Let's encrypt autorenewal not working?

#1 Tue, 08/08/2017 - 04:21
marceld202

Let's encrypt autorenewal not working?

Hi,

I use VirtualMin with great pleasure.

I like how easily I can install and maintain my SSL certificates now using Let's Encrypt. However, I had set Let's Encrypt to autorenew every 2 months on all my sites. Today I woke up to non-working sites. I checked the certificates and it said 'Last renewal date: 3.03 months ago'.

So, I requested the certificates again and everything is working now.

How can I actually autorenew the certificates in the future? I would like to renew it every 2 months, but clearly that is not working. Am I missing something, a cronjob I need to configure maybe?

Thanks a lot in advance!

Fri, 08/11/2017 - 15:40
Joe

Do you have the current version of Webmin (1.851) and Virtualmin virtual-server module (5.99 or 6.0)? There have been some issues where LE folks changed the way things worked causing our client to fail in some cases. But, I think it's all been fixed.

I believe these jobs use the Webmin cron, rather than system cron, but I might be wrong. I've never needed to babysit it, though. It should Just Work(tm).

--

Check out the forum guidelines!

Thu, 08/17/2017 - 01:57
marceld202

Hi, I upgraded everything less than 1 month ago, but I will check again and upgrade everything to see if it resolves the issues. Thanks for your help!

Sat, 09/23/2017 - 06:53
marceld202

Hey Guys,

This is still not working. Someone PLEASE HELP! This is really annoying, I have to manually renew all the time.

I have upgraded everything to the latest version since I last posted my issue here. I have auto renew set to 2 months. Still nothing renews after 2 months.

What can I do?

Sysinfo:

- Operating system: Ubuntu Linux 14.04.1
- Webmin version: 1.852
- Usermin version: 1.720
- Virtualmin version: 6.00
- Theme version: Authentic Theme 18.49-9
- Time on system: Saturday, September 23, 2017 1:53 PM
- Kernel and CPU: Linux 3.13.0-32-generic on x86_64

Any help will be very much appreciated!

Sun, 09/24/2017 - 18:05 (Reply to #4)
Joe

I don't know. I'm not able to reproduce this...my certs are auto-renewing on all of my servers.

Have you turned off status collection in Virtualmin? Let's Encrypt happens as part of that scheduled job, so it has to be enabled. If it's too resource intensive to have it running all the time, you can make it very rarely (like once every 4 hours or something).


Mon, 09/25/2017 - 01:14
marceld202

Hi Joe, Thanks for your help. Where can I see if status collection is enabled?

Mon, 09/25/2017 - 03:12 (Reply to #6)
noisemarine

Virtualmin -> System Settings -> Virtualmin Configuration, about 3/4 of the way down the page.

Tue, 09/26/2017 - 02:19
marceld202

It is set to run every 5 minutes.. How can I verify if it actually is running? Is there a way to manually fire the virtualmin autorenew job from console? That way I could create a custom cronjob for the autorenewal.

There must be some kind of fix or work around for this I hope :/

Thanks for your help!

Tue, 09/26/2017 - 05:17 (Reply to #8)
Joe

We can't fix it until we know why it isn't working. You're the first person to report it (that I know of).

You can check Webmin->Webmin->Webmin Configuration->Webmin Scheduled Functions to see if there's a "System Status" job ("scheduled_collect_system_info" is the actual function being called).

You could try turning the scheduled job off and back on, though if you see that job and it is scheduled to run every 300 seconds in the Webmin module, it seems likely not to change anything...but, I guess it's worth a shot.

You can try restarting Webmin (as these scheduled jobs run as part of the Webmin daemon).

You can check the Webmin logs for clues. Those are in /var/webmin/miniserv.error (the error log) and /var/webmin/webmin.log (the actions log). You may be able to increase logging around this topic, I'm not sure what logging hooks we have in there.

This particular function is a Webmin function, it is not a cron job and there is no command you can run to trigger it, so running it outside of Webmin isn't possible (well, we can write a script to run it manually if it comes to that, but that may not actually tell us anything useful...the


Tue, 09/26/2017 - 16:08 (Reply to #9)
noisemarine

'You can check Webmin->Webmin->Webmin Configuration->Webmin Scheduled Functions to see if there's a "System Status" job ("scheduled_collect_system_info" is the actual function being called).'

That's interesting. I don't have that job. I don't see a way to add another job to the list.

My install is Debian 9 from the beta 6 installer a couple of months ago. I have all updates other than the recent virtualmin-lamp-stack and awstats packages.

Tue, 09/26/2017 - 17:10 (Reply to #10)
Joe

That is surprising.

But, disabling and re-enabling the status collection in Virtualmin will likely create it. Do you see other jobs in the list? There should be several.

If that doesn't solve it, I'll ask Jamie how we can force its re-creation (but, I think it'll solve it).


Wed, 09/27/2017 - 08:08 (Reply to #11)
noisemarine

I have many other jobs there. I tried disabling and re-enabling status collection but I didn't get the 'scheduled_collect_system_info' job.

In any case, I checked my oldest website and the LE cert updated a couple of weeks ago. However it's actually being called, renewal seems to be working. I was mainly curious that if I didn't have that job, would my LE certs fail, also.

Wed, 09/27/2017 - 05:22
marceld202

Hi, thanks for your help.

So I checked everything. In opposition to @noisemarine, I do have the scheduled function listed under Webmin > Webmin configuration. I have now changed the interval to 600 seconds instead of 300 and re-saved the scheduled job. It seems to make no difference since it has been 10 minutes and the let's encrypt certificates are still not renewed.

I also checked the suggested log files. The error log shows mainly 2 errors (repeatedly):
- [IP.AD.DR.ES] Document follows: This web server is running in SSL mode. Try the URL .....
- No passwd entry for user 'MainUserName'

Can this password entry error explain the problem? I now remember that I have disabled (a while ago) any rights for my main server user (for security). So the user Shell under Webmin > User and Groups is set to /bin/false. Should I change that to /bin/sh?

Also, the error says 'No password entry for user 'UserX'. However, UserX is non-existent. Is the scheduled webmin job for status collection trying to run as UserX, while that user does not exist anymore?

Lastly, I have disabled the usermin service, that can't be the cause right?

Wed, 09/27/2017 - 05:33
marceld202

One more thing: if I go to my virtual server details it says 'Administration username' = 'UserX'. However, UserX does not exist. I changed that a long time ago to another username. Why is it still saying username is UserX, and how can I change/fix that?

Wed, 09/27/2017 - 05:44
marceld202

Update: if I go into Virtualmin > List virtual servers I can see that my main server has the correct Username. All the subservers have an old Username, which does not exist anymore. Can this be the cause? How can I update the sub-servers to use the main-server Username?

Wed, 09/27/2017 - 07:49
Eskes

Check if the site is HTTPS only? Change it to allow HTTP and test. There might even be a redirect of everything to HTTPS. However, if manual renewal is working, this is not the issue.

Wed, 09/27/2017 - 15:46
marceld202

I'm pretty sure it is related to the wrong user being used for the subservers. The miniserv log is full of the error 'No passwd entry for user UserX'. If I tail the log the error shows up every X minutes, so it definitely is some kind of interval, maybe the status update interval which should do the Let's Encrypt auto-renew.

How can I change the user that is being used for this status update scheduled job? Or how can I change the administration user for my virtual sub-servers?

Thu, 09/28/2017 - 04:24
marceld202

Great news! I resolved the issue! As I expected, it was because the user that executed the scheduled job did not exist. What I did now is, I recreated the missing user. After that, the auto renew worked.

However, I'd rather not have to use this user. So my question comes down again to: how can I change the administration user used for SUB-servers. Or how can I change the user that executes the scheduled jobs?

Please help!

Fri, 09/29/2017 - 03:57 (Reply to #18)
Joe

That's bug-like. If it's reproducible we should open a ticket so Jamie can take a look at it.


Fri, 09/29/2017 - 04:24
marceld202

In my situation, I have done this:
- I had a VPS where the virtualmin main user was named 'UserServer1'
- I have copied the entire VPS. Then I logged into the new VPS and I renamed UserServer1 to UserServer2.
- Now in Virtualmin on my new VPS, the main website says 'Administrator user is UserServer2'. However, all the sub-servers say 'Administrator user is UserServer1'.
- The scheduled jobs seem to execute as UserServer1 while it should execute as UserServer2.

The easy fix will be for me to rename UserServer2 back to UserServer1, since that's the user associated to the subservers and used for the scheduled status collection job. However, I would rather have names that make sense to me and stick to UserServer2 as username.

I don't know if you can reproduce this, the clone was made on a way older version of Virtualmin, so not sure if it still exists. However, I would rather know how I can change the username in a way it also changes the username for all my subservers.

I guess an easy reproduce is to create a virtual server, then create a couple sub-servers. After that, change username of main server. Sub servers will still use the old username, while they should use the new main server username instead. But I am not sure this issue is related to the wrong user executing the scheduled status collection job.

Two straightforward questions:
1) Is it possible to manually overwrite the subserver administration user somehow?
2) Is it possible to manually change the user that is being used to execute the webmin scheduled functions?

Hopefully someone can answer these questions?

Sun, 10/01/2017 - 13:09 (Reply to #20)
Joe

"1) Is it possible to manually overwrite the subserver administration user somehow? 2) Is it possible to manually change the user that is being used to execute the webmin scheduled functions?"

You won't need to do both. Doing 1 will take care of the second, I'm almost certain.

You can directly edit the metadata for Virtualmin in /etc/webmin/virtual-server/domains/$ID where ID is the identifier for the domain. You can find that with this command:

# virtualmin list-domains --domain apatest.virtualmin.com --id-only

The user and group fields specify the username and the group name. If you change these, you'll want to make sure the UID/GID is correct throughout your domain home. After making any changes to Virtualmin configs, you'll need to restart Webmin (service webmin restart). Note that databases and some other stuff may also need to be updated in some way (in terms of permissions and ownership), but Virtualmin should have already taken care of all of this...so I'm still not at all sure what went wrong where.

I'd recommend taking it one baby step at a time. Things are weird, and in a state I don't understand...so, let's try updating the user information in the Virtualmin config, and then see what the situation looks like from there.

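An added example, not part of the thread and not Virtualmin's own tooling: a check for the condition diagnosed above, where a domain's metadata names an administration user that no longer has a passwd entry. It assumes each file under the domains directory holds key=value lines; `user=` is the field named in the post above, while `dom=` for the domain name and the `--run` switch are assumptions of this sketch.

```sh
#!/bin/sh
# Added example: find Virtualmin domains owned by a user with no passwd entry.
# Assumption: each file in the domains directory holds key=value lines with
# user= (from the thread) and dom= (assumed key for the domain name).

DOMAINS_DIR="${DOMAINS_DIR:-/etc/webmin/virtual-server/domains}"

# Print the value of key $2 from key=value file $1 (first match only).
field() {
    sed -n "s/^$2=//p" "$1" | head -n 1
}

# Succeed only if the account is known to the system user database.
user_exists() {
    id -u "$1" >/dev/null 2>&1
}

# Print "<file-id> <domain> <user>" for every domain whose user= is missing.
# Returns 1 if at least one such domain was found, 0 otherwise.
audit_domains() {
    dir="${1:-$DOMAINS_DIR}"
    bad=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        user=$(field "$f" user)
        [ -n "$user" ] || continue
        if ! user_exists "$user"; then
            printf '%s %s %s\n' "$(basename "$f")" "$(field "$f" dom)" "$user"
            bad=1
        fi
    done
    return "$bad"
}

# Run the audit only when asked, so the file can also be sourced.
if [ "${1:-}" = "--run" ]; then
    audit_domains
fi
```

Run as root with `--run`; the non-zero exit status on a finding makes it usable as a scheduled check that flags stale owners before a certificate renewal is missed.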

Tue, 10/10/2017 - 05:23
marceld202

Thanks a lot for your help! I have now changed the username and group for all the subservers to the same as the main server's username and group. After that, autorenew works. I don't know how these subservers got a different username than the main server, must have something to do with cloning the server and then changing the username. However, I have the fix now. It seems like there are no consequences of changing this manually. Thanks!

Thu, 12/28/2017 - 01:31
Garamani

It seems there are 2 configuration destinations for SSL certificate renewal:
1. Virtualmin > Server Configuration > Manage SSL Certificate > Let's Encrypt
2. Webmin > Webmin Configuration > SSL Encryption > Let's Encrypt

In my system at the second destination, the "Months between automatic renewal" was set to "only renew manually".

Now in both destinations it's set to 2 months.

I have to wait 2 months to see if it works. (Need to mention, there was no "failed renewal attempt" in the Webmin action log in my system, so I think the renewal should work this time.)

Sun, 07/22/2018 - 07:12
Kvark

Just to confirm that I am facing this issue since updating my VPS to Virtualmin ver 6. A bug ticket has been raised. LE auto update is not working for sure. Manual update from the web GUI works fine, so it looks like something is not triggered well on the date check?