Requesting a certificate for *** from Let's Encrypt request failed

Operating system:Debian Linux 9

Hi all, I tried to letsencrypt renew my domain and webmin server cert and I get the following error:

Requesting a certificate for mysite.com, www.mysite.com, jp.mysite.com from Let's Encrypt ..
.. request failed : Web-based validation failed :
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for jp.mysite.com
http-01 challenge for mysite.com
http-01 challenge for www.mysite.com
Using the webroot path /home/mysite/public_html for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. mysite.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://mysite.com/.well-known/acme-challenge/F-is3Wku7hLBMMMg_oDAAAgIZk8glDHDoSTg3XYXTAM [172.104.118.45]: "<!DOCTYPE html>\n<html class=\"avada-html-layout-wide avada-html-header-position-top\" lang=\"en-US\" prefix=\"og: http://ogp.me/ns# f"
IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: mysite.com
   Type:   unauthorized
   Detail: Invalid response from
   http://mysite.com/.well-known/acme-challenge/F-is3Wku7hLBMMMg_oDAAAgIZk8glDHDoSTg3XYXTAM
   [172.104.118.45]: "<!DOCTYPE html>\n<html
   class=\"avada-html-layout-wide avada-html-header-position-top\"
   lang=\"en-US\" prefix=\"og: http://ogp.me/ns# f"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

I actually have no idea how to fix this… any help would be much appreciated. I am using the virtualmin > server configuration > SSL certificate > Let’s Encrypt tab.

My webmin and website are both using the same domain.
Webmin = jp.mysite.com
Website = www.mysite.com and mysite.com
FTP is encrypted but of course, this is expired also…
DNS A redirects to the correct IP address, I do not use AAAA

If someone would please be so very kind to provide step by step instructions for how to do this in virtualmin/webmin, I would be very grateful.

bump… any replies?

Neither do I but I’ll throw out some ideas…

Is this the server’s hostname and is there an A record for it? If you are hosting your own DNS Virtualmin takes care of essential A records when you create a virtualhost, but I don’t think Virtualmin takes a server hostname into account. If there’s a missing A record for this name add it manually to the same zone for the other names.

Do you mean there’s no IPv6 at all? or IPv6 is enabled for the server but you choose not to use it? If IPv6 is lurking somewhere in the network LE will find it and expect to find AAAA records. Or IPv6 doesn’t exist but there’s an entry for ::1 in /etc/hosts. If any of this rings a bell you’ll want to make certain IPv6 is thoroughly disabled before going without AAAA records.

Here’s a suggestion that may help with that:

It’s hard to say why http validation fails. Sometimes LE is unable to create .well-known/acme-challenge. Other times there’s redirection occuring in a virtualhost config or http header in an .htaccess file that gets in LE’s way. When http validation fails LE moves on to DNS validation, so I find that it’s easier to correct DNS one time rather than modify a virtualhost every time LE needs to run.

2 Likes

Oh great call out!!

I went to virtualmin > mysite.com > server configuration > change IP address and there I chose “None” for New IPv6 address.

Now I can renew my cert! Thank you @ramin!