LE not renewing automatically in Webmin

#1 Wed, 10/18/2017 - 12:12
antioch

ubuntu 16.04

set to renew monthly. however it does not do so automatically. instead, i have to manually re-request the cert after every 3 month validity period. currently a few weeks overdue for automatic renewal.

Wed, 10/18/2017 - 16:05
noisemarine

There's usually some kind of error message...

Wed, 10/18/2017 - 17:21
antioch

the only error messages i ever see are when browsers and mail clients start flipping out over an expired cert.

Thu, 10/19/2017 - 06:12
noisemarine

So after a failure, and you are about to re-request the cert..

You go into Virtualmin->select the virtual server you want->Server Configuration->Manage SSL Certificate->Let's Encrypt

At the bottom of the page, you don't see any error message, and/or you don't receive any email telling you your renewal failed?

Fri, 10/20/2017 - 13:05
antioch

No renewal issues with virtualmin servers. My issue is in the webmin module. no error messages on webmin > webmin > webmin configuration > ssl encryption > le page.

Sat, 10/21/2017 - 02:55
noisemarine

Pretty much the same form. You should still have received an email with the error.

In any case, we can't help unless you show us the error message.

Go into Webmin->Webmin Actions Log. You should be able to leave most everything as default, except choose the time period of interest (ie, between Jul and Oct or something). Click Search.

You should find some entries like "letsencrypt domain example.com". Click on them. Open the "Raw log data" section and scroll to see the error. You can paste it here, but please use the code tags (see the "More info about text formats" below the reply box) so it formats into a readable thing.

Sat, 10/21/2017 - 10:08
antioch

When nothing showed up during the specified renewal period, i expanded the time frame out from the day the last cert was issued to today. Except for successful virtualmin cert renewals, nothing until i got as far back as Aug 31, the day the previous cert was issued.

Requested new SSL certificate from Let's Encrypt,"Webmin Configuration","user","x.x.x.x","31/Aug/2017 07:51"

Seems webmin isn't even trying to renew?

Thu, 11/30/2017 - 00:18
antioch

the sudden influx of support calls this morning reminded me that this issue still isn't resolved. another certificate manually requested. good for another 3 months. still nothing, other than this morning's manual request, in the webmin action log.

Sat, 12/02/2017 - 13:49
antioch

bump

Thu, 12/07/2017 - 22:41
antioch

bump

Mon, 12/11/2017 - 12:02
antioch

bump

Thu, 12/21/2017 - 10:38
antioch

bump

Thu, 12/21/2017 - 20:36
Joe

Sorry for the lack of reply. I don't know why this is happening for you; LE renewals work on all of my systems.

Have you disabled the Virtualmin scheduled job? That's the only reason I can think of that it wouldn't run on schedule...Let's Encrypt renewals are part of that scheduled job.

--

Check out the forum guidelines!

Thu, 12/21/2017 - 21:46
antioch

i'm sorry, how would i check? webmin - system - scheduled cron jobs?

Fri, 12/22/2017 - 01:12 (Reply to #14)
Joe

Virtualmin Configuration->Status Collection

There are several options in that section, but what I'd recommend is that if it is not currently disabled, turn it off and then back on again. Maybe that'll regenerate the scheduled job (which does end up in the Webmin scheduled jobs list, but there's no user-friendly way to create it aside from getting Virtualmin to do it for you).

If status collection is too heavy for your system (and it can be heavy on systems that have low memory), just reduce the frequency by a lot...like run it every hour or four or whatever. But, you really do want it running at least once a day because it does so many important house-keeping tasks.


Fri, 12/22/2017 - 15:29
antioch

"Interval between status collection job runs" changed from 5 mins to never, saved, rechecked config, setting changed back to 5 mins, saved, rechecked config. it should attempt to renew the cert next week. we'll see...

thx!

Fri, 12/22/2017 - 16:06 (Reply to #16)
Joe

If the problem persists, do follow up. I'll have to talk to Jamie about what else to look at, if it does continue to fail, as I'm out of ideas. It's not something that has a lot of knobs to twiddle, so there's not really much that should be able to go wrong, but I've seen people report it at least a couple of times.


Mon, 01/08/2018 - 11:36
antioch

it did not renew. :(

Tue, 01/09/2018 - 09:36 (Reply to #18)
Joe

Does anything about it appear in the /var/webmin/webmin.log or in any of the other logs in that directory? Do other scheduled tasks happen? e.g. does the dashboard tell you when you have software updates available (without having to manually refresh it)?


Tue, 01/09/2018 - 10:43
Jfro

Also important to know.

1 Domain or more / all domains on that server? For those domain(s) SUBSERVER / ALIAS / SUBDOMAIN exists in the domainlist GUI LE cert?

Apache or NGINX.

If apache url rewrites / forwarding htaccess somewhere...

If manually renew no errors at all in error logs?

Somehow cleanup LE older not used certs, don't know

Mon, 07/29/2019 - 16:43
antioch

the only thing i see is in miniserv.error, after changing the auto renew increment and pressing update renewal:

[29/Jul/2019:15:15:55 -0500] Reloading configuration
Use of uninitialized value in string eq at ./webmin-lib.pl line 1869.


upon tracking down webmin-lib.pl, lines 1829 - 1871 read:

sub cert_info
{
my %rv;
local $_;
open(OUT, "openssl x509 -in ".quotemeta($_[0])." -issuer -subject -enddate -text |");
while(<OUT>) {
	s/\r|\n//g;
	if (/subject=.*CN\s*=\s*([^\/]+)/) {
		$rv{'cn'} = $1;
		}
	if (/subject=.*O\s*=\s*([^\/]+)/) {
		$rv{'o'} = $1;
		}
	if (/subject=.*Email\s*=\s*([^\/]+)/) {
		$rv{'email'} = $1;
		}
	if (/issuer=.*CN\s*=\s*([^\/]+)/) {
		$rv{'issuer_cn'} = $1;
		}
	if (/issuer=.*O\s*=\s*([^\/]+)/) {
		$rv{'issuer_o'} = $1;
		}
	if (/issuer=.*Email\s*=\s*([^\/]+)/) {
		$rv{'issuer_email'} = $1;
		}
	if (/notAfter\s*=\s*(.*)/) {
		$rv{'notafter'} = $1;
		}
	if (/Subject\s+Alternative\s+Name/i) {
		my $alts = <OUT>;
		$alts =~ s/^\s+//;
		foreach my $a (split(/[, ]+/, $alts)) {
			if ($a =~ /^DNS:(\S+)/) {
				push(@{$rv{'alt'}}, $1);
				}
			}
		}
	}
close(OUT);
$rv{'type'} = $rv{'o'} eq $rv{'issuer_o'} ? $text{'ssl_typeself'}
				      : $text{'ssl_typereal'};
return \%rv;
}


is that of any help?
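
Added example (not part of any post in this thread, and not Webmin's code): the `string eq` warning above is raised when the subject or issuer line carries no `O=` field, so `$rv{'o'}` or `$rv{'issuer_o'}` is never set. The Python sketch below parses the same `openssl x509` output without relying on `O=`, comparing whole subject and issuer names instead, and flags a certificate that is past its renewal point before clients notice. `SAMPLE`, the function names and the 30-day `warn_days` default are assumptions made for illustration.

```python
import re
from datetime import datetime, timezone

# Constructed sample of `openssl x509 -issuer -subject -enddate -text` output
# (OpenSSL 1.0.x layout); names and dates are invented for illustration.
SAMPLE = """\
issuer= /C=US/O=Example CA/CN=Example CA X1
subject= /CN=host.example.com
notAfter=Nov 29 12:51:00 2017 GMT
            X509v3 Subject Alternative Name:
                DNS:host.example.com, DNS:mail.example.com
"""

def _field(dn, name):
    # Accept "/O=Foo" (OpenSSL 1.0.x) and "O = Foo, " (1.1.x) layouts.
    m = re.search(r"(?:^|[/,\s])%s\s*=\s*([^/,]+)" % name, dn)
    return m.group(1).strip() if m else None

def cert_info(text):
    info = {"alt": []}
    lines = text.splitlines()
    for i, line in enumerate(lines):
        kind, _, rest = line.partition("=")
        if kind in ("subject", "issuer"):
            info[kind] = rest.strip()
            info[kind + "_o"] = _field(rest, "O")   # None when absent
            info[kind + "_cn"] = _field(rest, "CN")
        elif kind == "notAfter":
            info["notafter"] = datetime.strptime(
                rest.strip(), "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)
        elif "Subject Alternative Name" in line and i + 1 < len(lines):
            info["alt"] = re.findall(r"DNS:([^,\s]+)", lines[i + 1])
    # Whole-name comparison: a missing O field can no longer skew the result.
    same = info.get("subject") is not None and info.get("subject") == info.get("issuer")
    info["type"] = "self-signed" if same else "ca-issued"
    return info

def renewal_alerts(info, now, warn_days=30):
    """Alerts for a cert that is expired or closer to expiry than warn_days."""
    left = (info["notafter"] - now).days
    names = ", ".join(info["alt"]) or info.get("subject_cn") or "unknown"
    if left < 0:
        return ["EXPIRED %d day(s) ago: %s" % (-left, names)]
    if left < warn_days:
        return ["renewal overdue, %d day(s) left: %s" % (left, names)]
    return []
```

Run from cron against the real `openssl` output, a non-empty return value is the signal that the scheduled renewal did not happen, independent of whatever the panel logs.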

Tue, 07/30/2019 - 13:58
antioch

and yes, other scheduled stuff happens.

back over in webmin - system - scheduled cron jobs, i don't see any reference to anything about LE/certbot. what command am i looking for in the list?

Mon, 08/05/2019 - 09:10
antioch

bump

Fri, 08/09/2019 - 11:24
antioch

bump

Tue, 08/13/2019 - 10:11
antioch

bump

Tue, 08/13/2019 - 10:47
tpnsolutions

Hi,

Typically when LE has problems renewing, I've found that there is at least one problematic domain on the server which halts the renewal of other domains. I would suggest checking the validity of each domain, to see if one of them is the culprit.

If you'd like to setup a private session, I can go through your server and diagnose what is going on. Send me an email if you'd like to discuss this option.

Best Regards,
Peter Knowles | TPN Solutions
Email: pknowles@tpnsolutions.com | Skype: tpnassist

Tue, 08/13/2019 - 11:54
antioch

each name on the certificate resolves just fine. does that confirm validity?

Tue, 08/13/2019 - 13:49
tpnsolutions

Hi,

How many domains are being hosted?

Tue, 08/13/2019 - 13:55
antioch

there are 5 sans on the certificate in question.

Tue, 08/13/2019 - 14:50
tpnsolutions

Hi,

If you're on Skype, drop me a message.

Tue, 08/20/2019 - 19:35
antioch

bump

Fri, 08/23/2019 - 11:45
OliverF

Oh, a thought just came up. This is a "just in case" mention, that I mention in case it helps.

I once had a relatively similar situation with virtualmin: impossible to renew a certificate with no error message to tell there was a problem.

That was because I did something wrong with a config file, and the system was smart enough to verify if config files were good and would have allowed Apache to properly restart once it was shut down. As the answer was "nope, root is stupid and screwed up again", Apache wasn't allowed to restart. However, that didn't generate an explanation in virtualmin, the renewal procedure seemed like it was going through, although it didn't, as an Apache restart was required to finalize and apply the changes.

I discovered the problem myself after, being paranoid and all, I tried to restart Apache by ssh, and understood. Once the problem with the config file was fixed, apache was able to restart on demand, and virtualmin properly applied the certificate renewal.

I doubt that's your problem, but, hey, who can tell!

Fri, 08/23/2019 - 14:25
antioch

apache restarted via ssh. certificate due to be renewed next week. we'll see.

Tue, 09/10/2019 - 13:24
antioch

still no joy. about to celebrate 2 years of manually renewing. :(

Mon, 09/16/2019 - 16:58
antioch

bump

Wed, 09/25/2019 - 18:45
antioch

bump

Tue, 10/01/2019 - 20:29
antioch

bump

Wed, 10/02/2019 - 03:53
Jfro

IF GPL License you could try paid Support ticket?

Or TPNSOLUTIONs.. paid support / training

Mon, 10/07/2019 - 12:50
antioch

bump

Mon, 10/07/2019 - 15:59
adamjedgar

Can i clarify,

Is this just the auto renew for your webmin server domain itself? (You say in title "webmin" not auto renewing)

So all your virtualmin virtual server certificates are auto renewing?

AJECreative is the home of $5 webhosting, $15/month VPS servers (1cpu,1gb RAM, 25GB storage)
Centos7, Debian9, or Ubuntu18LTS
Available Control Panels = Centos-Webpanel, Cyberpanel, or Virtualmin

https://ajecreative.com.au

Mon, 10/07/2019 - 16:09
antioch

correct on both counts.

Tue, 10/08/2019 - 05:38
adamjedgar

Then i am confused by your statement "a sudden influx of phone calls..." from clients?

Are you hosting clients with Webmin in addition to Virtualmin and on the same system?

I am just trying to recall if i even run a letsencrypt ssl on my webserver administrator interface...EDIT oh i have got letsencrypt running for webmin and mine is working fine.

Why are clients complaining exactly and for what service (webhosting or email?)


Tue, 10/08/2019 - 13:21
antioch

dovecot and other services use a san on the webmin certificate, due to lack of sni support at the time.

automatic renewal of the webmin certificate worked fine for the first year or so. then one day...

Mon, 10/14/2019 - 22:02
antioch

bump

Sat, 10/19/2019 - 10:15
antioch

just realized this topic turned two yesterday. now where are my candles...

Fri, 10/25/2019 - 12:30
antioch

bump

Fri, 11/01/2019 - 08:54
antioch

kinda spooky how long this has been outstanding. ;-)

Fri, 11/01/2019 - 09:07
Jfro

Please read here both posts; you see they need time for some more than only LE.

AND LE script is maybe in work at virtualmin. https://www.virtualmin.com/comment/818437#comment-818437

https://www.virtualmin.com/node/67390

Of course you could still have another problem as cause

You HAVE GPL. TPNsolutions asked you to Skype him, and you can open a support ticket at virtualmin ?!?!

Tue, 11/05/2019 - 11:44
antioch

my issue predates that.

Tue, 11/05/2019 - 11:56 (Reply to #49)
Jfro

Yup we all know. ;)

BUT pointing out it makes no sense to solve your issue, and not solving other parts out of links i posted.

Meaning if they are working on new version of script, they will test of course and then probably if your issue is caused by a bug also solved. Solving an issue in for now outdated script makes no sense!

IF NOT BUG, but something with your situation / config we did post some notes where and how to get help.

Also if you really wanted help to solve it you could get paid support (also long time ago) to solve your issue, even one Person is offering you to help by Skype?????????????

Even his email address is here above in topic from tpnsolutions

I'm on CENTOS 7x and there no problems! Only with that acmev1<>v2 of course now

Tue, 11/12/2019 - 22:11
antioch

bump