LE (still) not renewing automatically in Webmin

yes, i changed it to overkill for just that purpose after i started experiencing issues. and yes, that is also the entire contents of /etc/letsencrypt/renewal/webmin-domain.tld.conf.

so if i understand you correctly, webmin ought to have placed renew_before_expiry = 60 days in /etc/letsencrypt/renewal/webmin-domain.tld.conf when i switched it into overkill?

all the virtual servers are also set to overkill, and they renew as expected. but their /etc/letsencrypt/renewal/domain.tld.conf’s all share the same # renew_before_expiry = 30 days line without another renew_before_expiry appearing anywhere else. how can that be?

just added renew_before_expiry = 60 days to /etc/letsencrypt/renew/webmin-domain.tld and ran certbot renew with the same results as before - no renewal. output shows consideration for webmin-domain.tld, but declines to renew with
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/webmin-domain.tld.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not yet due for renewal

here's /var/log/letsencrypt/letsencrypt.log, for your viewing pleasure.

Looks like it’s still reading 30 days or defaulting to 30 days. Are you sure that line is not still commented out?

‘#’ comments it out, right?

if so, let me ask, does something need restarted between /etc/letsencrypt/renew/webmin-domain.tld.conf edits in order to take effect?

Yes, the # indicates a comment, which is not parsed as config data.

I don’t think there’s anything to restart. certbot isn’t a daemon, I don’t think. I think it just runs as a scheduled job.

i think i just had an ah-hah moment. though i'm not sure how to proceed.

as my webmin certificate is now less than 30 days from expiration, i again ran certbot renew and noticed it lists the expiration date for each certificate it is skipping. it once again skipped my webmin certificate, stating /etc/letsencrypt/live/webmin-domain.tld/fullchain.pem expires on 2020-10-24 (skipped), whereas the certificate that shows up in the browser for https://webmin-domain.tld:10000 expires on september 1.

that explains why it never renews automatically. but why is webmin presenting a certificate other than /etc/letsencrypt/live/webmin-domain.tld/fullchain.pem for the dashboard and other services configured to use this certificate?

The only thing I can think of is that Webmin has an associated cert from one of your Virtualmin domains (i.e. you clicked “Copy to Webmin” on one of your Virtualmin domain certs in the past), and now it doesn’t think it’s got its own cert. That’d be bug-like. But I can’t think of any other way for it to end up that way unless the cert paths were changed manually.

webmin>webmin>webmin configuration>ssl encryption>ssl settings:


here's our september 1 certificate.

which means this setting in webmin>webmin>webmin configuration>ssl encryption>lets encrypt must not be working:
[Screenshot from 2020-08-03 23-32-50]

any harm in copying the three pem files in /etc/letsencrypt/live/webmin-domain.tld over those specified in webmin>webmin>webmin configuration>ssl encryption>ssl settings?

any way to get these synced up again?

or are you saying this is a bug that will eventually be corrected?

updated to latest version of webmin a day or two ago. no relief.

@Jamie do you have any idea why Webmin would never renew LE?

or more specifically, why it's looking at the wrong cert file and how to fix?

Be aware that if the cert file is updated outside of Webmin (ie. via certbot run from the command line or a cron job), it won’t be picked up by Webmin until it’s restarted.

i only recently attempted certbot renewal per joe’s instruction. before that, i've only ever used webmin.

however, last wednesday, i added renew_before_expiry = 60 days to /etc/letsencrypt/renew/webmin-domain.tld and ran certbot renew. it renewed as expected since the cert that /etc/letsencrypt/live/webmin-domain.tld/fullchain.pem links to had just crossed that threshold. but the newly renewed cert didn't appear in my browser, as i didn't yet know i needed to restart webmin for that to happen. so i went through the gui (webmin>webmin>webmin configuration>ssl encryption>lets encrypt) to request a new certificate. afterwards, a new cert appeared in the browser.

now i'm looking at the cert /etc/letsencrypt/live/webmin-domain.tld/fullchain.pem links to and noticing its serial number matches that of the cert at /etc/webmin/letsencrypt-cert.pem. so i'm wondering if the aforementioned fumbling about i did last wednesday straightened out whatever was causing webmin to copy a past certificate to /etc/webmin/letsencrypt-cert.pem. we’ll see what news a month brings.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.
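
The comparison made by hand in the last post (the certificate behind /etc/letsencrypt/live/webmin-domain.tld/fullchain.pem against /etc/webmin/letsencrypt-cert.pem) can be scripted. This is an added example, not part of the thread and not Webmin or certbot code; the function names are hypothetical, and it assumes the openssl CLI is installed and that the two PEM paths are passed as arguments.

```shell
#!/bin/sh
# Added example: detect drift between the certificate certbot manages and the
# copy a service (here Webmin) actually serves. Function names are hypothetical.
# Usage: sh certdrift.sh <certbot fullchain.pem> <served cert.pem>

# Print "serial|notAfter|sha256 fingerprint" for the first (leaf) certificate
# in a PEM file; prints nothing if the file is missing or not a certificate.
cert_id() {
    openssl x509 -in "$1" -noout -serial -enddate -fingerprint -sha256 2>/dev/null |
        sed 's/^[^=]*=//' | paste -sd'|' -
}

# Return 0 when both files hold the same leaf certificate, 1 when they differ,
# 2 when either file cannot be parsed.
same_cert() {
    a=$(cert_id "$1")
    b=$(cert_id "$2")
    [ -n "$a" ] && [ -n "$b" ] || return 2
    [ "$a" = "$b" ]
}

# Return 0 when the certificate expires within the given number of days.
# An unreadable file also returns 0, so it is flagged rather than ignored.
expires_within_days() {
    ! openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# Report only when called with the two paths, e.g. the certbot live path and
# the file the service is configured to serve.
if [ "$#" -eq 2 ]; then
    if same_cert "$1" "$2"; then
        echo "OK: $2 matches the leaf certificate in $1"
    else
        echo "DRIFT: $2 is not the leaf certificate in $1"
        echo "  managed: $(cert_id "$1")"
        echo "  served:  $(cert_id "$2")"
    fi
    if expires_within_days "$2" 30; then
        echo "WARN: $2 expires within 30 days (or could not be read)"
    fi
fi
```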