| SYSTEM INFORMATION | |
|---|---|
| OS type and version | Rocky Linux 8.10 |
| Webmin version | 2.202 |
| Virtualmin version | 7.30.4 |
| Webserver version | Apache 2.4 |
I’m having trouble renewing Let’s Encrypt certificates since the recent changes to this area of Virtualmin (I think added in Virtualmin 7.20.2).
Renewal log looks like (identifying information redacted within stars, but all looked correct):
```text
Renewing an existing certificate for *mydomain*.com
Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
Domain: *mydomain*.com
Type: unauthorized
Detail: *0000:0000:0000:0000:0000:0000:0000:0000*: Invalid response from https://www.*mydomain*.com/.well-known/acme-challenge/*XXXXXXXXXXXXXXXXX*/: 404
Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Some challenges have failed.
```
Looking at letsencrypt.log all looks OK (aside from the failure), but this line suggests Virtualmin may be creating the challenge file in the wrong place:
```text
2025-01-13 10:17:41,266:INFO:certbot._internal.auth_handler:Cleaning up challenges
2025-01-13 10:17:41,266:DEBUG:certbot._internal.plugins.webroot:Removing /home/*myaccount*/domains/*mydomain*.com/public_html/.well-known/acme-challenge/*XXXXXXXXXXXXXXXXX*
```
My setup is slightly unusual in that mydomain.com is a Sub-server of myaccount, but they share the same webroot as they all run off the same codebase, each with its own SSL.
I would therefore expect to see the challenge file stored in:
```text
/home/*myaccount*/public_html/.well-known/acme-challenge/*XXXXXXXXXXXXXXXXX*
```
This was working correctly previously, although I can’t be sure which directory the challenge was stored in when it was working.
It would be useful to see the command passed to certbot in the Virtualmin renewal/error log, so I can see what Virtualmin is passing to `--webroot-path`.
I’m going to see if I can find a way to allow requests to .well-known to load from the /domains/* folders while continuing to serve website content from the parent folder.
Any help appreciated, as I have one live site down at the moment and more with certificates expiring soon.
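The post above is about working out which directory the CA's request for `/.well-known/acme-challenge/` is actually served from. As an added example (not from the post, and not Virtualmin's own code), the shell snippet below reads the webroot certbot used from the `Removing` line in `letsencrypt.log`, reads the `DocumentRoot` of the Apache vhost whose `ServerName`/`ServerAlias` matches the domain, and, when the two differ, prints an `Alias` block that serves the challenge directory from certbot's path while the rest of the site keeps its own `DocumentRoot`. The log path, vhost file name and domain are assumptions passed as arguments.

```shell
#!/bin/sh
# Added diagnostic (assumed paths): compare where certbot wrote the ACME challenge
# with where Apache serves the domain from, and print a bridging Alias on mismatch.

# Webroot certbot used, taken from the webroot plugin's "Removing <path>/.well-known/acme-challenge/<token>" line.
certbot_webroot() {   # $1 = letsencrypt.log
  sed -n 's#.*plugins\.webroot:Removing \(.*\)/\.well-known/acme-challenge/.*#\1#p' "$1" | tail -n 1
}

# DocumentRoot of the first <VirtualHost> whose ServerName or ServerAlias lists $2.
vhost_docroot() {     # $1 = Apache vhost config file, $2 = domain
  awk -v d="$2" '
    index($0, "<VirtualHost")            { docroot = ""; hit = 0 }
    /^[[:space:]]*DocumentRoot/          { docroot = $2; gsub(/"/, "", docroot) }
    /^[[:space:]]*Server(Name|Alias)/    { for (i = 2; i <= NF; i++) if ($i == d) hit = 1 }
    index($0, "</VirtualHost>")          { if (hit && docroot != "") { print docroot; exit } }
  ' "$1"
}

# Returns 0 when the paths match, 1 on mismatch (printing the Alias to add), 2 if a path could not be found.
check_acme_path() {   # $1 = letsencrypt.log, $2 = vhost config, $3 = domain
  cw=$(certbot_webroot "$1")
  dr=$(vhost_docroot "$2" "$3")
  if [ -z "$cw" ] || [ -z "$dr" ]; then
    echo "could not determine both the certbot webroot and the DocumentRoot" >&2
    return 2
  fi
  if [ "$cw" = "$dr" ]; then
    echo "OK: certbot webroot matches DocumentRoot ($dr)"
    return 0
  fi
  echo "MISMATCH: certbot wrote the challenge under $cw but $3 is served from $dr"
  cat <<EOF
# Add inside the <VirtualHost> for $3 so the CA can fetch the challenge file:
Alias /.well-known/acme-challenge/ $cw/.well-known/acme-challenge/
<Directory $cw/.well-known/acme-challenge/>
    Require all granted
</Directory>
EOF
  return 1
}

# Usage: sh acme-path-check.sh /var/log/letsencrypt/letsencrypt.log /path/to/vhost.conf www.example.com
if [ "$#" -eq 3 ]; then check_acme_path "$@"; fi
```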