November 3, 2021
Hello, I was unable to add a new domain with Froxlor version 0.10.29.1. No own DNS server is used; instead the external 1.1.1.1 and 1.0.0.1 are used. I got an error: The domains DNS does not include any of the chosen IP addresses. Let's Encrypt certificate generation not possible. Other domains that were created before with version 0.10.28.x are working, and certificates are created in .acme/...; they are also available in /etc/ssl/custom-froxlor. So what happened? Setting the panel-domain tables entry for domain letsencrypt and running php /var/www/froxlor/scripts/froxlor_master_cronjob.php --letsencrypt --debug creates the certificates in /root/.acme.sh, but they are not present in /etc/ssl/custom-froxlor. Any suggestions?
November 3, 2021
Well, the error says it all... the domain does not point to any of the IPs assigned to it
January 4, 2022
This also happened to me. What I did was first create the domain without SSL, and once done, this will add an A record for the new domain to the DNS, and then I was able to create the SSL certificate with Let's Encrypt. So basically I have to do it in two steps. I think this behavior is different from when Froxlor was using certbot; I remember creating my previous domains and SSL certificates in one step. It's not a big deal, but I just thought it was worth mentioning. Is it also your case @d00p? Thanks,
September 30, 2022
I am also having some trouble understanding this. Actually my web server is on an internal network and there is a proxy/router/port-forwarder in front of it. So the public IP (listed in the DNS A record) will never be assigned to the webserver. How does this prevent getting a Let's Encrypt certificate? To my understanding it's a challenge-response where Let's Encrypt is fetching some token from my webserver (which will work). Just Froxlor does not know the actual public IP. In my case it's even a dynamic IP, so the DNS A record is changing every now and then.
September 30, 2022
3 minutes ago, Rainer Meier said:
I am also having some trouble understanding this. Actually my web server is on an internal network and there is a proxy/router/port-forwarder in front of it. So the public IP (listed in the DNS A record) will never be assigned to the webserver. How does this prevent getting a Let's Encrypt certificate? To my understanding it's a challenge-response where Let's Encrypt is fetching some token from my webserver (which will work). Just Froxlor does not know the actual public IP. In my case it's even a dynamic IP, so the DNS A record is changing every now and then.

Actually, I just dug into the code in the hope of being able to override the check and found it in lib/Froxlor/Api/Commands/Domains.php:284. Turns out the check can also be disabled in the settings. So I found the related switch in Settings -> SSL Settings => "Validate DNS of domains when using Let's Encrypt". Turn off this option and it will work.
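An added example, not part of the thread and not Froxlor's own code: a pre-flight comparison of a domain's resolved addresses against the IPs assigned to it, which separates the cases the posts describe (no A record yet, a server behind NAT, a genuine mismatch). The function names and all addresses are constructed for illustration; `resolve()` needs network access and is not used in the offline demo.

```python
import ipaddress
import socket

# RFC 1918 / unique-local ranges: addresses a NATed web server typically holds.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]

def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)

def resolve(domain):
    """Live lookup of A/AAAA records through the system resolver."""
    try:
        infos = socket.getaddrinfo(domain, 80, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})

def classify_dns_check(resolved, assigned):
    """Return 'match', 'no-record', 'behind-nat' or 'mismatch'."""
    # Parse into address objects so that differently written forms of the
    # same IPv6 address compare equal (a plain string compare would not).
    resolved_ips = {ipaddress.ip_address(a) for a in resolved}
    assigned_ips = {ipaddress.ip_address(a) for a in assigned}
    if not resolved_ips:
        # Certificate requested before the record exists: create the domain
        # first, request the certificate afterwards.
        return "no-record"
    if resolved_ips & assigned_ips:
        return "match"
    if all(is_internal(ip) for ip in assigned_ips) and \
            any(not is_internal(ip) for ip in resolved_ips):
        # DNS points at a public address that a router forwards to this
        # host. The comparison cannot succeed even though the HTTP
        # challenge can, so the panel's DNS validation setting applies.
        return "behind-nat"
    # DNS points at a different machine; the challenge request would not
    # reach this server at all.
    return "mismatch"

if __name__ == "__main__":
    # Constructed sample data (documentation address ranges).
    cases = {
        "new.example": ([], ["192.168.1.20"]),
        "nat.example": (["203.0.113.10"], ["192.168.1.20"]),
        "v6.example": (["2001:DB8::1"], ["2001:db8:0:0:0:0:0:1"]),
        "other.example": (["198.51.100.7"], ["203.0.113.10"]),
    }
    for name, (resolved, assigned) in cases.items():
        print(name, classify_dns_check(resolved, assigned))
```

Only the `behind-nat` result is a case for turning the validation off; `no-record` and `mismatch` are DNS problems that would also stop the certificate from being issued.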