Do MYXXXXDOMAIN.com and www.MYXXXXDOMAIN.com both resolve properly? Try pinging each and make sure they go to the correct IP address. Then try visiting each in a browser. Do they get to the correct site? If either of these things fail, you need to fix them.
When visiting each in a browser, www.MYXXXXDOMAIN.com redirects to https://MYXXXXDOMAIN.com as expected. However, the results fail in the browser because the browser does not like the fact that the SSL cert is expired.
Would removing SSL from the domain, restarting Virtualmin, testing access to the domain, and then (on success) re-adding SSL and attempting to request a certificate work?
Well, that didn’t work. Different error this time:
Requesting a certificate for MYXXXXDOMAIN.com, www.MYXXXXDOMAIN.com from Let’s Encrypt …
… request failed : Web-based validation failed : Failed to request certificate : MYXXXXDOMAIN.com challenge did not pass: Fetching https://MYXXXXDOMAIN.com/acme-challenge/A7p_chcczOaNPLpfydIZ3IX-KVLD7izBYhUpi7fYWQY: Error getting validation data
DNS-based validation failed : Failed to request certificate :
Undefined subroutine &main::get_bind_zone_for_domain called at /usr/libexec/webmin/webmin/letsencrypt-dns.pl line 24. MYXXXXDOMAIN.com challenge did not pass: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.MYXXXXDOMAIN.com
What domains do you have listed in the “Request certificate for” box on the LE page? Are you using the default “Domains associated with this server” or “Domain names listed here”? Whatever you have listed in there MUST have working DNS and website for LE to be able to do its thing. If you’ve got odd names like listed above, use the “Domain names listed here” option and put each name in there you need.
This second error indicates it fell back to the DNS method of validating your certificate because the website validation method didn’t work.
Something is weird about the web-based validation. It should be going to .well-known/acme-challenge/blahblahblah but there is no .well-known in that path. Do you have some redirects in place for that domain? Make sure you can browse to the .well-known directory on all of the domains you’re requesting a certificate for. It shouldn’t matter that the cert is expired. That’s a red herring; what matters is that it can be reached at all, which this error indicates it cannot.
When viewing Virtualmin -> selected domain -> Server Configuration -> Website Redirects I see two in the list:
URL path            Type             Destination
/(?!.well-known)    Redirect to URL  https://MYXXXXDOMAIN.com/$1
^/(?!.well-known)   Redirect to URL  https://MYXXXXDOMAIN.com/$1
Not sure why there are two. Checking some of the other domains on the same server I only see one redirect for them, the second one above.
noisemarine,
In the “Request certificate for” box on the LE page, it is set to “Domains associated with this server”. There are two domains listed: MYXXXXDOMAIN.com www.MYXXXXDOMAIN.com
I can ping both domains and they resolve to the correct IP address. So that would imply the DNS is good.
Matth,
Ping works and no DNS changes in 6 months. I do see a .well-known folder in the public_html directory, which is the root of the website for this domain. User and owner are set to the owner of the virtual server and the rights are 755.
On my side here is how it works: RedirectMatch ^/(?!.well-known)(.*)$ https://a.mydomain.com/$1
With this redirect you can request a certificate with let’s encrypt and you’ll access the site only with https.
It’s effectively very important that Let’s Encrypt can access the .well-known folder with http to be able to perform the certificate enrollment.
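As an added illustration of the two points made above (Matth's note that the challenge must be fetchable under /.well-known/acme-challenge/, and the RedirectMatch rule with the (?!.well-known) lookahead), here is a small Python script that is not part of this thread or of Virtualmin. It emulates the quoted RedirectMatch regex on request paths so you can see which paths are exempted, and it can probe a live host's challenge URL over plain HTTP without following redirects, classifying the first answer the way the ACME validator would encounter it. The host name example.test and the token values are constructed placeholders.

```python
#!/usr/bin/env python3
"""Check whether an HTTP-01 challenge path survives a site's redirect rules."""
import re
import sys
import urllib.error
import urllib.request
from urllib.parse import urlsplit

# Same regex as the RedirectMatch rule quoted in the thread. The negative
# lookahead (?!.well-known) keeps /.well-known/... off the HTTPS redirect so
# the ACME validator can fetch the challenge file over plain HTTP.
REDIRECT_RE = re.compile(r"^/(?!.well-known)(.*)$")
HTTPS_BASE = "https://example.test"  # constructed placeholder, not a real site

ACME_PREFIX = "/.well-known/acme-challenge/"


def redirect_target(path):
    """Emulate RedirectMatch: return the URL a request path is sent to,
    or None when the lookahead exempts the path from the redirect."""
    m = REDIRECT_RE.match(path)
    return None if m is None else HTTPS_BASE + "/" + m.group(1)


def classify(status, location):
    """Interpret the first response to a challenge fetch."""
    if 200 <= status < 300:
        return "ok"
    if 300 <= status < 400:
        if not location:
            return "redirect-without-location"
        if urlsplit(location).path.startswith(ACME_PREFIX):
            return "redirected-keeps-path"   # validator can follow this
        return "redirect-breaks-path"        # e.g. /acme-challenge/ with no .well-known
    if status == 404:
        return "not-found"
    return "error-%d" % status


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib raise HTTPError on 3xx instead of silently following it."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe(host, token, timeout=10):
    """Fetch http://host/.well-known/acme-challenge/token without following
    redirects and classify the answer (needs network access)."""
    url = "http://%s%s%s" % (host, ACME_PREFIX, token)
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return classify(resp.status, resp.headers.get("Location"))
    except urllib.error.HTTPError as e:
        return classify(e.code, e.headers.get("Location"))
    except urllib.error.URLError as e:
        return "unreachable: %s" % e.reason


if __name__ == "__main__":
    # Constructed sample paths showing what the redirect rule does to each.
    for p in ["/", "/index.html", ACME_PREFIX + "sampletoken"]:
        print("%-45s -> %s" % (p, redirect_target(p) or "(not redirected)"))
    if len(sys.argv) == 3:                # usage: script.py HOST TOKEN
        print(probe(sys.argv[1], sys.argv[2]))
```

Run it with no arguments to see the regex emulation; run it with a host and a token (use any filename you have placed under .well-known/acme-challenge/ on the server) to see what the first hop of an HTTP-01 fetch returns. A result of "redirect-breaks-path" corresponds to the symptom in the error above, where the fetched URL has lost its .well-known component.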