Is there an ELI5 for Let’s Encrypt?

Is there a simple, step-by-step set of instructions to get Let’s Encrypt to work?

I’m trying to get a new certificate for an installation that previously worked 100% fine until I added one alias server, and after several hours of troubleshooting realized that it wasn’t covered by the parent server’s SSL cert. So I tried the procedure that worked last time: the fully automated way provided in Virtualmin where you tell it to just create a cert for all domains on the server. Except this time, instead of working, it created a huge 1.5MB text file full of errors and told me to read it. Yeah, unfortunately I’m still in the middle of The Brothers Karamazov, so I don’t have time to start another novel yet.

I just tried again and it was much more terse, but no more helpful:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for [domain1].com and 14 more domains

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
  Domain: admin.[domain3].com
  Type:   unauthorized
  Detail: [my external IP address]: Invalid response from https://admin.[domain3].com/.well-known/acme-challenge/Eu6yYFxuWN9jEDgTcvrRu4_PKf165AE0rBE-FVjbKbw: 404

  Domain: mail.[domain3].com
  Type:   unauthorized
  Detail: [my external IP address]: Invalid response from https://mail.[domain3].com/.well-known/acme-challenge/1Ng40LTfi1wOO-gukyzaN8BOYyewsEkWC-q_dcHU49o: 404

  Domain: webmail.[domain3].com
  Type:   unauthorized
  Detail: [my external IP address]: Invalid response from https://webmail.[domain3].com/.well-known/acme-challenge/lC6hryfAf0XwgbkM0-1ArTrMTgLNptlGUOS756ceFfY: 404

  Domain: admin.[domain1].com
  Type:   unauthorized
  Detail: [my external IP address]: Invalid response from https://admin.[domain1].com/.well-known/acme-challenge/zOJhDrrmptCXfFl4rem0qQRu71BvFKSVXM7iq-Mnq_E: 404

  Domain: admin.[domain2].com
  Type:   unauthorized
  Detail: [my external IP address]: Invalid response from https://admin.[domain2].com/.well-known/acme-challenge/Lx9Elc_GgVf5RHH30kOyHiydGp_8vE2Yryo5XHqIhME: 404

  Domain: [domain1].com
  Type:   unauthorized
  Detail: [my external IP address]: Invalid response from https://[domain1].com/.well-known/acme-challenge/19xYeGjn_ESROqz7GnQMVH2S5J2OkzPV6M3DgplzJEo: 404

  Domain: mail.[domain1].com
  Type:   unauthorized
  Detail: [my external IP address]: Invalid response from https://mail.[domain1].com/.well-known/acme-challenge/_SqsCOm6iGTw1_EKDoMc-MgL-bNw5viTryPxehFV4s4: 404

  Domain: mail.[domain2].com
  Type:   unauthorized
  Detail: [my external IP address]: Invalid response from https://mail.[domain2].com/.well-known/acme-challenge/8V3q1RRF7vmfUOgv7yVe5fW8MLPM3vvTo58sxiZ5bxw: 404

  Domain: [domain2].com
  Type:   unauthorized
  Detail: [my external IP address]: Invalid response from https://[domain2].com/.well-known/acme-challenge/HxwT_tpbLgGrs0_kYCcmfb9M0-sLBZeq9mmg_k8ektY: 404

  Domain: [domain3].com
  Type:   unauthorized
  Detail: [my external IP address]: Invalid response from https://[domain3].com/.well-known/acme-challenge/-H62kLmv9cPBlvCsfQIIrk3BYnhyqllyjO6BuJ--I04: 404

  Domain: webmail.[domain1].com
  Type:   unauthorized
  Detail: [my external IP address]: Invalid response from https://webmail.[domain1].com/.well-known/acme-challenge/v3MNcGLanyl6oh9VHOAK0qNsuCu-MCTZtKhP549VUIY: 404

  Domain: webmail.[domain2].com
  Type:   unauthorized
  Detail: [my external IP address]: Invalid response from https://webmail.[domain2].com/.well-known/acme-challenge/_SzlSIg6jKQKjHe0HVamlNIQ0NTSycV63LHusK0Z51Q: 404

  Domain: www.[domain1].com
  Type:   unauthorized
  Detail: [my external IP address]: Invalid response from https://www.[domain1].com/.well-known/acme-challenge/kBtpHwtygXK_9vCPp79NsGe4QEES_-XArSNS6AHnuEo: 404

  Domain: www.[domain2].com
  Type:   unauthorized
  Detail: [my external IP address]: Invalid response from https://[domain2].com/.well-known/acme-challenge/G8pOWgJXtd4s7EqIljJDRnMf9OWxg3289vG46AF3lhg: 404

  Domain: www.[domain3].com
  Type:   unauthorized
  Detail: [my external IP address]: Invalid response from https://www.[domain3].com/.well-known/acme-challenge/G2s6RQbU_MUvubWhfI_tRTLJREwfJOjyvD-f9clU_b0: 404

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

So apparently it’s not seeing the .well-known folder files, but I can’t see why. I haven’t set up any firewall or .htaccess rules that would prevent it. My setup is about as vanilla as it gets.

I can see in Wordfence that a number of calls to things like .well-known/acme-challenge/HxwT_tpbLgGrs0_kYCcmfb9M0-sLBZeq9mmg_k8ektY are marked as “tried to access a non-existent page” which means the requests are getting through just fine, certbot just isn’t putting the files where they need to be. I have no idea how to troubleshoot that… I mean, I think they’re supposed to be there, and certbot thinks they’re supposed to be there, and the firewall isn’t blocking the requests, but they’re not there. ??? Apache log says the same thing, the requests reached the server but the files mostly weren’t there like they were supposed to be. Nothing at all in the apache error log.

I even went so far as to move my full hierarchy of web documents to a storage folder, recreate just the virtual server and alias folder structure with empty folders, no wordpress, not even .htaccess files, just empty folders, and tried to get Let’s Encrypt to work then. More 404 errors as above. I personally both used a browser and went into terminal and used curl from the command line to make sure that the contents of .well-known/acme-challenge were accessible over the internet. They are, by both methods, I had no problem reading files I placed in them to test. The folders are readable via the parent domain and both aliases. No 404 errors, no problem reading files from them. And Let’s Encrypt insists they’re not accessible.

I do suspect something is broken under the hood with virtualmin’s alias servers, as the “alias” I created by selecting to create a virtual server as an alias turned out not to be an alias, showed up as not being an alias on the virtual server list, and looking at the files buried in /etc/webmin/virtual-servers/, it’s completely different from other working alias servers I have. I deleted and recreated it 4 or 5 times to make sure I wasn’t missing anything, same results every time. I ended up deleting it and cloning a working alias server, although ultimately that didn’t get me any closer to a working SSL install either.

I did a ton of googling and, what I would really like, instead of trying to guess what’s wrong and chase down a million potential loose ends that may or may not be it, is just to find simple, clear instructions for how to set everything up so Let’s Encrypt will run, and run properly, without me having to lose a second entire day to this.

Is there a setup guide for newbies somewhere that will explain step by step exactly what Let’s Encrypt needs in place to run properly?

I’m not doing anything complicated, this is a very plain vanilla server designed to host a couple of my own simple personal sites. Last time I did this it just worked, it took less than 5 minutes. This time it just doesn’t and I’ve lost maybe 18 hours so far on this simple 5-minute task, without the slightest progress towards a solution.

I’d be happy to wipe my server and rebuild from scratch if I knew it would be in working shape when I was done. I just need the instructions for what to do.

Alternatively, if anybody with enough posts on the forums for me to see that they’re reputable wants a short consulting gig, PM me a quote to do this for me, I can give you remote access to get it done. I just need a domain alias for one website that works over both http and https. It shouldn’t be this hard.

I’m really a little frustrated that the whole idea of Let’s Encrypt is it’s supposed to make SSL “easy”, and it just stole 18 hours of my life to not even get it running.

SYSTEM INFORMATION
OS type and version: Debian 12
Webmin version: latest
Virtualmin version: latest
Related packages: certbot

It’s always the same three problems: DNS is wrong (which has a few variants), web server isn’t responding correctly (proxy or redirect rules preventing access to the .well-known path or the wrong site is showing up), or Virtualmin isn’t managing DNS and you’re requesting a wildcard.

You don’t appear to be requesting a wildcard, so it can’t be the last one.

My guess is you:

Requesting certs for names that aren’t correct in DNS. Do all of those names (e.g. webmail.domain3.com) resolve to the right IP address? If not, you either shouldn’t request a cert for it (remove it from the list of names for the cert), or you should fix DNS.

or

You’re running a web app that has an .htaccess file or some other proxy or redirect rules that’s preventing access to .well-known.

Put a file in /home/domain/public_html/.well-known and try to download it with your browser, on every domain you’re requesting a cert for. Until that works, you can’t request a Let’s Encrypt cert.

And, if you search the forum, you’ll find many, many discussions of this. Let’s Encrypt is as easy as we can make it. But, if DNS is managed outside the system, we’re trusting you to set up all the names (if DNS isn’t enabled in Virtualmin for the domain, Virtualmin will show you “Suggested DNS Records” that you can use to be sure you have all the records you need for basic functionality like this). If you don’t want the extra names (like webmail), you can also disable those in the Server Templates, or you can choose not to include them on the cert.

And, if you’re installing web apps outside of Virtualmin’s control, with custom .htaccess or proxy/redirect rules, then you’ll need to make sure .well-known is not sucked up by those rules.
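A small script that runs the two checks from this reply (does each name resolve to the server, and can a test file dropped under .well-known/acme-challenge be fetched back over plain HTTP) for every name in one go, before certbot is asked for the cert. This is an added example, not Virtualmin’s or certbot’s own code; the public IP, the DOMAIN:WEBROOT pairs and the paths in the usage line are assumptions to replace with your own.

```shell
#!/bin/sh
# acme-preflight.sh: the two checks from the reply above (DNS, then a test
# file under .well-known/acme-challenge fetched over plain HTTP), run for
# every name before certbot is asked for the cert. Paths are hypothetical.
#
# usage: sh acme-preflight.sh PUBLIC_IPV4 DOMAIN:WEBROOT [DOMAIN:WEBROOT ...]

ACME_REL=".well-known/acme-challenge"
# Fetcher, called as "<cmd> <output-file> <url>"; follows redirects like the
# CA does. Overridable (FETCH=...) so the logic can be exercised offline.
FETCH="${FETCH:-curl -sS -L --max-time 10 -o}"

# resolve_a NAME: first IPv4 address NAME resolves to, empty if none (glibc getent)
resolve_a() {
    getent ahostsv4 "$1" 2>/dev/null | awk 'NR==1 {print $1}'
}

# check_domain DOMAIN WEBROOT PUBLIC_IPV4: 0 if DNS points here and the token
# file is served back unchanged, 1 with a reason otherwise
check_domain() {
    domain=$1 webroot=$2 public_ip=$3
    ip=$(resolve_a "$domain")
    if [ "$ip" != "$public_ip" ]; then
        echo "FAIL $domain: resolves to '${ip:-nothing}', expected $public_ip (fix DNS or drop the name from the cert)"
        return 1
    fi
    mkdir -p "$webroot/$ACME_REL" || return 1
    token=$(head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n')
    printf 'acme-preflight-%s' "$token" > "$webroot/$ACME_REL/$token"
    tmp=$(mktemp)
    $FETCH "$tmp" "http://$domain/$ACME_REL/$token"
    got=$(cat "$tmp" 2>/dev/null)
    rm -f "$tmp" "$webroot/$ACME_REL/$token"   # certbot also removes its token afterwards
    if [ "$got" = "acme-preflight-$token" ]; then
        echo "OK   $domain: challenge file served from $webroot"
        return 0
    fi
    echo "FAIL $domain: http://$domain/$ACME_REL/$token did not return the token (404, redirect/.htaccess rule, or another VirtualHost answered)"
    return 1
}

# preflight PUBLIC_IPV4 DOMAIN:WEBROOT...: exit status = number of failing names
preflight() {
    public_ip=$1; shift; failed=0
    for pair in "$@"; do
        check_domain "${pair%%:*}" "${pair#*:}" "$public_ip" || failed=$((failed + 1))
    done
    return $failed
}

if [ $# -gt 0 ]; then preflight "$@"; fi
```

Run it as the user that owns the webroot so the token file is created with the same ownership Virtualmin’s own files have; a FAIL on a name you did not know was on the cert is the cue to drop it from the list.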

Oh, wait.

Something is fundamentally broken. Something is broken in your configuration, you don’t need a guide to Let’s Encrypt, you need to figure out what broke. You shouldn’t need to do anything to make those files exist. When you request them in Virtualmin, they get created (and also deleted immediately after validation).

So…I have no idea what’s going on.

Are you seeing these log entries in the right virtual server log? It’s possible you have a “wrong site shows up” problem, caused by having some VirtualHosts configured with *, while others are configured with IPs. (See Website Troubleshooting – Virtualmin). Other causes of “wrong site shows up” include IPv6 misconfiguration.

Thanks… yeah, I had a feeling something is fundamentally broken. I’m thinking virtualmin is not a good idea to rely on, if things are just going to mysteriously break and cause me to have to do 18 hours of troubleshooting. I really need my servers to just kind of run and be working without me having to constantly babysit them.

I don’t think there’s any issue of wrong sites turning up. I’ve been a webmaster part time for about 26 years, so I’m pretty familiar with IP networking and keeping websites running. This Virtualmin experience is literally the first time in all that time I’ve ever had any difficulties administering a website.

My hosts are configured however they wound up being configured when I imported from Cpanel… which, by the way, is what I think is the root cause of all these problems. I don’t think Virtualmin’s “Cpanel import” features really work as advertised, I think I got left with a very hinky, unstable system and that’s why everything is so weird and hard to figure out. So I don’t know if they configured with * or IPs or whatever.

I do know the inability to find any documentation or help with these bizarre problems is a strong disincentive to use virtualmin and I regret the huge time investment I’ve made in this. I’ve gotten down in the bits and bytes and configured vhosts in apache by hand without problem… using management software should be even easier than that, not far harder.

Fortunately I run my server on vmware, I think I have a backup of the server VM from a couple days ago and can fire that up and restore my separate wordpress backups and not have too much data loss. This whole experience has been a nightmare, though, and I really need to figure out how to avoid software like Virtualmin in the future. It really looked like it was going to do the job, and “weird problems without any answers result in me missing entire nights of sleep trying to fix it just so I can have my website up and accessible on the internet” just isn’t acceptable.

I do appreciate your taking the time to reply, though. Thanks.

Works fine, been using virtualmin for at least 10 years and webmin for 20 years; maybe it’s just not for you.

Works fine, been using virtualmin for at least 10 years and webmin for 20 years

Well, um, congratulations?

Works fine for me also. Your error logs seem to indicate a web server configuration problem. Are you sure that all required modules for your web server are installed and there are no ‘custom’ directives that cpanel has written to the web server config files which this server is now reading?
If you have a spare domain name (not brought over from the migration), why not create that using virtualmin and request a certificate? If that works, your problem will lie (I guess) in the web server configuration.

That’s how my problem has started. My install has worked fine for months (notwithstanding all the minor rough spots like things that didn’t actually import, the subdomains that were broken after the import, the fact that I noticed sometimes virtualmin doesn’t save settings correctly, etc). It’s at least served my websites fine and didn’t give me errors in Swahili when I first tried to get Let’s Encrypt set up.

Things didn’t turn unpredictable until I tried to add a new domain as an alias two nights ago, the first time I’ve tried to add a domain since the cpanel import. That’s when the inexplicable problems started, and spread to my previously set-up domains which had worked fine for months, and finally to webmin itself, as just in the last hour it’s giving me new errors I’ve never seen before, connection problems just trying to log in.

And I know it’s webmin’s problems because some of the domains I have hosted on that server are still running absolutely without issue, only some are totally broken now. So it’s not a connectivity issue or larger issue with my server.

Look, I think it’s really great that some people have had no problems with virtualmin. (I would love to know how you accomplished that, BTW.) My point in posting here wasn’t to claim it doesn’t work for some other person. I’m just asking if anybody can point to a solution to what’s not working for me.

Have you checked the web server configuration files for errors? Checked the web server / domain error logs? This may give you a clue.

As you have some experience, just take a look at the actual config files, as all Virtualmin ever does (hopefully someone will correct me if I’m wrong) is to modify traditional config files, such as (my only experience is on RedHat) /etc/httpd/conf/httpd.conf.

So – with a bit of work with MORE/LESS/VIM/NANO, you can examine everything Virtualmin does :grinning: Perhaps something will jump out at you to show what’s different among your Virtual Servers.

The problem I believe it to be wouldn’t show up as errors. The config is valid, it just doesn’t behave the way anyone expects (when you mix and match * with IP based virtual hosts, you get behavior that surprises literally everyone, likewise when IPv6 is configured for some VirtualHosts but not others, you may also get surprising behavior).

OP doesn’t seem to want to check that, I’m not sure why, but that seems the most likely problem.
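An added example (not Virtualmin’s code) of how to check for the mixed-VirtualHost condition described above without reading every section by eye: it walks the Apache config files you pass it, prints each VirtualHost’s address, port and ServerName, and fails when a port has both a `*` section and an explicit IPv4 or IPv6 section. The config path in the usage line is an assumption; the directory holding your domains’ Apache config may differ.

```shell
#!/bin/sh
# vhost-mix-check.sh: list every <VirtualHost> in the given Apache config
# files and flag the mix the reply above warns about. Apache picks the
# VirtualHost whose address matches a request most specifically, so on a port
# where both "*:80" and "203.0.113.10:80" sections exist, the IP-based one
# answers every request reaching that IP, whatever Host header was sent, and
# the name-based "*" sections are never consulted for it.
#
# usage: sh vhost-mix-check.sh /etc/apache2/sites-enabled/*.conf   (path assumed)

# check_vhost_mix FILE...: prints "address port ServerName" per section and
# returns 1 if any port has both a "*" section and an explicit IPv4/IPv6 one
check_vhost_mix() {
    awk '
        function kind(a) { return (a == "*" || a == "_default_") ? "wildcard" : (a ~ /^\[/ ? "ipv6" : "ipv4") }
        /^[ \t]*<VirtualHost[ \t]/ {
            s = $0; sub(/^[ \t]*<VirtualHost[ \t]+/, "", s); sub(/[ \t]*>.*$/, "", s)
            na = split(s, addrs, /[ \t]+/); name = "(no ServerName)"; next
        }
        na && /^[ \t]*ServerName[ \t]/ { name = $2 }
        na && /^[ \t]*<\/VirtualHost>/ {
            for (i = 1; i <= na; i++) {
                addr = addrs[i]; port = "*"
                # split "[2001:db8::1]:80", "203.0.113.10:80" or "*:80" into address and port
                if (match(addr, /:[0-9*]+$/)) { port = substr(addr, RSTART + 1); addr = substr(addr, 1, RSTART - 1) }
                printf "%-22s %-5s %s\n", addr, port, name
                seen[port, kind(addr)] = 1; ports[port] = 1
            }
            na = 0
        }
        END {
            bad = 0
            for (p in ports)
                if ((p, "wildcard") in seen && ((p, "ipv4") in seen || (p, "ipv6") in seen)) {
                    print "MIXED: port " p " has both *-based and IP-based VirtualHosts; the IP-based one wins for its address"
                    bad = 1
                }
            exit bad
        }' "$@"
}

if [ $# -gt 0 ]; then check_vhost_mix "$@"; fi
```

`apachectl -S` gives the same information from the running configuration, including sections pulled in through Include lines that this file-based scan would miss.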

That’s one to remember.

No, because I wouldn’t know an apache configuration error unless it jumped off the page, stuck out its hand, and said, “Hi, you may not recognize me, but I’m the apache configuration error you’re looking for”.

What is a ‘*’? Wildcard? I’m not knowingly using wildcards anywhere, or using IPv6.

{:puff of smoke comes out of top of head:} I absolutely want to check that. I need an ELI5, as stated in the title. It’s not that I “don’t want” to do the right thing, I just don’t understand what it is you’re telling me to do. I don’t even understand what you are referring to as “that” when you say “OP doesn’t seem to want to check that”.

Are you claiming for some reason that I don’t want to look at the config files in a text editor? Of course I have, many times now.

Me looking at Apache config files in a text editor is like, when someone has engine trouble, so they lift the hood, and stand there and stare intently at the engine. And you guys are being like “Engine trouble? He should just check to see if something’s wrong with the engine.” “Yeah, seems like for some reason he doesn’t want to do that.” I do! I’m right here looking at it! I’ve got the hood open and everything! I’ve been staring at it for hours! Now what?

Anybody got a Haynes manual for this thing?

I pointed you to a specific section of our troubleshooting guide: Is there an ELI5 for Let’s Encrypt? - #4 by Joe

If you’re having trouble following that or can’t see anything that matches what’s described, then bring that information to us. To me, it looks like you have a mix of * and IP-based VirtualHost sections in your Apache configuration (which does not behave the way anyone would think). But, that behavior can also come from misconfigured IPv6 on the system (and Virtualmin-created IPv6 VirtualHosts because it thought you wanted IPv6 based on seeing IPv6 configured).

There might be something else going on, but if you won’t answer the questions I asked, I can’t really do more. I don’t have enough information to be certain what’s going wrong, which is why I asked for more information above; you haven’t confirmed that you’re seeing requests in the right logs, for example.
