Let's Encrypt SSL fails on redirected site

OS type and version Debian 10
Virtualmin version 7.5

I set up a site to redirect its shorter domain name to another site using the full longer domain name. I set up Let’s Encrypt on it. I then set up an .htaccess file to redirect the site with the shorter name to the site with the longer name.

This works fine on my servers that use other control panels.

Let’s Encrypt failed to renew the certificate. The errors generated indicate that DNS was incorrect. It wasn’t. It appears that Let’s Encrypt in Virtualmin doesn’t “know” that it should ignore the .htaccess file in the case of writing the Let’s Encrypt as other control panels appear to.

Any suggestions on how to work around this?

Has this been reported as an issue? Can a fix be implemented?

Thanks for any help!

You have to exclude the .well-known directory from any redirects, proxy rules, etc.

That’s not how it works. Your webserver must serve the Let’s Encrypt validation key from the filesystem where the ACME client puts it. Virtualmin isn’t involved in that request/response and can’t be (Virtualmin isn’t the web server answering those requests).

With web validation, the Let’s Encrypt client (usually certbot, but Webmin has an embedded one, too, that is less capable, if you’re on a very old OS that can’t run certbot) makes a request to the LE servers, which respond with a validation key, which is then placed by the Let’s Encrypt client into the .well-known directory in the public_html of the website. The LE validation system then requests that file, and if it finds it, it knows the requester of the cert owns the domain.

In short: Virtualmin can’t change that workflow. You have to allow .well-known to be served from the filesystem if you want a Let’s Encrypt certificate validated via web validation.

Edit: Also, when Virtualmin is responsible for the redirects or proxy rules, it will generally add the necessary exclusion for .well-known.

Thanks for this, Joe.

When you say “when Virtualmin is responsible for the redirects or proxy rules, it will generally add the necessary exclusion for .well-known” how do I make that happen?

I set the site up as a site of its own and manually added the .htaccess. Is there a better way to set the site up as a redirect so the .well-known access will be handled by Virtualmin properly? In other words, how do I make Virtualmin responsible for the redirects or proxy rules?

Thanks again,

Hi again,

I figured it out after stumbling across:
Server Configuration > Website Redirects

After setting up the redirect, I was able to then navigate to
Server Configuration > SSL Certificate
and set up Let’s Encrypt just fine.

Thanks again,