Let's Encrypt SSL will not renew - site now down! SOLVED 12/15/2017

#1 Thu, 12/14/2017 - 17:48
samrich


Anyone,

Running the following: Webmin 1.870, Virtualmin 6.02, OS CentOS 7.4.1708. All packages are up to date.

Have a domain that failed to renew the Let's Encrypt cert. So upon trying manually I get the following:

Requesting a certificate for MYXXXXDOMAIN.com, www.MYXXXXDOMAIN.com from Let's Encrypt .. .. request failed : Web-based validation failed : Failed to request certificate : MYXXXXDOMAIN.com challenge did not pass: Fetching https://MYXXXXDOMAIN.com/acme-challenge/7L83W9Zy_sAWB-87PuBmwB2_TlNJSEiN... Error getting validation data DNS-based validation failed : Failed to request certificate : Error requesting challenges: Error creating new authz :: Too many failed authorizations recently.

Can someone tell me if this is a Virtualmin issue or a Let's Encrypt issue?

Thu, 12/14/2017 - 18:09
noisemarine

Do MYXXXXDOMAIN.com and www.MYXXXXDOMAIN.com both resolve properly? Try pinging each and make sure they go to the correct IP address. Then try visiting each in a browser. Do they get to the correct site? If either of these things fail, you need to fix them.

Thu, 12/14/2017 - 18:32
samrich

So, ping of both works and resolves correctly.

When visiting each in a browser, www.MYXXXXDOMAIN.com redirects to https://MYXXXXDOMAIN.com as expected. However, the results fail in the browser because the browser does not like the fact that the SSL cert is expired.

Would removing SSL from the domain and restarting Virtualmin, then test access to the domain, upon success re-add the SSL and attempt to request a certificate work?

Thu, 12/14/2017 - 18:42
noisemarine

Just install the cert as new instead of renew. It should handle the redirect to https properly in that case.

Thu, 12/14/2017 - 19:53
samrich

Well, that didn't work. Different error this time:

Requesting a certificate for MYXXXXDOMAIN.com, www.MYXXXXDOMAIN.com from Let's Encrypt .. .. request failed : Web-based validation failed : Failed to request certificate : MYXXXXDOMAIN.com challenge did not pass: Fetching https://MYXXXXDOMAIN.com/acme-challenge/A7p_chcczOaNPLpfydIZ3IX-KVLD7izB... Error getting validation data DNS-based validation failed : Failed to request certificate : Undefined subroutine &main::get_bind_zone_for_domain called at /usr/libexec/webmin/webmin/letsencrypt-dns.pl line 24. MYXXXXDOMAIN.com challenge did not pass: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.MYXXXXDOMAIN.com

Thu, 12/14/2017 - 23:10 (Reply to #5)
Joe

This second error indicates it fell back to the DNS method of validating your certificate because the website validation method didn't work.

Something is weird about the web-based validation. It should be going to .well-known/acme-challenge/blahblahblah but there is no .well-known in that path. Do you have some redirects in place for that domain? Make sure you can browse to the .well-known directory on all of the domains you're requesting a certificate for. It shouldn't matter that the cert is expired. That's a red herring; what matters is that it can be reached at all, which this error indicates it cannot.


Thu, 05/24/2018 - 19:19 (Reply to #6)
WNYmathGuy

Need some attention over on https://www.virtualmin.com/node/57241 when you get a chance. :)

-- I'm remarkably average

Thu, 12/14/2017 - 22:16
noisemarine

What domains do you have listed in the "Request certificate for" box on the LE page? Are you using the default "Domains associated with this server" or "Domain names listed here"? Whatever you have listed in there MUST have working DNS and website for LE to be able to do its thing. If you've got odd names like listed above, use the "Domain names listed here" option and put each name in there you need.

Fri, 12/15/2017 - 03:29
Matth

Have you checked that DNS is OK for that domain? Does it point to the proper IP address?

If you have made recent changes on the domain, you can check whether DNS propagation is OK.

You can also, for testing purposes or as a workaround, disable the HTTPS redirect and verify that you can access the website properly.

Do you see a .well-known folder at the root of the web site? This is where the data are stored to request the certificate.

Matth

Fri, 12/15/2017 - 10:47
samrich

Joe,

When viewing Virtualmin -> selected domain -> Server Configuration -> Website Redirects I see two in the list:

URL path            Type             Destination
/(?!.well-known)    Redirect to URL  https://MYXXXXDOMAIN.com/$1
^/(?!.well-known)   Redirect to URL  https://MYXXXXDOMAIN.com/$1

Not sure why there are two. Checking some of the other domains on the same server I only see one redirect for them, the second one above.

noisemarine, in the "Request certificate for" box on the LE page, it is set to "Domains associated with this server". There are two domains listed: MYXXXXDOMAIN.com and www.MYXXXXDOMAIN.com

I can ping both domains and they resolve to the correct IP address. So that would imply the DNS is good.

Matth, Ping works and no DNS changes in 6 months. I do see a .well-known folder in the public_html directory, which is the root of the website for this domain. User and owner are set to the owner of the virtual server and the rights are 755.

Fri, 12/15/2017 - 10:54
samrich

All,

SOLVED!!!! SOLVED!!!!!

Looks like the issue was that there were two redirects for the .well-known:

wrong ---> /(?!.well-known)

correct ---> ^/(?!.well-known)

Not sure how this happened but glad the site is back up.

Thanks for the help!

Fri, 12/15/2017 - 16:04
atleast

I use this code to redirect to https:

RewriteRule ^(.*)$ https://domain.com/$1 [R,L]

I need to add code so that letsencrypt is not forced to https, as it works with http. Do you think this code will add an exception for letsencrypt?

RewriteCond %{REQUEST_URI} !^/.well-known/acme-challenge/

Sun, 12/17/2017 - 01:45
Matth

Hi all,

On my side here is how it works:

RedirectMatch ^/(?!.well-known)(.*)$ https://hop.ducorporation.com/$1

With this redirect you can request a certificate with let's encrypt and you'll access the site only with https.

It's effectively very important that Let's Encrypt can access the .well-known folder with http to be able to perform the certificate enrollment.

Kind regards,

Matth
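Why the first redirect in the "SOLVED" post broke validation, and why the RewriteCond/RewriteRule pair and Matth's RedirectMatch both leave the challenge path alone, can be seen by emulating the matching Apache does. The block below is an added example written for this page, not code from the thread, from Virtualmin, or from Apache. It assumes (a) that Virtualmin turns a "URL path" of P in Website Redirects into `RedirectMatch P(.*)$ <destination>`, the shape Matth's directive has; (b) that Apache applies a RedirectMatch regex as an unanchored search, so a pattern with no leading `^` can match at a later `/` in the path; (c) that the RewriteRule is in per-directory (.htaccess) context, where the leading `/` is stripped before the rule's regex runs. The host, the token and the request paths are constructed sample values; the token reuses the prefix quoted in the first error message only to make the output recognisable.

```python
import re

# Constructed sample inputs for this added example (not from the original thread).
HOST = "MYXXXXDOMAIN.com"                      # placeholder domain, as written in the thread
TOKEN = "7L83W9Zy_sAWB-87PuBmwB2_TlNJSEiN"      # token prefix from the thread's first error, reused as sample
CHALLENGE_PATH = "/.well-known/acme-challenge/" + TOKEN
ORDINARY_PATH = "/index.html"


def virtualmin_redirect_regex(url_path: str) -> str:
    """Assumption: a Virtualmin 'URL path' P becomes 'RedirectMatch P(.*)$ dest'."""
    return url_path + r"(.*)$"


# The two rules exactly as the thread's Website Redirects page listed them.
WRONG_RULE = virtualmin_redirect_regex(r"/(?!.well-known)")    # no ^ anchor
RIGHT_RULE = virtualmin_redirect_regex(r"^/(?!.well-known)")   # anchored at path start
DESTINATION = "https://" + HOST + "/$1"


def redirect_match(regex: str, path: str, destination: str):
    """Emulate Apache RedirectMatch.

    Assumption: Apache runs the regex as a search (not a full match), so a
    pattern lacking a leading ^ may match at any '/' inside the path. $1 is
    the first capture group. Returns the Location URL when the rule fires,
    or None when the request would be served locally instead.
    """
    m = re.search(regex, path)
    if m is None:
        return None
    return destination.replace("$1", m.group(1))


def rewrite_with_acme_exception(uri: str, host: str):
    """Emulate the mod_rewrite pair from the thread:

        RewriteCond %{REQUEST_URI} !^/.well-known/acme-challenge/
        RewriteRule ^(.*)$ https://HOST/$1 [R,L]

    The RewriteCond is tested first; when it is false the RewriteRule is
    skipped. Assumption: per-directory context, so the rule's regex sees
    the path without its leading '/'. The unescaped '.' in the condition
    matches any character; '\\.' would be stricter, with the same practical effect.
    """
    if re.search(r"^/.well-known/acme-challenge/", uri):
        return None                                  # condition false: no redirect
    relative = uri[1:] if uri.startswith("/") else uri
    m = re.match(r"^(.*)$", relative)
    return "https://" + host + "/" + m.group(1)


def explain(regex: str, path: str) -> str:
    """One-line summary of what a RedirectMatch rule does to a path."""
    target = redirect_match(regex, path, DESTINATION)
    return f"{regex!r} on {path}: " + ("served locally" if target is None else "301 -> " + target)


if __name__ == "__main__":
    # The unanchored rule matches at the '/' before 'acme-challenge', so $1 loses
    # '.well-known/' and the CA is bounced to https://HOST/acme-challenge/<token>,
    # which is the URL the thread's first error message shows.
    for rule in (WRONG_RULE, RIGHT_RULE):
        print(explain(rule, CHALLENGE_PATH))
        print(explain(rule, ORDINARY_PATH))
    print("RewriteCond/RewriteRule on challenge:", rewrite_with_acme_exception(CHALLENGE_PATH, HOST))
    print("RewriteCond/RewriteRule on ordinary :", rewrite_with_acme_exception(ORDINARY_PATH, HOST))
```

Running it shows that both rules redirect `/index.html` to HTTPS, but only the unanchored one also redirects the challenge URL, and it does so with `.well-known/` stripped from the path, which matches the `https://MYXXXXDOMAIN.com/acme-challenge/...` URL in the original error. The RewriteCond version returns no redirect for the challenge path and the HTTPS URL for everything else, which is the behaviour Matth's anchored RedirectMatch gives as well.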

Wed, 05/23/2018 - 21:24
WNYmathGuy

This is going over my head a bit, but I'm having a similar but different problem with 2 Virtualmin virtual servers. About to post a new topic.

-- I'm remarkably average
