Letsencrypt certificate error for the host system server2.mydomain.com

Guys, I have a brand new install of Virtualmin GPL (I am also a user of Virtualmin Pro on another server). I am trying to get an SSL for server2.mydomain.com, however it keeps throwing an error...

just to cover a couple of bases first:

  • server1.mydomain.com is a separate debian 9 system that is functioning normally for more than a year. It has SSL and also the apache virtual host https://mydomain.com

  • the error is confusing...I can resolve in a web browser the domain name http or https://server2.mydomain.com no problem

  • I have an index.html file sitting in the very directory that this error is talking about that is serving a default webpage.

  • neither webmin nor virtualmin is able to obtain an SSL for this...the same error on both.

I suspect that there is something not right in the default virtualmin setup for debian 10. I have had a number of stupid issues (such as cannot resolve external ip address when creating virtual servers) that I haven't ever experienced with a default fresh install of debian 9...clearly something is not right.

If I add another virtual server for a different domain, the SSL function works ok and successfully obtains a letsencrypt certificate; however, it's impossible to get it working for the server itself.

What I suspect may be happening (although I'm not sure) is that, even though this server resolves correctly via dns, perhaps somehow letsencrypt is attempting to browse my other VPS (server1.mydomain.com) where the apache virtual host parent domain "mydomain.com" resides, and of course that won't work.

I followed help on the forums where it was suggested I create a virtual server on this host called "server2.mydomain.com" and obtain an SSL for that...however the error below comes up...

Requesting a new certificate for server2.mydomain.com, using the website directory /home/server2/public_html ..
.. request failed : Failed to request certificate :

Traceback (most recent call last):
  File "/usr/share/webmin/webmin/acme_tiny.py", line 198, in <module>
    main(sys.argv[1:])
  File "/usr/share/webmin/webmin/acme_tiny.py", line 194, in main
    signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca, disable_check=args.disable_check, directory_url=args.directory_url, contact=args.contact)
  File "/usr/share/webmin/webmin/acme_tiny.py", line 143, in get_crt
    raise ValueError("Wrote file to {0}, but couldn't download {1}: {2}".format(wellknown_path, wellknown_url, e))
ValueError: Wrote file to /home/server2/public_html/.well-known/acme-challenge/IJism8duOgF0TVRqo9-mN2Q2uNcGpsmJZlDW4nv1_Ac, but couldn't download http://server2.mydomain.com/.well-known/acme-challenge/IJism8duOgF0TVRqo9-mN2Q2uNcGpsmJZlDW4nv1_Ac: Error:
Url: http://server2.mydomain.com/.well-known/acme-challenge/IJism8duOgF0TVRqo9-mN2Q2uNcGpsmJZlDW4nv1_Ac
Data: None
Response Code: 404
Response: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL was not found on this server.</p>
</body></html>

What do I do to resolve this? I can't believe it is seemingly impossible to obtain an SSL cert for multiple VPS servers with the same brand name (i.e. mydomain.com)

i.e. server2.mydomain.com, server3.mydomain.com

Is this an error in virtualmin or something I need to change myself in the default setup?

Status: 
Active
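The traceback above is acme_tiny's own self-check failing: it wrote the token under /home/server2/public_html but the vhost that answers for server2.mydomain.com returned 404 for it, which means that hostname is being served from somewhere else (a different DocumentRoot, a different server, or a rewrite catching /.well-known/). The script below is an added example, not part of this thread, of Virtualmin or of acme_tiny, that reproduces that pre-flight check on its own so it can be run against any webroot/URL pair before asking the CA. It assumes nothing about the server beyond a webroot directory and the base URL the CA will fetch; the built-in http.server used in demo() is only a stand-in for Apache so the check can be exercised offline.

```python
"""Pre-flight check for an ACME HTTP-01 challenge: after a token is written
under <webroot>/.well-known/acme-challenge/, does it come back from the URL
the CA will fetch?  (Added example; not part of the thread, of Virtualmin or
of acme_tiny.)  A 404 here means the vhost that answers for the hostname is
not serving from this directory: wrong DocumentRoot, another server answering
for the name, or a rewrite rule swallowing /.well-known/.
"""
import os
import secrets
import tempfile
import threading
import urllib.error
import urllib.request
from functools import partial
from http.server import HTTPServer, SimpleHTTPRequestHandler

CHALLENGE_PATH = ".well-known/acme-challenge"


def write_token(webroot):
    """Create a random token file in the challenge directory; return (token, path)."""
    token = secrets.token_urlsafe(32)
    challenge_dir = os.path.join(webroot, ".well-known", "acme-challenge")
    os.makedirs(challenge_dir, exist_ok=True)
    path = os.path.join(challenge_dir, token)
    with open(path, "w") as fh:
        fh.write(token)
    return token, path


def check_webroot_reachable(base_url, webroot, timeout=5.0):
    """Write a token under webroot, GET it via base_url, compare the body.
    Returns (ok, detail); detail names the failure the way an admin reads it."""
    token, path = write_token(webroot)
    url = f"{base_url.rstrip('/')}/{CHALLENGE_PATH}/{token}"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", "replace").strip()
    except urllib.error.HTTPError as exc:          # HTTPError before URLError: it is a subclass
        return False, (f"{url} returned HTTP {exc.code}: the vhost answering for this "
                       "name does not serve from this webroot")
    except (urllib.error.URLError, OSError) as exc:
        return False, f"{url} unreachable: {exc}"
    finally:
        os.remove(path)                            # never leave stale tokens in the webroot
    if body != token:
        return False, f"{url} answered 200 but with other content (catch-all page or redirect?)"
    return True, f"{url} served the token; HTTP-01 from this webroot should succeed"


class _QuietHandler(SimpleHTTPRequestHandler):
    """Static-file handler that does not log every request to stderr."""
    def log_message(self, fmt, *args):
        pass


def serve_directory(directory):
    """Serve directory on a random 127.0.0.1 port in a daemon thread
    (stand-in for Apache so the check can run offline).
    Returns (server, base_url); call server.shutdown() when done."""
    server = HTTPServer(("127.0.0.1", 0), partial(_QuietHandler, directory=directory))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


def demo():
    """Run the check against a matching and a non-matching webroot; return both results."""
    with tempfile.TemporaryDirectory() as served, tempfile.TemporaryDirectory() as other:
        server, base_url = serve_directory(served)
        try:
            good = check_webroot_reachable(base_url, served)   # same dir the server serves
            bad = check_webroot_reachable(base_url, other)     # token written elsewhere -> 404
        finally:
            server.shutdown()
            server.server_close()
    return {"matching_webroot": good, "wrong_webroot": bad}


if __name__ == "__main__":
    for name, (ok, detail) in demo().items():
        print(f"{name}: {'OK' if ok else 'FAIL'} - {detail}")
```

On a real host you would call check_webroot_reachable("http://server2.mydomain.com", "/home/server2/public_html") from the box itself; if that returns the HTTP 404 branch while the same call with the DocumentRoot Apache actually uses for that ServerName succeeds, the problem is vhost selection, not Let's Encrypt.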

Comments

Submitted by Ilia on Wed, 05/13/2020 - 06:29

Hi,

Sorry for the late response.

Are you able to open this URL from your browser: http://server2.mydomain.com/.well-known/acme-challenge/IJism8duOgF0TVRqo9-mN2Q2uNcGpsmJZlDW4nv1_Ac?

It doesn't seem that you have the certbot package installed? Try installing this package and requesting a certificate from Virtualmin once again:

apt-get install certbot

Hi Ilia, this is strange...I have a virtual server on that system that has a letsencrypt SSL certificate installed from virtualmin. It just won't install it for the host itself. As you say, certbot doesn't appear to be installed; however, look at what happens when I try to install certbot using apt-get in virtualmin... (the following is repeated with all of the certbot packages, I have only included a single entry. Nothing was installed at all.)

E: Failed to fetch http://deb.debian.org/debian/pool/main/p/pyicu/python-pyicu_2.2-2_amd64.deb  Temporary failure resolving 'deb.debian.org'
E: Unable to fetch some archives, maybe run apt-get update or try with --fix-missing?

What permissions should /etc/resolve.conf have? In my new system they are 0755 (which I think is right); ownership is shown as root:root

BTW, I notice resolve.conf is running from a symlink. /run/resolvconf/resolv.conf

however, in symlink /run/resolve.conf, the permissions are 0644

Should it be this way? (i.e. the main resolve directory is 0755, and the run symlink is 0644)

Also Ilia, I manually added the debian buster backports to /etc/apt/sources.list

deb http://ftp.debian.org/debian buster-backports main

however, when I then run "apt update" in the command shell... I get the following:

[root@server2 ~]# apt update

WARNING: apt does not have a stable CLI interface. Use with caution in scripts.

Err:1 http://security.debian.org/debian-security buster/updates InRelease
  Temporary failure resolving 'security.debian.org'
Err:2 http://software.virtualmin.com/vm/6/gpl/apt virtualmin-buster InRelease
  Temporary failure resolving 'software.virtualmin.com'
Err:3 http://software.virtualmin.com/vm/6/gpl/apt virtualmin-universal InRelease
  Temporary failure resolving 'software.virtualmin.com'
Err:4 http://ftp.debian.org/debian buster-backports InRelease
  Temporary failure resolving 'ftp.debian.org'
Err:5 http://deb.debian.org/debian buster InRelease
  Temporary failure resolving 'deb.debian.org'
Err:6 http://deb.debian.org/debian buster-updates InRelease
  Temporary failure resolving 'deb.debian.org'
Reading package lists...
Building dependency tree...
Reading state information...
All packages are up to date.
W: Failed to fetch http://deb.debian.org/debian/dists/buster/InRelease  Temporary failure resolving 'deb.debian.org'
W: Failed to fetch http://security.debian.org/debian-security/dists/buster/updates/InRelease  Temporary failure resolving 'security.debian.org'
W: Failed to fetch http://deb.debian.org/debian/dists/buster-updates/InRelease  Temporary failure resolving 'deb.debian.org'
W: Failed to fetch http://software.virtualmin.com/vm/6/gpl/apt/dists/virtualmin-buster/InRelease  Temporary failure resolving 'software.virtualmin.com'
W: Failed to fetch http://software.virtualmin.com/vm/6/gpl/apt/dists/virtualmin-universal/InRelease  Temporary failure resolving 'software.virtualmin.com'
W: Failed to fetch http://ftp.debian.org/debian/dists/buster-backports/InRelease  Temporary failure resolving 'ftp.debian.org'
W: Some index files failed to download. They have been ignored, or old ones used instead.

Why can't the brand new virtualmin gpl system resolve even to your own servers? (my personal website on the server is working fine and has its own valid letsencrypt SSL cert). The problem seems to be with the host itself!

AW FFS...bind wasn't running DOH!!!! Ok I have now installed certbot on the host...the certificate for server2.mydomain.com has now installed successfully.

It is now throwing another error in the browser...it's redirecting to ipaddress instead of the server2.mydomain.com. In the Google browser I get the error, "ipaddress cannot prove certificate belongs to server2.mydomain.com". How do I fix this?
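Every "Temporary failure resolving" line in the apt output above, including the one for deb.debian.org in the failed certbot install, is the libc resolver reporting that none of the nameservers in /etc/resolv.conf gave a usable answer; on a Virtualmin host that file usually points at the local BIND, so a stopped named looks like a dead Internet. The script below is an added example (not from this thread, Virtualmin or Debian) that asks each configured nameserver directly with a hand-built DNS query and reports timeout, port unreachable or the response code, which is what separates "bind is not running" from "bind is running but cannot recurse". It assumes only a resolv.conf-format text and UDP reachability to port 53; deb.debian.org is used as the test name because it is the host apt failed on.

```python
"""Which nameservers in /etc/resolv.conf actually answer?  Added example; not
from the thread, Virtualmin or Debian.  apt's "Temporary failure resolving
'deb.debian.org'" only says the libc resolver got no usable answer; this
script sends each configured nameserver a minimal A query (RFC 1035 header +
question) over UDP and reports timeout / refused / rcode, so a stopped local
BIND on 127.0.0.1 shows up as exactly that.
"""
import secrets
import socket
import struct

TEST_NAME = "deb.debian.org"   # the host apt failed to resolve in the thread


def parse_resolv_conf(text):
    """Return the nameserver addresses in resolv.conf text, ignoring comments."""
    servers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].split(";", 1)[0].strip()
        fields = line.split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            servers.append(fields[1])
    return servers


def build_query(name, txid):
    """Encode a recursive A/IN query: 12-byte header, QNAME labels, QTYPE, QCLASS."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # flags: RD only
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)


def parse_response(data, txid):
    """Return (rcode, answer_count) from the response header; reject wrong ids."""
    if len(data) < 12:
        raise ValueError("short DNS response")
    rid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch (stray or spoofed reply)")
    if not flags & 0x8000:
        raise ValueError("not a response packet")
    return flags & 0x000F, an


def probe_nameserver(server, name=TEST_NAME, timeout=2.0):
    """Send one query to server:53 and summarize the outcome as a string."""
    txid = secrets.randbelow(0x10000)          # random id so a stale reply is rejected
    family = socket.AF_INET6 if ":" in server else socket.AF_INET
    with socket.socket(family, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(build_query(name, txid), (server, 53))
            data, _ = sock.recvfrom(512)
        except socket.timeout:
            return "timeout: nothing answering on port 53 (is bind9/named running?)"
        except OSError as exc:                 # ICMP port unreachable surfaces here on Linux
            return f"error: {exc} (port unreachable means no resolver is bound there)"
    try:
        rcode, answers = parse_response(data, txid)
    except ValueError as exc:
        return f"bad reply: {exc}"
    if rcode == 0 and answers:
        return f"ok: {answers} answer record(s)"
    return f"answered but rcode={rcode}, {answers} answers (2=SERVFAIL, 3=NXDOMAIN, 5=REFUSED)"


def diagnose(resolv_conf_text, name=TEST_NAME):
    """Probe every nameserver listed in the given resolv.conf text."""
    servers = parse_resolv_conf(resolv_conf_text)
    if not servers:
        return {"(none)": "no nameserver lines: resolv.conf empty or a dangling symlink"}
    return {srv: probe_nameserver(srv, name) for srv in servers}


if __name__ == "__main__":
    with open("/etc/resolv.conf") as fh:
        for server, status in diagnose(fh.read()).items():
            print(f"{server}: {status}")
```

A timeout or "port unreachable" for 127.0.0.1 is the signature of the situation in this thread (named not running); SERVFAIL from the same address means it is running but cannot reach the root servers or its forwarders, which is a firewall or upstream problem rather than a service one.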

Submitted by Ilia on Sat, 05/16/2020 - 12:12

Can you get Joe to ensure that in future, the default webmin/virtualmin 6 gpl installation actually has this package installed please. I have wasted days on this.

Well, we do have bind installed for Debian 10. It would be reasonable to check if bind is running. It could've been killed.

thanks for your help, you have solved my problem for me, much appreciated.

You are welcome!

it's redirecting to ipaddress instead of the server2.mydomain.com.

It's not clear what's happening. Check your Apache configuration and that a domain record is actually added to your server (with expected IP address(es)).

ipaddress cannot prove certificate belongs to server2.mydomain.com

You need to make sure that IP address(es) assigned for a domain are set correspondingly on registrar and your server side (including web-server and DNS).