Let's Encrypt autorenewal fails

Let's Encrypt auto-renewal failed with error:

An error occurred requesting a new certificate for mywebsite.com from Let's Encrypt :

An unexpected error occurred: The request message was malformed :: CSR generated using a pre-1.0.2 OpenSSL with a client that doesn't properly specify the CSR version. See https://community.letsencrypt.org/t/openssl-bug-information/19591 Please see the logfiles in /var/log/letsencrypt for more details.

CentOS 6.8 runs OpenSSL 1.0.1 and cannot be upgraded to 1.0.2.

How can I resolve this issue? Also, what is the best way to work around this problem?

Thank you, Ivan



You may have to upgrade OpenSSL manually, by downloading and compiling it from the source. If Let's Encrypt doesn't accept certs from older versions, there isn't much Virtualmin can do :-(

Thanks, we're looking into this.

Based on Ivan2's description above, it sounds like it works using Virtualmin's internal support (which comes from the Python package).

And earlier versions of the official Let's Encrypt tool may see this particular issue. We'll look into the best way to handle that.

Is the issue here that the acme_tiny.py client built into Webmin is no longer compatible with the Let's Encrypt service?

I had some connection issues, so it seems I polluted the topic with a bunch of posts.
So to make it clear, we have found a solution for the issue:

Solution: The issue was that before Virtualmin added letsencrypt support we installed the default letsencrypt client. Then, after partial support was added, we configured Virtualmin to use letsencrypt command line too (/etc/letsencrypt). It was not updated for a long time and caused the error. We changed the Virtualmin config to not use the letsencrypt tool (in virtualmin config), but then it complained that it's the command line tool that is "master" for these websites. After deleting the /etc/letsencrypt dir, all works!

Ok, cool. I'm actually a bit surprised that this worked, because when you delete /etc/letsencrypt you will force generation of a new account key. And I'm not sure if the Let's Encrypt service requires that the same account be used for future renewals of domains.
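The error quoted at the top of this thread concerns the version field of the CSR. As an added example (not code from Virtualmin, Webmin or any poster in this thread), the Python below reads that field from a PKCS#10 request and flags an INTEGER with no content octets or a value other than 0 (v1 in RFC 2986). The function names and the two sample byte strings are constructed for illustration, and the samples are truncated to the fields the check reads.

```python
import base64

def read_tlv(buf, pos):
    """Return (tag, content_start, content_end) for the DER element at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                       # short-form length
        length = first
    else:                                  # long form: next n bytes hold the length
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def pem_to_der(text):
    """Strip the PEM armour from a CSR and decode the base64 body."""
    body = [l for l in text.strip().splitlines() if not l.startswith("-----")]
    return base64.b64decode("".join(body))

def csr_version_status(der):
    """Classify the version INTEGER of a PKCS#10 CertificationRequest."""
    try:
        tag, start, _ = read_tlv(der, 0)         # CertificationRequest
        if tag != 0x30:
            return "not a DER SEQUENCE"
        tag, start, _ = read_tlv(der, start)     # CertificationRequestInfo
        if tag != 0x30:
            return "not a DER SEQUENCE"
        tag, start, end = read_tlv(der, start)   # version
    except IndexError:
        return "truncated input"
    if tag != 0x02:
        return "version is not an INTEGER"
    if end == start:                             # DER needs at least one content octet
        return "malformed: empty version INTEGER"
    value = int.from_bytes(der[start:end], "big", signed=True)
    return "ok: version 0 (v1)" if value == 0 else f"unexpected version {value}"

# Constructed samples: SEQUENCE { SEQUENCE { INTEGER ... } } and nothing else.
GOOD_CSR_PREFIX = bytes.fromhex("30053003020100")    # INTEGER, length 1, value 0
EMPTY_VERSION_PREFIX = bytes.fromhex("300430020200")  # INTEGER, length 0

if __name__ == "__main__":
    for name, der in [("good", GOOD_CSR_PREFIX), ("empty", EMPTY_VERSION_PREFIX)]:
        print(name, "->", csr_version_status(der))
```

To check a real request, read the CSR file and pass its contents through `pem_to_der` before calling `csr_version_status`.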