Automatic Let's Encrypt renew fails

CentOS Linux 7.9.2009
Virtualmin 6.14

Since 2019 I have had some automatic certificate renewals working.
I’m starting to receive Let’s Encrypt certificate expiration notices by email, but no “Let’s Encrypt certificate renewal complete” messages anymore.
Trying to do it manually from Server Configuration → SSL Certificate → Let’s Encrypt, I get errors like these:

Domain: sql.domain.com
Type: unauthorized
Detail: Invalid response from
https://sql.domain.com/.well-known/acme-challenge/a3QPv0zy4ZQ7SO05Lu63UoB0ovQLNn5CIJNzFhqQBuU
[173.249.47.114]: “\n\n404 Not
Found\n\n<h 1>Not Found\n<p”

Domain: mail.domain.com
Type: unauthorized
Detail: Invalid response from
http://mail.domain.com/login.php?url=http%3A%2F%2Fmail.domain.com%2F.well-known%2Facme-challenge%2FuQpuI4BSUn3YR2Oks2mEOlF6Qhdj1F00pZpFVnLfAg0%3F_t%3D1614520435%26_h%3DbuVuMzUDgyxm2KH9GS6r4bnsIs0&horde_logout_token=qfGx63dJZvpq4zWAr_dMygR
[173.249.47.114]: "\n<html
lang=“en-US”>\n \n "

Detail: DNS problem: NXDOMAIN looking up TXT for
_acme-challenge.mail.domain.com - check that a DNS record
exists for this domain

I never had to add those DNS records to get the certs renewed.

It seems the issue is only for domains having a login default page.
This cert I want to renew has 4 domains, two with login default pages; those 2 are the ones displaying errors (sql* and mail*).

Anyway, I have other certs that don’t renew automatically now, but they do renew successfully manually.

Thanks

EDIT 1: I was able to create separate certs for each of both subdomains

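A preflight check for the HTTP-01 failures quoted above, added here as an example and not part of the original thread or of Virtualmin: it requests the challenge URL without following redirects and reports what Let’s Encrypt would see (a 404, a bounce to a login page such as login.php, or the expected key authorization). The domain, token and expected body are placeholders you substitute for a real pending challenge.

```python
import urllib.error
import urllib.request
from urllib.parse import urlparse


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow 3xx responses; surface them so Location can be inspected."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # makes urllib raise HTTPError for the 3xx instead of following it


def classify_http01(status, location, body, expected_body):
    """Explain a response to GET /.well-known/acme-challenge/<token>.

    expected_body is the ACME key authorization ("<token>.<account thumbprint>")
    that the file placed in the challenge directory must contain.
    """
    if status in (301, 302, 303, 307, 308):
        path = urlparse(location or "").path.lower()
        if "login" in path or "auth" in path:
            return "redirected-to-login"  # the web app's auth wrapper captured the ACME path
        return "redirected"  # e.g. http->https; fine only if the target serves the token
    if status == 404:
        return "not-found"  # nothing serves /.well-known/acme-challenge/ on this vhost
    if status == 200 and body.strip() == expected_body:
        return "ok"
    if status == 200:
        return "wrong-content"  # something answered, e.g. an HTML login page
    return f"unexpected-{status}"


def probe_http01(domain, token, expected_body, timeout=10):
    """Fetch the challenge URL the way the CA does (plain HTTP, no redirects)."""
    url = f"http://{domain}/.well-known/acme-challenge/{token}"
    opener = urllib.request.build_opener(_NoRedirect())
    try:
        with opener.open(url, timeout=timeout) as resp:
            body = resp.read().decode(errors="replace")
            return classify_http01(resp.status, None, body, expected_body)
    except urllib.error.HTTPError as err:
        body = err.read().decode(errors="replace")
        return classify_http01(err.code, err.headers.get("Location"), body, expected_body)


if __name__ == "__main__":
    # Placeholder values: replace with the domain and token of a pending challenge.
    print(probe_http01("sql.example.invalid", "TOKEN", "TOKEN.THUMBPRINT"))
```

Run it against each name in the certificate before retrying the renewal; "redirected-to-login" or "not-found" means the challenge path must be excluded from the application's login handling (or served by the web server directly) before HTTP-01 can succeed.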

This TXT record fix has worked for me before under various circumstances with and without Virtualmin being involved. I’ve never noticed a pattern as to why it’s sometimes necessary although I’ve never really looked into it as closely as you have. I hope a lot of people see and take note of your post if they see this particular error.

At the same time you wrote this answer, I added “EDIT 1” at the bottom of my question.
I can also add a TXT record, but I don’t know the token to use.

Also I am worried why auto-renew has stopped.
Thanks

Sorry, I thought you already fixed it and I completely forgot about the token.

I was using certbot for wildcards when I first had this problem. I’ve also seen it using Virtualmin’s LE plugin. Apparently this article helped out with certbot, but I’m fairly certain I was using Virtualmin when I found the token buried somewhere in a mess of errors.

According to my notes a portion of the fail error looked like this:

Domain: domain.tld
Type:   unauthorized
Detail: Incorrect TXT record
"43-character_token_was_here_xxxxxxxxxxxxxxx" found at _acme-challenge.domain.tld

Despite the wording in the error, I think the token in this example is actually the correct one to use for the record value, and it’s the TXT record itself that’s missing and therefore “incorrect”. If I’m wrong about that then it’s time to update my crappy notes.

As for auto-renewals not working, there’s chatter about that lately and there may be a fix in the works. I noticed it too but manual renewals are working.

As I said, I could create separate certs for those subdomains without adding DNS records.

Same as you, I also found a 43-char string, I guess a token, in the error log: https://sql.domain.com/.well-known/acme-challenge/a3QPv0zy4ZQ7SO05Lu6…43-total chars
and
http://mail.domain.com/login.php?url=http%3A%2F%2Fmail.fdomain.com%2F.well-known%2Facme-challenge%2FuQpuI4…43-total-chars…pZpFVnLfAg0%3F_t%3D1614520435%26_h%3DbuVuMzUDgyxm2KH9GS6r4bnsIs0&horde_logout_token=qfGx63dJZvpq4zWAr_dMygR

Not sure if they remain the same after creating separate certs.

I still don’t realize why auto renew stopped working.
