Failed to Renew Certificate

OS Version: Rocky 8.8
WebMin Version 2.021
I cannot find the Virtualmin version via the dash board

I have had a server running on Webmin using Virtual min for 3 years. It has was setup to automatically renew the websites certificate, and has done so successfully until this week. I received a failure message from webmin with from Let’s Encrypt : Domain has no website, and DNS-based validation is not possible.

I went through and checked on the certs on the server. I have run certbot certificates and was able to verify that I did infact get new certificates on the server that show new dates. However they were not put into place on the website, which still shows the old cert dates. I’m not sure where to look for a log to determine what went wrong, right now there is a warning that says

“this virtual server does not have an SSL website enabled yet. Any SSL certificate can only be used for other services”

Despite the website having a valid certificate for 14 more days.

I’m not sure where to check to see if there is just like a ON button for ssl or something that somehow got reset or if something more difficult needs to be done to fix this.

Thanks for you help

Do you have virtualmin then as its pretty obvious. Weird for 3 years you don’t see it.

Once this was set up I have only logged into it maybe 3 times, the version looks like it is 7.7 Thanks

Rather than start a new post, I am using this one as I too have suddenly started having issues with Lets Encrypt auto renewal.

I have changed nothing but for some reason (a recent update?) my server cannot renew its certificate and I get this message:

Requesting a certificate for xsxtc.uk, www.xsxtc.uk, mail.xsxtc.uk, admin.xsxtc.uk, webmail.xsxtc.uk, ns1.xsxtc.uk from Let’s Encrypt …
… request failed : Web-based validation failed : Failed to request certificate :
Traceback (most recent call last):

  • File “/usr/share/webmin/webmin/acme_tiny.py”, line 198, in *
  • main(sys.argv[1:])*
  • File “/usr/share/webmin/webmin/acme_tiny.py”, line 194, in main*
  • signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca, disable_check=args.disable_check, directory_url=args.directory_url, contact=args.contact)*
  • File “/usr/share/webmin/webmin/acme_tiny.py”, line 149, in get_crt*
  • raise ValueError(“Challenge did not pass for {0}: {1}”.format(domain, authorization))*
    ValueError: Challenge did not pass for ns1.xsxtc.uk: {‘identifier’: {‘type’: ‘dns’, ‘value’: ‘ns1.xsxtc.uk’}, ‘status’: ‘invalid’, ‘expires’: ‘2024-04-25T21:38:35Z’, ‘challenges’: [{‘type’: ‘http-01’, ‘status’: ‘invalid’, ‘error’: {‘type’: ‘urn:ietf:params:acme:error:unauthorized’, ‘detail’: ‘77.68.100.23: Invalid response from https://ns1.xsxtc.uk/.well-known/acme-challenge/g_51oS9S-UmME66BcA0VoqNEShACXh6hbWFmEE-WelA: 404’, ‘status’: 403}, ‘url’: ‘https://acme-v02.api.letsencrypt.org/acme/chall-v3/340143569877/YmPJQA’, ‘token’: ‘g_51oS9S-UmME66BcA0VoqNEShACXh6hbWFmEE-WelA’, ‘validationRecord’: [{‘url’: ‘http://ns1.xsxtc.uk/.well-known/acme-challenge/g_51oS9S-UmME66BcA0VoqNEShACXh6hbWFmEE-WelA’, ‘hostname’: ‘ns1.xsxtc.uk’, ‘port’: ‘80’, ‘addressesResolved’: [‘77.68.100.23’], ‘addressUsed’: ‘77.68.100.23’, ‘resolverAddrs’: [‘A:10.0.12.87:25049’, ‘AAAA:10.0.12.82:24201’]}, {‘url’: ‘https://ns1.xsxtc.uk/.well-known/acme-challenge/g_51oS9S-UmME66BcA0VoqNEShACXh6hbWFmEE-WelA’, ‘hostname’: ‘ns1.xsxtc.uk’, ‘port’: ‘443’, ‘addressesResolved’: [‘77.68.100.23’], ‘addressUsed’: ‘77.68.100.23’, ‘resolverAddrs’: [‘A:10.0.12.87:22300’, ‘AAAA:10.0.12.85:31867’]}], ‘validated’: ‘2024-04-18T21:38:49Z’}]}
  • DNS-based validation failed : Only the official Let’s Encrypt client supports DNS-based validation*

From what I can see it is a python script issue that is not accepting the ns1.xsxtc.uk entry. As I say I have changed nothing.

Any offers of help or suggestions?

Geoff

Postscript:

I remove d the ns1.xsxtc.uk reference and regenerated a certificate and it worked OK so the main websites (and importantly the mail server) now have certificates working.

When I add the ns1 entry back in, it fails again.

why would you need a cert for ns1?

http://ns1.xsxtc.uk/ redirect to https://15rsb.xsxtc.uk/ so I guess thats why its failing.

Don’t do that. Your issue is not the same as that of the original post, so this is changing the subject.

Start your own topics for new issues.

https://forum.virtualmin.com/guidelines/

OK Joe, apologies.

Thanks Stefan I will look at the redirect but you are right, ns1 does not need a certificate.

Thanks both.

Time for an upgrade perhaps?

Not just Virtualmin … but Rocky 8.8 also looks a bit out-of-date

That refers to each minor release. A simple dnf update should fix that.

These are major release dates.

  • Rocky Linux 8 is supported by the Rocky Linux project until May 2029.
  • Rocky Linux 9 is supported by the Rocky Linux project until May 2032.

Ok, but Virtualmin 7.7 is when 7.10.0 is current. (and goodness knows what the package’s states are like. A lot can happen in 3 years, (best to keep an eye on such things.)

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.