Can't replace certificate on one server/domain

Ubuntu Linux 18.04.4, webmin 1.962, virtualmin 6.14

Hi,

on my server, I managed to get “Let’s Encrypt” to work with all ‘servers’. Only one I did differently, before, with "Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA". But that is not working as it should, browsers often show security warnings, so I thought I’d try Let’s Encrypt on that server as well. Whenever I try though, I get this:


Requesting a certificate for gran-canaria-info.com, www.gran-canaria-info.com, autoconfig.gran-canaria-info.com, autodiscover.gran-canaria-info.com from Let’s Encrypt …
… request failed : Web-based validation failed :
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for autoconfig.gran-canaria-info.com
http-01 challenge for autodiscover.gran-canaria-info.com
http-01 challenge for gran-canaria-info.com
http-01 challenge for www.gran-canaria-info.com
Using the webroot path /home/grancanariainfo/public_html for all unmatched domains.
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. autoconfig.gran-canaria-info.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching https://www.gran-canaria-info.com/.well-known/acme-challenge/QBU6fSOkfnRA2AHcABAGo4qoqnfZtHxpQZnYfeUSkpg: Timeout during connect (likely firewall problem), www.gran-canaria-info.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching https://www.gran-canaria-info.com/.well-known/acme-challenge/FuYgXhNyCwWSBhHYvj2bxV8OGh7KJ3aDLWeI3wd5opc: Timeout during connect (likely firewall problem)
IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: autoconfig.gran-canaria-info.com
    Type: connection
    Detail: Fetching
    https://www.gran-canaria-info.com/.well-known/acme-challenge/QBU6fSOkfnRA2AHcABAGo4qoqnfZtHxpQZnYfeUSkpg:
    Timeout during connect (likely firewall problem)

    Domain: www.gran-canaria-info.com
    Type: connection
    Detail: Fetching
    https://www.gran-canaria-info.com/.well-known/acme-challenge/FuYgXhNyCwWSBhHYvj2bxV8OGh7KJ3aDLWeI3wd5opc:
    Timeout during connect (likely firewall problem)

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you’re using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.
    DNS-based validation failed :
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    Plugins selected: Authenticator manual, Installer None
    Obtaining a new certificate
    Performing the following challenges:
    dns-01 challenge for autoconfig.gran-canaria-info.com
    dns-01 challenge for autodiscover.gran-canaria-info.com
    dns-01 challenge for gran-canaria-info.com
    dns-01 challenge for www.gran-canaria-info.com
    Waiting for verification…
    Cleaning up challenges
    Failed authorization procedure. www.gran-canaria-info.com (dns-01): urn:ietf:params:acme:error:dns :: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.www.gran-canaria-info.com - check that a DNS record exists for this domain, gran-canaria-info.com (dns-01): urn:ietf:params:acme:error:dns :: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.gran-canaria-info.com - check that a DNS record exists for this domain, autodiscover.gran-canaria-info.com (dns-01): urn:ietf:params:acme:error:dns :: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.autodiscover.gran-canaria-info.com - check that a DNS record exists for this domain, autoconfig.gran-canaria-info.com (dns-01): urn:ietf:params:acme:error:dns :: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.autoconfig.gran-canaria-info.com - check that a DNS record exists for this domain
    IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: www.gran-canaria-info.com
    Type: None
    Detail: DNS problem: NXDOMAIN looking up TXT for
    _acme-challenge.www.gran-canaria-info.com - check that a DNS record
    exists for this domain

    Domain: gran-canaria-info.com
    Type: None
    Detail: DNS problem: NXDOMAIN looking up TXT for
    _acme-challenge.gran-canaria-info.com - check that a DNS record
    exists for this domain

    Domain: autodiscover.gran-canaria-info.com
    Type: None
    Detail: DNS problem: NXDOMAIN looking up TXT for
    _acme-challenge.autodiscover.gran-canaria-info.com - check that a
    DNS record exists for this domain

    Domain: autoconfig.gran-canaria-info.com
    Type: None
    Detail: DNS problem: NXDOMAIN looking up TXT for
    _acme-challenge.autoconfig.gran-canaria-info.com - check that a DNS
    record exists for this domain


Which is weird, the public_html folder has the same rights as the public_html folders of the other servers, and DNS-wise I thought things are okay. Anyway, how do I start troubleshooting this?

Thank you!

Hmm, you said that you have an A record and also an AAAA record. AAAA records are better, but for now I don’t recommend you go with an AAAA record; AAAA is based on IPv6 and A is based on IPv4.

What I recommend you do, and sometimes it works, is uninstalling the SSL/TLS and reinstalling it, which is:

  1. Log in to your Virtualmin dashboard.
  2. Then go to create virtual server.
  3. Then go to Enabled features and uncheck “Setup SSL website too?”
  4. Then press on create server.
     And do the steps again:
  5. Go to create virtual server.
  6. Then go to Enabled features and check “Setup SSL website too?”
  7. Then press on create server.

After all of it you should go to Server Configuration -> Let’s Encrypt tab. Make sure “Domains associated with this server” is checked, check that “Months between automatic renewal” is set to 2 months, and finally request SSL.

You should wait around 30 min or go to Chrome incognito mode and see if Let’s Encrypt is working.

Those strings of 43 characters trailing .well-known/acme-challenge are tokens that can be used for manually creating DNS TXT records that Let’s Encrypt is unable to process itself during DNS validation (the same way it’s unable to process the .well-known/acme-challenge directory during http validation). Sometimes a manual TXT record workaround gets results when all else fails.

Under ideal conditions manually adding tokenized TXT records shouldn’t be necessary. Based on LE’s message “Timeout during connect (likely firewall problem)” there could be some other network obstacle, like missing glue for nameservers that causes delayed lookups.

If you want to try it, a TXT record needs two pieces of info:

  • Record name: _acme-challenge.domain.tld
  • Text record/value: xxxx-43-character-token-string-of-text-xxxx

Use the most recent token LE displays in an error or log, not just any token that could have expired.

If you’re agreeable to a wildcard certificate, a single TXT record for the parent domain should be all that’s needed.

@lex just seen that website, it’s running SSL from Let’s Encrypt already.

Thank you people, thanks to all of you it is now working as it should. So I removed the AAAA records, and then I was able to get the Let’s Encrypt certificates installed. The others, which I bought before discovering Let’s Encrypt, would sometimes show the site as a dangerous site and I had enough of it.

So: many thanks!
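The failure mode resolved above (an AAAA record published for an address nothing was listening on) can be checked before the certificate request. The following is an added example, not code from the thread or from Virtualmin; the host names keep the thread's domain but the addresses and the "listening" set are constructed from documentation ranges:

```python
import socket
from typing import Callable, Dict, List

# Constructed sample: 203.0.113.0/24 and 2001:db8::/32 are documentation ranges.
# Only the IPv4 address "listens"; the AAAA record is stale, as in the thread.
SAMPLE_RECORDS = {
    "gran-canaria-info.com": {"A": ["203.0.113.10"], "AAAA": ["2001:db8::10"]},
    "www.gran-canaria-info.com": {"A": ["203.0.113.10"], "AAAA": ["2001:db8::10"]},
}
SAMPLE_LISTENING = {"203.0.113.10"}


def tcp_reachable(ip: str, port: int = 443, timeout: float = 5.0) -> bool:
    """Live probe for real use: can a TCP connection to ip:port be opened?"""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def diagnose(records: Dict[str, Dict[str, List[str]]],
             reachable: Callable[[str], bool]) -> Dict[str, List[str]]:
    """Report, per name, each address family whose published addresses cannot be reached.

    The ACME validator connects to the published addresses itself and tries an AAAA
    address first when one exists, so an IPv6 address nothing listens on surfaces as
    "Timeout during connect (likely firewall problem)" even though IPv4 works.
    """
    findings: Dict[str, List[str]] = {}
    for name, rrs in records.items():
        problems = []
        if not rrs.get("A") and not rrs.get("AAAA"):
            problems.append("no A or AAAA record published")
        for rtype in ("A", "AAAA"):
            addrs = rrs.get(rtype, [])
            if addrs and not any(reachable(ip) for ip in addrs):
                problems.append(f"{rtype} {', '.join(addrs)}: not reachable, fix or remove the record")
        if problems:
            findings[name] = problems
    return findings


if __name__ == "__main__":
    # Offline run on the constructed sample; pass tcp_reachable for a live check.
    for name, problems in diagnose(SAMPLE_RECORDS, lambda ip: ip in SAMPLE_LISTENING).items():
        print(name, "->", "; ".join(problems))
```

For a live run, collect the A and AAAA addresses with `socket.getaddrinfo` (or `dig`) and pass `tcp_reachable` as the probe; probe port 80 as well when the site does not redirect to HTTPS.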
