Let's Encrypt renewal suddenly returns 404 via Webmin/Virtualmin

Hi there,

Help! Sudden problem with renewing a LE certificate. Here are some details.

My domain is: sendy.colcolmail.co.uk
My web server is (include version): nginx 1.10.3
The operating system my web server runs on is (include version): ubuntu 16.04.03
My hosting provider, if applicable, is: AWS EC2
I can login to a root shell on my machine (yes or no, or I don’t know): yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel): yes, webmin 1.941/virtualmin 6.08

Problem started on Jan 24th. Error message from the automatic webmin renewal email is:

An error occurred requesting a new certificate for sendy.colcolmail.co.uk from Let's
Encrypt : Web-based validation failed : Failed to request certificate : <pre>Traceback
(most recent call last):
  File "/usr/share/webmin/webmin/acme_tiny.py", line 198, in <module>
    main(sys.argv[1:])
  File "/usr/share/webmin/webmin/acme_tiny.py", line 194, in main
    signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca,
disable_check=args.disable_check, directory_url=args.directory_url, contact=args.contact)
  File "/usr/share/webmin/webmin/acme_tiny.py", line 143, in get_crt
    raise ValueError("Wrote file to {0}, but couldn't download {1}: {2}".format(wellknown_path,
wellknown_url, e))
ValueError: Wrote file to /home/sendy/public_html/.well-known/acme-challenge/3lkoagEKexItREBcO7Vxkd-UosLSx8C7hi-jc9dLUtg,
but couldn't download http://sendy.colcolmail.co.uk/.well-known/acme-challenge/3lkoagEKexItREBcO7Vxkd-UosLSx8C7hi-jc9dLUtg:
Error:
Url: http://sendy.colcolmail.co.uk/.well-known/acme-challenge/3lkoagEKexItREBcO7Vxkd-UosLSx8C7hi-jc9dLUtg
Data: None
Response Code: 404
Response: <html>
<head><title>404 Not Found</title></head>
<body bgcolor="white">
<center><h1>404 Not Found</h1></center>
<hr><center>nginx/1.10.3 (Ubuntu)</center>
</body>
</html>   DNS-based validation failed : Failed to request certificate : usage: acme_tiny.py  [-h] --account-key ACCOUNT_KEY --csr CSR --acme-dir
                    ACME_DIR [--quiet] [--disable-check]
                    [--directory-url DIRECTORY_URL] [--ca CA]
                    [--contact [CONTACT [CONTACT ...]]]
acme_tiny.py: error: argument --acme-dir is required

The acme-challenge file is there, so I am not sure why the 404 is returned. This seems to work: https://letsdebug.net/sendy.colcolmail.co.uk/97582

LE advised looking at the following: hxxp//check-your-website.server-daten.de/?i=39c64a1e-aa2e-4906-bd5f-30ec850563db

The first link has some scary ‘fatal error’ text. I am not a techie, so I am not sure what is going on. Bit worried that my LE cert will now expire within 2 weeks without a renewal.

I updated from v1.930 to v1.941 on Jan 25th, the day after the renewal failures started.

Anyone have any ideas as to what is going on?

I have asked on the LE forum about this as well.

Thanks
Maynard

An update from Let's Encrypt:

"You have to find and remove or deactivate that filter (if the path starts with /.well-known/). "

Sadly I am none the wiser. Any thoughts from the experts here?

Maynard

Virtualmin doesn’t set up any kind of DDoS filter or whatever the theory is here.

I assumed you maybe had two or more IPs for this host, so sometimes it’d work and sometimes it’d hit the host that doesn’t have the validation file. But, DNS says you only have one IP (it’s still plausible there is conflicting information in DNS for a variety of reasons, especially if this is an old name being re-used on a new IP, old info might be cached for hours or days after the change).

Is this domain running behind a CDN, like Cloudflare? They do their own caching and maybe something is awry there.

But, this isn’t something I’ve seen, and it’s not behavior I can point to in a default Virtualmin domain.

Hi Joe,

Thanks for the reply.

No CDN is involved. I have a simple Virtualmin setup. The server runs only Virtualmin GPL, and three virtual servers each running email software (sendy.co), and that’s it. Has been running fine for more than 2 years. Somebody has responded to my post on the LE forum that he/she is getting the same error with Virtualmin. The latest Virtualmin updates corrected errors to do with LE renewals, so I wondered whether I have become caught up in that.

Next step? If I pay $60 for a Virtualmin Pro annual licence, could support look at my GPL set-up and work out what is going on?

Maynard

Hi,

Ubuntu 16 provides a certbot package. Give it a try.

apt-get install certbot

Hi Ilia

Thanks for the reply. Tried it, then requested a certificate via Virtualmin manually and certificate now renewed :)

Thanks very much
Maynard
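
The check that fails in the traceback in the first post (acme_tiny.py writes the token under .well-known/acme-challenge, then downloads it over HTTP) can be repeated by hand to see what the web server really returns for a file that is known to be on disk. The sketch below is an added example, not part of the thread and not Webmin or acme_tiny code; the function name `probe_acme_webroot` and its verdict strings are assumptions made for illustration.

```python
import os
import secrets
import urllib.error
import urllib.request


def probe_acme_webroot(acme_dir, base_url, timeout=10):
    """Write a random probe file into acme_dir and fetch it back over HTTP.

    acme_dir: directory the ACME client writes tokens to
              (<webroot>/.well-known/acme-challenge).
    base_url: site root as a validator would request it, e.g. "http://host".
    Returns (status, verdict); status is None if no HTTP response was received.
    """
    token = "probe-" + secrets.token_urlsafe(16)  # random name, no collisions
    body = secrets.token_urlsafe(32)              # random content to compare
    os.makedirs(acme_dir, exist_ok=True)
    path = os.path.join(acme_dir, token)
    with open(path, "w") as fh:
        fh.write(body)
    url = base_url.rstrip("/") + "/.well-known/acme-challenge/" + token
    # Ignore proxy environment variables so the request goes straight to the host.
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    try:
        with opener.open(url, timeout=timeout) as resp:
            status, served = resp.status, resp.read().decode(errors="replace")
    except urllib.error.HTTPError as e:   # 4xx/5xx responses land here
        status, served = e.code, ""
    except urllib.error.URLError as e:    # DNS failure, refused connection, ...
        return None, "connection failed: %s" % e.reason
    finally:
        os.remove(path)                   # never leave the probe file behind
    if status == 200 and served.strip() == body:
        return status, "ok: the server answering this URL serves acme_dir"
    if status == 200:
        return status, "200 with wrong body: another site or a catch-all page answered"
    if status == 404:
        return status, ("404: file is on disk, but the server answering this URL "
                        "does not serve acme_dir (other root, vhost or host, "
                        "or a rule on /.well-known/)")
    return status, "HTTP %d for %s" % (status, url)


if __name__ == "__main__":
    import sys
    print(probe_acme_webroot(sys.argv[1], sys.argv[2]))
```

Run on the server itself, the two arguments for the site in this thread would be `/home/sendy/public_html/.well-known/acme-challenge` and `http://sendy.colcolmail.co.uk`. A request made from the server can be answered differently from one made by the CA, so a 200 here does not rule out a problem further upstream.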