Unable to renew lets encrypt certificate - was working for previous update

Hello,

On one server using virtualmin and lets encrypt since one year:

  • automatic update fails

  • manual update fails

Virtualmin : 6.05 gpl (automatic certificate update fails with previous version)

Webmin : 1.900

Domains that need certificate :

What have changed :

  • automatic update renewal fails

  • manual update fails :

-- first time : "ssl.CertificateError: hostname 'mail.domain.tld' doesn't match either of 'domain.tld', 'www.domain.tld' "

-- now : " ssl.CertificateError: hostname 'www.domain.tld' doesn't match 'domain.tld' "

I'm trying to solve it as mail, server ... gives certificate security warnings to users.

Thanks,

Eric

Status: Active

Comments

All ubuntu packages are up to date.

In "Domain names listed here", checked (was conf for automatic update) :

domain.tld
www.domain.tld
mail.domain.tld

Traceback (most recent call last):
  File "/usr/share/webmin/webmin/acme_tiny.py", line 250, in <module>
    main(sys.argv[1:])
  File "/usr/share/webmin/webmin/acme_tiny.py", line 246, in main
    signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, args.dns_hook, args.cleanup_hook, log=LOGGER, CA=args.ca)
  File "/usr/share/webmin/webmin/acme_tiny.py", line 154, in get_crt
    resp = urlopen(wellknown_url)
  File "/usr/lib/python2.7/urllib2.py", line 154, in urlopen
    return opener.open(url, data, timeout)
  File "/usr/lib/python2.7/urllib2.py", line 435, in open
    response = meth(req, response)
  File "/usr/lib/python2.7/urllib2.py", line 548, in http_response
    'http', request, response, code, msg, hdrs)
  File "/usr/lib/python2.7/urllib2.py", line 467, in error
    result = self._call_chain(*args)
  File "/usr/lib/python2.7/urllib2.py", line 407, in _call_chain
    result = func(*args)
  File "/usr/lib/python2.7/urllib2.py", line 654, in http_error_302
    return self.parent.open(new, timeout=req.timeout)
  File "/usr/lib/python2.7/urllib2.py", line 429, in open
    response = self._open(req, data)
  File "/usr/lib/python2.7/urllib2.py", line 447, in _open
    '_open', req)
  File "/usr/lib/python2.7/urllib2.py", line 407, in _call_chain
    result = func(*args)
  File "/usr/lib/python2.7/urllib2.py", line 1241, in https_open
    context=self._context)
  File "/usr/lib/python2.7/urllib2.py", line 1195, in do_open
    h.request(req.get_method(), req.get_selector(), req.data, headers)
  File "/usr/lib/python2.7/httplib.py", line 1057, in request
    self._send_request(method, url, body, headers)
  File "/usr/lib/python2.7/httplib.py", line 1097, in _send_request
    self.endheaders(body)
  File "/usr/lib/python2.7/httplib.py", line 1053, in endheaders
    self._send_output(message_body)
  File "/usr/lib/python2.7/httplib.py", line 897, in _send_output
    self.send(msg)
  File "/usr/lib/python2.7/httplib.py", line 859, in send
    self.connect()
  File "/usr/lib/python2.7/httplib.py", line 1278, in connect
    server_hostname=server_hostname)
  File "/usr/lib/python2.7/ssl.py", line 353, in wrap_socket
    _context=self)
  File "/usr/lib/python2.7/ssl.py", line 601, in __init__
    self.do_handshake()
  File "/usr/lib/python2.7/ssl.py", line 838, in do_handshake
    match_hostname(self.getpeercert(), self.server_hostname)
  File "/usr/lib/python2.7/ssl.py", line 276, in match_hostname
    % (hostname, dnsnames[0]))
ssl.CertificateError: hostname 'mail.domain.tld' doesn't match 'domain.tld'

DNS-based validation failed : Failed to request certificate :

Gave up waiting for validation

After first renewal fails : update "Domain names listed here" to :

domain.tld
www.domain.tld

Traceback (most recent call last):
  File "/usr/share/webmin/webmin/acme_tiny.py", line 250, in <module>
    main(sys.argv[1:])
  File "/usr/share/webmin/webmin/acme_tiny.py", line 246, in main
    signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, args.dns_hook, args.cleanup_hook, log=LOGGER, CA=args.ca)
  File "/usr/share/webmin/webmin/acme_tiny.py", line 154, in get_crt
    resp = urlopen(wellknown_url)
  File "/usr/lib/python2.7/urllib2.py", line 154, in urlopen
    return opener.open(url, data, timeout)
  File "/usr/lib/python2.7/urllib2.py", line 435, in open
    response = meth(req, response)
  File "/usr/lib/python2.7/urllib2.py", line 548, in http_response
    'http', request, response, code, msg, hdrs)
  File "/usr/lib/python2.7/urllib2.py", line 467, in error
    result = self._call_chain(*args)
  File "/usr/lib/python2.7/urllib2.py", line 407, in _call_chain
    result = func(*args)
  File "/usr/lib/python2.7/urllib2.py", line 654, in http_error_302
    return self.parent.open(new, timeout=req.timeout)
  File "/usr/lib/python2.7/urllib2.py", line 429, in open
    response = self._open(req, data)
  File "/usr/lib/python2.7/urllib2.py", line 447, in _open
    '_open', req)
  File "/usr/lib/python2.7/urllib2.py", line 407, in _call_chain
    result = func(*args)
  File "/usr/lib/python2.7/urllib2.py", line 1241, in https_open
    context=self._context)
  File "/usr/lib/python2.7/urllib2.py", line 1195, in do_open
    h.request(req.get_method(), req.get_selector(), req.data, headers)
  File "/usr/lib/python2.7/httplib.py", line 1057, in request
    self._send_request(method, url, body, headers)
  File "/usr/lib/python2.7/httplib.py", line 1097, in _send_request
    self.endheaders(body)
  File "/usr/lib/python2.7/httplib.py", line 1053, in endheaders
    self._send_output(message_body)
  File "/usr/lib/python2.7/httplib.py", line 897, in _send_output
    self.send(msg)
  File "/usr/lib/python2.7/httplib.py", line 859, in send
    self.connect()
  File "/usr/lib/python2.7/httplib.py", line 1278, in connect
    server_hostname=server_hostname)
  File "/usr/lib/python2.7/ssl.py", line 353, in wrap_socket
    _context=self)
  File "/usr/lib/python2.7/ssl.py", line 601, in __init__
    self.do_handshake()
  File "/usr/lib/python2.7/ssl.py", line 838, in do_handshake
    match_hostname(self.getpeercert(), self.server_hostname)
  File "/usr/lib/python2.7/ssl.py", line 276, in match_hostname
    % (hostname, dnsnames[0]))
ssl.CertificateError: hostname 'www.domain.tld' doesn't match 'domain.tld'

DNS-based validation failed : Failed to request certificate :

Gave up waiting for validation

Web server : apache 2.4

without mail.domain.tld (only domain.tld and www.domain.tld in "Domain names listed here" ) : test OK

  • keep all redirections

without mail.domain.tld (only domain.tld and www.domain.tld in "Domain names listed here" ) : test OK

It seems to always fail when mail.domain.tld is added in "Domain names listed here", with or without any redirection.

mail.domain.tld is the DNS name for mail server.

test with :

certbot --apache -d domain.tld -d www.domain.tld -d mail.domain.tld

= OK

A ServerAlias for mail.domain.tld was added in vhost config.

Recheck with virtualmin LetsEncrypt renewal request for the 3 domains and original config for redirections : OK.

mail.domain.tld alias is now needed in virtualhost?

It was OK without it until last update

Thanks,

Eric

PS : See here if Ubuntu 16.04 updated package is needed. https://community.letsencrypt.org/t/how-to-install-certbot-at-ubuntu-16-...

PS2 : I have tried to update certificates through Virtualmin with the last certbot package installed. It was KO, before using certbot from the command line.
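The tracebacks above show acme_tiny's own pre-check of the challenge URL being 302-redirected to HTTPS, where urllib then verifies the certificate currently served against the name being added (mail.domain.tld, later www.domain.tld) and fails before the challenge is ever presented. The following is an added pre-flight check, not code from the thread, Virtualmin or acme_tiny: it reproduces that hostname match offline against a constructed `getpeercert()`-style dict, and optionally probes a live host for the redirect and the served certificate (assumes port 80/443 reachable and a system CA bundle).

```python
import socket
import ssl
from http.client import HTTPConnection

# Constructed: what domain.tld served before the renewal (no mail.domain.tld SAN).
OLD_CERT = {
    "subject": ((("commonName", "domain.tld"),),),
    "subjectAltName": (("DNS", "domain.tld"), ("DNS", "www.domain.tld")),
}


def _match(pattern, hostname):
    """RFC 6125-style match: exact name, or a single left-most wildcard label."""
    p, h = pattern.lower().split("."), hostname.lower().split(".")
    if len(p) != len(h):
        return False
    return (p[0] == "*" or p[0] == h[0]) and p[1:] == h[1:]


def cert_names(peercert):
    """DNS SANs of an ssl.getpeercert() dict, falling back to the subject CN."""
    names = [v for k, v in peercert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        names = [v for rdn in peercert.get("subject", ())
                 for k, v in rdn if k == "commonName"]
    return names


def names_not_covered(requested, peercert):
    """Requested names the served certificate does not cover: these are the
    names for which a redirect-to-HTTPS pre-check raises CertificateError."""
    sans = cert_names(peercert)
    return [n for n in requested if not any(_match(s, n) for s in sans)]


def redirect_target(hostname, token="precheck", timeout=5):
    """GET the challenge path over plain HTTP without following redirects;
    return the Location header on a 30x response, else None."""
    conn = HTTPConnection(hostname, 80, timeout=timeout)
    conn.request("GET", "/.well-known/acme-challenge/" + token)
    resp = conn.getresponse()
    location = resp.getheader("Location") if 300 <= resp.status < 400 else None
    conn.close()
    return location


def served_cert(hostname, port=443, timeout=5):
    """Parsed certificate currently served for hostname. The chain is still
    verified (getpeercert() is empty otherwise); only the name check is off."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()
```

For a live host, `names_not_covered(domains, served_cert(h))` for every `h` whose `redirect_target(h)` starts with `https://` lists the names that need a ServerAlias (or a redirect exemption for /.well-known/acme-challenge/) before renewal.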

Howdy -- we're unfortunately not seeing this particular issue on our systems, though there are a variety of reasons a particular domain can fail.

Is it possible to share the actual domain in question? That would help with the troubleshooting.

Hello,

Should I send the domain by private mail ?

Thanks,

Eric