Let's Encrypt certificates not renewing anymore

For anyone having issues with certificates expiring, you can run the following command on the server to get a list of certificates sorted by expiry date.

virtualmin list-certs-expiry --all-domains

You can then manually request a renewal via Server Configuration / SSL Certificate / Let’s Encrypt on any vhost with a certificate expiring soon.

Much quicker than checking them all manually until 6.15 is released with the fix, if you don’t want to patch it before then.
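
A way to cross-check certificate expiry straight from the certificate files with openssl, independent of the panel's renewal job (an added example, not part of the original post). The 30-day threshold, the function names and the /home/<domain>/ssl.cert layout in the usage comment are assumptions.

```bash
#!/bin/sh
# Added example (not from the thread): classify certificate files by expiry
# using only openssl, so a stalled renewal job is noticed before expiry.

WARN_DAYS=${WARN_DAYS:-30}   # assumed warning threshold, in days

# cert_status FILE [DAYS] -> prints one of: unreadable, expired, expiring, ok
cert_status() {
    cs_file=$1
    cs_days=${2:-$WARN_DAYS}
    # A file that does not parse as an X.509 certificate is reported, not skipped.
    if ! openssl x509 -in "$cs_file" -noout >/dev/null 2>&1; then
        echo unreadable
        return 0
    fi
    # -checkend N exits non-zero when notAfter falls within the next N seconds.
    if ! openssl x509 -in "$cs_file" -noout -checkend 0 >/dev/null 2>&1; then
        echo expired
    elif ! openssl x509 -in "$cs_file" -noout \
            -checkend $((cs_days * 86400)) >/dev/null 2>&1; then
        echo expiring
    else
        echo ok
    fi
}

# scan_certs FILE... -> one line per file; returns 1 if any file is not "ok"
scan_certs() {
    sc_rc=0
    for sc_file in "$@"; do
        sc_state=$(cert_status "$sc_file")
        sc_end=$(openssl x509 -in "$sc_file" -noout -enddate 2>/dev/null | cut -d= -f2)
        printf '%-10s %-28s %s\n' "$sc_state" "${sc_end:-n/a}" "$sc_file"
        [ "$sc_state" = ok ] || sc_rc=1
    done
    return $sc_rc
}

# Usage (path layout is an assumption): sh certcheck.sh /home/*/ssl.cert
if [ "$#" -gt 0 ]; then
    scan_certs "$@"
fi
```

The non-zero exit status from scan_certs makes it usable from cron or a monitoring check.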


Noticed the same in a virtual server. Apache vhost had SSLCertificate /home/domain/ssl.cert instead of /home/domain/ssl.combined … don’t know if it applies to every virtual server yet, but it should be the default for all…


I can confirm this just hit one of my servers as well. I set the renewal period to 2 months and it expired. Manually updating the certificate worked. I have patched the code as suggested after manually renewing certs.

Might be related to this Let's Encrypt announcement: "Transitioning to ISRG's Root" (Let's Encrypt - Free SSL/TLS Certificates)

Same issue here. Certs dropping like flies on multiple servers.

I also ran into some problems today while trying to manually renew a Let's Encrypt certificate. After the update to Virtualmin 6.15 (Webmin 1.973, Usermin 1.823) it seems to happen like this:

Requesting a certificate for [------snip/snap------] from Let’s Encrypt …
HTTP/1.0 500 Perl execution failed
Server: MiniServ/1.973
Date: Fri, 12 Mar 2021 10:40:42 GMT
Content-type: text/html; Charset=utf-8
Connection: close

Error — Perl execution failed

panic: attempt to copy freed scalar 5597e13d19d8 to 5597df5400b8 at /usr/share/webmin/web-lib-funcs.pl line 3353.

It works for me with Webmin 1.973 and Virtualmin 6.15.

What distro do you see this problem on? Have you tried restarting Webmin manually with the /etc/webmin/restart command, and re-running the certificate request?

Okay, I restarted it

/etc/webmin/restart
Stopping Webmin server in /usr/libexec/webmin
Starting Webmin server in /usr/share/webmin

But no difference when manually requesting the certificates. The distro is
Linux 4.9.0-15-amd64 #1 SMP Debian 4.9.258-1 (2021-03-08) x86_64 GNU/Linux

But no difference when manually requesting the certificates.

What is the output of the cat /etc/os-release, whereis certbot and certbot --version commands?

PRETTY_NAME="Debian GNU/Linux 9 (stretch)"
NAME="Debian GNU/Linux"
VERSION_ID="9"
VERSION="9 (stretch)"
VERSION_CODENAME=stretch
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"

Mea culpa … that was the problem. There was no certbot installed. I did that, and now the error is gone. Since when is certbot needed? Haven’t seen this in the documentation so far.

Thanks.

certbot has always been recommended.


I never knew this! So on a Debian-based distribution simply

sudo apt-get install certbot

and nothing else?

Nothing else.

Is it possible to run the Let’s Encrypt cronjob or whatever Virtualmin uses for renewal manually? I still have issues after applying the fix to Virtualmin and would like to debug this.

And should the systemd timer for certbot run? I guess this doesn’t make sense as it provisions to the wrong folder. But by system default this is on.

Manually running /etc/webmin/virtual-server/collectinfo.pl renewed all pending certificates. Not sure why I needed to call this command manually.
