Is there a simple, step-by-step set of instructions to get Let's Encrypt to work?
I’m trying to get a new certificate for an installation that previously worked 100% fine until I added one alias server, and after several hours of troubleshooting realized that it wasn’t covered by the parent server’s SSL cert. So I tried the procedure that worked last time: the fully automated way provided in Virtualmin where you tell it to just create a cert for all domains on the server. Except this time, instead of working, it created a huge 1.5MB text file full of errors and told me to read it. Yeah, unfortunately I’m still in the middle of The Brothers Karamazov, so I don’t have time to start another novel yet.
I just tried again and it was much more terse, but no more helpful:
```
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for [domain1].com and 14 more domains
Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
Domain: admin.[domain3].com
Type: unauthorized
Detail: [my external IP address]: Invalid response from https://admin.[domain3].com/.well-known/acme-challenge/Eu6yYFxuWN9jEDgTcvrRu4_PKf165AE0rBE-FVjbKbw: 404
Domain: mail.[domain3].com
Type: unauthorized
Detail: [my external IP address]: Invalid response from https://mail.[domain3].com/.well-known/acme-challenge/1Ng40LTfi1wOO-gukyzaN8BOYyewsEkWC-q_dcHU49o: 404
Domain: webmail.[domain3].com
Type: unauthorized
Detail: [my external IP address]: Invalid response from https://webmail.[domain3].com/.well-known/acme-challenge/lC6hryfAf0XwgbkM0-1ArTrMTgLNptlGUOS756ceFfY: 404
Domain: admin.[domain1].com
Type: unauthorized
Detail: [my external IP address]: Invalid response from https://admin.[domain1].com/.well-known/acme-challenge/zOJhDrrmptCXfFl4rem0qQRu71BvFKSVXM7iq-Mnq_E: 404
Domain: admin.[domain2].com
Type: unauthorized
Detail: [my external IP address]: Invalid response from https://admin.[domain2].com/.well-known/acme-challenge/Lx9Elc_GgVf5RHH30kOyHiydGp_8vE2Yryo5XHqIhME: 404
Domain: [domain1].com
Type: unauthorized
Detail: [my external IP address]: Invalid response from https://[domain1].com/.well-known/acme-challenge/19xYeGjn_ESROqz7GnQMVH2S5J2OkzPV6M3DgplzJEo: 404
Domain: mail.[domain1].com
Type: unauthorized
Detail: [my external IP address]: Invalid response from https://mail.[domain1].com/.well-known/acme-challenge/_SqsCOm6iGTw1_EKDoMc-MgL-bNw5viTryPxehFV4s4: 404
Domain: mail.[domain2].com
Type: unauthorized
Detail: [my external IP address]: Invalid response from https://mail.[domain2].com/.well-known/acme-challenge/8V3q1RRF7vmfUOgv7yVe5fW8MLPM3vvTo58sxiZ5bxw: 404
Domain: [domain2].com
Type: unauthorized
Detail: [my external IP address]: Invalid response from https://[domain2].com/.well-known/acme-challenge/HxwT_tpbLgGrs0_kYCcmfb9M0-sLBZeq9mmg_k8ektY: 404
Domain: [domain3].com
Type: unauthorized
Detail: [my external IP address]: Invalid response from https://[domain3].com/.well-known/acme-challenge/-H62kLmv9cPBlvCsfQIIrk3BYnhyqllyjO6BuJ--I04: 404
Domain: webmail.[domain1].com
Type: unauthorized
Detail: [my external IP address]: Invalid response from https://webmail.[domain1].com/.well-known/acme-challenge/v3MNcGLanyl6oh9VHOAK0qNsuCu-MCTZtKhP549VUIY: 404
Domain: webmail.[domain2].com
Type: unauthorized
Detail: [my external IP address]: Invalid response from https://webmail.[domain2].com/.well-known/acme-challenge/_SzlSIg6jKQKjHe0HVamlNIQ0NTSycV63LHusK0Z51Q: 404
Domain: www.[domain1].com
Type: unauthorized
Detail: [my external IP address]: Invalid response from https://www.[domain1].com/.well-known/acme-challenge/kBtpHwtygXK_9vCPp79NsGe4QEES_-XArSNS6AHnuEo: 404
Domain: www.[domain2].com
Type: unauthorized
Detail: [my external IP address]: Invalid response from https://[domain2].com/.well-known/acme-challenge/G8pOWgJXtd4s7EqIljJDRnMf9OWxg3289vG46AF3lhg: 404
Domain: www.[domain3].com
Type: unauthorized
Detail: [my external IP address]: Invalid response from https://www.[domain3].com/.well-known/acme-challenge/G2s6RQbU_MUvubWhfI_tRTLJREwfJOjyvD-f9clU_b0: 404
Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
```
So apparently it’s not seeing the .well-known folder files, but I can’t see why. I haven’t set up any firewall or .htaccess rules that would prevent it. My setup is about as vanilla as it gets.
I can see in Wordfence that a number of calls to things like .well-known/acme-challenge/HxwT_tpbLgGrs0_kYCcmfb9M0-sLBZeq9mmg_k8ektY are marked as “tried to access a non-existent page”, which means the requests are getting through just fine; certbot just isn’t putting the files where they need to be. I have no idea how to troubleshoot that… I mean, I think they’re supposed to be there, and certbot thinks they’re supposed to be there, and the firewall isn’t blocking the requests, but they’re not there. ??? The Apache log says the same thing: the requests reached the server, but the files mostly weren’t there like they were supposed to be. Nothing at all in the Apache error log.
I even went so far as to move my full hierarchy of web documents to a storage folder, recreate just the virtual server and alias folder structure with empty folders, no WordPress, not even .htaccess files, just empty folders, and tried to get Let's Encrypt to work then. More 404 errors as above. I personally both used a browser and went into a terminal and used curl from the command line to make sure that the contents of .well-known/acme-challenge were accessible over the internet. They are, by both methods; I had no problem reading files I placed in them to test. The folders are readable via the parent domain and both aliases. No 404 errors, no problem reading files from them. And Let's Encrypt insists they’re not accessible.
I do suspect something is broken under the hood with Virtualmin’s alias servers, as the “alias” I created by selecting to create a virtual server as an alias turned out not to be an alias, showed up as not being an alias on the virtual server list, and looking at the files buried in /etc/webmin/virtual-servers/, it’s completely different from other working alias servers I have. I deleted and recreated it 4 or 5 times to make sure I wasn’t missing anything, same results every time. I ended up deleting it and cloning a working alias server, although ultimately that didn’t get me any closer to a working SSL install either.
I did a ton of googling, and what I would really like, instead of trying to guess what’s wrong and chase down a million potential loose ends that may or may not be it, is just to find simple, clear instructions for how to set everything up so Let’s Encrypt will run, and run properly, without me having to lose a second entire day to this.
Is there a setup guide for newbies somewhere that will explain step by step exactly what Let’s Encrypt needs in place to run properly?
I’m not doing anything complicated; this is a very plain vanilla server designed to host a couple of my own simple personal sites. Last time I did this it just worked; it took less than 5 minutes. This time it just doesn’t, and I’ve lost maybe 18 hours so far on this simple 5-minute task, without the slightest progress towards a solution.
I’d be happy to wipe my server and rebuild from scratch if I knew it would be in working shape when I was done. I just need the instructions for what to do.
Alternatively, if anybody with enough posts on the forums for me to see that they’re reputable wants a short consulting gig, PM me a quote to do this for me; I can give you remote access to get it done. I just need a domain alias for one website that works over both http and https. It shouldn’t be this hard.
I’m really a little frustrated that the whole idea of Let’s Encrypt is it’s supposed to make SSL “easy”, and it just stole 18 hours of my life to not even get it running.
| SYSTEM INFORMATION | |
|---|---|
| OS type and version | Debian 12 |
| Webmin version | latest |
| Virtualmin version | latest |
| Related packages | certbot |
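The manual check described in the post (placing a file under .well-known/acme-challenge and fetching it with curl) can be scripted, together with the check the post's symptoms point at but never names: whether the directory certbot writes into (its -w webroot) is the DocumentRoot Apache actually serves for each hostname, aliases included. A request that reaches Apache and returns 404 while the token sits in a different directory is exactly what the CA reports above. The script also parses certbot's failure report and flags entries where the CA ended up fetching from a different host than the one being validated (in the output above, www.[domain2].com is reported at https://[domain2].com/...), which means the web server redirected the challenge request. This is an added example, not code from the original post, Virtualmin or certbot; the hostnames example.com/example.net, the address 203.0.113.10, the TOKEN_* values and the directory layout in demo_local_check() are constructed placeholders.

```python
"""Pre-flight checks for certbot --webroot (HTTP-01) on a multi-domain Virtualmin host.

Added example with constructed data; not code from the forum post, certbot or Virtualmin.
"""
import os
import re
import secrets
import tempfile
import urllib.error
import urllib.parse
import urllib.request

# Constructed sample in the shape of certbot's failure report (hostnames,
# address and tokens are placeholders, not the poster's).
SAMPLE_CERTBOT_OUTPUT = """\
Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
Domain: admin.example.com
Type: unauthorized
Detail: 203.0.113.10: Invalid response from https://admin.example.com/.well-known/acme-challenge/TOKEN_A: 404
Domain: example.com
Type: unauthorized
Detail: 203.0.113.10: Invalid response from https://example.com/.well-known/acme-challenge/TOKEN_B: 404
Domain: www.example.net
Type: unauthorized
Detail: 203.0.113.10: Invalid response from https://example.net/.well-known/acme-challenge/TOKEN_C: 404
Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot.
"""

_FAILURE_RE = re.compile(
    r"Domain:\s*(?P<domain>\S+)\s*\n"
    r"\s*Type:\s*(?P<type>\S+)\s*\n"
    r"\s*Detail:.*?Invalid response from (?P<url>\S+): (?P<status>\d{3})"
)


def parse_failures(text):
    """One dict per failed name. `redirected` is True when the URL the CA ended
    up fetching is on a different host than the name being validated."""
    failures = []
    for m in _FAILURE_RE.finditer(text):
        url = m.group("url")
        final_host = urllib.parse.urlsplit(url).hostname
        failures.append({
            "domain": m.group("domain"),
            "type": m.group("type"),
            "url": url,
            "status": int(m.group("status")),
            "redirected": final_host != m.group("domain").lower(),
        })
    return failures


def write_probe(webroot):
    """Create a random probe file where `certbot -w <webroot>` would put its token."""
    token = secrets.token_urlsafe(16)
    body = secrets.token_urlsafe(32)
    path = os.path.join(webroot, ".well-known", "acme-challenge", token)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(body)
    return token, body


def local_check(domain_docroots, webroot):
    """For each hostname, check whether the DocumentRoot Apache serves for it
    contains the probe written under `webroot`. False is the on-disk form of the
    CA's 404: the token exists, but in a directory that vhost never serves."""
    token, body = write_probe(webroot)
    results = {}
    for domain, docroot in domain_docroots.items():
        candidate = os.path.join(docroot, ".well-known", "acme-challenge", token)
        try:
            with open(candidate) as fh:
                results[domain] = fh.read() == body
        except OSError:
            results[domain] = False
    return results


def remote_check(domain, token, body, timeout=10):
    """Fetch the probe the way the CA does: plain HTTP on port 80, following any
    redirects. Returns (ok, final_url, http_status). Needs network access."""
    url = f"http://{domain}/.well-known/acme-challenge/{token}"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.read().decode() == body, resp.geturl(), resp.status
    except urllib.error.HTTPError as err:
        return False, err.geturl(), err.code
    except urllib.error.URLError:
        return False, url, None


def demo_local_check():
    """Constructed layout: example.com and www.example.com share one DocumentRoot,
    www.example.net has its own, and certbot is pointed at the shared one only."""
    with tempfile.TemporaryDirectory() as root:
        shared = os.path.join(root, "example.com", "public_html")
        separate = os.path.join(root, "example.net", "public_html")
        os.makedirs(shared)
        os.makedirs(separate)
        mapping = {"example.com": shared, "www.example.com": shared,
                   "www.example.net": separate}
        return local_check(mapping, webroot=shared)


if __name__ == "__main__":
    for f in parse_failures(SAMPLE_CERTBOT_OUTPUT):
        print(f"{f['domain']:<20} {f['status']} redirected={f['redirected']}")
    print(demo_local_check())
```

To use it on a real host, build the mapping from each Apache vhost's ServerName/ServerAlias and DocumentRoot and pass the webroot you give certbot; any name that comes back False will 404 no matter what the firewall or .htaccess files do. Once every name passes locally, write a probe with write_probe() and call remote_check() for each name to confirm the path is reachable from outside, the way the post did by hand with curl. Note that the URLs in the post's output are https://, so the CA was redirected from port 80 to the TLS vhost; the https vhost for each name, not only the http one, has to serve the same acme-challenge directory.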