Let's Encrypt request failed

I am working on redirecting a test website from http to https and requesting a Let's Encrypt certificate, but I got an error when requesting the certificate. Before anything else, let me describe what I set up first …

  • Webmin tab: select Webmin, then Webmin Configuration, then
  • SSL Encryption; under "Redirect non-SSL requests to SSL mode" set "Yes", then save the setting.

Next

  • Virtualmin tab > select my domain, then Server Configuration, then SSL Certificate, then select Let's Encrypt

Domains associated with this server
domain.com
www.domain.com
mail.domain.com

then click "Request Certificate"

I got this error:

Request Certificate
In domain domain.com

Requesting a certificate for domain.com, www.domain.com, mail.domain.com from Let’s Encrypt …
… request failed : Web-based validation failed : Failed to request certificate :

```
Traceback (most recent call last):
  File "/usr/share/webmin/webmin/acme_tiny.py", line 198, in <module>
    main(sys.argv[1:])
  File "/usr/share/webmin/webmin/acme_tiny.py", line 194, in main
    signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca, disable_check=args.disable_check, directory_url=args.directory_url, contact=args.contact)
  File "/usr/share/webmin/webmin/acme_tiny.py", line 143, in get_crt
    raise ValueError("Wrote file to {0}, but couldn't download {1}: {2}".format(wellknown_path, wellknown_url, e))
ValueError: Wrote file to /home/domain/public_html/.well-known/acme-challenge/V3GsL5uZeHCx1Gt81x_mBpHtJ6MuKnSkngwoo215qvU, but couldn't download http://mail.domain.com/.well-known/acme-challenge/V3GsL5uZeHCx1Gt81x_mBpHtJ6MuKnSkngwoo215qvU:
```

  1. Is there a way for Let's Encrypt to download the challenge via https rather than http for mail.domain.com?
  2. Is there anything I forgot to edit in a config file?

If the mail feature is not enabled, I can request the Let's Encrypt certificate, my domain automatically redirects to https, and my SSL is good, with the grey lock icon.

Exclude the redirection for the .well-known directory directly inside the Apache (or nginx, if you use it) config file. Restart the service after that.

How would I exclude the redirection for the .well-known directory inside the Apache file?

Place this:

```apache
RewriteEngine On
RewriteCond %{REQUEST_URI} !^/.well-known/acme-challenge [NC]
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
```

inside the vhost file and restart apache2 afterwards.

It is getting complicated for me to locate and apply what you have suggested; maybe I'll revert what I've done and try requesting the cert again.

Good day!

I tried to place the code you gave me.

```apache
<VirtualHost 192.168.0.160:80>
SuexecUserGroup "#1001" "#1001"
ServerName mis-office.tk
ServerAlias www.mis-office.tk
ServerAlias mail.mis-office.tk
ServerAlias webmail.mis-office.tk
ServerAlias admin.mis-office.tk
DocumentRoot /home/misofffice/public_html
ErrorLog /var/log/virtualmin/mis-office.tk_error_log
CustomLog /var/log/virtualmin/mis-office.tk_access_log combined
ScriptAlias /cgi-bin/ /home/misofffice/cgi-bin/
ScriptAlias /awstats/ /home/misofffice/cgi-bin/
DirectoryIndex index.html index.htm index.php index.php4 index.php5
<Directory /home/misofffice/public_html>
Options -Indexes +IncludesNOEXEC +SymLinksIfOwnerMatch +ExecCGI
allow from all
AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
Require all granted
AddType application/x-httpd-php .php
AddHandler fcgid-script .php
AddHandler fcgid-script .php7.3
FCGIWrapper /home/misofffice/fcgi-bin/php7.3.fcgi .php
FCGIWrapper /home/misofffice/fcgi-bin/php7.3.fcgi .php7.3
</Directory>
<Directory /home/misofffice/cgi-bin>
allow from all
AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
Require all granted
</Directory>
# Force HTTPS for everything except the ACME challenge path
RewriteEngine On
RewriteCond %{REQUEST_URI} !^/.well-known/acme-challenge [NC]
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
# Virtualmin's webmail/admin aliases redirect to Usermin and Webmin
RewriteCond %{HTTP_HOST} =webmail.mis-office.tk
RewriteRule ^(.*) https://mis-office.tk:20000/ [R]
RewriteCond %{HTTP_HOST} =admin.mis-office.tk
RewriteRule ^(.*) https://mis-office.tk:10000/ [R]
RemoveHandler .php
RemoveHandler .php7.3
FcgidMaxRequestLen 1073741824
# awstats basic-auth block (its enclosing container did not survive the forum paste)
AuthName "mis-office.tk statistics"
AuthType Basic
AuthUserFile /home/misofffice/.awstats-htpasswd
require valid-user
</VirtualHost>

<VirtualHost 192.168.0.160:443>
SuexecUserGroup "#1001" "#1001"
ServerName mis-office.tk
ServerAlias www.mis-office.tk
ServerAlias mail.mis-office.tk
ServerAlias webmail.mis-office.tk
ServerAlias admin.mis-office.tk
DocumentRoot /home/misofffice/public_html
ErrorLog /var/log/virtualmin/mis-office.tk_error_log
CustomLog /var/log/virtualmin/mis-office.tk_access_log combined
ScriptAlias /cgi-bin/ /home/misofffice/cgi-bin/
ScriptAlias /awstats/ /home/misofffice/cgi-bin/
DirectoryIndex index.html index.htm index.php index.php4 index.php5
<Directory /home/misofffice/public_html>
Options -Indexes +IncludesNOEXEC +SymLinksIfOwnerMatch +ExecCGI
allow from all
AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
Require all granted
AddType application/x-httpd-php .php
AddHandler fcgid-script .php
AddHandler fcgid-script .php7.3
FCGIWrapper /home/misofffice/fcgi-bin/php7.3.fcgi .php
FCGIWrapper /home/misofffice/fcgi-bin/php7.3.fcgi .php7.3
</Directory>
<Directory /home/misofffice/cgi-bin>
allow from all
AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
Require all granted
</Directory>
RewriteEngine on
RewriteCond %{REQUEST_URI} !^/.well-known/acme-challenge [NC]
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
RewriteCond %{HTTP_HOST} =webmail.mis-office.tk
RewriteRule ^(.*) https://mis-office.tk:20000/ [R]
RewriteCond %{HTTP_HOST} =admin.mis-office.tk
RewriteRule ^(.*) https://mis-office.tk:10000/ [R]
RemoveHandler .php
RemoveHandler .php7.3
FcgidMaxRequestLen 1073741824
SSLEngine on
SSLCertificateFile /home/misofffice/ssl.cert
SSLCertificateKeyFile /home/misofffice/ssl.key
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
# awstats basic-auth block (its enclosing container did not survive the forum paste)
AuthName "mis-office.tk statistics"
AuthType Basic
AuthUserFile /home/misofffice/.awstats-htpasswd
require valid-user
</VirtualHost>
```

This is the error I got:

Requesting a certificate for mis-office.tk, www.mis-office.tk, mail.mis-office.tk from Let’s Encrypt …
… request failed : Web-based validation failed : Failed to request certificate :

```
Traceback (most recent call last):
  File "/usr/share/webmin/webmin/acme_tiny.py", line 198, in <module>
    main(sys.argv[1:])
  File "/usr/share/webmin/webmin/acme_tiny.py", line 194, in main
    signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca, disable_check=args.disable_check, directory_url=args.directory_url, contact=args.contact)
  File "/usr/share/webmin/webmin/acme_tiny.py", line 112, in get_crt
    account, code, acct_headers = _send_signed_request(directory['newAccount'], reg_payload, "Error registering")
  File "/usr/share/webmin/webmin/acme_tiny.py", line 52, in _send_signed_request
    new_nonce = _do_request(directory['newNonce'])[2]['Replay-Nonce']
  File "/usr/share/webmin/webmin/acme_tiny.py", line 46, in _do_request
    raise ValueError("{0}:\nUrl: {1}\nData: {2}\nResponse Code: {3}\nResponse: {4}".format(err_msg, url, data, code, resp_data))
ValueError: Error:
Url: https://acme-v02.api.letsencrypt.org/acme/new-nonce
Data: None
Response Code: None
Response: <urlopen error [Errno 104] Connection reset by peer>
```

Make sure the folder .well-known exists inside the public_html folder of that domain.
Inside the .well-known folder, there should be an acme-challenge subfolder.
If they aren't there, create them.

That error you posted could be one of two things: it's a network issue, which doesn't have anything to do directly with your settings but with rate-limited access to the Let's Encrypt system.

Some users reported that installing certbot on the system fixes that issue.

So you might try both (for the first one, the network issue, that means you need to wait some time and then retry).

Did I write the code correctly and in the right place?

After creating the .well-known folder and the acme-challenge subfolder:

Request Certificate
In domain mis-office.tk

Requesting a certificate for mis-office.tk, www.mis-office.tk, mail.mis-office.tk from Let’s Encrypt …
… request failed : Web-based validation failed : Failed to request certificate :

```
Traceback (most recent call last):
  File "/usr/share/webmin/webmin/acme_tiny.py", line 198, in <module>
    main(sys.argv[1:])
  File "/usr/share/webmin/webmin/acme_tiny.py", line 194, in main
    signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca, disable_check=args.disable_check, directory_url=args.directory_url, contact=args.contact)
  File "/usr/share/webmin/webmin/acme_tiny.py", line 143, in get_crt
    raise ValueError("Wrote file to {0}, but couldn't download {1}: {2}".format(wellknown_path, wellknown_url, e))
ValueError: Wrote file to /home/misofffice/public_html/.well-known/acme-challenge/tf27EMePcTBchS-HmghI6gjD2LvilxZeC6Jrh1Up60E, but couldn't download http://mail.mis-office.tk/.well-known/acme-challenge/tf27EMePcTBchS-HmghI6gjD2LvilxZeC6Jrh1Up60E:
```

Good, that means it's going in the right direction.
Btw, did you restart the Apache service after editing those files?

Yes, I restarted the Apache web server after editing…

The error is also the same as in my first post here.

Which subdomain do you use for the FQDN?
You could try to exclude the mail subdomain from the certificate (if you don't use that function).

I enabled the mail features for future purposes, because if everything works fine we will use Virtualmin for hosting. Do I need to exclude mail.mis-office.tk from the cert request?

Not directly, but that domain isn't reachable, which means it's either not properly configured or not configured at all.
That's why I said you could try that.
The mail domain has nothing to do with the mail function itself. If I recall correctly, it's used for autodiscover, etc.

Ok, I will exclude it from the cert request. Maybe I'll open another topic on mail configuration with Outlook.

Requesting a certificate for mis-office.tk, www.mis-office.tk from Let’s Encrypt …
… request was successful!

Configuring webserver to use new certificate and key …
… done

Applying web server configuration …
… done

Great, glad it works now. You might mark the answer you think is useful for other people as the solution to the problem.

Can I ask more about enforce SSL mode?
Does it redirect http to https when I access my domain?

Of course, feel free to do that. I don't expect further problems to reoccur.
You can either do that via the redirect function in the panel or do it via the vhost or .htaccess.

You can click on the padlock in the address bar. It will tell you more information.
Depending on your browser, it's either green or gray. Some won't highlight encryption at all; if it's one of those, then yes, it's secure.
Some browsers show red padlocks or a padlock marked with a cross or slash, meaning it's not secure.

In your case it seems to already redirect to https.
You can either leave it like that or still enforce it via .htaccess, vhost settings, or the redirect function in Virtualmin.
I always do it via the vhost or .htaccess, but that's just because I'm used to that.
If you want to do it via .htaccess, create one inside the public_html folder and fill it with this content:

```apache
RewriteEngine on
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
```
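The two failures in this thread (the forced-SSL redirect catching the challenge URL, and mail.mis-office.tk not being reachable over HTTP at all) can both be caught before clicking "Request Certificate". The script below is an added example, not part of the thread or of Virtualmin: it writes a throwaway token into `.well-known/acme-challenge/` under the document root, fetches it over plain HTTP for every hostname that will go on the certificate, and reports per host whether the path is served directly, redirected to HTTPS (the redirect exclusion is missing), or unreachable (DNS or vhost problem, as with the mail subdomain). `DOCROOT`, `HOSTS` and the token name are placeholders to adjust; it assumes curl is installed and that it runs on the web server as a user that can write to the document root.

```shell
#!/bin/sh
# ACME HTTP-01 pre-flight check (added example, not from the thread or Virtualmin).
# Adjust these two placeholders (or export them) before running.
DOCROOT="${DOCROOT:-/home/example/public_html}"
HOSTS="${HOSTS:-example.com www.example.com mail.example.com}"

# classify_probe CODE REDIRECT_URL
# CODE is curl's %{http_code} (000 when no connection could be made);
# REDIRECT_URL is curl's %{redirect_url} (empty unless the answer was a 3xx).
# Prints one of: ok | redirect-to-https | redirect-other | unreachable | error
classify_probe() {
  code="$1"
  redirect="$2"
  case "$code" in
    200) echo ok ;;
    000) echo unreachable ;;
    301|302|307|308)
      case "$redirect" in
        https://*) echo redirect-to-https ;;   # forced-SSL rule is catching the challenge
        *)         echo redirect-other ;;
      esac ;;
    *) echo error ;;
  esac
}

# probe_host HOST TOKEN -> prints "HOST verdict"
# No -L: the validator's first hop is what matters, so redirects must stay visible.
probe_host() {
  host="$1"
  token="$2"
  result=$(curl -s -o /dev/null --max-time 10 \
    -w '%{http_code} %{redirect_url}' \
    "http://$host/.well-known/acme-challenge/$token" || true)
  code=${result%% *}
  redirect=${result#* }
  [ "$redirect" = "$result" ] && redirect=""
  echo "$host $(classify_probe "$code" "$redirect")"
}

# preflight -> creates the challenge directory if needed, probes every host,
# removes the token again; returns 0 only if every host answered "ok".
preflight() {
  dir="$DOCROOT/.well-known/acme-challenge"
  mkdir -p "$dir"
  token="preflight-$$"          # throwaway token name, not a real ACME token
  printf 'preflight\n' > "$dir/$token"
  status=0
  for h in $HOSTS; do
    line=$(probe_host "$h" "$token")
    echo "$line"
    case "$line" in
      *" ok") ;;
      *) status=1 ;;
    esac
  done
  rm -f "$dir/$token"
  return $status
}

# Usage: sh acme_preflight.sh run   (functions only are defined when sourced)
if [ "${1:-}" = "run" ]; then
  preflight
fi
```

Any host that does not come back as `ok` will fail Web-based validation in Virtualmin for the same reason the thread shows: `redirect-to-https` means the `RewriteCond %{REQUEST_URI} !^/.well-known/acme-challenge` exclusion is missing from the vhost that is actually in use, and `unreachable` means the name either does not resolve to this server or no port-80 vhost answers for it, so it should be fixed or dropped from the certificate's domain list, as was done with mail.mis-office.tk here.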