Letsencrypt issue with .dev subdomain (server hostname)

Hi everyone!

I’m having a weird issue with a certificate renewal on one of my .dev sub-domains. The issue only appeared now; before this it was renewing without any problems.

I have multiple virtual hosts and domains on my virtualmin/webmin instance, and only one of them is having issues: a sub-domain of a .dev domain, which is also my server hostname.

As you can see in the picture, phoenix.xxxxxrte.dev is the sub-domain I’m talking about.

This sub-domain has an A record; this was already changed while I was troubleshooting, since it had a CNAME before.

When I try to renew my letsencrypt certificate this is what I get:

Traceback (most recent call last):
  File "/usr/libexec/webmin/webmin/acme_tiny.py", line 198, in <module>
    main(sys.argv[1:])
  File "/usr/libexec/webmin/webmin/acme_tiny.py", line 194, in main
    signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca, disable_check=args.disable_check, directory_url=args.directory_url, contact=args.contact)
  File "/usr/libexec/webmin/webmin/acme_tiny.py", line 143, in get_crt
    raise ValueError("Wrote file to {0}, but couldn't download {1}: {2}".format(wellknown_path, wellknown_url, e))
ValueError: Wrote file to /home/xxxxxxxrte/domains/phoenix.xxxxxxxrte.dev/public_html/.well-known/acme-challenge/KIcJO5p-m2m_NF3sq_rFYBuI6ykszrLxXHslTcTUAug, but couldn't download http://phoenix.xxxxxxxrte.dev/.well-known/acme-challenge/KIcJO5p-m2m_NF3sq_rFYBuI6ykszrLxXHslTcTUAug: Error:
Url: http://phoenix.xxxxxxxrte.dev/.well-known/acme-challenge/KIcJO5p-m2m_NF3sq_rFYBuI6ykszrLxXHslTcTUAug
Data: None
Response Code: 404
Response: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /.well-known/acme-challenge/KIcJO5p-m2m_NF3sq_rFYBuI6ykszrLxXHslTcTUAug was not found on this server.</p>
</body></html>

Initially I couldn’t open that URL, since the .well-known/acme-challenge folders were not being created; I had to create them myself. After that I was able to open it, but of course when using a browser it redirects me to https (HSTS from the .dev domain).

Using curl I get:
curl -kIL http://phoenix.xxxxxxxrte.dev/.well-known/acme-challenge/KIcJO5p-m2m_NF3sq_rFYBuI6ykszrLxXHslTcTUAug
HTTP/1.1 200 OK
Date: Sun, 21 Jun 2020 12:38:27 GMT
Server: Apache/2.4.6
Last-Modified: Sun, 21 Jun 2020 12:33:49 GMT
ETag: "57-5a897568f1cd9"
Accept-Ranges: bytes
Content-Length: 87

Finally, on my httpd.conf I have:
RedirectMatch ^/(?!\.well-known)(.*)$ "https://phoenix.xxxxxxxrte.dev/$1"

These are the exact settings I have configured for my main xxxxxxrte.dev domain, and I’m able to get a certificate there…

Any ideas you guys have to help me out? :no_mouth:

Thank you!

To add, another thing I don’t understand is which package is being used for the letsencrypt renewal. Certbot is not installed and I have no /etc/letsencrypt directory.
The server is running on CentOS 7.8.
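Added example (not from the original post, and not code from Virtualmin or acme_tiny): a small Python self-check that does what the traceback above shows acme_tiny doing before it submits the challenge to the CA. It writes a token file under .well-known/acme-challenge/ (creating the directories), then fetches it over plain HTTP without following redirects, which is how the CA fetches it. A throwaway local HTTP server stands in for the Apache vhost, with the post's RedirectMatch rule modelled as a regex (dot escaped so it matches a literal period) next to a blanket redirect that has no .well-known exemption, and a mode that serves a different directory from the one the file was written to, which reproduces the 404 in the post. Hostnames, ports, the token and the key-authorization string are all constructed for this example; a real key authorization is token.<JWK thumbprint>.

```python
import http.client
import http.server
import os
import re
import secrets
import socketserver
import tempfile
import threading
from functools import partial

# The RedirectMatch from the post, dot escaped: everything except /.well-known/... goes to https.
WELL_KNOWN_EXEMPT = re.compile(r"^/(?!\.well-known)(.*)$")
# A blanket redirect with no exemption: the broken setting this check is meant to catch.
NAIVE_REDIRECT = re.compile(r"^/(.*)$")


def write_challenge(docroot, token, key_authorization):
    """Create <docroot>/.well-known/acme-challenge/<token>, making the directories
    if needed (the original post had to create them by hand); return the file path."""
    challenge_dir = os.path.join(docroot, ".well-known", "acme-challenge")
    os.makedirs(challenge_dir, exist_ok=True)
    path = os.path.join(challenge_dir, token)
    with open(path, "w") as fh:
        fh.write(key_authorization)
    return path


class VhostHandler(http.server.SimpleHTTPRequestHandler):
    """Stand-in for the Apache vhost: applies redirect_re before serving files."""
    redirect_re = None

    def do_GET(self):
        if self.redirect_re is not None and self.redirect_re.match(self.path):
            self.send_response(301)
            self.send_header("Location", "https://" + self.headers.get("Host", "") + self.path)
            self.end_headers()
            return
        super().do_GET()

    def log_message(self, *args):  # keep the example quiet
        pass


def serve_docroot(docroot, redirect_re=None):
    """Serve docroot on an ephemeral 127.0.0.1 port in a background thread."""
    handler = type("Handler", (VhostHandler,), {"redirect_re": redirect_re})
    server = socketserver.TCPServer(("127.0.0.1", 0), partial(handler, directory=docroot))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def fetch_challenge(host, port, token, expected):
    """GET the challenge over plain HTTP without following redirects, as the CA does.
    Returns 'ok', 'mismatch', 'redirect:<Location>' or 'status:<code>'."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("GET", f"/.well-known/acme-challenge/{token}")
        resp = conn.getresponse()
        body = resp.read()
    finally:
        conn.close()
    if resp.status in (301, 302, 307, 308):
        return f"redirect:{resp.getheader('Location')}"
    if resp.status != 200:
        return f"status:{resp.status}"
    return "ok" if body.decode() == expected else "mismatch"


def run_check(redirect_re=WELL_KNOWN_EXEMPT, wrong_docroot=False):
    """End to end: write a token, serve it, fetch it, return the verdict string.
    wrong_docroot=True serves a different directory from the one written to,
    which is the 404 failure mode seen in the post."""
    with tempfile.TemporaryDirectory() as docroot:
        token = secrets.token_urlsafe(32)
        key_auth = token + ".constructed-thumbprint"  # constructed; real value is token.<JWK thumbprint>
        write_challenge(docroot, token, key_auth)
        served = docroot
        if wrong_docroot:
            served = os.path.join(docroot, "other-vhost")
            os.makedirs(served)
        server = serve_docroot(served, redirect_re)
        try:
            host, port = server.server_address
            return fetch_challenge(host, port, token, key_auth)
        finally:
            server.shutdown()
            server.server_close()


if __name__ == "__main__":
    print("well-known exempt :", run_check())
    print("blanket redirect  :", run_check(redirect_re=NAIVE_REDIRECT))
    print("wrong docroot     :", run_check(wrong_docroot=True))
```

The three verdicts map onto the three things that went wrong in the thread: "status:404" means the vhost answering on port 80 is not serving the directory the token was written to, "redirect:https://..." means the http to https redirect is swallowing the challenge (a browser hides this because it follows the redirect and HSTS on .dev forces https anyway), and "ok" means the plain-HTTP fetch the CA performs would succeed. To run it against a real host rather than the local stand-in, call write_challenge on the vhost's real public_html and fetch_challenge with the real hostname and port 80.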

Hi,

Try installing the certbot package; it will solve your issue.

Hi Ilia,

Thanks for this, it did fix it! And it does make some sense… lol
My question for you is: why would the certbot package “disappear” from my system?
And why did the other renewals work? Was it because it wasn’t 2 months yet, so they wouldn’t use certbot?

I hope you can clarify this for me so I can understand it and avoid it in the future.

Cheers

How would I know? :slight_smile:

> And why did the other renewals work? Was it because it wasn’t 2 months yet, so they wouldn’t use certbot?

I really don’t know, and I wouldn’t want to comment on anything inexact. The questions you ask are best put to the person managing the actual server.
