Let's Encrypt suddenly unable to renew certificates

shillongserver · August 18, 2020, 1:06pm

I got a notice in the dashboard earlier today informing me that SSL certificates for a domain name and a subdomain of the same domain name has expired. When I go to the Let’s Encrypt tab in the SSL certificate page and try to renew/create new certifcates, I get the following error:

Requesting a certificate for example.com, www.example.com from Let’s Encrypt …

.. request failed : Web-based validation failed : Failed to request certificate :
Traceback (most recent call last):
  File "/usr/share/webmin/webmin/acme_tiny.py", line 198, in <module>
    main(sys.argv[1:])
  File "/usr/share/webmin/webmin/acme_tiny.py", line 194, in main
    signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca, disable_check=args.disable_check, directory_url=args.directory_url, contact=args.contact)
  File "/usr/share/webmin/webmin/acme_tiny.py", line 149, in get_crt
    raise ValueError("Challenge did not pass for {0}: {1}".format(domain, authorization))
ValueError: Challenge did not pass for example.com: {'identifier': {'type': 'dns', 'value': 'shillongserver.com'}, 'status': 'invalid', 'expires': '2020-08-24T21:19:06Z', 'challenges': [{'type': 'http-01', 'status': 'invalid', 'error': {'type': 'urn:ietf:params:acme:error:unauthorized', 'detail': 'Invalid response from http://example.com/.well-known/acme-challenge/rYnQf2i5FB6jMXPH0kb4UzkCn2nyVgkx_8H2T0QleIA [2602:fe90:300:1a2::f5e:f17d]: "<!DOCTYPE HTML PUBLIC \\"-//IETF//DTD HTML 2.0//EN\\">\\n<html><head>\\n<title>404 Not Found</title>\\n</head><body>\\n<h1>Not Found</h1>\\n<p"', 'status': 403}, 'url': 'https://acme-v02.api.letsencrypt.org/acme/chall-v3/6602519563/2bw1Tg', 'token': 'rYnQf2i5FB6jMXPH0kb4UzkCn2nyVgkx_8H2T0QleIA', 'validationRecord': [{'url': 'http://example.com/.well-known/acme-challenge/rYnQf2i5FB6jMXPH0kb4UzkCn2nyVgkx_8H2T0QleIA', 'hostname': 'example.com', 'port': '80', 'addressesResolved': ['123.456.789.10', '1234:ab56:789:1b7::f7a:f29e'], 'addressUsed': '2602:fe90:300:1a2::f5e:f17d'}]}]}

DNS-based validation failed : Only the offical Let’s Encrypt client supports DNS-based validation

The auto-renewal was working fine this whole time so I’m not sure what could be causing this. The only changes I made to virtualmin was adding DKIM to all my virtualservers a few months back.

Also, not sure if it matters or not but the subdomain is the FQDN of the server and for some weird reason, both the domain (example.com) and the subdomain (someHostName.example.com) redirects to the ubuntu page instead of their public_html directory.

calport · August 18, 2020, 1:28pm

You have put your finger on it, @shillongserver. You need to fix this before Let’s Encrypt is able to renew certificates again.

shillongserver · August 18, 2020, 1:51pm

@calport Hello, can I know what changes should I make to fix this? They both have a .conf file in the sites-available and sites-enabled directories and most of the settings for the virtual servers of the domain and subdomain are similar to the other virtual servers.

calport · August 18, 2020, 3:18pm

As you have elected to obfuscate the domain name and have not shared any of your config files, the only broad-based observation which I am able to make is that you must find the incorrect reference to /var/www and change it to /home/user in the config file for the concerned domain.

shillongserver · August 18, 2020, 3:36pm

@calport The DocumentRoot in the conf file (inside sites-available) of the domain are already set to /home/serverName/public_html. Is there somewhere else I need to check for the path?

And which conf files would you want to see? I will paste the content here.

Regards

shillongserver · August 18, 2020, 3:39pm

@calport Also, in the Virtualmin dashboard, if I select the particular domain or the subdomain, the “Preview Website” option takes me to the correct public_html folder and loads the test index.html that I kept there so I think (but not sure though) that virtualmin is configured to use the home directory but there must be some other configuration setting that is messing it up instead.

shillongserver · August 18, 2020, 9:23pm

@calport The SSL certificate expired just now since it was valid only till August 18 and now the virtualmin dashboard only shows the left sidebar and trying to open anything returns the following error:

Connection Lost
"Can’t establish a connection to the server at abc.example.com:10000

What should I do?

system · September 17, 2020, 9:23pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.