Renew SSL Certificates for subdomains

SYSTEM INFORMATION
OS type and version: Debian Linux 12
Virtualmin version: 7.30.4

Hello, I’m a newbie in system administration and need help. A company set up a server for us where we can create virtual servers (subdomains). I’ve asked many times for auto-renew to be set up for the subdomains’ SSL certificates without getting any answer, so I’ll have to fix it myself.
According to the company’s admin who set up the server, the SSL certificates have been created using this command line for every subdomain: certbot certonly --force-renew -d abc.mydomain.com

Now those subdomains’ certificates expire regularly and I have to run this command every x months, on all subdomains (30+). This is time consuming and of course not the best way to do things.

I’ve tried to find a solution to get only one certificate for the domain and all subdomains (under Webmin / Servers / Virtualmin Virtual Servers / Module Config / SSL Settings).

On a previous forum thread, I saw a procedure to manage this. So I clicked on “Use Default Certificate Path” for 2 subdomains and could get the Let’s Encrypt certificate for them.

Now when I do the same for the third one, I get this error message:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for xxx_mydomain_com (replaced . by _ as I can only post 2 links)

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
Domain: xxx_mydomain_com
Type: unauthorized
Detail: xxx.xx.xxx.xx: Invalid response from https___xxx:mydomain_com/.well-known/acme-challenge/YYYYYYYYYYYYYYYYYYYY: 403

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Some challenges have failed.
Ask for help or search for solutions at community_letsencrypt_org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

Am I doing it right? Every time we have a new customer, I’ll have to create a new subdomain and manage its SSL, but I’m not sure I’m doing it the correct way (it looks too complicated). It looks like I’m doing it wrong, but I followed the advice of the company’s admin who set up the server for us.

Thank you for helping me out with these SSL settings.

You should be using the GUI to request certs; that is what the config is related to.

This is where I got the error “Certbot failed to authenticate some domains…”, but in the topic I could only post one capture.

From the screen above, try Request Certificate, does that error?

Yes it does. I just figured out that if I run “certbot certonly --force-renew -d xxx.mydomain.com” in the terminal and then Request Certificate again, it works. Not sure I’m doing it right anyway.

I would never use certbot; the GUI will set up the auto-renew. (Unless your system admin is doing it for some special reason.)

Virtualmin has its own command line if you want to use the CLI.

Ok. Will go this way from now. Thank you for your support.

Using certbot directly is not the right way. That won’t handle all the extra stuff Virtualmin does with the certs, so any other services will break every time the cert expires. Virtualmin is calling certbot, but it does additional stuff on each renewal.

You just need to fix the problems the error is telling you about.

There are only about three things that can go wrong, and it’s always the same things (if you search the forum you will find dozens of discussions of exactly your issue and the problem you have). Yours appears to be that you have some redirect or proxy rules that are sucking up the requests to .well-known. You need to fix that.

For testing, put a file in /home/domainname/public_html/.well-known and try to browse to it. Until you can browse to that file, you haven’t fixed it, and you need to find the redirect or proxy rule and make it exclude .well-known, so keep working on it (making a bunch of requests to Let’s Encrypt will get you blocked from requesting a cert for a while, so hammering “renew” over and over is a bad way to test).
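The browse-to-a-file test from the reply above, written up as a small POSIX shell script. This is an added example, not code from the thread, from Virtualmin or from certbot; it assumes Virtualmin’s default webroot layout of /home/<domainname>/public_html, and the domain, the probe file name and the status-to-cause mapping are constructed here. It fetches the probe over plain HTTP on port 80 without following redirects, which is how the CA validates an HTTP-01 challenge, so a 301/302 or 403 here points straight at the rewrite, proxy or deny rule that has to exclude .well-known.

```shell
#!/bin/sh
# Added example for this thread (not Virtualmin's or certbot's own code):
# check that the HTTP-01 challenge path is readable from outside before
# pressing "Request Certificate" again. Webroot and domain are assumptions;
# Virtualmin's default webroot is /home/<domainname>/public_html.
set -eu

# Write a throwaway probe file under .well-known/acme-challenge and print its name.
# $1 = webroot directory
make_probe_file() {
  dir="$1/.well-known/acme-challenge"
  mkdir -p "$dir"
  token="probe-$(date +%s)-$$"
  printf '%s\n' "$token" > "$dir/$token"
  printf '%s\n' "$token"
}

# Translate the HTTP status seen for the probe into the usual cause.
# $1 = three-digit status code (000 when curl could not connect at all)
classify_http_code() {
  case "$1" in
    200) echo "ok: challenge path is reachable" ;;
    301|302|307|308) echo "redirect: a rewrite/redirect rule catches .well-known; exclude it" ;;
    403) echo "forbidden: a deny, proxy or rewrite rule blocks .well-known; exclude it" ;;
    404) echo "not found: wrong webroot for this domain" ;;
    000) echo "no answer: DNS or port 80 does not reach this server" ;;
    *) echo "unexpected status $1" ;;
  esac
}

# Fetch the probe the way the CA does: plain HTTP on port 80, no redirects followed.
# $1 = domain, $2 = token. Prints the diagnosis; returns 0 only on 200 with a matching body.
probe_domain() {
  url="http://$1/.well-known/acme-challenge/$2"
  body_file=$(mktemp)
  code=$(curl -s -o "$body_file" -w '%{http_code}' --max-time 15 "$url" || echo 000)
  classify_http_code "$code"
  if [ "$code" = 200 ] && [ "$(cat "$body_file")" = "$2" ]; then
    rm -f "$body_file"
    return 0
  fi
  rm -f "$body_file"
  return 1
}

# Usage: sh probe.sh abc.mydomain.com /home/mydomain/public_html   (constructed values)
if [ $# -eq 2 ]; then
  tok=$(make_probe_file "$2")
  probe_domain "$1" "$tok" && status=0 || status=$?
  rm -f "$2/.well-known/acme-challenge/$tok"   # clean up the probe file either way
  exit "$status"
fi
```

Run it with the subdomain and that subdomain’s webroot; repeat after each rule change until it reports “ok”, then request the certificate once from the Virtualmin GUI. Because the script only talks to your own web server, looping on it does not count against Let’s Encrypt’s rate limits.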
