Let's Encrypt Certificate

Since I’m still very new to Axigen, I’m not sure how to properly configure it to “Generate a new SSL from Let’s Encrypt”. I’ve been using them for quite a while and know how to create one manually, but if I can configure Axigen to autorenew it, that would be great! I’ve read through https://www.axigen.com/documentation/managing-ssl-certificates-p21594182 and https://www.axigen.com/documentation/lets-encrypt-support-p10649619, but don’t see the exact steps that will let me set it up correctly. Last time, I was able to manually add my Let’s Encrypt cert, but I’d like to take advantage of the advertised capability if I can.

When I tried via the GUI, it keeps giving me an error “The SSL certificate could not be generated!” (I’ve tried both domain.com as well as webmail.domain.com (both of which can be resolved by a DNS query) for the hostname and get the same results.)

Is there a document that I’m missing that can walk me through the steps? I also looked at the logs and found:

Log Info

2020-04-06 20:59:38 -0600 08 Server JOBLOG:7000001B: LetsE: Acme job executing
2020-04-06 20:59:38 -0600 08 Server JOBLOG:7000001B: LetsE: Found current request
2020-04-06 20:59:38 -0600 08 Server JOBLOG:7000001B: LetsE: AcmeInitState for domain.com executing
2020-04-06 20:59:39 -0600 08 Server JOBLOG:7000001B: LetsE: Response code 200
2020-04-06 20:59:39 -0600 08 Server JOBLOG:7000001B: LetsE: Account location is https://acme-v02.api.letsencrypt.org/acme/acct/75829518, TOS URI is https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf
2020-04-06 20:59:39 -0600 02 Server JOBLOG:7000001B: LetsE: Acme init state completed, moving to reg state
2020-04-06 20:59:39 -0600 08 Server JOBLOG:7000001B: LetsE: Job step action => Proceeding to next state
2020-04-06 20:59:39 -0600 08 Server JOBLOG:7000001B: LetsE: AcmeRegState for domain.com executing
2020-04-06 20:59:39 -0600 08 Server JOBLOG:7000001B: LetsE: Response code 201
2020-04-06 20:59:39 -0600 02 Server JOBLOG:7000001B: LetsE: Acme reg state completed, moving to challenge state
2020-04-06 20:59:39 -0600 08 Server JOBLOG:7000001B: LetsE: Job step action => Proceeding to next state
2020-04-06 20:59:39 -0600 08 Server JOBLOG:7000001B: LetsE: AcmeChallengeState for domain.com executing
2020-04-06 20:59:39 -0600 08 Server JOBLOG:7000001B: LetsE: Response code 200
2020-04-06 20:59:39 -0600 08 Server JOBLOG:7000001B: LetsE: Job step action => Waiting is needed, going to sleep
2020-04-06 20:59:54 -0600 08 Server JOBLOG:7000001C: LetsE: Acme job executing
2020-04-06 20:59:54 -0600 08 Server JOBLOG:7000001C: LetsE: AcmeChallengeState for domain.com executing
2020-04-06 20:59:54 -0600 02 Server JOBLOG:7000001C: LetsE: Acme challenge state failed, perhaps domain.com cannot be accessed by the letsencrypt servers?
2020-04-06 20:59:54 -0600 02 Server JOBLOG:7000001C: LetsE: Issuance Job for domain.com abandoned!
2020-04-06 20:59:54 -0600 02 Server JOBLOG:7000001C: LetsE: last protocol errType All OK!
2020-04-06 20:59:54 -0600 02 Server JOBLOG:7000001C: LetsE: last protocol errDetail All OK!
2020-04-06 20:59:54 -0600 02 Server JOBLOG:7000001C: LetsE: Job step action => Cannot complete current work item, abandoning
2020-04-06 21:00:09 -0600 08 Server JOBLOG:7000001D: LetsE: Acme job executing
2020-04-06 21:00:09 -0600 08 Server JOBLOG:7000001D: LetsE: Nothing to do, going to sleep

I saw in the log “Acme challenge state failed, perhaps domain.com cannot be accessed by the letsencrypt servers?”
I’m wondering if I’ve got something incorrectly configured so that Let’s Encrypt can’t communicate with my domain, but I’ve confirmed that I have the ports open on my firewall, even port 80. I can do it manually, but (so far) not with the Axigen Server.

Please note that port 80 of Axigen must be accessible from the internet. (ping.eu)
Also, you need to check the DNS A record of the email server so that it resolves from the internet.

Hello @Mohammad. Yes, as I mentioned, I already checked that. But, per your suggestion, I went ahead and double-checked using the testing system:


Make sure that auto redirection to port 443 is not active.
You can find this setting at the path below:
Webmail>edit port443>ssl setting

Also, please test that you can open webmail over http using the domain address from the internet.

Also, please search the log file below for “letse”.
[Axigen working directory]> logs> everything.txt

Well, I think you’re on the right track. Redirection was turned on, but I’ve now turned it off. But I also see that in my WebMail, both of the Port 80 listeners are disabled and when I try to enable them, I get an “Address already in use!” message. And when I try to open up webmail over port 80, it is still redirecting to 443.

And when I use the netstat command, I see:
TCP 0.0.0.0:80 0.0.0.0:0 LISTENING
Can not obtain ownership information

So it does look like there is something listening on port 80, but not Axigen. I’ve turned off my IIS and even restarted Axigen, but it keeps throwing the same error.

Yes, please see original post with the log information.

Since my cert expired today, I had to resort to doing it manually. Maybe in three months, I’ll be able to figure out how to get it to renew from within Axigen.

Okay - it’s time to renew my SSL certificate and I would really like to go back to using Let’s Encrypt as ZeroSSL has changed and is no longer using Let’s Encrypt for the CA.

I’ve upgraded to the latest and greatest Axigen version, but still having issues. Here is the error log:

Error Log:

2020-10-12 13:02:10 -0600 08 Server JOBLOG:70000007: LetsE: Acme job executing
2020-10-12 13:02:10 -0600 08 Server JOBLOG:70000007: LetsE: Found current request
2020-10-12 13:02:10 -0600 08 Server JOBLOG:70000007: LetsE: AcmeInitState for my.domain executing
2020-10-12 13:02:11 -0600 08 Server JOBLOG:70000007: LetsE: Response code 200
2020-10-12 13:02:11 -0600 08 Server JOBLOG:70000007: LetsE: Account location is https://acme-v02.api.letsencrypt.org/acme/acct/75829518, TOS URI is https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf
2020-10-12 13:02:11 -0600 02 Server JOBLOG:70000007: LetsE: Acme init state completed, moving to reg state
2020-10-12 13:02:11 -0600 08 Server JOBLOG:70000007: LetsE: Job step action => Proceeding to next state
2020-10-12 13:02:11 -0600 08 Server JOBLOG:70000007: LetsE: AcmeRegState for my.domain executing
2020-10-12 13:02:11 -0600 08 Server JOBLOG:70000007: LetsE: Response code 201
2020-10-12 13:02:11 -0600 02 Server JOBLOG:70000007: LetsE: Acme reg state completed, moving to challenge state
2020-10-12 13:02:11 -0600 08 Server JOBLOG:70000007: LetsE: Job step action => Proceeding to next state
2020-10-12 13:02:11 -0600 08 Server JOBLOG:70000007: LetsE: AcmeChallengeState for my.domain executing
2020-10-12 13:02:11 -0600 08 Server JOBLOG:70000007: LetsE: Response code 200
2020-10-12 13:02:11 -0600 08 Server JOBLOG:70000007: LetsE: Job step action => Waiting is needed, going to sleep
2020-10-12 13:02:26 -0600 08 Server JOBLOG:70000008: LetsE: Acme job executing
2020-10-12 13:02:26 -0600 08 Server JOBLOG:70000008: LetsE: AcmeChallengeState for my.domain executing
2020-10-12 13:02:26 -0600 02 Server JOBLOG:70000008: LetsE: Acme challenge state failed, perhaps my.domain cannot be accessed by the letsencrypt servers?
2020-10-12 13:02:26 -0600 02 Server JOBLOG:70000008: LetsE: Issuance Job for my.domain abandoned!
2020-10-12 13:02:26 -0600 02 Server JOBLOG:70000008: LetsE: last protocol errType All OK!
2020-10-12 13:02:26 -0600 02 Server JOBLOG:70000008: LetsE: last protocol errDetail All OK!
2020-10-12 13:02:26 -0600 02 Server JOBLOG:70000008: LetsE: Job step action => Cannot complete current work item, abandoning
2020-10-12 13:02:41 -0600 08 Server JOBLOG:70000009: LetsE: Acme job executing
2020-10-12 13:02:41 -0600 08 Server JOBLOG:70000009: LetsE: Nothing to do, going to sleep

What’s interesting is that it appears that Let’s Encrypt can’t get to my server. When I go to my Axigen WebMail (Admin), it says that port 80 is disabled, but when I try to enable it, it shows a message saying, “Address already in use!” I know for a fact that my ports are forwarded to my server, but when I use a port checker, it’s showing as blocked. I think that Axigen has port 80 disabled somehow. When I do a NetStat -ab, it shows “Can not obtain ownership information” for port 80, but correctly shows axigen.exe for the other ports (25, 443, etc.) When I pull the PID for port 80, it shows as System.

I know this should be easy, so what am I doing wrong? Has anyone been able to get this to work on a Windows box directly from WebAdmin?

I finally figured it out and wanted to pass along just in case others had the same issue.

As I mentioned before, although Windows showed that there was a listener going on port 80, I couldn’t get a cert. (Let’s Encrypt needs to validate the domain.) What I learned was that Axigen was not the listener and could not be enabled: since Axigen was not the listener on port 80, it could not obtain the certificate from Let’s Encrypt via Axigen.

So what I decided to do was bind the non-SSL Listener to port 8080 and it enabled without a problem. I then forwarded port 80 to 8080 on my router.


Once I did that, I was able to have Axigen generate a new SSL certificate, which I then bound to the different listeners.

This is interesting - could you recheck and see if port 80 is still owned by System?

If yes, what do you obtain when you try to run the following command:

telnet localhost 80

and press the ENTER key several times.

HTH,
Ioan

Yep, still owned by System, but when I do the telnet to port 80 as you asked, something does answer and I get a blank screen. I hit the ENTER key several times and finally CTRL+C and get:

When telnetting from a remote computer on the local network, I just get the standard “Connecting To server…Could not open connection to the host, on port 80: Connect failed” message like there isn’t a listener.

Well, it seems you have the answer: the owner of port 80 is Microsoft-HTTPAPI, which seems to be related to WAMP (a Windows web development environment).

I’ll leave you the “pleasure” of hunting down and identifying the real culprit.

BR,
Ioan

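For the situation in this thread, where netstat reports "Can not obtain ownership information" and the PID for port 80 is System, the following is an added example (not posted by anyone in the thread) of tracing the listener back to a user-mode process. It assumes an elevated PowerShell prompt on the mail server and English-language `netsh` output; the parameter and variable names are illustrative.

```powershell
# Added example: find the real owner of a TCP listener on Windows.
# Assumptions: elevated prompt, English netsh output, script saved to a .ps1 file.
param([int]$Port = 80)

$listeners = Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue
if (-not $listeners) {
    Write-Output "Nothing is listening on TCP port $Port."
    return
}

foreach ($l in ($listeners | Sort-Object OwningProcess -Unique)) {
    $ownerId = $l.OwningProcess
    $proc    = Get-Process -Id $ownerId -ErrorAction SilentlyContinue
    Write-Output ("{0}:{1} is held by PID {2} ({3})" -f `
        $l.LocalAddress, $l.LocalPort, $ownerId, $proc.ProcessName)

    if ($ownerId -ne 4) { continue }

    # PID 4 is the System process. The socket is held by the kernel HTTP
    # driver (HTTP.sys) on behalf of user-mode programs that registered a
    # URL on this port. netsh lists each request queue with the process
    # IDs attached to it and the URLs registered through it.
    $state  = (netsh http show servicestate view=requestq) -join "`n"
    $queues = $state -split '(?=Request queue name)' |
              Where-Object { $_ -match ":$Port/" }

    if (-not $queues) {
        Write-Output "  HTTP.sys holds the port but no request queue lists a URL on :$Port."
        continue
    }

    foreach ($q in $queues) {
        # Registered URL lines look like HTTP://+:80/path/
        [regex]::Matches($q, "(?im)^\s*(https?://\S*:$Port/\S*)") |
            ForEach-Object { Write-Output ("  registered URL: " + $_.Groups[1].Value) }

        # Lines that contain only a number are the attached process IDs.
        foreach ($m in [regex]::Matches($q, '(?m)^\s+(\d+)\s*$')) {
            $userPid = [int]$m.Groups[1].Value
            $p   = Get-Process -Id $userPid -ErrorAction SilentlyContinue
            $svc = Get-CimInstance Win32_Service -Filter "ProcessId = $userPid" |
                   Select-Object -ExpandProperty Name
            Write-Output ("  attached PID {0} ({1}) services: {2}" -f `
                $userPid, $p.ProcessName, ($svc -join ', '))
        }
    }
}
```

A service name in the last column points at what has to be stopped or rebound before another program can bind the port itself.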