LetsEncrypt auto-renewal has stopped

Sometime within the latest months the auto letsencrypt renewal has stoppen working. Manual renewal using the "Request Certificate"-button on the "Server Configuration" / "Let's Encrypt"-tab works fine.

"Re-Check Configuration" reports all ok"

Any ideas ? What to check ?

Status: 
Active
Virtualmin version: 
6.14
Webmin version: 
6.14

Comments

Ilia's picture
Submitted by Ilia on Mon, 03/01/2021 - 12:28

Hello,

Thank you contacting us.

Any ideas ? What to check ?

It would be interesting to have a look at relevant log entries from /var/log/letsencrypt on the day it failed - what does it say?

Hi,

It the same here on both virtualmin pro instances of mine (cent7-based and fully up to date) ... Just found out, in all /etc/webmin/virtualmin-server/domains/ there is an entry auto_letsencrypt=0 ... sounds like our problem?

Is it save to change this to 1 ? I can't find any documentation on this.

Stay healthy, -- Kai

Hi Ilia It does not fail, it just does not run. So please reply Kai's question above. Thanks

Ilia's picture
Submitted by Ilia on Tue, 03/02/2021 - 05:46

It the same here on both virtualmin pro instances of mine (cent7-based and fully up to date) ... Just found out, in all /etc/webmin/virtualmin-server/domains/ there is an entry auto_letsencrypt=0 ... sounds like our problem?

Kai, no. I don't think it's the source of the problem as auto_letsencrypt is set upon domain creation time (or on initial post-install wizard for default domain) and either based on correspondent Virtualmin config option (if Let's Encrypt should be automatic up-on domain creation time) when domain is created with UI or when created using CLI, if it's manually set with additional --letsencrypt param. Later auto_letsencrypt is only tested when disabling/re-enabling SSL website feature for existing website.

What is important here is that apply_letsencrypt_cert_renewals must be called. Mentioned sub will not work if letsencrypt_renew param in domain config is not set or/and if collectinfo.pl is not called.

What is your case? What do you have set on Webmin ⇾ Webmin Configuration: Webmin Scheduled Functions for collectinfo.pl? Does letsencrypt_renew present on your domain config?

Ilia's picture
Submitted by Ilia on Tue, 03/02/2021 - 06:54

Alright, I see what other issue and most likely the source of the problem is. Due to the recent change in Let's Encrypt it seems that they now have issuer_cn set to R3 rather than what it was before, and thus apply_letsencrypt_cert_renewals stops, thinking that it's not Let's Encrypt certificate. Currently Virtualmin 6.14 doesn't have this checked done right but upcoming Virtualmin 6.15 is have it fixed already!

You could manually patch feature-ssl.pl file and line 2437 from what it is now and replace it with:

next if ($info->{'issuer_o'} !~ /Let's\s+Encrypt/i);

I cannot say it's recommended way of doing it but it's better than not working automatic renewals.

Edit: After editing mentioned file you would have to restart Webmin with /etc/webmin/restart command.

Well, I try changing it to: next if ($info->{'issuer_cn'} !~ /R3/i); The we'll see within the next month or so.

Ilia's picture
Submitted by Ilia on Tue, 03/02/2021 - 12:51

Well, I try changing it to: next if ($info->{'issuer_cn'} !~ /R3/i); The we'll see within the next month or so.

Yeah, sure. It'll work too!

jimr's picture
Submitted by jimr on Thu, 03/04/2021 - 03:06 Pro Licensee

I applied this fix 2 days ago ... it did not work .. webmin/virtualmin failed to update the ssl certs before expiry but manual update worked no problem

i changed line like Ilia suggest

next if ($info->{'issuer_o'} !~ /Let's\s+Encrypt/i);

then restart webmin service (on few servers) or reboot (on other servers) and now works fine

thank you

I also confirm, the patch solve the issue in my servers, automatically cert renewals started a few minutes after aplly the patch on feature-ssl.pl

My fix did'nt help, before I rebooted. Then it updated all certs older than 2 months.

LetsEncrypt auto-renewal has stopped for me too on many servers. It will simply let the certifications expire saying 0 days remaining. I had to press renew manually. Virtualmin version 6.14.

Ilia's picture
Submitted by Ilia on Sat, 03/06/2021 - 15:23

LetsEncrypt auto-renewal has stopped for me too

Yes, sorry about this.

We're about to announce Webmin 1.973 and a week later will try to do Virtualmin 6.15.

Meantime, you could apply the patch mentioned above in the comment #5 to address the problem.

It worked for me too in Virtualmin 6.14.

I modified feature-ssl.pl file line 2437 and replaced it with (as asked by Ilia):

next if ($info->{'issuer_o'} !~ /Let's\s+Encrypt/i);

Chiming in here to say that we are experiencing the same issue on all of our Virtualmin servers (both GPL and Pro). The last Let's Encrypt auto-renewal e-mail I received from Virtualmin was on February 2nd. I will apply the patch mentioned in comment #5, hopefully that will resolve this issue for me as it has for others in this thread.

Ilia's picture
Submitted by Ilia on Tue, 03/09/2021 - 16:59

After editing mentioned file you would have to restart Webmin with /etc/webmin/restart command.

Just as it has for others, changing the line in feature-ssl.pl has resolved the auto-renew problem for me. I look forward to the official fix being included in the next Virtualmin release.

wanindra's picture
Submitted by wanindra on Thu, 03/18/2021 - 06:36

Maybe it will useful for someone else, I had to apply the fix at two different places in file /usr/share/webmin/virtual-server/feature-ssl.pl.

The first fix on line 2437 was not enough. There was another similar line on line 2626 that needed similar fix.

Must be the version that I am running?

Solved in 6.15 - thank you

Ilia's picture
Submitted by Ilia on Thu, 03/18/2021 - 07:08

Solved in 6.15 - thank you

Yes, the patch above must not be applied for Virtualmin 6.15+.

Hi Ilia, my line 2437 is empty. Should i add the patch line there?

Thank you

Ilia's picture
Submitted by Ilia on Sat, 04/24/2021 - 17:42

Hi,

No, latest Virtualmin 6.16 and Webmin 1.973 have this issue fixed.

My ssl don't auto renew

Webmin version 1.942 Usermin version 1.791 Virtualmin version 6.09 Pro

I've had this problem too, actually caused us quite an embarassment with one client a couple of weeks ago. I'm now checking and manually renewing as required.

On Virtualmin 6.14 and Webmin has just upgraded to 1.974. Not seeing a 6.15 or 6.16 upgrade coming through. By the looks of things 6.15 should have landed some time ago?

Mark

Hi !

It looks like this bug is back with 6.16.

There is no more text input zone for renewal period and renewal is never triggered.

Xavier

In version 6.16, renewal is either on or off , and happens automatically when the cert is close to expiry.

Ilia's picture
Submitted by Ilia on Tue, 05/04/2021 - 07:59

On Virtualmin 6.14 and Webmin has just upgraded to 1.974. Not seeing a 6.15 or 6.16 upgrade coming through. By the looks of things 6.15 should have landed some time ago?

You should check your repos or run install.sh script with -s param to setup repos and exit:

./install.sh -s

This was working in 6.15 but is not working for me on 6.16. Manual renewals are working fine, but no auto renewals seem to be taking place.

Ilia's picture
Submitted by Ilia on Tue, 05/04/2021 - 13:51

This was working in 6.15 but is not working for me on 6.16. Manual renewals are working fine, but no auto renewals seem to be taking place.

If you go to the domain for which auto-renewal doesn't work, how its virtual-server.name - Server Configuration ⇾ SSL Certificate / Let's Encrypt page look like? Could you make a screenshot?

Do you have Automatically renew certificate? set to Yes?

So I had 6 domains that were at 21 days when my daily report ran at midnight this morning. All of these renewed today. Prior to this, they were renewing at 30 days or so. My next oldest ones are 37 days out currently, so I'll keep my eye on those and see what happens.