SYSTEM INFORMATION | |
---|---|
OS type and version | Debian 10 |
Webmin version | 1.999 |
Virtualmin version | 7.1-1 |
Related packages | certbot 0.31.0-1+deb10u1 |
This server was originally set up with a much older version of Debian (which predated Let’s Encrypt). It’s been upgraded in place over the years following best practice (i.e. the official Debian guides) to Debian 10. Webmin, Virtualmin and Usermin were all installed from the official apt repos and have also been regularly upgraded in place. All the software on the server is currently up to date, and there aren’t any external repos other than Webmin and Virtualmin.
When Let’s Encrypt came out and Virtualmin started supporting it, we installed Let’s Encrypt via Virtualmin, which put it in `/opt/eff.org/`. This was prior to Debian supporting Let’s Encrypt in the repos. At some point over the last couple of years, we installed the Debian packaged version of certbot. This did cause some slightly confusing configuration overlap, but until now I’ve been able to fix any problems that came up.
Over the last couple of days we’ve started getting warnings like this:
```
An error occurred requesting a new certificate for (redacted) from Let's Encrypt : Web-based validation failed : Your system is not supported by certbot-auto anymore.
certbot-auto and its Certbot installation will no longer receive updates.
You will not receive any bug fixes including those fixing server compatibility
or security problems.
Please visit https://certbot.eff.org/ to check for other alternatives.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
An unexpected error occurred:
There were too many requests of a given type :: Error creating new order :: too many certificates (5) already issued for this exact set of domains in the last 168 hours: (redacted), retry after 2022-08-16T16:15:08Z: see https://letsencrypt.org/docs/duplicate-certificate-limit/
Please see the logfiles in /var/log/letsencrypt for more details.
DNS-based validation failed : Your system is not supported by certbot-auto anymore.
certbot-auto and its Certbot installation will no longer receive updates.
You will not receive any bug fixes including those fixing server compatibility
or security problems.
Please visit https://certbot.eff.org/ to check for other alternatives.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Renewing an existing certificate
An unexpected error occurred:
There were too many requests of a given type :: Error creating new order :: too many certificates (5) already issued for this exact set of domains in the last 168 hours: (redacted), retry after 2022-08-16T16:15:08Z: see https://letsencrypt.org/docs/duplicate-certificate-limit/
Please see the logfiles in /var/log/letsencrypt for more details.
```
I removed `/opt/eff.org/` in the hopes of resolving any potential confusion between different versions of certbot. Unfortunately some parts of Virtualmin still seem to be stuck thinking that they should call certbot-auto. For older sites on the server, when I go to Server Configuration → SSL Certificate → Let’s Encrypt, I get this message at the bottom:
```
Renewal failed due to
Web-based validation failed :
Skipping bootstrap because certbot-auto is deprecated on this system.
```
If I click on Request Certificate, I get this message:
```
Requesting a certificate for (redacted) from Let's Encrypt ..
.. request failed : Web-based validation failed :
Skipping bootstrap because certbot-auto is deprecated on this system.
Your system is not supported by certbot-auto anymore.
Certbot cannot be installed.
Please visit https://certbot.eff.org/ to check for other alternatives.
DNS-based validation failed :
Skipping bootstrap because certbot-auto is deprecated on this system.
Your system is not supported by certbot-auto anymore.
Certbot cannot be installed.
Please visit https://certbot.eff.org/ to check for other alternatives.
```
However, if I click on the same options for a newer site, the Let’s Encrypt section looks fine, no errors. From this I’m guessing that Virtualmin’s internal config for the older sites somehow has certbot-auto embedded in it, while newer sites were successfully set up using the system certbot.
How do I get Virtualmin to forget about certbot-auto and automatically use the system version of certbot for all sites, new and old? I’ve tried disabling and re-enabling SSL for one of the older sites, but Let’s Encrypt is still broken. I’m able to manually run certbot from the command line and generate certificates that way, but of course it doesn’t hook into Virtualmin, and I also keep receiving emails every day from the server reminding me that the certificate can’t be renewed. I’ve got a pretty solid understanding of Linux server admin and I can sort this stuff out manually when it’s not managed by Virtualmin, but it’s a mystery to me where Virtualmin is getting its information. Without that I’m pretty stuck resolving the problem…
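
The two error outputs quoted above mix separate conditions: the certbot-auto deprecation notice, the "Certbot cannot be installed" failure, and Let's Encrypt's duplicate-certificate limit with its retry time. The following is an added example, not part of the original post and not Virtualmin code, that separates them per validation method; the names `triage` and `next_action` are hypothetical and the sample strings are trimmed from the quoted output.

```python
import re
from datetime import datetime, timezone

# Constructed samples, trimmed from the two error outputs quoted in the post.
RATE_LINE = ("There were too many requests of a given type :: Error creating new "
             "order :: too many certificates (5) already issued for this exact set "
             "of domains in the last 168 hours: (redacted), retry after "
             "2022-08-16T16:15:08Z: see "
             "https://letsencrypt.org/docs/duplicate-certificate-limit/\n")
DEPRECATED = "Your system is not supported by certbot-auto anymore.\n"
RATE_LIMITED = ("Web-based validation failed : " + DEPRECATED + RATE_LINE +
                "DNS-based validation failed : " + DEPRECATED + RATE_LINE)
CLIENT_GONE = ("Web-based validation failed :\n"
               "Skipping bootstrap because certbot-auto is deprecated on this system.\n"
               + DEPRECATED + "Certbot cannot be installed.\n")

SECTION_RE = re.compile(r"(Web|DNS)-based validation failed :")
RATE_RE = re.compile(r"too many certificates \((\d+)\) already issued for this exact "
                     r"set of domains in the last (\d+) hours: .*?, retry after "
                     r"(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ)")

def triage(text):
    """Return one finding per validation attempt (Web, DNS) in the error text."""
    parts = SECTION_RE.split(text)  # [preamble, method, body, method, body, ...]
    findings = []
    for method, body in zip(parts[1::2], parts[2::2]):
        finding = {"method": method,
                   "certbot_auto": "certbot-auto" in body,
                   "client_unusable": "Certbot cannot be installed" in body,
                   "retry_after": None}
        match = RATE_RE.search(body)
        if match:  # duplicate-certificate limit: record when it lifts
            finding["issued"] = int(match.group(1))
            finding["window_hours"] = int(match.group(2))
            finding["retry_after"] = datetime.strptime(
                match.group(3), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        findings.append(finding)
    return findings

def next_action(findings, now):
    """Pick the step that unblocks renewal; an unusable client outranks waiting."""
    if any(f["client_unusable"] for f in findings):
        return "fix-client"
    waits = [f["retry_after"] for f in findings if f["retry_after"]]
    if waits and now < max(waits):
        return "wait-until " + max(waits).isoformat()
    return "retry"
```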