Let's Encrypt certificates not renewing anymore

I assumed certbot software would interfere, so I never added it to a Virtualmin server. As I remember, certbot lets you do *.fqdn.tld, right?

For those lazy half-assed admins like me…

Today was the first time I noticed this. One of my primary virtual servers expired 0 days ago and I just gave a whirl at Virtualmin → Server Configuration → SSL Certificate: Let’s Encrypt [Request Certificate] and all is well for that one until the update happens.

Good to have an update coming. I also have issues with several domains that don't renew :frowning: I do manual updates for them, but some others autorenew fine… maybe it is because of the path where I have the certs located? Because I know the path is default for some, but non-default for others…

Issue also present here on various Domains, code snippet fixed it.

For anyone having issues with certificates expiring, you can run the following command on the server to get a list of certificates sorted by expiry date.

virtualmin list-certs-expiry --all-domains

You can then manually request a renewal via Server Configuration / SSL Certificate / Let’s Encrypt on any vhost with a certificate expiring soon.

Much quicker than checking them all manually until 6.15 is released with the fix, if you don’t want to patch it before then.


Noticed the same in a virtual server. Apache vhost had SSLCertificate /home/domain/ssl.cert instead of /home/domain/ssl.combined … Don’t know if it applies to every virtual server yet, but it should be the default for all…


I can confirm this just hit one of my servers as well. I set the renewal period to 2 months and it expired. Manually updating the certificate worked. I have patched code as suggested after manually renewing certs.

Might be related to this Let's Encrypt announcement: "Transitioning to ISRG's Root"

Same issue here. Certs dropping like flies on multiple servers.

I also ran into some problems today while trying to manually renew a Let's Encrypt certificate; after the update to Virtualmin 6.15 (Webmin 1.973, Usermin 1.823) it seems to happen like this:

Requesting a certificate for [------snip/snap------] from Let’s Encrypt …
HTTP/1.0 500 Perl execution failed
Server: MiniServ/1.973
Date: Fri, 12 Mar 2021 10:40:42 GMT
Content-type: text/html; Charset=utf-8
Connection: close

Error — Perl execution failed

panic: attempt to copy freed scalar 5597e13d19d8 to 5597df5400b8 at /usr/share/webmin/web-lib-funcs.pl line 3353.

It works for me with Webmin 1.973 and Virtualmin 6.15.

What distro do you see this problem on? Have you tried restarting Webmin manually with the /etc/webmin/restart command, and re-running the certificate request?

Okay I restarted it

/etc/webmin/restart
Stopping Webmin server in /usr/libexec/webmin
Starting Webmin server in /usr/share/webmin

But no difference when manually requesting the certificates. The distro is
Linux 4.9.0-15-amd64 #1 SMP Debian 4.9.258-1 (2021-03-08) x86_64 GNU/Linux

But no difference when manually requesting the certificates.

What is the output of the cat /etc/os-release, whereis certbot and certbot --version commands?

PRETTY_NAME="Debian GNU/Linux 9 (stretch)"
NAME="Debian GNU/Linux"
VERSION_ID="9"
VERSION="9 (stretch)"
VERSION_CODENAME=stretch
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"

Mea culpa … that was the problem. There was no certbot installed. I did that, and now the error is gone. Since when is certbot needed? Haven’t seen this in the documentation so far.

Thanks.

certbot has always been recommended.


I never knew this! So on a Debian-based distribution simply

sudo apt-get install certbot

and nothing else?

Nothing else.

Is it possible to run the Let’s Encrypt cronjob or whatever Virtualmin uses for renewal manually? I still have issues after applying the fix to Virtualmin and would like to debug this.

And should the systemd timer for certbot run? I guess this doesn’t make sense as it provisions to the wrong folder. But by system default this is on.

Manually running /etc/webmin/virtual-server/collectinfo.pl renewed all pending certificates. Not sure why I needed to call this command manually.