I think a Webmin/Virtualmin update broke something in LetsEncrypt

Thu, 09/27/2018 - 09:17
Lanna

Background, I use LetsEncrypt for all individual domains and subdomains. It still works perfectly.

However, the main hostname for the server also has its own LetsEncrypt certificate. All fine and good. However, I have to sign the certificate for all mail subdomains on all virtual hosts in order to avoid invalid certificate warnings in mail clients. This always worked perfectly.

However, I've been trying to renew that certificate for a couple of days and it won't work anymore. I keep getting 404 not found error from LetsEncrypt. From what I can tell, it appears unable to write auth files to individual public folders for individual subdomains on other virtual hosts.

Renewing individual subdomain certificates still works fine.

I've tried the latest dev release of Webmin. Same same.

This is not a Cloudflare issue.

Any thoughts on what might be the problem? I have about a week until the existing certificate expires.

Thu, 09/27/2018 - 09:24
Lanna

To add to the above, here is the error. . .

imap.site2.co.th challenge did not pass: Invalid response from http://imap.site2.co.th/.well-known/acme-challenge/kFJKgLcZ-IperVhf2y47D... q%!(EXTRA string= 404 Not Found

Not Found

<p)

So, to clarify, the above is when I'm trying to update the main server hostname (th4.site1.co.th) and in that certificate I'm including the subdomains for site2, but it's failing, where it always previously worked. Updating site2's own certificate still works. Very strange.

Thu, 09/27/2018 - 14:31
Lanna

Just to update, this is apparently not due to a Webmin update; I tried downgrading to earlier versions and the problem persists.

Thu, 09/27/2018 - 15:05
andreychek

Howdy,

While I'm not sure what the root cause is, the key to resolving it is to figure out where requests for "http://imap.site2.co.th/.well-known/acme-challenge/" are going.

That is, when Let's Encrypt tries it, it's getting a 404 error... what you may want to try is putting your own .html file into that acme-challenge directory, and see if you can access it from the web.

If you can't, you might then need to use the logs to determine why that's not working.

Or, if you don't need "imap.site2.co.th" included in the SSL cert, you could always remove it from the list of domains being included in the SSL Cert.

-Eric
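
One way to carry out Eric's check (drop a file into the challenge directory, then fetch it from outside) as a script. This is an added example, not Virtualmin's code or anything posted in the thread; it assumes Python 3 on the web server and a writable docroot, writes a constructed random token, and also reports the other two symptoms seen in this thread (an HTTP->HTTPS redirect on the challenge path, and an HTML page coming back instead of the token).

```python
import os
import secrets
import urllib.error
import urllib.request

CHALLENGE_DIR = os.path.join(".well-known", "acme-challenge")


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx answers instead of following them: a rewrite on the
    challenge path is something the admin wants to see explicitly."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def write_probe(docroot):
    """Drop a random token file into <docroot>/.well-known/acme-challenge/."""
    token = secrets.token_urlsafe(32)  # constructed probe, not a real ACME token
    path = os.path.join(docroot, CHALLENGE_DIR)
    os.makedirs(path, exist_ok=True)
    with open(os.path.join(path, token), "w", encoding="ascii") as fh:
        fh.write(token)
    return token


def probe_challenge_path(base_url, docroot, timeout=10):
    """Fetch the probe over plain HTTP and return (ok, diagnosis).
    base_url: name being validated, e.g. http://imap.site2.co.th (assumed);
    docroot: the directory you believe Apache serves for that name."""
    token = write_probe(docroot)
    url = f"{base_url}/.well-known/acme-challenge/{token}"
    try:
        with urllib.request.build_opener(NoRedirect).open(url, timeout=timeout) as resp:
            body = resp.read(4096).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        if 300 <= err.code < 400:
            return False, (f"{err.code} redirect to {err.headers.get('Location')}: "
                           "exempt /.well-known/acme-challenge/ from HTTP->HTTPS rewrites")
        if err.code == 404:
            return False, ("404: a server answered, but not from this docroot; check which "
                           "vhost (ServerName/ServerAlias) actually owns the hostname")
        return False, f"unexpected HTTP {err.code}"
    except (urllib.error.URLError, OSError) as err:
        return False, f"connection failed: {err}; check DNS and firewall for the hostname"
    finally:
        os.remove(os.path.join(docroot, CHALLENGE_DIR, token))  # always clean up
    if body.strip() == token:
        return True, "challenge path is served from this docroot"
    if "<html" in body.lower():
        return False, "200 but an HTML page came back: another vhost's index answered"
    return False, "200 but the body does not match the probe token"
```

Run it once per hostname in the certificate with the docroot Virtualmin assigns to that virtual server; a 404 or HTML answer for one name while the others pass points at that name's vhost mapping rather than at Let's Encrypt.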

Thu, 09/27/2018 - 15:07
Lanna

Hi,

I already tried putting a small text file in the directory and I can access it from a web browser.

I also tried removing the subdomain from the certificate, but it just then flags up a different subdomain. Note that this was working for years, I've made no changes. It just stopped working and I've no idea why.

Thu, 09/27/2018 - 15:42
Lanna

. . . and do you have a suggestion which logs to look at first?

Fri, 09/28/2018 - 06:18
JoeDoe

Broken here as well.
This was working before.
I can access a TXT file from the browser as well:

domain.tld challenge did not pass: Invalid response from http://domain.tld/.well-known/acme-challenge/oIiO9g8SigorS4wXT2_k4iPv1dFhxaY5Mq-cSXXIdAs: "<html>\n    <head>\n        <title>domain.tld</title>\n        <meta name="Description" content="">\n        <meta name="Keywords" co"

~ Joe Doe

Fri, 09/28/2018 - 10:20
Lanna

Important to stress that renewing individual certificates for individual hosts still works fine, so the auth file is being written and read by LetsEncrypt. . . but something has gone wrong when adding domains to sign for on other root domains. I can normally figure these things out by myself but I've hit a wall on this one.

Sat, 09/29/2018 - 07:46
applejack

I had the same issue recently and it was because of an httpd conf issue: some of the host names had for some reason been removed from the ServerAlias settings. So check the httpd conf for the main server and make sure there are ServerAlias entries for all hostnames you are trying to renew for.

Sat, 09/29/2018 - 14:36
Lanna

Thanks for the idea. However, this is not the case on my server.

Sat, 09/29/2018 - 15:06
Lanna

I seem to have fixed this by trial and error. As I was able to renew individual certs, I went ahead and did that for every single subdomain. This seems to fix something, I guess some broken permissions. Thereafter I was able to sign the main server hostname certificate for all subdomains on other virtual hosts. I would still be interested to hear if anyone spots the root cause though, as I fear this problem may come back to haunt if not identified.

Mon, 10/01/2018 - 03:54
Jfro

We had, and still have, some problems too. Yes, we did create the sub and alias, and then did it manually and so on, and then it was solved, hmm.

Searching the forum here, sometimes it worked to create a self-signed cert and after that a Let's Encrypt one again.

While I think, as you described, when renewing, the "subdomains" have a unique cert of their own, which is also now the case for you, I presume. (I don't know what having 2 different certs in your data is causing.)

I mean one cert only for those subs per subdomain, and the main one with all of them mentioned in it.

This is not the way it should be done, but I don't know if it is going to give problems with LE or in combination with Virtualmin?

So if possible, going for the option of self-signed certs first is maybe better; I don't know, I can't find that support document/article now.

Virtualmin Support, please advise in this matter which one is preferable when such a thing happens, after testing of course DNS, httpd.conf, .htaccess and so on?

Tue, 10/02/2018 - 08:24
JoeDoe

Still having the same problem for various domains.
I've checked httpd.conf and tried switching to Self-Signed Certs, but without luck.
I've even tried to remove the .well-known redirect, since these redirect to https, but still no luck.
And I've tried to disable the global redirect from HTTP to HTTPS, but this also didn't solve my issue.

The only way it works for me is to import a backup and let the Create Virtual Server process request a LE cert.

I have to mention that renewal works fine.

~ Joe Doe

Thu, 12/27/2018 - 15:01
Lanna

Still having this problem. Having to manually renew each individual domain and subdomain before it works.