Let's Encrypt certificate renewal failed!

Two months ago, using virtualmin's Let's Encrypt feature, I requested and was issued a certificate for [domain].com and www.[domain].com.

Today virtualmin tried to renew the certificate. It requested a certificate for THREE domain names: [domain].com, www.[domain].com, and mail.[domain].com. This despite the fact that "Manage SSL Certificate | Current SSL certificate details" showed "Web server hostname" as "[domain].com" and "Other domain names" as "[domain].com | www.[domain].com".

The renewal attempt failed and I received an error message from webmin that "An error occurred requesting a new certificate for [domain].com, www.[domain].com, mail.[domain].com from Let's Encrypt". Note that the list includes "mail.[domain].com", a subdomain not previously covered or requested to be covered by the existing certificate.

Further down in the text of the error message it said: "ValueError: mail.[domain].com challenge did not pass", because it could not retrieve "http://mail.[domain].com/.well-known/acme-challenge/*****************".

This result is not surprising, because I have Apache set up to redirect any request to port 80 for that domain if the hostname is not "[domain].com" or "www.[domain].com".

On closer examination of the "Let's Encrypt" tab for this domain I noticed that the default selection beside "Request certificate for" now said "Domains associated with this server [domain].com www.[domain].com mail.[domain].com".

I am quite sure that that is not what the selection listed when I first set up the certificates, because I did not change the default and if it had included "mail.[domain].com" then the request would have failed for the same reason it did today.

I found I could resolve the problem if I selected "Domains listed here" instead, listed just [domain].com and www.[domain].com, and clicked on "Request certificate." The request was processed, and the error emails stopped.

It took me a while to figure out what was happening and how to fix it. In the meantime my inbox was flooded with these emailed error messages every five minutes for more than 5 hours.

It seems to me that there has been some silent, slipstream change in the way this functionality works, so that the "mail.*" subdomain gets added to the list of the default "Domains associated with this server" selection in the form, even if it was not there when the existing certificate was requested, and the renewal functionality then tries to add that subdomain when a certificate that does not apply to it is renewed.

I have three other domains to which a "Let's Encrypt" certificate has been added using virtualmin functionality. Two of those domains had certificates that were set up on about March 2nd and were not yet due for renewal. When I took a look at them, one of them had also had a "mail." subdomain added to the selected "Domains associated with this server". That is also a domain for which I have Apache set up to redirect any request received on port 80 if the hostname is a subdomain other than "www". Virtualmin renewed that certificate on or about March 2nd. If it had tried to add the "mail.*" subdomain to the certificate at that time, that renewal would have failed just as the request for [domain].com did today.

So it appears this silent change occurred as a result of some update to virtualmin that occurred after March 2nd.

Why was this silent change made? Why did virtualmin start requesting a certificate that covers the mail.* subdomain even though I had not asked for that originally and the existing certificate did not cover it?

On the two other domains I have with "Let's Encrypt" certificates (domains, btw, for which Apache is not configured to redirect non-"www" wildcard subdomains) the "mail.*" subdomain does NOT appear in the "Domains associated with this server" list on the Let's Encrypt tab for that domain. On one of those domains the certificate was set up on or about March 2nd. On the other it was set up this past week.

What is it about the configuration of a virtual server that determines whether the "mail.*" gets added to the "Domains associated with this server" selection on the "Let's Encrypt" tab?

Status: Closed (fixed)
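The failure described in the report, a renewal list that has gained a name whose port-80 virtual host redirects elsewhere, so the HTTP-01 challenge file cannot be fetched, can be caught before the request is sent. The following is an added example, not part of the original report and not Virtualmin's or Let's Encrypt's own code. It parses the DNS names out of `openssl x509 -in cert.pem -noout -ext subjectAltName` output, reports which names in the renewal list the current certificate does not cover, and then sends a single GET for a random token to each name's `/.well-known/acme-challenge/` path, flagging names that redirect to a different host or are unreachable. The hostnames under example.com, the sample openssl output and the injectable `fetch` hook are assumptions so that it runs offline; against a live server, call `preflight()` with the default fetcher.

```python
import http.client
import re
import secrets
from urllib.parse import urlsplit

# Constructed sample of `openssl x509 -noout -ext subjectAltName` output
# for a certificate that covers only the bare and www names (assumption).
SAMPLE_SAN_OUTPUT = """X509v3 Subject Alternative Name:
    DNS:example.com, DNS:www.example.com
"""

# Constructed renewal list, mirroring the "Domains associated with this
# server" selection in the report: a third name has appeared (assumption).
SAMPLE_RENEWAL_LIST = ["example.com", "www.example.com", "mail.example.com"]


def parse_san_names(openssl_text):
    """DNS names from openssl's subjectAltName text, sorted and de-duplicated."""
    return sorted(set(re.findall(r"DNS:([A-Za-z0-9.\-*]+)", openssl_text)))


def names_added_by_renewal(existing, requested):
    """Names the renewal would add that the current certificate does not cover."""
    return sorted(set(requested) - set(existing))


def http_fetch(host, path, timeout=10):
    """One plain-HTTP GET with no redirect following; returns (status, Location)."""
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": host})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def probe_http01(host, fetch=http_fetch):
    """Classify how `host` answers an HTTP-01 style request on port 80.

    A random token is used, so a 404 from the right vhost is the expected
    answer; what we want to detect is the case in the report, where the
    vhost redirects the request to another host and the token could never
    be served from this name's webroot.
    """
    token = secrets.token_urlsafe(32)
    path = f"/.well-known/acme-challenge/{token}"
    try:
        status, location = fetch(host, path)
    except OSError as exc:
        return False, f"unreachable on port 80: {exc}"
    if 300 <= status < 400:
        target = urlsplit(location or "")
        if target.hostname and target.hostname.lower() != host.lower():
            return False, f"redirects to {location}; the token would have to be served there"
        return True, f"redirects within {host} to {location}"
    if status in (200, 404):
        return True, f"HTTP {status}: a vhost on {host} answered without redirecting"
    return False, f"unexpected HTTP {status}"


def preflight(existing, requested, fetch=http_fetch):
    """Probe every requested name; return {name: (ok, reason)}.

    Names already on the certificate are probed too, since a vhost or
    redirect rule may have changed since the last issuance.
    """
    return {name: probe_http01(name, fetch) for name in requested}


if __name__ == "__main__":
    existing = parse_san_names(SAMPLE_SAN_OUTPUT)
    print("new names in renewal:", names_added_by_renewal(existing, SAMPLE_RENEWAL_LIST))
    for name, (ok, why) in preflight(existing, SAMPLE_RENEWAL_LIST).items():
        print(("OK  " if ok else "FAIL"), name, "-", why)
```

This only checks redirect behaviour and reachability; it does not confirm that the vhost answering is the one whose webroot the ACME client writes into, so treat an OK as "nothing obviously wrong" rather than a guarantee. Running it before each renewal, or at least whenever the domain list changes, would have surfaced the extra mail.* name before hours of failed attempts.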

Comments

Submitted by Welshman on Sun, 04/09/2017 - 05:24

Hi, yeah I have noticed this as well.

As you say a work around is to choose the domains manually.

Although I found out today, as a domain of mine expired, that subdomains are no longer working even though the request went through fine.

https://dediclub.com is fine but https://support.dediclub.com throws up a browser error saying it expired yesterday, even though it has been renewed.

Any ideas what is going on?

After too many failed Let's Encrypt tries, LE temporarily blocks your client from renewing for that domain. This is NOT a small bug and virt needs to get on the stick and push out a fix pronto. Do not wait for the next release; do an x.x.x release and fix LE.

Submitted by Welshman on Sun, 04/09/2017 - 08:01

Sorted my subdomain problem. It seems I had an LE cert set up on the subdomain; renewed that and all is tickety-boo.

Yeah unfortunately you'll need to perform a workaround for this issue, but the next Virtualmin release will correct this problem.

I expect a new Virtualmin release soon, I'll follow up with Jamie and Joe to see when that is planned.

Submitted by Joe on Mon, 04/10/2017 - 01:00 Pro Licensee

Status: Active » Fixed

I've rolled out 5.07-3 which should fix this issue. Please re-open if the problem persists after upgrading.

I know exactly what you feel :)

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.