Let's Encrypt doesn't seem to be generating the files needed for ACME challenges

Operating system: Ubuntu 20.04 LTS
I have recently set up a webserver with Virtualmin, and the only problem I am having at the moment is getting Let’s Encrypt to properly generate SSL certs. Here is the output log for generating certs:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for admin.techokamilabs.com
http-01 challenge for mail.techokamilabs.com
http-01 challenge for techokamilabs.com
http-01 challenge for webmail.techokamilabs.com
http-01 challenge for www.techokamilabs.com
Using the webroot path /home/techokamilabs/public_html for all unmatched domains.
Waiting for verification…
Challenge failed for domain admin.techokamilabs.com
Challenge failed for domain mail.techokamilabs.com
Challenge failed for domain techokamilabs.com
Challenge failed for domain webmail.techokamilabs.com
Challenge failed for domain www.techokamilabs.com
http-01 challenge for admin.techokamilabs.com
http-01 challenge for mail.techokamilabs.com
http-01 challenge for techokamilabs.com
http-01 challenge for webmail.techokamilabs.com
http-01 challenge for www.techokamilabs.com
Cleaning up challenges
Some challenges have failed.
IMPORTANT NOTES:

  • The following errors were reported by the server:

Domain: webmail.techokamilabs.com
Type: dns
Detail: DNS problem: NXDOMAIN looking up A for
webmail.techokamilabs.com - check that a DNS record exists for this
domain

Domain: mail.techokamilabs.com
Type: unauthorized
Detail: Invalid response from
http://mail.techokamilabs.com/.well-known/acme-challenge/CQdESXHvZq2kNBkrdgWaehf1sSi10z-Z5nimpMeN3tY
[2600:3c03::f03c:92ff:fe01:c267]: "\n\n404 Not Found\n\n Not Found \n<p"

Domain: techokamilabs.com
Type: unauthorized
Detail: Invalid response from
http://techokamilabs.com/.well-known/acme-challenge/c_4i2d_kgMwq9xbVTseZmokUVfro-MG0jELpbG_bPDk
[2600:3c03::f03c:92ff:fe01:c267]: "\n\n404 Not Found\n\n Not Found \n<p"

Domain: www.techokamilabs.com
Type: unauthorized
Detail: Invalid response from
http://www.techokamilabs.com/.well-known/acme-challenge/xppWm8Xicl6o4weZhO9Gms-PNfeGLcIjBpMzYnzkYP8
[2600:3c03::f03c:92ff:fe01:c267]: "\n\n404 Not Found\n\n Not Found \n<p"

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.

All the subdomains do, in fact, have proper A records configured. What is puzzling to me is that the challenge response does not seem to be properly generated, and instead results in a 404 error?

EDIT: I have attempted to get the certification generated manually, and it still failed with looking for the challenge file, even though I was able to confirm that the file exists in my web browser. Now I’m really confused!

Not sure what the 404 comes from, but admin. and webmail. are indeed missing:

dig A webmail.techokamilabs.com @ns1.linode.com

> ; <<>> DiG 9.16.15-Debian <<>> A webmail.techokamilabs.com @ns1.linode.com
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 60589
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
> ;; WARNING: recursion requested but not available
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 1232
> ;; QUESTION SECTION:
> ;webmail.techokamilabs.com.	IN	A
> 
> ;; AUTHORITY SECTION:
> techokamilabs.com.	86400	IN	SOA	ns1.linode.com. techokami.gmail.com. 2021000002 14400 14400 1209600 86400

Turns out I needed to not use Linode’s DNS services, but instead do my own DNS. Once I switched everything over…

Requesting a certificate for techokamilabs.com, www.techokamilabs.com, mail.techokamilabs.com, admin.techokamilabs.com, webmail.techokamilabs.com from Let’s Encrypt …
… request was successful!
Configuring webserver to use new certificate and key …
… done
Applying web server configuration …
… done
Re-starting Webmin …
… done
Re-starting Usermin …
… done

You also could have removed those names from the LE request, if you don’t want them. Virtualmin automatically adds all domain names for all services managed by it, which includes some extra names for automatic redirects, mail, etc. But, you can’t ask for a cert for a name that doesn’t resolve or resolves to the wrong place.
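A pre-flight check that repeats what certbot's webroot authenticator and the CA did in the log above (resolve each requested name, then fetch a probe file from /.well-known/acme-challenge/ over plain HTTP on port 80), so a name that does not resolve or a vhost that does not serve the chosen webroot is caught before the request is made. This is an added example, not Virtualmin's or certbot's code; the resolver, fetcher, verdict strings and the choice of webroot are assumptions.

```python
import os, secrets, socket
import urllib.error
import urllib.request

ACME_PATH = "/.well-known/acme-challenge/"


def resolve(name):
    """Addresses the name resolves to, sorted; [] on NXDOMAIN (certbot's 'dns' error)."""
    try:
        infos = socket.getaddrinfo(name, 80, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def fetch(url):
    """Plain-HTTP GET, as the CA does; returns (status, body), or (None, "") if unreachable."""
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, ""
    except (urllib.error.URLError, OSError):
        return None, ""


def preflight(names, webroot, resolve=resolve, fetch=fetch, token=None):
    """Drop a probe file into webroot, then check every name; returns {name: verdict}."""
    token = token or secrets.token_urlsafe(32)  # constructed probe name, not a real ACME token
    probe_dir = os.path.join(webroot, ".well-known", "acme-challenge")
    probe = os.path.join(probe_dir, token)
    os.makedirs(probe_dir, exist_ok=True)
    with open(probe, "w") as fh:
        fh.write(token)
    verdicts = {}
    try:
        for name in names:
            addrs = resolve(name)
            if not addrs:
                verdicts[name] = "dns: NXDOMAIN, add an A/AAAA record or drop the name from the request"
                continue
            status, body = fetch(f"http://{name}{ACME_PATH}{token}")
            if status == 200 and body.strip() == token:
                verdicts[name] = "ok"
            elif status == 404:
                verdicts[name] = f"unauthorized: 404 from {addrs[0]}, that vhost does not serve {webroot}"
            else:
                verdicts[name] = f"unreachable: HTTP {status} from {addrs[0]}, check port 80 and firewall"
    finally:
        os.remove(probe)  # never leave probe files behind in the webroot
    return verdicts
```

Run it as `preflight(["techokamilabs.com", "www.techokamilabs.com"], "/home/techokamilabs/public_html")` on the server itself; any verdict other than "ok" is the same failure the CA will report.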

Good to know you got it sorted.
In your case though, since you are using Linode, I would also consider using their DNS as secondary. That way you will be able to control everything from Virtualmin, but have the advantage of anycast DNS from Linode using Cloudflare’s infrastructure.
