Ubuntu 16.04
Summary: When a website is created with the same hostname as the server, the Let's Encrypt challenge process fails.
What happens:
Parsing account key...
Parsing CSR...
Registering account...
Already registered!
Verifying mydomain.com...
Traceback (most recent call last):
  File "/usr/share/webmin/webmin/acme_tiny.py", line 203, in
    main(sys.argv[1:])
  File "/usr/share/webmin/webmin/acme_tiny.py", line 199, in main
    signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca)
  File "/usr/share/webmin/webmin/acme_tiny.py", line 128, in get_crt
    wellknown_path, wellknown_url))
ValueError: Wrote file to /home/user/public_html/.well-known/acme-challenge/xxxchallengestringxxx, but couldn't download http://mydomain.com/.well-known/acme-challenge/xxchallengestringxxx
What was expected: The challenge to succeed
Causes: The hostname of the server resolves to 127.0.0.1, due to /etc/hosts. The website in Apache is listening on a 192.168.x.x address for both port 80 and 443; the port 80 website redirects to the port 443 website.
It looks like the letsencrypt client tries to download the file locally first to verify it's there? It will never be able to download the challenge file in this scenario because it's requesting on 127.0.0.1, but the website is only listening on 192.168.x.x. I do see the access attempts in /var/log/apache2/other_vhosts_access.log which seems to verify this.
Solutions: If I comment out the whole "check that the file is in place" block of acme_tiny.py, my cert is successfully requested.
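The following is an added illustration of the failure mode in this report, not code from acme_tiny.py or Webmin: it mimics the resolver preferring /etc/hosts over DNS and asks whether the client's own local download of the challenge file can reach a socket the web server actually bound. All function names, the /etc/hosts contents and the addresses (192.168.1.20, 203.0.113.10) are constructed for the example.

```python
import ipaddress

def parse_hosts(hosts_text):
    """Map each hostname in /etc/hosts-style text to the first IP it appears on,
    which is what the libc resolver returns when 'files' precedes 'dns'."""
    mapping = {}
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            mapping.setdefault(name.lower(), ip)
    return mapping

def local_resolution(hostname, hosts_text, dns_answer):
    """Address the ACME client itself will connect to: /etc/hosts wins over DNS."""
    return parse_hosts(hosts_text).get(hostname.lower(), dns_answer)

def self_check_reachable(hostname, hosts_text, dns_answer, listen_addrs):
    """True if the client's own GET of http://<hostname>/.well-known/acme-challenge/...
    lands on an address the web server bound; a 0.0.0.0 listener accepts any of them."""
    target = ipaddress.ip_address(local_resolution(hostname, hosts_text, dns_answer))
    bound = {ipaddress.ip_address(a) for a in listen_addrs}
    return ipaddress.ip_address("0.0.0.0") in bound or target in bound

def diagnose(hostname, hosts_text, dns_answer, listen_addrs):
    """Verdict separating 'the local pre-check breaks' from 'public validation breaks'."""
    local_ip = local_resolution(hostname, hosts_text, dns_answer)
    if self_check_reachable(hostname, hosts_text, dns_answer, listen_addrs):
        return "ok: local pre-check reaches the vhost at %s" % local_ip
    return ("mismatch: %s resolves locally to %s but the web server listens on %s; "
            "the client's own download fails even though the CA (following DNS -> %s) "
            "may still succeed" % (hostname, local_ip, ", ".join(listen_addrs), dns_answer))

# Constructed inputs mirroring the report: hostname pinned to loopback in /etc/hosts,
# Apache bound only to the LAN address, public DNS pointing at a (documentation-range) IP.
HOSTS_BROKEN = "127.0.0.1 localhost\n127.0.0.1 mydomain.com\n"
HOSTS_FIXED = "127.0.0.1 localhost\n192.168.1.20 mydomain.com\n"
PUBLIC_DNS = "203.0.113.10"
APACHE_LISTEN = ["192.168.1.20"]

if __name__ == "__main__":
    print(diagnose("mydomain.com", HOSTS_BROKEN, PUBLIC_DNS, APACHE_LISTEN))
    print(diagnose("mydomain.com", HOSTS_FIXED, PUBLIC_DNS, APACHE_LISTEN))
```

Running it with HOSTS_BROKEN reproduces the "wrote file, but couldn't download" situation as a mismatch verdict; pointing the /etc/hosts entry at the address Apache binds (or binding Apache on all addresses) makes the pre-check pass.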
Comments
Submitted by JamieCameron on Wed, 07/13/2016 - 08:58 Comment #1
The next release of Webmin will make that local check in acme_tiny.py optional, which will solve this problem.
That said, I recommend that you don't have a mismatch between IPs in /etc/hosts and in DNS.
Submitted by JamieCameron on Wed, 07/13/2016 - 09:00 Comment #2