Let's Encrypt renewal fails for subdomains for webmin and mailserver, overrode viable certs on all other virtual domains

SYSTEM INFORMATION
OS type and version: Ubuntu Linux 18.04.6
Webmin version: 1.981
Virtualmin version: 6.17-3
Related products version: Certbot, not sure of version

Having some massive issues with renewing the certs for webmin/virtualmin. My DNS is with Linode. My webserver is nginx.

I have several domains through virtualmin all on the same server. Here’s the obscured certbot renew list:

1: domain1.net
2: www.domain1.net
3: domain2.com
4: numbers.domain2.com
5: www.numbers.domain2.com
6: subdomain.domain2.com ← This is my virtualmin
7: www.subdomain.domain2.com
8: www.domain2.com
9: domain3.com
10: www.domain3.com
11: domain4.com
12: blog.domain4.com
13: www.domain4.com
14: domain5.org
15: www.domain5.org
16: domain5.com
17: domain6.xyz
18: www.domain6.xyz

My Let's Encrypt cert for domain2, including the subdomain, failed to renew several years ago and I never bothered to try and fix it until now because it's such a damn hassle.

All of the other domains have their certs maintained via certbot on the command line, but the domain2 cert was done through Let's Encrypt in Virtualmin because I wanted to be able to easily copy it from there to Webmin and Postfix.

Today I thought I’d give a try to fixing the domain2 cert and I’ve made a hash of it.

I went into Virtualmin > domain2 > SSL Certificate > Let’s Encrypt and tried to renew with the config as follows:

It timed me out for rate limit, but the logs show success on the bare domain and www, and failure for the webmin subdomain and the “mail” subdomain. Both have A records in the Linode DNS.

{
  "identifier": {
    "type": "dns",
    "value": "mail.domain2.com"
  },
  "status": "pending",
  "expires": "2021-12-20T08:47:43Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/58077849870/30ZeoQ",
      "token": "-a1syo7i4JZURImdCZyVR1cJmgH5IuU1Pp6TojtnjyI"
    },
    {
      "type": "dns-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/58077849870/6QLyeg",
      "token": "-a1syo7i4JZURImdCZyVR1cJmgH5IuU1Pp6TojtnjyI"
    },
    {
      "type": "tls-alpn-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/58077849870/ZnNwhw",
      "token": "-a1syo7i4JZURImdCZyVR1cJmgH5IuU1Pp6TojtnjyI"
    }
  ]
}

— snip —

{
  "identifier": {
    "type": "dns",
    "value": "subdomain.domain2.com"
  },
  "status": "pending",
  "expires": "2021-12-20T08:47:43Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/58077849880/ZssK6g",
      "token": "Dlbc0gAUy-23Dpxw8akWHjybHSDoDUJvX_JItjTBRcY"
    },
    {
      "type": "dns-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/58077849880/C_3hpA",
      "token": "Dlbc0gAUy-23Dpxw8akWHjybHSDoDUJvX_JItjTBRcY"
    },
    {
      "type": "tls-alpn-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/58077849880/8GJEZg",
      "token": "Dlbc0gAUy-23Dpxw8akWHjybHSDoDUJvX_JItjTBRcY"
    }
  ]
}

So I gave up and installed a self-signed certificate for domain2 and deleted the Let’s Encrypt CA cert because it was giving me a mismatch error.

Now all of the other domains are trying to use the self-signed cert instead of their perfectly good and functional existing CLI-generated certbot certs.

I’d like to get the other sites back to using their normal certs and get domain2’s + webmin cert sorted.

Let me know if you need any other logs etc. Thanks in advance.
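The two authorization objects quoted above list the three challenge types Let's Encrypt offered for mail.domain2.com and subdomain.domain2.com, all still "pending". What the CA actually looks for can be derived from the token and the ACME account key alone, so the following is an added example (not part of the original post, and not Virtualmin or certbot code) that turns those authorizations into a checklist: the exact URL the CA will fetch for http-01, the TXT record it would query for dns-01, and the value each must carry (RFC 8555 section 8). The account JWK in it is a constructed placeholder; certbot keeps the real one under /etc/letsencrypt/accounts/.

```python
"""Added example: derive Let's Encrypt's validation targets from pending ACME authorizations.

Per RFC 8555 the key authorization for any challenge is
    token + "." + base64url(RFC 7638 thumbprint of the account public key)
  http-01 : GET http://<name>/.well-known/acme-challenge/<token> must return it
  dns-01  : TXT _acme-challenge.<name> must hold base64url(SHA-256(key authorization))
"""
import base64
import hashlib
import json
import urllib.request

# Constructed placeholder account key (public JWK members only). Not a real key;
# certbot stores the real one in /etc/letsencrypt/accounts/<ca>/directory/<id>/.
ACCOUNT_JWK = {"kty": "RSA", "e": "AQAB", "n": "placeholder-modulus-not-a-real-key"}

# The two pending authorizations pasted in the post, trimmed to the fields that matter.
AUTHZ_JSON = r'''
[
  {"identifier": {"type": "dns", "value": "mail.domain2.com"}, "status": "pending",
   "challenges": [
     {"type": "http-01",     "status": "pending", "token": "-a1syo7i4JZURImdCZyVR1cJmgH5IuU1Pp6TojtnjyI"},
     {"type": "dns-01",      "status": "pending", "token": "-a1syo7i4JZURImdCZyVR1cJmgH5IuU1Pp6TojtnjyI"},
     {"type": "tls-alpn-01", "status": "pending", "token": "-a1syo7i4JZURImdCZyVR1cJmgH5IuU1Pp6TojtnjyI"}]},
  {"identifier": {"type": "dns", "value": "subdomain.domain2.com"}, "status": "pending",
   "challenges": [
     {"type": "http-01",     "status": "pending", "token": "Dlbc0gAUy-23Dpxw8akWHjybHSDoDUJvX_JItjTBRcY"},
     {"type": "dns-01",      "status": "pending", "token": "Dlbc0gAUy-23Dpxw8akWHjybHSDoDUJvX_JItjTBRcY"},
     {"type": "tls-alpn-01", "status": "pending", "token": "Dlbc0gAUy-23Dpxw8akWHjybHSDoDUJvX_JItjTBRcY"}]}
]
'''


def b64url(data: bytes) -> str:
    """Base64url without padding, as JOSE/ACME require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: required public members only, keys sorted, no whitespace, SHA-256."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    return f"{token}.{jwk_thumbprint(jwk)}"


def plan_checks(authz_list: list, jwk: dict) -> list:
    """For every pending authorization, list where the CA looks and what it must find."""
    plan = []
    for authz in authz_list:
        if authz["status"] != "pending":
            continue
        name = authz["identifier"]["value"]
        for ch in authz["challenges"]:
            ka = key_authorization(ch["token"], jwk)
            if ch["type"] == "http-01":
                plan.append({"name": name, "type": "http-01",
                             "where": f"http://{name}/.well-known/acme-challenge/{ch['token']}",
                             "expect": ka})
            elif ch["type"] == "dns-01":
                plan.append({"name": name, "type": "dns-01",
                             "where": f"_acme-challenge.{name} TXT",
                             "expect": b64url(hashlib.sha256(ka.encode("ascii")).digest())})
            # tls-alpn-01 needs a purpose-built cert on :443; the webroot flows here never use it.
    return plan


def verify_http01(check: dict, timeout: float = 10.0) -> bool:
    """Fetch the http-01 URL as the CA would (plain HTTP, redirects followed) and compare the body."""
    try:
        with urllib.request.urlopen(check["where"], timeout=timeout) as resp:
            return resp.read().decode("ascii", "replace").strip() == check["expect"]
    except OSError:  # DNS failure, connection refused, 404 and friends all land here
        return False


if __name__ == "__main__":
    for c in plan_checks(json.loads(AUTHZ_JSON), ACCOUNT_JWK):
        print(f"{c['name']:24} {c['type']:8} {c['where']}\n{'':34}must carry: {c['expect']}")
```

Only one challenge per name has to pass, and Virtualmin and certbot's webroot mode both use http-01, so the check that matters is whether a file dropped into the webroot's .well-known/acme-challenge/ for that exact hostname is reachable from the outside on port 80 under that URL. If it is not, the cause is in DNS or in which nginx server block answers for the name, and retrying the issuance only spends more of the rate limit.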

Ok after several hours I seem to have fixed most of this except for a cert for the mail subdomain, which I use for my outbound SMTP. It remains to be seen if this is an issue. Including how I fixed it below for people who come later.

When I updated to the latest Webmin today the update did not run smoothly and it lost my config. I started out by restoring my settings from a backup, which Webmin is scheduled to FTP to me weekly.

I solved the vhost wrong cert problem via nginx -t after a lot of searching on stackexchange. I had duplicate server declarations in my /etc/nginx/sites-available server blocks. Upon deleting those duplicate server declarations the sites are now up and running and successfully responding with the proper ssl certs. That settles things for domains 1 and 3-6.

I then tried to install a Let's Encrypt cert via Virtualmin for only domain2 and www.domain2, which succeeded, but did not actually work for Webmin itself since it excluded the Virtualmin subdomain created by Virtualmin.

So I then tried the answer found here, although untangling that thread was awkward. I created an alias subdomain.domain2 but it still failed to pull the Let's Encrypt cert, apparently because when I created the alias I unticked the "create DNS zone" and "create nginx website" boxes, thinking I wouldn't need them.

I deleted the alias and recreated it with those boxes ticked, which got further but then dumped on trying to verify www.subdomain.domain2. So I went back to domain2 > SSL Certificate and set it to pull only for domain2, www.domain2 and subdomain.domain2 rather than those three plus www.subdomain.domain2.

I then went back to the SSL Certificate page and activated it for services, which also completed successfully. Now when visiting Virtualmin I no longer have the “https” crossed out, but my browser still tells me the site is not secure. Better than nothing, I guess?

I sent a test email and it went through but I’ve never managed to get encryption working right on the mailserver so I go through port 25 unsecured. Getting the cert working on mail.domain2 will remain a low priority issue. My mailserver is a mess so I’ve been looking to outsource it for some time.

EDIT: Switched my SMTP server address from mail.vhostdomain.com to domain2.com for all email addresses from which I send in Gmail and it now logs in properly for encrypting via SSL or TLS. Will probably tinker with it over the next few days since there’s a lot of spam weirdness in the postfix queue, but that’s another issue altogether.
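The duplicate server declarations found above via nginx -t are worth a mechanical check, because nginx does not refuse to start on them: it logs a warning that the conflicting server name is ignored, keeps the first block that claimed the name on that listen socket, and serves that block's certificate. That is exactly how a self-signed cert from one vhost ends up on every other site. The following is an added example, not from the post and not part of nginx or Virtualmin, that parses nginx config text and reports every name claimed twice on the same socket, together with which block wins. The configuration it runs on is constructed to mirror the situation described; paths and names are placeholders.

```python
"""Added example: report server_name collisions in nginx config text.

nginx only warns on these ("conflicting server name ... ignored") and lets the
first block win, so a stale duplicate can silently serve the wrong certificate.
"""
import re
from collections import defaultdict

# Constructed sample modelled on sites-enabled/* after a botched restore. Not real config.
SAMPLE_NGINX_CONF = r'''
server {
    listen 443 ssl;
    server_name domain2.com www.domain2.com;
    ssl_certificate /home/domain2/ssl.combined;          # the self-signed one
    ssl_certificate_key /home/domain2/ssl.key;
    location / { root /home/domain2/public_html; }
}
server {
    listen 443 ssl;
    server_name domain1.net www.domain1.net;
    ssl_certificate /etc/letsencrypt/live/domain1.net/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/domain1.net/privkey.pem;
}
server {
    listen 443 ssl;
    server_name www.domain1.net domain1.net;             # duplicate of the block above
    ssl_certificate /home/domain2/ssl.combined;          # would be served if this block came first
    ssl_certificate_key /home/domain2/ssl.key;
}
server {
    listen 80;
    server_name domain1.net www.domain1.net;             # same names on :80 is a different socket, fine
    return 301 https://$host$request_uri;
}
'''

_COMMENT = re.compile(r"#.*")
_DIRECTIVE = re.compile(r"^\s*(listen|server_name|ssl_certificate)\s+([^;]+);", re.M)


def _strip_comments(text: str) -> str:
    return "\n".join(_COMMENT.sub("", line) for line in text.splitlines())


def server_blocks(text: str):
    """Yield the body of each `server { ... }` block, brace-matched so nested location blocks stay inside."""
    text = _strip_comments(text)
    for m in re.finditer(r"\bserver\s*\{", text):
        depth, i = 1, m.end()
        while i < len(text) and depth:
            if text[i] == "{":
                depth += 1
            elif text[i] == "}":
                depth -= 1
            i += 1
        yield text[m.end():i - 1]


def parse_block(body: str) -> dict:
    info = {"listen": [], "names": [], "cert": None}
    for key, val in _DIRECTIVE.findall(body):
        val = val.split()
        if key == "listen":
            sock = val[0]                       # drop ssl / http2 / default_server flags
            if sock.isdigit():
                sock = "0.0.0.0:" + sock        # a bare port binds every address
            info["listen"].append(sock)
        elif key == "server_name":
            info["names"].extend(n.lower() for n in val)
        elif key == "ssl_certificate" and info["cert"] is None:
            info["cert"] = val[0]
    if not info["listen"]:
        info["listen"] = ["0.0.0.0:80"]         # nginx's default when no listen is given (running as root)
    return info


def find_conflicts(conf_text: str) -> list:
    """Names claimed by more than one server block on the same socket, in file order (first block wins)."""
    claims = defaultdict(list)                  # (socket, name) -> [(block_no, cert), ...]
    for no, body in enumerate(server_blocks(conf_text)):
        blk = parse_block(body)
        for sock in blk["listen"]:
            for name in blk["names"]:
                claims[(sock, name)].append((no, blk["cert"]))
    conflicts = []
    for (sock, name), owners in claims.items():
        if len(owners) > 1:
            winner, *ignored = owners
            conflicts.append({"socket": sock, "name": name,
                              "serves": {"block": winner[0], "cert": winner[1]},
                              "ignored": [{"block": b, "cert": c} for b, c in ignored]})
    return sorted(conflicts, key=lambda c: (c["socket"], c["name"]))


if __name__ == "__main__":
    # Real use: find_conflicts(subprocess.check_output(["nginx", "-T"], text=True))
    for c in find_conflicts(SAMPLE_NGINX_CONF):
        print(f"{c['socket']} {c['name']}: block {c['serves']['block']} serves {c['serves']['cert']}; "
              f"ignored: {[i['block'] for i in c['ignored']]}")
```

Feeding it the output of nginx -T (capital T, which dumps the fully merged configuration from every include) rather than individual files is what catches duplicates split across sites-enabled/ and Virtualmin's own generated files; nginx -t alone only tells you a conflict exists, not which block is winning.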

Note:

  1. The mail.domain.tld subdomain is reserved for use by Virtualmin.

  2. Use your Virtualmin hostname in your email clients (e.g. Outlook and Windows Mail) as incoming server and outgoing server.

  3. For Let’s Encrypt to request and renew normal (i.e. not wildcard) certificates, it is necessary for the domain to have a website which can be accessed by the rest of the net.

You appear to have done everything right except point 3 in your quest to get Virtualmin to request a Let’s Encrypt certificate for your hostname. Keep at it, @cfmmroolet, you are almost there.

Using my domain2 vs subdomain.domain2 seems to make no difference. With the alias set up everything should be renewing properly but we’ll know in a couple of months I guess.

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.