LE SSL Cert Creation Fails

SYSTEM INFORMATION
OS type and version: Ubuntu 22.04.4
Webmin version: 2.105
Virtualmin version: 7.10.0 Pro
Related packages: CertBot 1.21.0

Situation:

  • Virtualmin deployed on Ubuntu
  • Created virtual server
  • DNS records self-managed
  • No bespoke configuration, no messing with LE/CertBot configs
  • Request SSL certificate via Let’s Encrypt without wildcard

Result: Certificate request fails

/etc/letsencrypt/cli.ini with defaults:

# Because we are using logrotate for greater flexibility, disable the
# internal certbot logrotation.
max-log-backups = 0
# Adjust interactive output regarding automated renewal
preconfigured-renewal = True

The web-based validation part from /var/log/letsencrypt/letsencrypt.log:

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
DNS problem: looking up A for admin.EXAMPLE.com: DNSSEC: Bogus; DNS problem: looking up AAAA for admin.EXAMPLE.com: DNSSEC: Bogus
DNS problem: looking up A for EXAMPLE.com: DNSSEC: Bogus; DNS problem: looking up AAAA for EXAMPLE.com: DNSSEC: Bogus
DNS problem: looking up A for mail.EXAMPLE.com: DNSSEC: Bogus; DNS problem: looking up AAAA for mail.EXAMPLE.com: DNSSEC: Bogus
DNS problem: looking up A for webmail.EXAMPLE.com: DNSSEC: Bogus; DNS problem: looking up AAAA for webmail.EXAMPLE.com: DNSSEC: Bogus
DNS problem: looking up A for www.EXAMPLE.com: DNSSEC: Bogus; DNS problem: looking up AAAA for www.EXAMPLE.com: DNSSEC: Bogus

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

The DNS-based validation part from /var/log/letsencrypt/letsencrypt.log:
Certbot failed to authenticate some domains (authenticator: manual). The Certificate Authority reported these problems:
DNS problem: looking up TXT for _acme-challenge.admin.EXAMPLE.com: DNSSEC: Bogus
DNS problem: looking up TXT for _acme-challenge.EXAMPLE.com: DNSSEC: Bogus
DNS problem: looking up TXT for _acme-challenge.mail.EXAMPLE.com: DNSSEC: Bogus
DNS problem: looking up TXT for _acme-challenge.webmail.EXAMPLE.com: DNSSEC: Bogus
DNS problem: looking up TXT for _acme-challenge.www.EXAMPLE.com: DNSSEC: Bogus

Hint: The Certificate Authority failed to verify the DNS TXT records created by the --manual-auth-hook. Ensure that this hook is functioning correctly and that it waits a sufficient duration of time for DNS propagation. Refer to "certbot --help manual" and the Certbot User Guide.

The last lines of /var/log/letsencrypt/letsencrypt.log:
DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
  File "/bin/letsencrypt", line 33, in <module>
    sys.exit(load_entry_point('certbot==1.21.0', 'console_scripts', 'certbot')())
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 15, in main
    return internal_main.main(cli_args)
  File "/usr/lib/python3/dist-packages/certbot/_internal/main.py", line 1574, in main
    return config.func(config, plugins)
  File "/usr/lib/python3/dist-packages/certbot/_internal/main.py", line 1434, in certonly
    lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
  File "/usr/lib/python3/dist-packages/certbot/_internal/main.py", line 133, in _get_and_save_cert
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "/usr/lib/python3/dist-packages/certbot/_internal/client.py", line 459, in obtain_and_enroll_certificate
    cert, chain, key, _ = self.obtain_certificate(domains)
  File "/usr/lib/python3/dist-packages/certbot/_internal/client.py", line 389, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/usr/lib/python3/dist-packages/certbot/_internal/client.py", line 439, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, self.config, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/_internal/auth_handler.py", line 90, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/_internal/auth_handler.py", line 178, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.

Tested on another Ubuntu 22.04.4 with Virtualmin 7.9.0 installed and the certificate creation runs like a charm.

I can’t figure out what the heck the issue is. Any pointers?

I don’t know how that error could be more clear?

And, you should focus on fixing the web-based validation. DNS validation is only needed for wildcards (which generally should be avoided) and would only happen in the non-wildcard case, if web validation failed (and the solution there is to fix web validation).

Well, that’s what I don’t understand: The A and AAAA records are set and point to the correct IPs.

Here’s the rest of the story… I supported a friend setting up his Virtualmin instance when the above issue kicked in. After some investigation I figured he had submitted a DS DNS entry to his registrar. We requested to delete it, then ran the LE cert creation with an untouched configuration and it succeeded.

Now I’m curious whether the DS deletion was just a coincidence and had nothing to do with the issue (most probably because my friend changed settings and didn’t tell) or whether it could be the root cause of the trouble.

🤷‍♂️

Who knows what mysteries lurk in what users do when confronted with a problem they don’t understand? People do all sorts of weird things.

The error tells me the records were bogus. Something was wrong with the records. They pointed to the wrong place, they were invalid, I dunno what.
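The "DNSSEC: Bogus" wording in the certbot log is the signal a validating resolver gives when the parent zone carries a DS record that cannot be matched to a DNSKEY the child zone actually serves: from the parent's point of view the zone claims to be signed, so unsigned or mismatched answers are rejected rather than treated as merely insecure. The following is an added example (not Virtualmin or certbot code) that reproduces the DS-to-DNSKEY matching step from RFC 4034 so the "registrar holds a DS, zone serves no matching key" condition from the thread can be checked offline. The zone name, the 32-byte "public keys" and the DS records are constructed for illustration and are not real key material; on a live domain you would feed it the RDATA from `dig DS example.com` (answered by the parent) and `dig DNSKEY example.com @<zone nameserver>`.

```python
# Added example, not code from the page or from Virtualmin/certbot.
# Matches DS records published at the parent against DNSKEY records served by
# the child zone (RFC 4034 sections 5.1.4 and Appendix B). A DS with no matching
# served DNSKEY is the condition a validating resolver reports as "Bogus".
import base64
import hashlib
import struct
from dataclasses import dataclass

# DS digest types: 1 = SHA-1 (RFC 4034), 2 = SHA-256 (RFC 4509), 4 = SHA-384 (RFC 6605)
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


@dataclass(frozen=True)
class DNSKEY:
    flags: int          # 257 = KSK (zone key with SEP bit), 256 = ZSK
    protocol: int       # always 3 for DNSSEC
    algorithm: int      # e.g. 8 = RSASHA256, 13 = ECDSAP256SHA256
    public_key: bytes

    def rdata(self) -> bytes:
        return struct.pack("!HBB", self.flags, self.protocol, self.algorithm) + self.public_key

    def key_tag(self) -> int:
        """RFC 4034 Appendix B: 16-bit checksum over the DNSKEY RDATA."""
        acc = 0
        for i, b in enumerate(self.rdata()):
            acc += b if i & 1 else b << 8
        acc += (acc >> 16) & 0xFFFF
        return acc & 0xFFFF


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: bytes


def parse_dnskey(rdata: str) -> DNSKEY:
    """Parse presentation-format RDATA such as '257 3 13 <base64 key>'."""
    flags, proto, alg, *b64 = rdata.split()
    return DNSKEY(int(flags), int(proto), int(alg), base64.b64decode("".join(b64)))


def parse_ds(rdata: str) -> DS:
    """Parse presentation-format RDATA such as '12345 13 2 <hex digest>'."""
    tag, alg, dtype, *hexdigest = rdata.split()
    return DS(int(tag), int(alg), int(dtype), bytes.fromhex("".join(hexdigest)))


def owner_wire(name: str) -> bytes:
    """Canonical wire form of the owner name (RFC 4034 section 6.2):
    lowercase, length-prefixed labels, terminated by the root label."""
    labels = name.rstrip(".").lower().split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def ds_from_dnskey(owner: str, key: DNSKEY, digest_type: int = 2) -> DS:
    """DS digest = hash(owner name in wire form || DNSKEY RDATA), RFC 4034 section 5.1.4."""
    digest = DIGEST_ALGS[digest_type](owner_wire(owner) + key.rdata()).digest()
    return DS(key.key_tag(), key.algorithm, digest_type, digest)


def check_delegation(owner: str, parent_ds: list, child_keys: list) -> dict:
    """Map each DS found at the parent to the served DNSKEY it matches, or None.

    Only the DS/DNSKEY correspondence is checked; RRSIGs over the DNSKEY RRset
    are not verified, so a match is necessary but not sufficient for the
    chain to validate.
    """
    result = {}
    for ds in parent_ds:
        match = None
        if ds.digest_type in DIGEST_ALGS:   # a DS with an unknown digest type is ignored
            for key in child_keys:
                if ds_from_dnskey(owner, key, ds.digest_type) == ds:
                    match = key
                    break
        result[ds] = match
    return result


def delegation_is_bogus(owner: str, parent_ds: list, child_keys: list) -> bool:
    """True when the parent publishes DS records but none matches a served DNSKEY.
    No DS at all means an unsigned (insecure) delegation, which is not bogus."""
    matches = check_delegation(owner, parent_ds, child_keys)
    return bool(matches) and all(k is None for k in matches.values())


def demo() -> dict:
    """Constructed scenario: the registrar holds a DS for a key the zone does not serve."""
    zone = "EXAMPLE.com"
    served_key = DNSKEY(257, 3, 13, bytes(range(32)))      # constructed, not a real ECDSA key
    stale_key = DNSKEY(257, 3, 13, bytes(range(32, 64)))   # constructed, key the zone never served
    good_ds = ds_from_dnskey(zone, served_key)
    stale_ds = ds_from_dnskey(zone, stale_key)
    return {
        "correct_ds": delegation_is_bogus(zone, [good_ds], [served_key]),
        "stale_ds": delegation_is_bogus(zone, [stale_ds], [served_key]),
        "ds_but_no_dnskey": delegation_is_bogus(zone, [stale_ds], []),
        "no_ds": delegation_is_bogus(zone, [], [served_key]),
        "dnskey_roundtrip": parse_dnskey("257 3 13 " + base64.b64encode(served_key.public_key).decode()) == served_key,
        "ds_roundtrip": parse_ds(f"{good_ds.key_tag} 13 2 {good_ds.digest.hex()}") == good_ds,
    }


if __name__ == "__main__":
    for case, bogus in demo().items():
        print(f"{case}: {'BOGUS' if bogus is True else bogus}")
```

The `ds_but_no_dnskey` case is the one this thread describes: a DS submitted at the registrar for a zone whose nameservers serve no matching DNSKEY. Removing the DS (or publishing a DNSKEY whose digest matches it) clears the condition, which is consistent with the certificate request succeeding right after the DS was deleted. To confirm on a live domain, compare the DS answered by the parent's nameservers with the DNSKEY answered by the zone's own nameservers, or ask a validating resolver directly with `delv`, which reports the chain as validated, insecure, or bogus.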
