LetsEncrypt says "request failed : Web-based validation failed"

christophera · April 1, 2024, 3:16pm

Hi,

I started having email issues this morning and investigating, I find the LetsEncrypt validation is failing. Is this a known issue?

Requesting a certificate for andrews.com, www.andrews.com, mail.andrews.com from Let's Encrypt ..
.. request failed : Web-based validation failed :

Saving debug log to /var/log/letsencrypt/letsencrypt.log Requesting a certificate for andrews.com and 2 more domains Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems: Domain: andrews.com Type: unauthorized 
(edited to remove ips)

SYSTEM INFORMATION
OS type and version	Ubuntu Linux 22.04.2
Webmin version	2.105
Virtualmin version	7.10.0
Related packages	SUGGESTED

jimr1 · April 1, 2024, 3:29pm

The Unauthorised log entry intimates that letsencrypt doesn’t have access to the correct directory

ID10T · April 1, 2024, 3:31pm

Am I the only one on the forum that gets emails on cert renewal or failure? I’d say once you get this solved maybe look into that.

Is the andrews (dot) com real? It works for me. I show ‘the lock’ in the url bar.

MantasU · April 1, 2024, 3:33pm

Yes. Make sure .well-known is accessible for acme-challenge. Also, if you control your DNS, use the wildcard option.

jimr1 · April 1, 2024, 3:38pm

Why do you need to do that … surely that is not the correct thing to do. It is a possible security risk

christophera · April 1, 2024, 3:41pm

Yep, that’s real, but I have two servers, that’s on the web one, on my email server it’s expired and throwing that error.

How do I make sure .well-known… I wonder if it’s checking the web server for that… I don’t know, it’s worked okay in the past…

Chris

ID10T · April 1, 2024, 3:48pm

Make sure you are only asking for the correct certs on each server?
Requesting a certificate for andrews.com, www.andrews.com, mail.andrews.com from Let's Encrypt ..

MantasU · April 1, 2024, 3:54pm

DNSSEC if you are that paranoid about security.

MantasU · April 1, 2024, 3:59pm

Why are you hosting a separate email server? Waste of resources and money. Your email server should use the same certificate as your domain. Of course, it will throw an error since your other server manages your domain

ID10T · April 1, 2024, 4:03pm

It really isn’t helpful to question this kind of decision as we know nothing of the infrastructure and reasoning behind it. It is also off topic. Our goal is to help resolve the problem.

MantasU · April 1, 2024, 4:08pm

Remove mail.domain.tld from your web server. Add A record with your email server’s IP address. Request a certificate for mail.domain.tld on your email server. Make sure it is propagated around the world first. https://dnschecker.org/ @christophera

christophera · April 2, 2024, 12:57pm

Hi all,

Thank you, I’ve never asked a question on this forum and gotten such a lively response!

Yes, I mistakenly had the multiple domains listed on the cert, that caused the problem.

I’ve corrected that and all is well!

Thanks again!

Chris

ID10T · April 2, 2024, 3:20pm

Thank you for letting us all know the problem was resolved.

system · April 10, 2024, 3:21pm

This topic was automatically closed 8 days after the last reply. New replies are no longer allowed.