Every 65 minutes; Let's Encrypt certificate renewal failed!

aaronk · April 2, 2021, 2:01pm

Operating system: Ubuntu
OS version: 20.04.2

certbot 0.40.0 is installed and Virtualmin SSL creation/renew process works; both Web and DNS based.

Even there is no need to renew the certificate for the domain since renewal date is 3/30/2021.

However, every 65 minutes; system generates the email below;

An error occurred requesting a new certificate for domain .com, *.domain .com from Let’s Encrypt : DNS-based validation failed :

Use of --manual-public-ip-logging-ok is deprecated.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None Starting new HTTPS connection (1): acme-v02.api.letsencrypt .org Use of --manual-public-ip-logging-ok is deprecated.
Renewing an existing certificate for domain .com and *.domain .com Performing the following challenges:
dns-01 challenge for domain .com
dns-01 challenge for domain .com
Running manual-auth-hook command: /etc/webmin/webmin/letsencrypt-dns.pl
Running manual-auth-hook command: /etc/webmin/webmin/letsencrypt-dns.pl
Waiting for verification…
Challenge failed for domain domain.com Challenge failed for domain domain.com
dns-01 challenge for domain .com
dns-01 challenge for domain .com
Cleaning up challenges
Running manual-cleanup-hook command: /etc/webmin/webmin/letsencrypt-cleanup.pl
Running manual-cleanup-hook command: /etc/webmin/webmin/letsencrypt-cleanup.pl
Some challenges have failed.
IMPORTANT NOTES:

The following errors were reported by the server:

Domain: domain .com
Type: dns
Detail: DNS problem: NXDOMAIN looking up TXT for
_acme-challenge.domain .com - check that a DNS record exists for
this domain

Domain: domain .com
Type: dns
Detail: DNS problem: NXDOMAIN looking up TXT for
_acme-challenge.domain .com - check that a DNS record exists for
this domain

ramin · April 2, 2021, 2:28pm

It’s possible that creating a DNS TXT record will get your certificate validated.

aaronk · April 2, 2021, 2:37pm

I both tried Manual(via certbot) and Auomated(via Virtualmin); they are working with no issues.
It seems something like cron jobs of webmin/virtualmin which I couldn’t find a clue on logs. Similarly, I couldn’t find that specific 65-min cron to check the problem.

tpnsolutions · April 2, 2021, 5:44pm

@aaronk,

I’d be happy to work with you to resolve your LE issues. I’ve recently discovered and addressed LE issues within our own servers so I’m confident we can work through this and get you back to an operational status.

Drop me a line if you’d like to discuss.

Best Regards,
Peter Knowles | TPN Solutions

Affordable, Professional IT Support - tpnassist.com

aaronk · April 4, 2021, 9:41pm

Anyone knows how to disable/modify Virtualmin cron jobs; especially the one for Letsencrypt every 65mins?

No luck with crontab or user/root cron dirs…

Joe · April 4, 2021, 10:11pm

I don’t think Virtualmin has any jobs that run every 65 minutes. Seems like maybe it’s something certbot is doing (though I don’t know why it would, the way Virtualmin calls it should not setup anything recurring in certbot, as it handles the renewals itself every two months by default).

Did you run certbot manually at some point?

Edit: This is a wildcard cert. Did you mean to try to setup a wildcard cert? Do you host the DNS locally? It is impossible to get a wildcard via web-based validation, so you either have to host DNS in Virtualmin (and glue records need to reflect that) or you have to generate your cert using some other process that updates the necessary TXT record on renewals (e.g. certbot supports Route 53 hosted zones, as well as some other API-based DNS options).

aaronk · April 5, 2021, 12:45am

Yes, DNS is locally hosted; Virtualmin can run Letsencrypt renewal without any problem(both DNS validation and web validation are okay).
Every 65-min email is coming from webmin@hostname that’s why I thought it would be related with Webmin/Virtualmin cron jobs.

Just to make sure; is Virtualmin use Certbot to issue/renew certificate or another module is taking care of it?

Joe · April 5, 2021, 12:59am

If certbot is installed, it uses certbot. certbot is preferred because it handles several edge cases that the bundled ACME Tiny cannot. And, for wildcards, it must use certbot. The bundled ACME Tiny client does not handle wildcards.

I’m not sure what’s going on…I’ve never seen that behavior (though I rarely use wildcard certs and don’t recommend them, as they have security implications).

aaronk · April 5, 2021, 1:35am

Okay, then…

No more wildcard SSL… I hope certbot will stop mailing after it.

P.S. If not, since Virtualmin/Letsencrypt works properly; I can create a small script that blocks that false-positive emails of certbot.

Thanks again Joe.

Joe · April 5, 2021, 1:46am

I wouldn’t do that. certbot and Let’s Encrypt need to be able to communicate with you.

Figuring out what’s going wrong is the right thing here…I’m just not familiar enough with the problem to be able to tell you how to proceed.