Submitted by chrisj on Thu, 02/23/2017 - 05:44
This is Virtualmin 5.05.
I actually discovered this due to getting the following for other virtual servers on same server.
Traceback (most recent call last):
File "/usr/share/webmin/webmin/acme_tiny.py", line 203, in <module>
main(sys.argv[1:])
File "/usr/share/webmin/webmin/acme_tiny.py", line 199, in main
signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca)
File "/usr/share/webmin/webmin/acme_tiny.py", line 109, in get_crt
raise ValueError("Error requesting challenges: {0} {1}".format(code, result))
ValueError: Error requesting challenges: 429 {
"type": "urn:acme:error:rateLimited",
"detail": "Error creating new authz :: Too many currently pending authorizations.",
"status": 429
So I needed to find out why we were rate limited by Lets Encrypt. After switching on webmin debugging I found this..
root@vm4-public5:/var/webmin# grep 'openssl' webmin.debug
16285 [23/Feb/2017 10:48:10.065470] - - webmin CMD "cmd=openssl genrsa 2048 "
16285 [23/Feb/2017 10:48:10.146934] - - webmin CMD "cmd=/usr/bin/openssl req -new -key /tmp/.webmin/354582_16285_2_collectinfo.pl -out /tmp/.webmin/121049_16285_4_collectinfo.pl -sha256 -subj \/CN\=elearning\.domain\.org -config /etc/ssl/openssl.cnf -reqexts v3_req -utf8 2>&1"
17115 [23/Feb/2017 10:53:06.267448] - - webmin CMD "cmd=openssl genrsa 2048 "
17115 [23/Feb/2017 10:53:06.551387] - - webmin CMD "cmd=/usr/bin/openssl req -new -key /tmp/.webmin/912262_17115_2_collectinfo.pl -out /tmp/.webmin/336970_17115_4_collectinfo.pl -sha256 -subj \/CN\=elearning\.domain\.org -config /etc/ssl/openssl.cnf -reqexts v3_req -utf8 2>&1"
17869 [23/Feb/2017 10:58:11.001328] - - webmin CMD "cmd=openssl genrsa 2048 "
17869 [23/Feb/2017 10:58:11.331386] - - webmin CMD "cmd=/usr/bin/openssl req -new -key /tmp/.webmin/849276_17869_2_collectinfo.pl -out /tmp/.webmin/365606_17869_4_collectinfo.pl -sha256 -subj \/CN\=elearning\.domain\.org -config /etc/ssl/openssl.cnf -reqexts v3_req -utf8 2>&1"
18529 [23/Feb/2017 11:03:07.634896] - - webmin CMD "cmd=openssl genrsa 2048 "
18529 [23/Feb/2017 11:03:07.818002] - - webmin CMD "cmd=/usr/bin/openssl req -new -key /tmp/.webmin/248200_18529_2_collectinfo.pl -out /tmp/.webmin/333915_18529_4_collectinfo.pl -sha256 -subj \/CN\=elearning\.domain\.org -config /etc/ssl/openssl.cnf -reqexts v3_req -utf8 2>&1"
19350 [23/Feb/2017 11:08:13.479060] - - webmin CMD "cmd=openssl genrsa 2048 "
19350 [23/Feb/2017 11:08:13.779454] - - webmin CMD "cmd=/usr/bin/openssl req -new -key /tmp/.webmin/475743_19350_2_collectinfo.pl -out /tmp/.webmin/127040_19350_4_collectinfo.pl -sha256 -subj \/CN\=elearning\.domain\.org -config /etc/ssl/openssl.cnf -reqexts v3_req -utf8 2>&1"
20199 [23/Feb/2017 11:13:04.486950] - - webmin CMD "cmd=openssl genrsa 2048 "
20199 [23/Feb/2017 11:13:04.609519] - - webmin CMD "cmd=/usr/bin/openssl req -new -key /tmp/.webmin/229844_20199_2_collectinfo.pl -out /tmp/.webmin/665444_20199_4_collectinfo.pl -sha256 -subj \/CN\=elearning\.domain\.org -config /etc/ssl/openssl.cnf -reqexts v3_req -utf8 2>&1"
20675 [23/Feb/2017 11:14:03.296873] root 172.16.0.20 webmin CMD "cmd=openssl genrsa 2048 "
20675 [23/Feb/2017 11:14:03.555035] root 172.16.0.20 webmin CMD "cmd=/usr/bin/openssl req -new -key /tmp/.webmin/54510_20675_1_letsencrypt.cgi -out /tmp/.webmin/550793_20675_3_letsencrypt.cgi -sha256 -subj \/CN\=elearning\.domain\.org -config /etc/ssl/openssl.cnf -reqexts v3_req -utf8 2>&1"
The domain elearning.domain.org (which is disabled) is trying to have its certifcate renewed, but is failing... (yes I changed the domain name to mask the real one)
If you need more detail let me know Thanks
Status:
Closed (fixed)
Comments
Submitted by JamieCameron on Thu, 02/23/2017 - 23:43 Comment #1
Have you tried upgrading to Virtualmin 5.06? It adds a backoff if the Let's Encrypt renewal fails.
Submitted by chrisj on Fri, 02/24/2017 - 03:53 Comment #2
I did upgrade, but then there were issues with 5.06 so I downgraded back to 5.05.
To be fair, what's the point in backing off? The website is disabled and so could never satisfy the Lets Encrypt site validator regardless of if it was rate limited?
Surely it shouldn't try to renew?
Submitted by JamieCameron on Fri, 02/24/2017 - 18:15 Comment #3
Sorry, I missed that part of your bug report - I thought to issue was the rate of failed renewals.
The next release of Virtualmin (5.07) will fix the problem of attempting to renew the cert for a disabled domain.
Submitted by JamieCameron on Fri, 02/24/2017 - 18:15 Comment #4