your internal architecture to the public. LE publicizes all delivered certs. So one could learn a few things by seeing you have a mydlinkcamera.mydomain.com cert and target you specifically.
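The two problems raised in this thread (a domains.txt padded with every host the server ever knew, and the HTTP-01 precondition that each requested name must resolve in public DNS to this server) can be caught before "dehydrated -c" ever talks to the CA. The script below is an added example written for this page; it is not code from the thread, from dehydrated or from the SME Server project. It assumes dig (bind-utils) is installed, the real dehydrated domains.txt layout (one certificate per line, primary name first, SANs after it), and uses documentation addresses (203.0.113.10, 192.168.1.50) and made-up names in its comments. The SME "config"/"expand-template" commands mentioned in the comments are quoted from memory of the wiki linked above; verify them there rather than trusting this block. Every name the check reports as NOT OK is also a name that would have been published in the Certificate Transparency logs had the request succeeded, which is Jean-Philippe's second point.

```shell
#!/bin/sh
# Pre-flight check for /etc/dehydrated/domains.txt before running "dehydrated -c".
# Every name dehydrated will request must resolve in PUBLIC DNS to this server,
# or the HTTP-01 challenge fails and the failed validation still counts against
# Let's Encrypt's rate limits. Names only known to the internal DNS (or to
# /etc/hosts) are exactly what a "configure all" setting drops into the file.
#
# Assumptions (not from the thread): dig (bind-utils) is installed; dehydrated's
# domains.txt format of one certificate per line, primary name first, SANs after;
# 203.0.113.10 / 192.168.1.50 / mydomain.com are documentation values.

# resolve_name NAME -> prints the public A records for NAME, one per line.
# Asks a public resolver directly, not the local SME dnscache, so that a domain
# "handled locally" does not mask what the outside world (and the CA) sees.
# RESOLVE_TABLE, when set, is an offline "name ip" table used instead of DNS
# (used by the test below; also handy for dry runs without network).
resolve_name() {
    if [ -n "${RESOLVE_TABLE:-}" ]; then
        printf '%s\n' "$RESOLVE_TABLE" | awk -v n="$1" '$1 == n { print $2 }'
    else
        dig +short A "$1" "@${PUBLIC_RESOLVER:-1.1.1.1}" 2>/dev/null </dev/null
    fi
}

# name_points_here NAME IP -> success iff NAME has an A record equal to IP.
name_points_here() {
    resolve_name "$1" | grep -qx "$2"
}

# check_domains FILE IP -> prints every name in FILE that does not point at IP;
# returns 1 if there was at least one, 0 if the file is safe to hand to dehydrated.
check_domains() {
    bad=0
    while read -r line; do
        case $line in ''|'#'*) continue ;; esac      # skip blanks and comments
        for n in $line; do
            if ! name_points_here "$n" "$2"; then
                r=$(resolve_name "$n" | tr '\n' ','); r=${r%,}
                echo "NOT OK: $n -> ${r:-no A record}"
                bad=1
            fi
        done
    done < "$1"
    return $bad
}

# filter_domains FILE IP -> prints FILE with every non-public name removed; a line
# whose names are all removed disappears. Use it to see what the file SHOULD
# contain, not to overwrite the real file: on SME Server the file is a template
# expanded from the configuration db, so change the db setting (e.g.
# "config setprop letsencrypt configure domains", per the Koozali wiki; verify
# there) and re-run "expand-template /etc/dehydrated/domains.txt".
filter_domains() {
    while read -r line; do
        case $line in ''|'#'*) continue ;; esac
        keep=
        for n in $line; do
            if name_points_here "$n" "$2"; then
                keep="$keep${keep:+ }$n"
            fi
        done
        [ -n "$keep" ] && echo "$keep"
    done < "$1"
    return 0
}

# Typical use on the server (not executed here): learn your public address from
# the outside, check the file, and only then let dehydrated run.
#   PUBIP=$(dig +short myip.opendns.com @resolver1.opendns.com)
#   check_domains /etc/dehydrated/domains.txt "$PUBIP" && dehydrated -c
```

Run it with "config setprop letsencrypt status test" still in place the first time: the check does not replace test mode, it only stops the obvious failures from reaching the CA at all.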