Letsencrypt renewal failed

SYSTEM INFORMATION
OS type and version: Debian Linux 10
Usermin version: 1.861

Hi,

When I try to update SSL via Webmin it does not work and gives me the following message for one of my websites (it works well for 4 others on the same server):

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for extra-ordinaire.com
http-01 challenge for www.extra-ordinaire.com
Using the webroot path /home/extra-ordinaire/public_html for all unmatched domains.
Waiting for verification...
Cleaning up challenges
An unexpected error occurred:
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 600, in urlopen
    chunked=chunked)
  File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 384, in _make_request
    six.raise_from(e, None)
  File "<string>", line 3, in raise_from
  File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 380, in _make_request
    httplib_response = conn.getresponse()
  File "/usr/lib/python3.7/http/client.py", line 1352, in getresponse
    response.begin()
  File "/usr/lib/python3.7/http/client.py", line 310, in begin
    version, status, reason = self._read_status()
  File "/usr/lib/python3.7/http/client.py", line 279, in _read_status
    raise RemoteDisconnected("Remote end closed connection without"
http.client.RemoteDisconnected: Remote end closed connection without response

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/requests/adapters.py", line 449, in send
    timeout=timeout
  File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 638, in urlopen
    _stacktrace=sys.exc_info()[2])
  File "/usr/lib/python3/dist-packages/urllib3/util/retry.py", line 367, in increment
    raise six.reraise(type(error), error, _stacktrace)
  File "/usr/lib/python3/dist-packages/six.py", line 692, in reraise
    raise value.with_traceback(tb)
  File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 600, in urlopen
    chunked=chunked)
  File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 384, in _make_request
    six.raise_from(e, None)
  File "<string>", line 3, in raise_from
  File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 380, in _make_request
    httplib_response = conn.getresponse()
  File "/usr/lib/python3.7/http/client.py", line 1352, in getresponse
    response.begin()
  File "/usr/lib/python3.7/http/client.py", line 310, in begin
    version, status, reason = self._read_status()
  File "/usr/lib/python3.7/http/client.py", line 279, in _read_status
    raise RemoteDisconnected("Remote end closed connection without"
urllib3.exceptions.ProtocolError: ('Connection aborted.', RemoteDisconnected('Remote end closed connection without response'))

During handling of the above exception, another exception occurred:

requests.exceptions.ConnectionError: ('Connection aborted.', RemoteDisconnected('Remote end closed connection without response'))
Please see the logfiles in /var/log/letsencrypt for more details.

What I found is that I have a redirection of the acme-challenge:

54.213.40.240 - - [16/May/2023:18:12:43 +0200] "GET /.well-known/acme-challenge/u1c0XLhZ8uIgd_Y6MFmfFnzqkEmOk_BHRsdvQ0Kr9V8 HTTP/1.1" 302 560 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"

(whereas for the other websites the “error code” is 200)
Where or what could I check?
(for information, it was working 3 months ago)

PS: sorry for my English

In my experience, when Let’s Encrypt fails, it’s many times because it cannot reach the challenge file. Most of the time because of some rewrite rules that are navigating it somewhere else.

You should request the certificate again and then see what url/file Let’s Encrypt is looking for. Then paste this in your browser and see if it can be reached. I believe the files are removed when the request fails, so you have to do it quick. Check the .well-known directory to see what is happening.

No need to do this, just create a testfile to check, see below.

You don’t need to do that.

Just create a file in /home/<domainname>/.well-known. That’s where Let’s Encrypt challenge files go, and if you can’t browse to files in that directory, you’d need to fix it.

The Let’s Encrypt challenge file disappears almost immediately, it’s not reasonable to try to fetch it.

Ah I agree, you are correct here, typical moment of me making things more complicated than it should :joy:

Just create a test file and see if you can reach it or that you are forwarded by some rewrite rules :+1:

Thanks all.

I created a folder home/<domainname>/.well-known and put a file inside: I can browse the file with no redirection (200).
I tried again and got the same error from the update.
I checked if the files were created: that was the case (I made a shell script):

# Watch the ACME challenge directory and report every file that is created or moved in
inotifywait -m /home/<domain>/public_html/.well-known/acme-challenge/ -e create -e moved_to |
    while read dir action file; do
        echo "The file '$file' appeared in directory '$dir' via '$action'"
    done

Report:

The file 'QvAl1E-inGa0TMoqkyQjfUOZYpUvWr5F7j3Do6JbyPY' appeared in directory '/home/<domain>/public_html/.well-known/acme-challenge/' via 'CREATE'
The file '9pOqWkvuGoE-_DHFgF2zb-j-qfhQVY_to68LW0pECYk' appeared in directory '/home/<domain>/public_html/.well-known/acme-challenge/' via 'CREATE'

But these files appear in the Apache access log as redirect 302.
And as said, it works well for 4 domains; it was also working well for this one until last time, where I saw a redirection 302 for the file instead of 200 (OK).

Difficult one. Did you only try ‘Update Renewal’ or also the ‘Request Certificate’ option?

1 Like

I checked your domain and I’m having the same problem: when I access your domain https://www.extra-ordinaire.com/.well-known/ it opens normally, but with http:// it redirects to https, and I think that’s what is causing the issue. It’s doing the same thing on one of my domains, I don’t know why; I don’t have force SSL in Virtualmin enabled and Cloudflare isn’t forcing it either.

2 Likes

You must exclude .well-known from all redirects, including any you have that redirect from http to https. Redirects created by Virtualmin will already exclude .well-known, but any you create or created by your web apps may need to be altered.

Let’s Encrypt makes its requests over http, by the way. It has to. It can’t assume you have functional SSL at that point in the process.

2 Likes
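As an added example (not code from the thread, from Virtualmin or from Let’s Encrypt), here are the two checks discussed above in one script: a filter over an Apache access log for acme-challenge requests that were answered with something other than 200 (the 302 seen earlier), and the "create a test file and fetch it" probe, done over plain http without following redirects, since that is how the validator connects. The function names, the sample log lines and the 203.0.113.10 client address are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the thread: spot ACME http-01 requests that were
# redirected instead of served, using an Apache combined-format access log.

# Constructed sample log (three lines, Apache combined format). The first
# line mirrors the 302 seen in the thread; the client IP is a documentation
# address (203.0.113.10), not a real Let's Encrypt validator.
sample_log() {
    cat <<'EOF'
203.0.113.10 - - [16/May/2023:18:12:43 +0200] "GET /.well-known/acme-challenge/u1c0XLhZ8uIgd_Y6MFmfFnzqkEmOk_BHRsdvQ0Kr9V8 HTTP/1.1" 302 560 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
203.0.113.10 - - [16/May/2023:18:12:44 +0200] "GET /.well-known/acme-challenge/9pOqWkvuGoE-_DHFgF2zb-j-qfhQVY_to68LW0pECYk HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
203.0.113.10 - - [16/May/2023:18:12:45 +0200] "GET /index.html HTTP/1.1" 302 560 "-" "curl/7.64.0"
EOF
}

# Print every acme-challenge request whose status is not 200.
# In the combined format $7 is the request path and $9 the status code.
# Reads the file(s) given as arguments, or stdin when none are given.
acme_challenge_problems() {
    awk '$7 ~ /^\/\.well-known\/acme-challenge\// && $9 != 200 { print }' "$@"
}

# Number of such requests; anything above 0 means the ACME path is being
# redirected (301/302) or otherwise not served as the validator expects.
acme_challenge_problem_count() {
    acme_challenge_problems "$@" | wc -l | tr -d ' '
}

# Live check of a fix (needs network, so not part of the offline demo):
# put a test file in <webroot>/.well-known/acme-challenge/<token>, then fetch
# it over plain http. curl does not follow redirects unless told to, so a
# healthy vhost prints 200 and a redirecting one prints 301 or 302.
acme_probe_status() {
    host="$1"; token="$2"
    curl -s -o /dev/null -w '%{http_code}' "http://${host}/.well-known/acme-challenge/${token}"
}

# Offline demo on the constructed sample: prints the single redirected request.
sample_log | acme_challenge_problems
```

Run it against the real log with `acme_challenge_problems /var/log/virtualmin/<domain>_access_log` (path as Virtualmin names it on the poster's setup is an assumption), and after changing the rewrite rules verify with `acme_probe_status example.com testfile`; the probe must return 200 for the bare name and for www if both are on the certificate.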

I notice all traffic goes to www; would that cause the issue?

1 Like

If you’re trying to get a cert for the bare name (without www), you obviously cannot redirect the Let’s Encrypt validation request to www and expect it to work.

You must exclude .well-known from all redirects, if you want Let’s Encrypt to work.

1 Like

Thanks Joe,
I should check how to do that in the Apache config file for this website, and then come back.

1 Like

Hi,

It works after commenting out these lines in the Apache server configuration:

#    RewriteCond %{SERVER_PORT} !^443$
#    RewriteRule ^/(.*) https://%{SERVER_NAME}/$1 [L,R]

But should this work for keeping the redirection to https, without trouble with the Let’s Encrypt renewal via Webmin?

# Redirect plain-http requests to https, except the ACME challenge path
# (the "!" negation is what excludes /.well-known/ from the redirect)
RewriteCond %{SERVER_PORT} !^443$
RewriteCond $0 !^/.well-known/
RewriteRule ^/(.*) https://%{SERVER_NAME}/$1 [L,R]

Note: I do not know why it works because even with this modification (I think because it is not a redirection 302), http://extra-ordinaire.com/.well-known/ is still redirected (but with “error” 200) to https://extra-ordinaire.com/.well-known/

1 Like

Glad it works now!

200 is not an error but the default code of a correctly processed request.

The rewrite should work, I got something similar:

# Same idea keyed on %{HTTPS} and %{REQUEST_URI}; the "!" keeps /.well-known/ on plain http
RewriteCond %{HTTPS} !=on
RewriteCond %{REQUEST_URI} !^/.well-known/
RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [L,R]

2 Likes

Thanks,

Have a nice day all of you :slight_smile:

1 Like

This topic was automatically closed 8 days after the last reply. New replies are no longer allowed.