Let's Encrypt won't follow redirect to URL with port 10000

I don’t see what that link has to do with my issue, especially as I don’t manage mail with Virtualmin.

Ok, so you are certain that you have not changed directives. Also the SSL application has worked in the past.

This is most puzzling…

Well, yes, actually, I have changed directives, as detailed in my last ticket. That got me part way to the resolution of the issue, but created a new problem that is the subject of this ticket.

SSL still works, but the certificate has expired, and the issue is that I cannot renew it.

Yes, I am most puzzled too!

The following sequence of events could explain your present situation:

  1. you applied for / renewed SSL certs with default directives in place. This operation was successful.

  2. you edited the directives; everything appeared to be working normally at that time.

  3. automatic SSL renewal fails due to edited directives that you have applied.

Not quite. They went in the order 1, 3, 2. I only edited the directives because the automatic renewal failed.

Hmmm. With reference to your comment from the other thread which I have quoted below, in System Settings → Server Templates → Apache website could you set URL for admin redirect to use domain name. The custom URL you have applied there could be the cause of all your troubles.

But that is the default, as far as I recall. Anything else I apply there would be custom.

It does occur to me that I can change the URL there to https://admin.example.com/ (without the port number) and then I can probably renew the certificate and then change it back, but that goes against all common sense.

I meant, in System Settings -> Server Templates -> Apache website could you set URL for admin redirect to the radio button captioned “use domain name”. Since you currently have https://admin.example.COM:10000/ in the text box, you have overridden the default URL with this custom URL.

Again, the default URL is https://example.COM:10000 and the custom URL which you are forcing Virtualmin to use is https://admin.example.COM:10000 and this is what I think is causing all your problems.

OK, I see what you mean. I tried that and tried renewing the certificate, but that didn’t change the error. However, I’m not sure that changing the template changed the configuration of the domain.

I’ll change the Apache directive that needs to be changed and see if that helps.

Yes, the directive as well as the server template must be set to their original default values for SSL renewals to work normally.

So you’re saying that if the domain is example.com, I have to change this directive at Virtualmin -> EXAMPLE.COM -> Services -> Configure Website -> Edit Directives (and Virtualmin -> EXAMPLE.COM -> Services -> Configure SSL Website -> Edit Directives) from this:

RewriteCond %{HTTP_HOST} =admin.example.com
RewriteRule ^(.*) https://admin.example.com:10000/ [R]

… to this:

RewriteCond %{HTTP_HOST} =admin.example.com
RewriteRule ^(.*) https://example.com:10000/ [R]

Is that right? And I must leave the port number in?

Or should I just take them out?

OK, still get the same error referring to LE not being able to follow links to URLs with ports other than 80 or 443.

So I did the next logical thing, took the 10000 port off the RewriteRule. Now I get a slightly different error, but the attempt still fails.

Oh, and I did restart Apache in between each attempt.

If @Joe or @Ilia don’t chime in here tomorrow I’m going to report this as a bug in the Pro forum. Either my statement at the end of the OP here is correct, or I’m missing some information required to complete what should be a very straightforward operation.

I’m getting this exact same error today on one of the LE SSL renewals. All other domains are renewing correctly and at this time only one does this same thing… Same error with the same ports?

Okay, this was an easy fix. I had two subdomains in the list that were causing the renewal process to bomb out due to missing DNS entries. Fixed and all good.

i.e. DNS entries were in place for

DOMAINNAME.com and WWW.DOMAINNAME.COM

but not for:

ADMIN.DOMAINNAME.com or WEBMAIL.DOMAINNAME.com

and this was causing the auto-renewal to error out. I realize that I initially had DNS entries for all of these, but had removed ADMIN and WEBMAIL from my DNS entries on this specific virtual sub-server (AKA TLD name).

I think it’s the reference to the :10000 and :20000 ports that makes this seem more than it really is, at least that was the case for my issue. Your mileage and experience(s) may vary.

Hope the elaboration helps the next guy.

Thanks. I always appreciate it when people post the resolutions.

Richard

Well, that’s a solution to the problem of someone who didn’t RTFM. There is still no solution to the original post.

When I have time I’ll do a new installation of Virtualmin and see what happens in the default installation. Then escalate it if what looks like a bug to me isn’t resolved.

It’s new in 6.10 that Virtualmin even tries to get a cert for the admin alias. It’s not strictly necessary, but the lack of it leads to a weird situation where you have to start on http and then the redirect takes you to https. That’s a hard habit to break.

It may be that the feature is half-baked in some cases. I haven’t spent much time looking at it. This thread is way too long and convoluted for me to try to follow it, but from the initial question, I think you’re just seeing an oversight in this new feature…or maybe a bug in the feature trying to work for existing domains, I’m not sure. What needs to happen is the redirect has to be bypassed for the .well-known URL. The redirect shouldn’t be involved at all.

I’ll try to test this and raise any problems to Jamie’s attention ASAP. If it’s reproducible with simple steps, feel free to open a ticket in https://github.com/virtualmin/virtualmin-gpl/issues
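One way to express the bypass Joe describes in the domain's Apache directives, as an added example and not Virtualmin's own generated configuration; it reuses the admin.example.com hostname and :10000 redirect quoted earlier in the thread:

```apache
# Added example (not Virtualmin's generated directives).
# Goal: keep the admin-alias redirect, but never redirect the ACME HTTP-01
# validation path, so Let's Encrypt only ever sees the plain port-80 answer.
RewriteEngine On

# Serve challenge files straight from the document root and stop rule
# processing here ([L]); the "-" target means "no substitution".
RewriteRule ^/\.well-known/acme-challenge/ - [L]

# Only requests that were not stopped above reach the admin redirect.
RewriteCond %{HTTP_HOST} =admin.example.com
RewriteRule ^(.*) https://admin.example.com:10000/ [R]
```

The passthrough rule must come before the redirect, and the same ordering applies in the SSL vhost; run a config test and reload Apache after editing.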

Thanks @Joe. Would appreciate your looking into it. I’ll make a point of getting to this Thursday my time and provide some feedback based on my trying to do this with a fresh installation.

Perhaps you’ll retract this post after reading Joe’s reply. I may NOT have had these DNS entries as I thought, but nonetheless I figured it out and solved the LE cert renewal issue.