Failed to Renew Certificate

OS Version: Rocky 8.8
WebMin Version 2.021
I cannot find the Virtualmin version via the dashboard

I have had a server running on Webmin using Virtualmin for 3 years. It was set up to automatically renew the website's certificate, and has done so successfully until this week. I received a failure message from Webmin, from Let’s Encrypt: Domain has no website, and DNS-based validation is not possible.

I went through and checked on the certs on the server. I have run certbot certificates and was able to verify that I did in fact get new certificates on the server that show new dates. However, they were not put into place on the website, which still shows the old cert dates. I’m not sure where to look for a log to determine what went wrong. Right now there is a warning that says:

“this virtual server does not have an SSL website enabled yet. Any SSL certificate can only be used for other services”

Despite the website having a valid certificate for 14 more days.

I’m not sure where to check to see if there is just like an ON button for SSL or something that somehow got reset, or if something more difficult needs to be done to fix this.

Thanks for your help

Do you have Virtualmin then, as it's pretty obvious. Weird for 3 years you don’t see it.

Once this was set up I have only logged into it maybe 3 times. The version looks like it is 7.7. Thanks

Rather than start a new post, I am using this one as I too have suddenly started having issues with Let’s Encrypt auto renewal.

I have changed nothing but for some reason (a recent update?) my server cannot renew its certificate and I get this message:

Requesting a certificate for xsxtc.uk, www.xsxtc.uk, mail.xsxtc.uk, admin.xsxtc.uk, webmail.xsxtc.uk, ns1.xsxtc.uk from Let’s Encrypt …
… request failed : Web-based validation failed : Failed to request certificate :
Traceback (most recent call last):
  File "/usr/share/webmin/webmin/acme_tiny.py", line 198, in <module>
    main(sys.argv[1:])
  File "/usr/share/webmin/webmin/acme_tiny.py", line 194, in main
    signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca, disable_check=args.disable_check, directory_url=args.directory_url, contact=args.contact)
  File "/usr/share/webmin/webmin/acme_tiny.py", line 149, in get_crt
    raise ValueError("Challenge did not pass for {0}: {1}".format(domain, authorization))
ValueError: Challenge did not pass for ns1.xsxtc.uk: {'identifier': {'type': 'dns', 'value': 'ns1.xsxtc.uk'}, 'status': 'invalid', 'expires': '2024-04-25T21:38:35Z', 'challenges': [{'type': 'http-01', 'status': 'invalid', 'error': {'type': 'urn:ietf:params:acme:error:unauthorized', 'detail': '77.68.100.23: Invalid response from https://ns1.xsxtc.uk/.well-known/acme-challenge/g_51oS9S-UmME66BcA0VoqNEShACXh6hbWFmEE-WelA: 404', 'status': 403}, 'url': 'https://acme-v02.api.letsencrypt.org/acme/chall-v3/340143569877/YmPJQA', 'token': 'g_51oS9S-UmME66BcA0VoqNEShACXh6hbWFmEE-WelA', 'validationRecord': [{'url': 'http://ns1.xsxtc.uk/.well-known/acme-challenge/g_51oS9S-UmME66BcA0VoqNEShACXh6hbWFmEE-WelA', 'hostname': 'ns1.xsxtc.uk', 'port': '80', 'addressesResolved': ['77.68.100.23'], 'addressUsed': '77.68.100.23', 'resolverAddrs': ['A:10.0.12.87:25049', 'AAAA:10.0.12.82:24201']}, {'url': 'https://ns1.xsxtc.uk/.well-known/acme-challenge/g_51oS9S-UmME66BcA0VoqNEShACXh6hbWFmEE-WelA', 'hostname': 'ns1.xsxtc.uk', 'port': '443', 'addressesResolved': ['77.68.100.23'], 'addressUsed': '77.68.100.23', 'resolverAddrs': ['A:10.0.12.87:22300', 'AAAA:10.0.12.85:31867']}], 'validated': '2024-04-18T21:38:49Z'}]}
DNS-based validation failed : Only the official Let’s Encrypt client supports DNS-based validation

From what I can see it is a python script issue that is not accepting the ns1.xsxtc.uk entry. As I say I have changed nothing.

Any offers of help or suggestions?

Geoff

Postscript:

I removed the ns1.xsxtc.uk reference and regenerated a certificate and it worked OK, so the main websites (and importantly the mail server) now have certificates working.

When I add the ns1 entry back in, it fails again.

Why would you need a cert for ns1?

http://ns1.xsxtc.uk/ redirects to https://15rsb.xsxtc.uk/ so I guess that's why it's failing.
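The redirect discussed above is visible in the `validationRecord` list of the error itself, which records each URL the validation server fetched. As an added example (not part of the thread and not Webmin's code), this script parses an authorization object as printed by acme_tiny.py and reports the failed challenge and any redirect hops; the sample input is constructed with placeholder names, and it assumes the text was copied with straight quotes.

```python
import ast
from urllib.parse import urlsplit

# Constructed sample in the same shape as the authorization object acme_tiny.py
# prints in its ValueError (placeholder hostnames, address and token).
SAMPLE = (
    "{'identifier': {'type': 'dns', 'value': 'ns1.example.test'}, 'status': 'invalid', "
    "'challenges': [{'type': 'http-01', 'status': 'invalid', "
    "'error': {'type': 'urn:ietf:params:acme:error:unauthorized', "
    "'detail': '192.0.2.10: Invalid response from "
    "https://ns1.example.test/.well-known/acme-challenge/TOKEN: 404', 'status': 403}, "
    "'token': 'TOKEN', 'validationRecord': ["
    "{'url': 'http://ns1.example.test/.well-known/acme-challenge/TOKEN', "
    "'hostname': 'ns1.example.test', 'port': '80', 'addressUsed': '192.0.2.10'}, "
    "{'url': 'https://ns1.example.test/.well-known/acme-challenge/TOKEN', "
    "'hostname': 'ns1.example.test', 'port': '443', 'addressUsed': '192.0.2.10'}]}]}"
)

def summarize_authorization(text):
    """Return a summary of every failed challenge in a printed authorization dict."""
    authz = ast.literal_eval(text)  # parses Python literals only, never executes code
    results = []
    for chall in authz.get("challenges", []):
        if chall.get("status") != "invalid":
            continue
        hops = [urlsplit(r["url"]) for r in chall.get("validationRecord", [])]
        notes = []
        for prev, cur in zip(hops, hops[1:]):
            if prev.hostname != cur.hostname:
                notes.append(f"redirected to another host: {cur.hostname}")
            elif prev.scheme != cur.scheme:
                notes.append(f"redirected {prev.scheme} -> {cur.scheme}")
        expected = "/.well-known/acme-challenge/" + chall.get("token", "")
        if hops and hops[-1].path != expected:
            notes.append("final path is not the challenge path")
        results.append({
            "domain": authz["identifier"]["value"],
            "type": chall["type"],
            "error": chall.get("error", {}).get("detail", ""),
            "final_url": hops[-1].geturl() if hops else None,
            "notes": notes,
        })
    return results

if __name__ == "__main__":
    for item in summarize_authorization(SAMPLE):
        print(item)
```

A hop that changes scheme or host means the challenge file must be served by whichever virtual host answers the final URL, not the one that received the first request.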

Don’t do that. Your issue is not the same as that of the original post, so this is changing the subject.

Start your own topics for new issues.

https://forum.virtualmin.com/guidelines/

OK Joe, apologies.

Thanks Stefan I will look at the redirect but you are right, ns1 does not need a certificate.

Thanks both.

Time for an upgrade perhaps?

Not just Virtualmin … but Rocky 8.8 also looks a bit out-of-date

That refers to each minor release. A simple dnf update should fix that.

These are major release dates.

  • Rocky Linux 8 is supported by the Rocky Linux project until May 2029.
  • Rocky Linux 9 is supported by the Rocky Linux project until May 2032.

Ok, but Virtualmin 7.7 is when 7.10.0 is current (and goodness knows what the packages' states are like). A lot can happen in 3 years (best to keep an eye on such things).