Let's Encrypt certificates not renewing anymore

I do stand slightly corrected, as I just found out by reading the code a bit more that Virtualmin does in fact call webmin::request_letsencrypt_cert which in turn uses the LetsEncrypt code through Webmin itself (which then does use certbot if it is available).

…But in order to get to that point in the code of Virtualmin, the certificate issuer is checked first, which means it will fail for newer certificates… this also means that it will not try to renew the certificate using certbot (through webmin::request_letsencrypt_cert), because the code to do that will be skipped.

If I’m mistaken, feel free to tell me whatever I’m not understanding correctly. I am eager to learn more about how Virtualmin works behind the scenes.

Reference: I’m talking about this line in the code which causes the renewal to be skipped: virtualmin-gpl/feature-ssl.pl at master · virtualmin/virtualmin-gpl · GitHub (line 2543) which is different from the current released version of Virtualmin (6.14, released 2nd December 2020) which you can view here: virtualmin-gpl/feature-ssl.pl at 6.14 · virtualmin/virtualmin-gpl · GitHub (line 2438)

@synio what OS and version do you have this issue on? I run Debian 10, which I’ve upgraded from Debian 9, and certbot is still working; I had no issues at all. (Also running GPL.)

@unborn, Debian 10 as well.

But the problem might only become apparent around March for most.

Do you reference the SSL certificates at the home directories for your webserver?

This is starting to happen for me too on all of my servers. Auto-renew is failing and I discover this, thankfully, by the expiring soon emails from Let’s Encrypt. Manual renew works without problem. Running CentOS Linux 3.10.0-1160.15.2.el7.x86_64 on x86_64; Virtualmin 6.14; Webmin 1.962. Do have certbot installed, version 1.11.0-1.el7.


Yeah, I think more and more users will start running into the issue if they don’t release a new version based on the updated code soon…

We’ll be rolling updates to fix this problem (and another LE related issue) this weekend.


Hey Joe, thanks for the news that a fix is coming. Do you happen to have any updates here? I’m asking because we have hundreds of sites across hundreds of Vmin-enabled servers and… a very noisy Nagios server warning us about expiring SSL certificates! We’d sure like to know what to expect re: the 6.15 release and whether we’re going to need to mitigate across all of those servers before then. Thanks again!

Hi, any update on this?

We will try to release a new version as soon as possible. Meanwhile there is a quick and simple solution to address this particular issue.


Goodness, I sure hope the new version is imminent, as we’d certainly prefer that 100x over making that quick and simple change to the code across hundreds of servers.

Me too. Glad the fix is coming.

I don’t know if it’s related, but the CA root is also missing on many of my servers. The browser works OK, but some people using services that connect to the website are seeing failures saying there is an authority issue with the cert. I have to manually upload the Let’s Encrypt root cert for each site. I don’t know which sites it’s failing on without doing an SSL check on all sites.

Started a couple of months back.

Posting here in case it’s related.

I assumed certbot software would interfere so never added it to a Virtualmin server. As I remember, certbot lets you do *.fqdn.tld, right?

For those lazy half-assed admins like me…

Today was the first time I noticed this. One of my primary virtual servers expired 0 days ago and I just gave a whirl at Virtualmin → Server Configuration → SSL Certificate: Let’s Encrypt [Request Certificate] and all is well for that one until the update happens.

Good to have an update coming. I also have issues with several domains that don’t renew; I do a manual update for them, but some others auto-renew fine… maybe it’s because of the path where I have the certs located? Because I know the path is default for some, but non-default for others…

Issue also present here on various Domains, code snippet fixed it.

For anyone having issues with certificates expiring, you can run the following command on the server to get a list of certificates sorted by expiry date.

virtualmin list-certs-expiry --all-domains

You can then manually request a renewal via Server Configuration / SSL Certificate / Let’s Encrypt on any vhost with a certificate expiring soon.

Much quicker than checking them all manually until 6.15 is released with the fix, if you don’t want to patch it before then.


Noticed the same in a virtual server. The Apache vhost had SSLCertificate /home/domain/ssl.cert instead of /home/domain/ssl.combined … don’t know if it applies to every virtual server yet, but it should be the default for all…
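
A read-only audit for the condition described in the two posts above (missing CA chain; a vhost pointing at ssl.cert instead of ssl.combined), added here as an example and not part of any post or of Virtualmin. It assumes ssl.combined holds the leaf certificate followed by the CA chain; the function names and status labels are made up for this example.

```shell
#!/bin/sh
# Added example: list Apache SSL vhosts whose certificate file carries
# only the leaf certificate and that configure no separate chain file.

# Count PEM certificate blocks in a file (1 = leaf only, 2+ = leaf + chain).
pem_count() {
    n=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null) || n=0
    echo "${n:-0}"
}

# Print "<ServerName> <certificate path> <status>" for each SSL vhost
# found in one Apache config file. Status is one of:
#   OK          file has 2+ certificates, or a chain directive is present
#   LEAF_ONLY   single certificate and no chain directive
#   UNREADABLE  file missing or contains no PEM certificate
# Assumption: SSLCACertificateFile is counted as a chain source as well as
# SSLCertificateChainFile; confirm with a live handshake if it matters.
audit_vhosts() {
    awk '
        { key = tolower($1); gsub(/"/, "", $2) }
        key ~ /^<virtualhost/            { name = "-"; cert = ""; chain = 0 }
        key == "servername"              { name = $2 }
        key == "sslcertificatefile"      { cert = $2 }
        key == "sslcertificatechainfile" { chain = 1 }
        key == "sslcacertificatefile"    { chain = 1 }
        key ~ /^<\/virtualhost/ && cert != "" { print name, cert, chain }
    ' "$1" | while read -r name cert chain; do
        n=$(pem_count "$cert")
        if [ "$n" -eq 0 ]; then
            status=UNREADABLE
        elif [ "$n" -ge 2 ] || [ "$chain" -eq 1 ]; then
            status=OK
        else
            status=LEAF_ONLY
        fi
        echo "$name $cert $status"
    done
}

# Usage: sh audit.sh /etc/apache2/sites-enabled/*.conf
for conf in "$@"; do
    audit_vhosts "$conf"
done
```

Vhosts reported as LEAF_ONLY are the ones where browsers may still work while stricter clients report an authority error.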


I can confirm this just hit one of my servers as well. I set the renewal period to 2 months and it expired. Manually updating the certificate worked. I have patched code as suggested after manually renewing certs.

Might be related to this Let’s Encrypt announcement: Transitioning to ISRG's Root - Let's Encrypt - Free SSL/TLS Certificates

Same issue here. Certs dropping like flies on multiple servers.