Unable to renew lets encrypt certificate

#1 Thu, 09/28/2017 - 02:21
winlinux

Hi everyone, I've been facing a problem for hours. Yesterday I noticed the SSL certificate of my website (xxx.fr) had to be renewed (I thought it was automatic though...). To avoid the Firefox warning, I wrote a redirection in an .htaccess (from https to http).

So I logged in to Virtualmin (Debian 8, Virtualmin 6.00) and tried to renew the LE certificate, but I keep coming across these errors:

.. request failed : Web-based validation failed : Failed to request certificate :
Traceback (most recent call last):
  File "/usr/share/webmin/webmin/acme_tiny.py", line 235, in <module>
    main(sys.argv[1:])
  File "/usr/share/webmin/webmin/acme_tiny.py", line 231, in main
    signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, args.dns_hook, args.cleanup_hook, log=LOGGER, CA=args.ca)
  File "/usr/share/webmin/webmin/acme_tiny.py", line 171, in get_crt
    raise ValueError("Gave up waiting for validation")
ValueError: Gave up waiting for validation

and

DNS-based validation failed : Failed to request certificate : {u'error': {u'status': 400, u'type': u'urn:acme:error:connection', u'detail': u'DNS problem: NXDOMAIN looking up TXT for _acme-challenge.www.xxx.fr'}, u'type': u'dns-01'}

Any help would be greatly welcome ;-)

Thu, 09/28/2017 - 05:40
winlinux

The URL http://www.xxx.fr/.well-known/acme-challenge/aSF70Pkxdwr3BxrH1goBiRVobRD... is OK. And when I dig it, it's OK...

dig TXT _acme-challenge.www.xxx.fr

;; ANSWER SECTION:
_acme-challenge.www.xxx.fr. 1800 IN TXT "QcCTV3OIwil0Q6vj_L2fzq62YgTXy4yQK2ZbhbK2k1o"

What am I doing wrong?

Thu, 09/28/2017 - 06:29
winlinux

How come I get this when reading values in Virtualmin > Servers > Bind DNS Servers:

_acme-challenge.www.xxx.fr. 5 IN TXT 6tJCCY4oZNtFLQLzWHiORv2o011o8EGy4Rw1NjNC5e0

and I get a different value when I dig through ssh:

_acme-challenge.www.xxx.fr. 1043 IN TXT "QcCTV3OIwil0Q6vj_L2fzq62YgTXy4yQK2ZbhbK2k1o"

If someone could help me, that would be great.... ;-)

Thu, 09/28/2017 - 11:26
unborn

Check your host name. Do the hostname and hostname -f commands give you the same output? Also, do you do your own DNS or do you do it via your registrar?

Configuring/troubleshooting Debian servers is always great fun

Thu, 09/28/2017 - 11:55
winlinux

Thanks for answering! Here is the output:

user@xxx:~$ hostname
zzz

user@xxx:~$ hostname -f
zzz.xxx.org

As for the dns I handle them directly via Bind...

edit: By the way, xxx.xxx.org is the name known by Virtualmin (System hostname = xxx.xxx.org)

Fri, 09/29/2017 - 08:34 (Reply to #5)
unborn

As I mentioned, zzz and zzz.xxx.org are not the same, and I think that is your problem itself.

Configuring/troubleshooting Debian servers is always great fun

Thu, 09/28/2017 - 12:29
winlinux

Ok I changed the hostname and now :

ValueError: Error checking challenge: 502 {u'type': u'urn:acme:error:serverInternal', u'detail': u'The service is down for maintenance or had an internal error. Check https://letsencrypt.status.io/ for more details.'}

Seems I have to wait until the end of the maintenance...

Thank you anyway for your help !

Thu, 09/28/2017 - 12:54
winlinux

OK, as I said, I changed the hostname so that it gives xxx.xxx.org for both hostname and hostname -f,

but there's still a problem....

dig TXT _acme-challenge.www.xxx.fr

_acme-challenge.www.xxx.fr. 1800 IN TXT "QcCTV3OIwil0Q6vj_L2fzq62YgTXy4yQK2ZbhbK2k1o"

but bind does not give the same value as dig in ssh.....

_acme-challenge.www.xxx.fr. 5 IN TXT VifmnH57Yh_GEggfMikLlixnR-el68Vo9q3LN2cKJnI
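
The two values above, one from the zone as Webmin shows it (TTL 5) and one from dig through the system resolver (the same token, with its TTL counting down from 1800 to 1043), are what a cached answer looks like: the zone has the new token, a resolver still serves the old one. As an added example, not code from the thread or from Virtualmin, the script below queries your own BIND directly (@localhost, no recursion, which is what the CA gets from the authoritative servers) and then the system resolver, and compares both with the value you expect, after normalising the quotes that make dig's output and Webmin's display look different. The function names are made up here; the sample dig line reuses the token values quoted above.

```shell
#!/bin/sh
# Added example (not from the original thread or from Virtualmin).
# Compares the _acme-challenge TXT value your own BIND serves with what a
# recursive resolver returns, so a stale cached record shows up before the CA
# looks for it. Function names are made up here; the sample dig line reuses
# the values quoted in the thread.

# Strip optional surrounding double quotes and whitespace from a TXT rdata so
# Webmin's unquoted display and dig's quoted output compare equal.
normalize_txt() {
    printf '%s\n' "$1" | sed -e 's/^[[:space:]]*"\{0,1\}//' -e 's/"\{0,1\}[[:space:]]*$//'
}

# Print the first TXT rdata found in dig output read on stdin. Answer lines
# look like: _acme-challenge.www.xxx.fr. 1800 IN TXT "token"
txt_from_dig_output() {
    awk '$4 == "TXT" { for (i = 5; i <= NF; i++) printf "%s%s", $i, (i < NF ? " " : "\n"); exit }'
}

# Compare the value in the zone (as Webmin shows it) with raw dig output.
# Prints MATCH, MISMATCH or NXDOMAIN with the detail.
diagnose_txt() {
    zone_value=$(normalize_txt "$1")
    seen=$(normalize_txt "$(printf '%s\n' "$2" | txt_from_dig_output)")
    if [ -z "$seen" ]; then
        echo "NXDOMAIN: no TXT record in the answer"
    elif [ "$zone_value" = "$seen" ]; then
        echo "MATCH"
    else
        echo "MISMATCH: zone has $zone_value, answer was $seen (stale cache or a different server)"
    fi
}

# Live check: ask your BIND directly (no recursion, so the answer comes from
# the zone, which is what the CA sees at the authoritative servers) and then
# the system resolver, which may keep an older record until its TTL runs out.
check_acme_txt() {
    name="_acme-challenge.$1"; expected="$2"; server="${3:-localhost}"
    echo "authoritative @$server: $(diagnose_txt "$expected" "$(dig @"$server" +norecurse +noall +answer TXT "$name")")"
    echo "system resolver:        $(diagnose_txt "$expected" "$(dig +noall +answer TXT "$name")")"
}

# Constructed demo input: the zone holds a new token while a resolver still
# returns the previous one, its 1800 s TTL having counted down to 1043.
SAMPLE_ZONE_VALUE='VifmnH57Yh_GEggfMikLlixnR-el68Vo9q3LN2cKJnI'
SAMPLE_DIG_OUTPUT='_acme-challenge.www.xxx.fr. 1043 IN TXT "QcCTV3OIwil0Q6vj_L2fzq62YgTXy4yQK2ZbhbK2k1o"'

case "${1:-}" in
    live) check_acme_txt "$2" "$3" "${4:-localhost}" ;;
    demo) diagnose_txt "$SAMPLE_ZONE_VALUE" "$SAMPLE_DIG_OUTPUT" ;;
esac
```

Saved as a script, `live www.xxx.fr TOKEN [server]` runs both queries against the token Webmin wrote into the zone, and `demo` replays the constructed sample, which reports a MISMATCH. If the authoritative answer matches and only the resolver is stale, there is nothing to fix on the server; if the authoritative answer is NXDOMAIN, the zone was not reloaded or the challenge record was written to a different zone than the one the nameservers publish.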

Thu, 09/28/2017 - 15:56
noisemarine

hostname and hostname -f should be different, i.e. exactly the way you had them at the start.

Fri, 09/29/2017 - 08:35 (Reply to #9)
unborn

You are wrong, and if you set it as you are saying, you would never ever be able to deal with these issues. Do you know how BIND DNS works? Also how domain verification and DKIM work? If so, you would know already.

Configuring/troubleshooting Debian servers is always great fun

Fri, 09/29/2017 - 18:11 (Reply to #10)
noisemarine

If we'd like to query each other's credentials, well, why not at least read the man page for hostname, specifically the FQDN section.

https://manpages.debian.org/stretch/hostname/hostname.1.en.html

and then how resolution works

https://manpages.debian.org/stretch/manpages/hostname.7.en.html

Why have a -f argument at all if it is going to return the same thing as the base command? :)

All my stuff works just fine, btw.

Thu, 09/28/2017 - 16:16
winlinux

OK, but it didn't work anyway in either case...

Thu, 09/28/2017 - 16:41
winlinux

As https raises a warning, I added a URL rewrite in an .htaccess to force https to http. Could that be the reason why it does not pass the web-based validation?

Fri, 09/29/2017 - 02:15
winlinux

I found a kind of workaround; let's say it's OK, ...

Sat, 09/30/2017 - 13:13
sonix

Would you mind sharing the workaround you found?

Thu, 10/05/2017 - 22:51
lmacka

Forums are far more useful if the wisdom is shared. Please post how you fixed the problem.

Thu, 10/05/2017 - 23:32 (Reply to #16)
Joe

The solution to Let's Encrypt not working is almost always DNS or some redirects getting in the way of validation. So, check your DNS, and make sure you can browse to the link for the validation file (the URL looks something like this: http://domain.tld/.well-known/acme-challeng/XDGS6B-og9RrtEBFAAwGpgIQ3g8P0jZlhPv983nsgK4).

--

Check out the forum guidelines!

Thu, 10/12/2017 - 12:10
unborn

Joe just said it right; that is what I meant in my own comment regarding BIND and DNS. Sorry if my answer was not very clear, however I did ask... did you resolve the problem, noisemarine?

Configuring/troubleshooting Debian servers is always great fun

Thu, 10/12/2017 - 12:48
Jfro

As for the problem, the redirect from https to http could be causing it to fail, the same as more redirects of the .htaccess kind could, then probably a ,,,

I don't understand the http without s here? http://domain.tld/.well-known/acme-challeng/XDGS6B-og9RrtEBFAAwGpgIQ3g8P0jZlhPv983nsgK4 PORT?

Thu, 07/26/2018 - 09:55
simon.b

Hello, I have the same problem. The solution: set all redirects in the Apache conf and .htaccess from "http" to "https" back to only "http" and you can request a new Let's Encrypt certificate and it works... but it is not a renewal, it is a new certificate! This is a bad solution because it is manual; I have 10+ hosts and I don't have time every 3 months to make these changes manually! Does anyone know a solution that works automatically? In theory an EXCEPTION in the Apache conf and .htaccess for http://domain.tld/.well-known/acme-challeng/.
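
One way to build the exception simon.b describes, as an added example that is not code from the thread, from Virtualmin or from Apache: the first function prints an .htaccess that forces HTTPS but leaves /.well-known/acme-challenge/ alone (the same RewriteCond belongs in front of a redirect in the other direction too, such as the https-to-http rule in the first post); the rest fetches a challenge URL the way the CA does, over plain HTTP and without following redirects, and reports whether the first response was served directly or redirected. Function names, the constructed sample responses and the placeholder host and token are assumptions made here.

```shell
#!/bin/sh
# Added example (not from the original thread, Virtualmin or Apache).
# Keeps /.well-known/acme-challenge/ out of every rewrite and checks, from the
# outside, that a challenge URL is answered directly rather than redirected.
# Function names, sample responses, host and token are constructed.

# Print an .htaccess that forces HTTPS for everything except the ACME
# challenge directory. The first RewriteCond is the exemption; put the same
# condition in front of any other redirect (https-to-http included).
htaccess_with_acme_exemption() {
    cat <<'EOF'
RewriteEngine On
# Let the CA fetch the challenge over plain HTTP, whatever else is redirected.
RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
EOF
}

# Reduce a captured header block (curl -D output, no -L) to "code [location]".
parse_response_headers() {
    tr -d '\r' | awk '
        NR == 1 && index($1, "HTTP/") == 1 { code = $2 }
        tolower($1) == "location:"         { loc = $2 }
        END { if (loc == "") print code; else print code, loc }'
}

# Judge the first response to a challenge fetch: OK, REDIRECT or ERROR.
judge_challenge_response() {
    code="$1"; location="$2"
    case "$code" in
        200)             echo "OK: challenge served directly" ;;
        301|302|307|308) echo "REDIRECT: $code to $location (a rewrite rule sits in front of the challenge)" ;;
        *)               echo "ERROR: HTTP ${code:-no response}" ;;
    esac
}

# Combine the two on a header block read from stdin.
judge_captured_response() {
    parse_response_headers | { read -r code loc; judge_challenge_response "$code" "$loc"; }
}

# Live check: fetch like the CA does (plain HTTP, no redirect following).
check_challenge_url() {
    curl -sS -o /dev/null -D - "http://$1/.well-known/acme-challenge/$2" | judge_captured_response
}

# Constructed samples: a redirected challenge, the kind of thing Joe and
# simon.b describe, and a healthy direct answer.
SAMPLE_REDIRECTED='HTTP/1.1 301 Moved Permanently
Location: https://www.example.fr/.well-known/acme-challenge/TOKEN
Content-Length: 0'
SAMPLE_DIRECT='HTTP/1.1 200 OK
Content-Type: text/plain
Content-Length: 87'

case "${1:-}" in
    live)     check_challenge_url "$2" "$3" ;;
    htaccess) htaccess_with_acme_exemption ;;
    demo)     printf '%s\n' "$SAMPLE_REDIRECTED" | judge_captured_response ;;
esac
```

Saved as a script, `htaccess` prints the rules to paste, `live www.example.fr TOKEN` checks a real challenge URL (any 2xx answer other than 200, or a 404 on a token you just placed, means the challenge file is not where the web server looks for it), and `demo` replays the redirected sample. Because the exemption is tested from outside, it also catches redirects that come from the Apache conf rather than from the .htaccess.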

Thu, 08/09/2018 - 05:28
unborn

@simon.b and others

....if you do request a new cert, make sure you do it every 2.5 or 2.0 months (automated option). https must be valid when the new request is done. If your old cert is not valid there would be an error of course and you would have to do it via http or manually...

Configuring/troubleshooting Debian servers is always great fun

Topic locked