Every 65 minutes; Let's Encrypt certificate renewal failed!

Operating system: Ubuntu
OS version: 20.04.2

certbot 0.40.0 is installed and Virtualmin SSL creation/renew process works; both Web and DNS based.

There is not even a need to renew the certificate for the domain, since the renewal date is 3/30/2021.

However, every 65 minutes, the system generates the email below:

An error occurred requesting a new certificate for domain .com, *.domain .com from Let’s Encrypt : DNS-based validation failed :

Use of --manual-public-ip-logging-ok is deprecated.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None Starting new HTTPS connection (1): acme-v02.api.letsencrypt .org Use of --manual-public-ip-logging-ok is deprecated.
Renewing an existing certificate for domain .com and *.domain .com Performing the following challenges:
dns-01 challenge for domain .com
dns-01 challenge for domain .com
Running manual-auth-hook command: /etc/webmin/webmin/letsencrypt-dns.pl
Running manual-auth-hook command: /etc/webmin/webmin/letsencrypt-dns.pl
Waiting for verification…
Challenge failed for domain domain.com Challenge failed for domain domain.com
dns-01 challenge for domain .com
dns-01 challenge for domain .com
Cleaning up challenges
Running manual-cleanup-hook command: /etc/webmin/webmin/letsencrypt-cleanup.pl
Running manual-cleanup-hook command: /etc/webmin/webmin/letsencrypt-cleanup.pl
Some challenges have failed.
IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: domain .com
    Type: dns
    Detail: DNS problem: NXDOMAIN looking up TXT for
    _acme-challenge.domain .com - check that a DNS record exists for
    this domain

    Domain: domain .com
    Type: dns
    Detail: DNS problem: NXDOMAIN looking up TXT for
    _acme-challenge.domain .com - check that a DNS record exists for
    this domain

It’s possible that creating a DNS TXT record will get your certificate validated.

I tried both manual (via certbot) and automated (via Virtualmin) renewal; they are working with no issues.
It seems to be something like a Webmin/Virtualmin cron job, but I couldn’t find any clue in the logs. Similarly, I couldn’t find that specific 65-minute cron job to check the problem.

@aaronk,

I’d be happy to work with you to resolve your LE issues. I’ve recently discovered and addressed LE issues within our own servers so I’m confident we can work through this and get you back to an operational status.

Drop me a line if you’d like to discuss.

Best Regards,
Peter Knowles | TPN Solutions

Affordable, Professional IT Support - tpnassist.com

Does anyone know how to disable/modify Virtualmin cron jobs, especially the one for Let’s Encrypt every 65 mins?

No luck with crontab or user/root cron dirs…

I don’t think Virtualmin has any jobs that run every 65 minutes. Seems like maybe it’s something certbot is doing (though I don’t know why it would; the way Virtualmin calls it should not set up anything recurring in certbot, as it handles the renewals itself every two months by default).

Did you run certbot manually at some point?

Edit: This is a wildcard cert. Did you mean to try to set up a wildcard cert? Do you host the DNS locally? It is impossible to get a wildcard via web-based validation, so you either have to host DNS in Virtualmin (and glue records need to reflect that) or you have to generate your cert using some other process that updates the necessary TXT record on renewals (e.g. certbot supports Route 53 hosted zones, as well as some other API-based DNS options).
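One way to narrow down what is invoking certbot every 65 minutes, as an added example that is not part of the original thread: certbot records every run in /var/log/letsencrypt/letsencrypt.log (the path in the quoted output) together with its argument list, so the timestamps and argv of successive runs reveal both the cadence and the command line used. The log excerpt below is constructed for illustration (module names and paths other than the Webmin hook are assumed), not taken from the poster's server.

```python
import re
from datetime import datetime

# Constructed excerpt in the shape of certbot's debug log
# (asctime,msecs:LEVEL:logger:message). Not from the poster's server.
SAMPLE_LOG = """\
2021-03-10 10:00:01,120:DEBUG:certbot.main:certbot version: 0.40.0
2021-03-10 10:00:01,121:DEBUG:certbot.main:Arguments: ['certonly', '--manual', '-d', 'domain.com', '-d', '*.domain.com', '--manual-auth-hook', '/etc/webmin/webmin/letsencrypt-dns.pl']
2021-03-10 10:00:15,002:WARNING:certbot.auth_handler:Challenge failed for domain domain.com
2021-03-10 11:05:01,330:DEBUG:certbot.main:certbot version: 0.40.0
2021-03-10 11:05:01,331:DEBUG:certbot.main:Arguments: ['certonly', '--manual', '-d', 'domain.com', '-d', '*.domain.com', '--manual-auth-hook', '/etc/webmin/webmin/letsencrypt-dns.pl']
2021-03-10 11:05:14,870:WARNING:certbot.auth_handler:Challenge failed for domain domain.com
2021-03-10 12:10:01,005:DEBUG:certbot.main:certbot version: 0.40.0
2021-03-10 12:10:01,006:DEBUG:certbot.main:Arguments: ['renew', '--quiet']
"""

# The timestamp is matched explicitly so the colons inside it do not confuse the field split.
RUN_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d+:DEBUG:[^:]+:Arguments: (.*)$")
FAIL_RE = re.compile(r":WARNING:[^:]+:Challenge failed for domain (\S+)")

def parse_runs(log_text):
    """Return (start_time, argv_repr) for every certbot invocation in the log."""
    runs = []
    for line in log_text.splitlines():
        m = RUN_RE.match(line)
        if m:
            runs.append((datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(2)))
    return runs

def run_intervals(runs):
    """Whole minutes between consecutive invocations; a steady value exposes the scheduler cadence."""
    return [int((b[0] - a[0]).total_seconds() // 60) for a, b in zip(runs, runs[1:])]

def classify(argv_repr):
    """Tell certbot's own 'renew' runs from certonly runs driven by the Webmin DNS hook."""
    if "'renew'" in argv_repr:
        return "certbot renew (certbot's own scheduler)"
    if "letsencrypt-dns.pl" in argv_repr:
        return "certonly via Webmin DNS hook (external caller)"
    return "other"

def failed_domains(log_text):
    """Domains whose dns-01 challenge failed, deduplicated."""
    return sorted({m.group(1) for m in FAIL_RE.finditer(log_text)})

if __name__ == "__main__":
    runs = parse_runs(SAMPLE_LOG)
    for (started, argv_repr), gap in zip(runs, [None] + run_intervals(runs)):
        print(started, f"+{gap} min" if gap is not None else "first", classify(argv_repr))
    print("failed:", failed_domains(SAMPLE_LOG))
```

Run it against the real file with `parse_runs(open("/var/log/letsencrypt/letsencrypt.log").read())`; certbot rotates that log, so check the `.1`/`.2` siblings too if the window of interest is older.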

Yes, DNS is locally hosted; Virtualmin can run the Let’s Encrypt renewal without any problem (both DNS validation and web validation are okay).
The every-65-minute email is coming from webmin@hostname, which is why I thought it would be related to Webmin/Virtualmin cron jobs.

Just to make sure: does Virtualmin use certbot to issue/renew certificates, or is another module taking care of it?

If certbot is installed, it uses certbot. certbot is preferred because it handles several edge cases that the bundled ACME Tiny cannot. And, for wildcards, it must use certbot. The bundled ACME Tiny client does not handle wildcards.

I’m not sure what’s going on…I’ve never seen that behavior (though I rarely use wildcard certs and don’t recommend them, as they have security implications).

Okay, then…

No more wildcard SSL… I hope certbot will stop mailing after it.

P.S. If not, since Virtualmin/Let’s Encrypt works properly, I can create a small script that blocks those false-positive emails from certbot.

Thanks again Joe.

I wouldn’t do that. certbot and Let’s Encrypt need to be able to communicate with you.

Figuring out what’s going wrong is the right thing here…I’m just not familiar enough with the problem to be able to tell you how to proceed.