Problem with letsencrypt on freshly installed Virtualmin GPL

#1 Fri, 05/26/2017 - 03:19
hvillemoes


Hi

I have a freshly installed CentOS 7 (minimum) with a freshly installed Virtualmin 5.07. I have created a virtual host with the same name as the server hostname. I then request a Let's Encrypt certificate, but get this error message:

Request Certificate
In domain agurk8.agurk.dk
Requesting a certificate for agurk8.agurk.dk, www.agurk8.agurk.dk from Let's Encrypt ..
.. request failed : Failed to request certificate :

Parsing account key...
Parsing CSR...
Registering account...
Already registered!
Verifying www.agurk8.agurk.dk...
Traceback (most recent call last):
  File "/usr/libexec/webmin/webmin/acme_tiny.py", line 235, in <module>
    main(sys.argv[1:])
  File "/usr/libexec/webmin/webmin/acme_tiny.py", line 231, in main
    signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, args.dns_hook, args.cleanup_hook, log=LOGGER, CA=args.ca)
  File "/usr/libexec/webmin/webmin/acme_tiny.py", line 184, in get_crt
    domain, challenge_status))
ValueError: www.agurk8.agurk.dk challenge did not pass: {u'status': u'invalid', u'keyAuthorization': u'ya1oUQ_Aq7N80rMs50ec1KSomIPI2X5qJSDZL9IufYA.TjN41DClPidgQNjpQJrSas4AgXBe04JkzvB9Vz5RJGo', u'uri': u'https://acme-v01.api.letsencrypt.org/acme/challenge/E5gD_XH3CZxo2w0gPVuoxeu6NcRs2glrFveXNtskYB8/1229952579', u'token': u'ya1oUQ_Aq7N80rMs50ec1KSomIPI2X5qJSDZL9IufYA', u'error': {u'status': 400, u'type': u'urn:acme:error:connection', u'detail': u'DNS problem: NXDOMAIN looking up TXT for _acme-challenge.www.agurk8.agurk.dk'}, u'type': u'dns-01'}

On the other hand, when I request the only verification file:

[root@agurk8 ~]# cat /home/agurk8/public_html/.well-known/acme-challenge/mRjvVyxpCoWc5Qq-iWqnk6bcPH5q5hOgeRmGJleAxmc
mRjvVyxpCoWc5Qq-iWqnk6bcPH5q5hOgeRmGJleAxmc.TjN41DClPidgQNjpQJrSas4AgXBe04JkzvB9Vz5RJGo[root@agurk8 ~]#
[root@agurk8 ~]#

I get this result in the browser using the URL http://...../.well-known/acme-challenge/mRjvVyxpCoWc5Qq-iWqnk6bcPH5q5hOgeRmGJleAxmc:

mRjvVyxpCoWc5Qq-iWqnk6bcPH5q5hOgeRmGJleAxmc.TjN41DClPidgQNjpQJrSas4AgXBe04JkzvB9Vz5RJGo

So why does Let's Encrypt not verify?

Any hint is welcome. The status "Already registered" is caused by previous tries.

Thanks
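As an added example that is not part of this thread, a small Python 3 triage helper that parses the acme_tiny failure line quoted above, reports which challenge type actually failed (dns-01 here, so the .well-known file is never consulted), and compares the key authorization in the error with the body of the http-01 file; the sample values are constructed placeholders, not the thread's own tokens.

```python
import ast
import re
# Constructed sample shaped like the acme_tiny traceback line quoted above; tokens are placeholders.
SAMPLE_ERROR = (
    "ValueError: www.example.com challenge did not pass: {u'status': u'invalid', "
    "u'keyAuthorization': u'TOKEN_A.THUMB_X', u'token': u'TOKEN_A', "
    "u'error': {u'status': 400, u'type': u'urn:acme:error:connection', "
    "u'detail': u'DNS problem: NXDOMAIN looking up TXT for _acme-challenge.www.example.com'}, "
    "u'type': u'dns-01'}"
)
# Constructed sample of an http-01 challenge file body, "<token>.<account key thumbprint>".
SAMPLE_FILE_BODY = "TOKEN_B.THUMB_X\n"
KEYAUTH_RE = re.compile(r"^([A-Za-z0-9_-]+)\.([A-Za-z0-9_-]+)$")  # base64url.base64url

def parse_challenge_error(line):
    """Return (domain, status dict) from an acme_tiny 'challenge did not pass' line."""
    m = re.search(r"ValueError: (\S+) challenge did not pass: (\{.*\})\s*$", line)
    if not m:
        raise ValueError("not an acme_tiny challenge failure line")
    # literal_eval accepts the u'' prefixes of a Python 2 repr and evaluates no code
    return m.group(1), ast.literal_eval(m.group(2))

def split_keyauth(keyauth):
    """Split a key authorization '<token>.<thumbprint>' into its two parts."""
    m = KEYAUTH_RE.match(keyauth.strip())
    if not m:
        raise ValueError("malformed key authorization")
    return m.group(1), m.group(2)

def diagnose(line, file_body):
    """Name the challenge type that failed and check the http-01 file against it."""
    domain, status = parse_challenge_error(line)
    ctype = status.get("type")
    detail = status.get("error", {}).get("detail", "")
    chal_token, chal_thumb = split_keyauth(status["keyAuthorization"])
    body_token, body_thumb = split_keyauth(file_body)
    findings = []
    if ctype == "dns-01":
        m = re.search(r"NXDOMAIN looking up TXT for (\S+)", detail)
        name = m.group(1) if m else "_acme-challenge." + domain
        findings.append("dns-01 was used; no TXT record at %s" % name)
        findings.append("a file under .well-known cannot satisfy a dns-01 challenge")
    else:
        findings.append("%s failed: %s" % (ctype, detail))
    if body_thumb != chal_thumb:
        findings.append("thumbprints differ: the file belongs to another account key")
    if chal_token != body_token:
        findings.append("challenge token %s is not the one in the file" % chal_token)
    return domain, ctype, findings
```

Run `diagnose` on the real traceback line and the real file body to see at a glance whether the failing challenge was dns-01 or http-01 and whether both were produced by the same account key.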

Sat, 05/27/2017 - 18:34
Joe

There are multiple problems. The primary one is that Let's Encrypt cannot reach your server; I would guess DNS is wrong or not propagated. Make sure your DNS records are resolving and pointing to the right IP address.

Make sure you don't have any authentication or redirects or anything preventing LE from reaching that file. It sounds like it's working, since you're able to browse to it from your browser... do you perhaps have a hosts file entry, so your client machine doesn't need to look up the DNS record?

The already registered thing likely means you'll need to wait a few minutes for the throttling to back off. LE throttles when you make multiple requests in a short time to reduce abuse.

--

Check out the forum guidelines!

Sat, 06/03/2017 - 18:41
No Expert

I have a similar problem, as above.

Two things to note:
(1) I manually installed Let's Encrypt before it was included in Webmin. That means I have these folders: /opt/letsencrypt and /root/.local/share/letsencrypt.
However, there is no /etc/letsencrypt and I cannot see an installed package with that name. Do I need to delete those folders?

(2) The certificate is correctly generated for the non-www site, but fails for the www site. Not sure why.

The message is below. Appreciate any help.

Parsing account key...
Parsing CSR...
Registering account...
Already registered!
Verifying example.com...
example.com verified!
Verifying www.example.com...
Traceback (most recent call last):
  File "/usr/libexec/webmin/webmin/acme_tiny.py", line 235, in <module>
    main(sys.argv[1:])
  File "/usr/libexec/webmin/webmin/acme_tiny.py", line 231, in main
    signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, args.dns_hook, args.cleanup_hook, log=LOGGER, CA=args.ca)
  File "/usr/libexec/webmin/webmin/acme_tiny.py", line 184, in get_crt
    domain, challenge_status))
ValueError: www.example.com challenge did not pass: {u'status': u'invalid', u'keyAuthorization': u'YkGkhxgnUkUiz7foGEzKj6QcoGrELBAsJhXFbzNZmk0._sOilf-gQQab6sKqTu6ssIxYID_44t4FeSMpqquHG7o', u'uri': u'https://acme-v01.api.letsencrypt.org/acme/challenge/LrHzZIMvgjccYMENfJFCAN16Lt5RblrDX9iYC_KqBAM/1275068815', u'token': u'YkGkhxgnUkUiz7foGEzKj6QcoGrELBAsJhXFbzNZmk0', u'error': {u'status': 400, u'type': u'urn:acme:error:connection', u'detail': u'DNS problem: NXDOMAIN looking up TXT for _acme-challenge.www.example.com'}, u'type': u'dns-01'}

Sun, 06/04/2017 - 01:34
ksihota

I'm having a similar issue with a couple of domains. Other domains have worked fine.

I have removed .htaccess files and checked for redirects to https://. I have also verified that I can reach a test.txt file placed in the acme-challenge dir: http://www.xxxxxx.com/.well-known/acme-challenge/test.txt

Data is being written there. I have also tried only domain.com, www.domain.com and mail.domain.com individually, as a group, in different order. Using a domain that had worked previously I was able to add mail.olddomain.com to the existing certificate with no problem. These are all domains hosted on the same server. CentOS 7.

From what I can see all the domains are set up the same, and that includes the virtual host sections in the httpd.conf file. The 2 domains I am having trouble with were the latest to be moved over but have had a few days for DNS to resolve. The DNS records are the same for these and the other domains that had worked previously.

Parsing account key...
Parsing CSR...
Registering account...
Already registered!
Verifying xxxxxxx.com...
Traceback (most recent call last):
  File "/usr/libexec/webmin/webmin/acme_tiny.py", line 235, in <module>
    main(sys.argv[1:])
  File "/usr/libexec/webmin/webmin/acme_tiny.py", line 231, in main
    signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, args.dns_hook, args.cleanup_hook, log=LOGGER, CA=args.ca)
  File "/usr/libexec/webmin/webmin/acme_tiny.py", line 184, in get_crt
    domain, challenge_status))
ValueError: xxxxxxx.com challenge did not pass: {u'status': u'invalid', u'keyAuthorization': u'cTmnUmISwo1eEAzC_McNfHH_J015bGuOGS5JoHe0XVg.QVdezGGgjj5Malo5q754X9NF_gcBY0MSMZqIb37v-nk', u'uri': u'https://acme-v01.api.letsencrypt.org/acme/challenge/UDyX0_gYWQcoiESscGSfFqivJ2hxxSsIYYICXhUGu8w/1276925665', u'token': u'cTmnUmISwo1eEAzC_McNfHH_J015bGuOGS5JoHe0XVg', u'error': {u'status': 400, u'type': u'urn:acme:error:connection', u'detail': u'DNS problem: NXDOMAIN looking up TXT for _acme-challenge.xxxxxxx.com'}, u'type': u'dns-01'}

Thu, 06/08/2017 - 05:09 (Reply to #4)
adelphia

I can state I'm having this issue on my one and only website (which I'm trying to sort aliases out for too). The information shown above suggests that for some unknown reason, LE via Web and Virtualmin is now trying to use DNS resolution and searching for a specific TXT entry in your DNS. I hate this method with Let's Encrypt as the data changes every time you try to reissue or renew, which makes copying and therefore pasting the code as a TXT entry in your site obsolete as soon as you save it.

Chris: Adelphia Interactive
Desktop: Windows 10 Pro x64
Server: Ubuntu 16.0.4.2LTS
Webmin/Virtualmin: Latest (daily updates)

Wed, 06/07/2017 - 17:08
No Expert

Hi ksihota,

did you have any luck with this?

Thanks

Fri, 06/09/2017 - 00:18 (Reply to #6)
ksihota

I'm still fighting with it. I only have about 3 tries before it locks me out and I have to wait for a reset to try again. I was hoping that someone with some experience with the system would provide some insight. I really don't understand how the challenge works or what the error message I get actually means. I have read some discussions about timing but am not clear if that has any bearing on this issue.

Thu, 06/08/2017 - 04:51
webbiz

Any updates?

Thu, 06/08/2017 - 05:02
adelphia

Sorry to add to the end of this but it's the only way I can ask this. How do I start a new topic and post it? I've managed to start a new topic and enter all the info (I actually tried twice, thank god for cut and paste, and remembering to do it) but it just allows me to "save" and "preview" but not "post" option. After clicking "save" it takes me to the site's homepage. Am I doing something wrong (and sorry for hijacking/interrupting this thread)?


Fri, 06/09/2017 - 00:11 (Reply to #9)
ksihota

  • Make sure you are logged in
  • Select Create New Topic
  • Enter the info
  • Select Save

When you select Save it should post it. If you want to verify what it will look like, Preview it first and select Save when you are ready.

Fri, 06/09/2017 - 04:52 (Reply to #10)
adelphia

OK, I'll try again but I'm not too hopeful. Do new posts/topics have to be approved by moderators before they are posted? Here goes...

Nope! It says it's posted but it hasn't...


Fri, 06/09/2017 - 11:28 (Reply to #11)
ksihota

@Adelphia - Maybe it has something to do with the Mollom privacy policy

Sat, 06/10/2017 - 05:24 (Reply to #12)
adelphia

What I may do is post it here, see if it works and, if it does, delete it as it has nothing to do with this. As far as I can tell there is nothing in it that infringes on the Mollom privacy policy, but it may be that I refer to Plesk; if that's the case, this wouldn't post either.


Fri, 06/09/2017 - 11:27
ksihota

I think I found out what my issue was.

I took a closer look at my Virtual Hosts records in the httpd.conf file and realized that I had not enabled IPv6 on the accounts that were not working. I went and enabled it on one and tried getting a new Let's Encrypt certificate, and it worked. Now I just need to try this on the other domains.

EDIT: Tried with a second account and it worked fine as soon as I enabled the IPv6 shared address under Change IP Address for the virtual server.

Topic locked