Let's Encrypt won't follow redirect to URL with port 10000

So in this ticket my initial problem was resolved:

However, now I get a different error when trying to renew an LE certificate at Webmin → Webmin → Webmin Configuration → SSL Encryption → Let’s Encrypt:

Traceback (most recent call last):
  File "/usr/libexec/webmin/webmin/acme_tiny.py", line 198, in <module>
  File "/usr/libexec/webmin/webmin/acme_tiny.py", line 194, in main
    signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca, disable_check=args.disable_check, directory_url=args.directory_url, contact=args.contact)
  File "/usr/libexec/webmin/webmin/acme_tiny.py", line 149, in get_crt
    raise ValueError("Challenge did not pass for {0}: {1}".format(domain, authorization))
ValueError: Challenge did not pass for admin.example.com: {u'status': u'invalid', u'challenges': [{u'status': u'invalid', u'validationRecord': [{u'url': u'http://admin.example.com/.well-known/acme-challenge/MvrJg05k2zhXXAo5iV3radsriHdnBItBRQ0fvO9OzPE', u'hostname': u'admin.example.com', u'addressUsed': u'2600:3c04::f03c:92ff:fed5:3db2', u'port': u'80', u'addressesResolved': [u'', u'2600:3c04::f03c:92ff:fed5:3db2']}], u'url': u'https://acme-v02.api.letsencrypt.org/acme/chall-v3/6174587154/NxZjuQ', u'token': u'MvrJg05k2zhXXAo5iV3radsriHdnBItBRQ0fvO9OzPE', u'error': {u'status': 400, u'type': u'urn:ietf:params:acme:error:connection', u'detail': u'Fetching https://admin.example.com:10000/: Invalid port in redirect target. Only ports 80 and 443 are supported, not 10000'}, u'type': u'http-01'}], u'identifier': {u'type': u'dns', u'value': u'admin.example.com'}, u'expires': u'2020-08-04T23:30:09Z'}

The “admin” sub-domain is correctly set at Virtualmin → EXAMPLE.COM → Services → Configure Website → Edit Directives to redirect traffic from http://admin.example.com/ to https://admin.example.com:10000/.

I don’t see how it can be possible to request an LE certificate if Virtualmin is configured correctly as in the last paragraph. Any suggestions?


My domain http://admin.toxi.gen.in redirects to https://toxi.gen.in:10000 by default. Virtualmin seeks from Let’s Encrypt the SSL certs for toxi.gen.in, www.toxi.gen.in and mail.toxi.gen.in by default. Everything works with default Virtualmin settings.

Well, as I just stated, the default settings don’t work for me. :man_shrugging: LE looks for the validation file at the URL with the 10000 point number, but the error message clearly states that it won’t follow a link to anything with a port number other than 80 or 443.

Ok: here is what I was attempting to point out - don’t seek a SSL cert for admin.example.com. Let it be accessed via http rather than https as it will redirect to https so it is ok.

OK, and how do you propose I do that?

Virtualmin → Server Configuration → SSL Certificate and under the Let’s Encrypt tab, request certificate for just the domains I have mentioned here

Oh OK, maybe you missed the part in the last ticket about where I’m trying to generate the certificate for the control panel, not for a hosted domain. That’s at Virtualmin -> example.NET -> Server Configuration -> Website Options.

Sorry, probably should have posted that in this OP too.

Sorry, got that path wrong. It’s Webmin -> Webmin -> Webmin Configuration -> SSL Encryption -> Let’s Encrypt.

Ok, noted. I don’t know about others but I do not use admin.example.com here. I do not apply for a SSL certificate for admin sub-domain. I leave it on http and then it always gets redirected to https on port 10000

In Virtualmin, any hosted domain can be accessed on port 10000 to lead to the Control Panel / Virtualmin GUI.

Yes, a request for http://admin.example.com gets redirected to httpS://admin.example.com:10000, but the problem is that port number. The LE request process needs to read the validation file from http://admin.example.com/validation-file, not https://admin.example.com:10000/validation-file.

As for your last post about any hosted domain on port 10000 leading to the control panel log-in page, that’s not what LE wants, obviously. It only cares about the validation file.

This is important: on all my systems a request for http://admin.example.com gets redirected to httpS://example.com:10000

Yes, exactly. And that’s the problem! :slight_smile:

So you need to solve this problem: do something to get http://admin.example.com redirected to httpS://example.com:10000 instead of applying for a SSL cert for httpS://admin.example.com:10000

Addendum: See this

Thanks for your suggestion, but that doesn’t make any sense. That redirection is what is happening now and that is the problem. And certificates are issued for domains, not for domain with port numbers. I’m not trying to get a certificate for a domain with a port number.

Also, this is a renewal, not an initial certificate, so I don’t know what changed in Virtualmin since three months ago.

I don’t see what that link has to do with my issue, especially as I don’t manage mail with Virtualmin.

Ok, so you are certain that you have not changed directives. Also the SSL application has worked in the past.

This is most puzzling…

Well, yes, actually, I have changed directives, as detailed in my last ticket. That got me part way to the resolution of the issue, but created a new problem that is the subject of this ticket.

SSL still works, but the certificate has expired, and the issue is that I cannot renew it.

Yes, I am most puzzled too!

The following sequence of events could explain your present situation:

  1. you applied for / renewed SSL certs with default directives in place. This operation was successful.

  2. you edited the directives; everything appeared to be working normally at that time.

  3. automatic SSL renewal fails due to edited directives that you have applied.

Not quite. They went in the order 1, 3, 2. I only edited the directives because the automatic renewal failed.