Slave DNS and Letsencrypt

OS type and version: CentOS Linux 7.9.2009
Webmin version: 1.981
Virtualmin version: 6.17 Pro

Hi everyone, hope you are all safe and well.

There must be some strange misconfiguration going on here, so I’m happy to accept any suggestions.

I am having problems with slave DNS and Letsencrypt. I have set it up to automatically create slave DNS (on another server) and that works, except when the Letsencrypt cert request is set to happen automatically upon VS creation.

Steps to reproduce this:
In Virtualmin>System Settings>Virtualmin Configuration>SSL Category leave “Request Let’s Encrypt certificate at domain creation time” set to “No”.
Create a new VS in Virtualmin.
On screen, note that it says “Creating slave zone on …” & “Done”.
Check the slave DNS server and see that the slave zone is set up and it does seem to be OK.
Now request a Letsencrypt cert in Virtualmin>Server Configuration>SSL Certificate and that does complete without issue.
All good so far.

In Virtualmin, delete the VS. Note that slave DNS is also deleted.

Now, this is where the trouble starts.

If I set “Request Let’s Encrypt certificate at domain creation time” to “Yes” in Virtualmin>System Settings>Virtualmin Configuration>SSL Category, so that a cert is generated when the VS is created, the cert fails because the slave zone is not created, despite the progress report on screen saying “Creating slave zone on …” & “Done”.

Checking the slave server I have confirmed that the slave zone is NOT created…

Thanks for reading and any ideas you might have.

Tim

Update to add that I have had to start over with this server because I SNAFUed it and couldn’t even get in via SSH/PuTTY (lesson learned, won’t do that again, I hope!).

Anyway, a complete re-install of the operating system and Virtualmin and the same issue exists.

In short, if “Request Let’s Encrypt certificate at domain creation time” is set then the slave DNS is not created and of course the cert fails as a result.

I have run out of ideas.

Thanks for suffering my issues. :smiley:

Sounds like a bug. Maybe @Jamie will chime in with thoughts on this.

I will just chime in and say I did this just now and did not have the same issue.
My servers run Debian 10 and Virtualmin GPL (not that the GPL vs Pro should be an issue here), but might be CentOS related…?

@Dim_Git can you confirm that the slave zone does get created OK on the same system if you don’t request a Let’s Encrypt cert at creation time?

Hi Jamie,

Yes, confirmed! Also, the same two servers were used for both tests (i.e. with and without the cert request).

I have just checked again (I am prone to error :smiley: ).

Add a new VS to VM.

The progress report that shows as the domain is added via Virtualmin shows “Adding slave zone on ecsweb-dns.co.uk … … done”

Checking the slave shows a record has been generated.

Then delete the VS in Virtualmin.

The progress report shows “Deleting slave DNS zone on ecsweb-dns.co.uk … … done”

Check slave - record is deleted.

All is good with LE request disabled.

Turn on LE request in "Configuration For module Virtualmin Virtual Servers" and save.

Create new VS (on VM, of course).

Progress report says “Adding slave zone on ecsweb-dns.co.uk … … done”

Check slave and see that no record has been created.

And, of course, LE fails.

At this stage these two servers are not production so happy to give you access to both.

Take care,
Tim

Hi Jamie,
Hope you had a good weekend.

Further to my reply about giving you access to the two servers should you wish to dig in, I thought it might be helpful if I did so rather than incurring the delays resulting from time zones.

This is the master server
https://ecsweb-host.co.uk:10000

This is the slave
https://ecsweb-dns.co.uk:10000

There are two domains you can play with : seapowergen.co.uk and seapowergen.com (both resolve to these servers).

Heads-up: I have set fail2ban to very draconian on the slave, with a week ban after 3 fails in 3 mins.

Many thanks and take care,
Tim

Edited to add:
Credentials removed at request of Toreskev. Sorry! I thought this was a secured area.

Thanks for the heads-up


Yooo, please remove your IPs and passwords ASAP.
I have also flagged this!

@Joe has previously said that they never want access to servers…


Something has just dawned on me. I thought my messages to Jamie were in a sort-of PM system (is why I included credentials). OK, my last brain cell is dying of loneliness.

Also, when I click the “D” in a circle (sort of avatar) on the right of the blue bar across the top, it suggests that Unborn has posted a reply. If that is the case, sorry I haven’t replied, Unborn, but I can’t see it.

Anyway, back to the problem in hand. In a desperate attempt to resolve this I have tried to start again with a fresh install of the OS, but this time I have really paid close attention to every step, and the problem still exists. If “get Letsencrypt” is enabled, the slave DNS is NOT created and of course the cert application fails.

I had hoped that having a pro installation would get this sorted, perhaps I am being too impatient.

Anyone have any ideas?

Thanks for reading

I’m still struggling with this and would like to get this server into production but really don’t feel justified until it is all sorted out.

I have read many posts here and elsewhere along similar lines but nothing I can find is very definitive.

Does anybody have any clues, even?

Is there a log of this sort of failure? I know there is a LetsEncrypt log but that only shows the expected error that the cert failed. I guess I need to see logs of when the secondary is created. Where would I find those logs on both the master and the slave?

Or any other pointer would be great.

Thanks for reading.

OK, so here is an interesting development.

If I use “Transfer Virtual Server” from the old (CentOS 5) server to the new server (CentOS 7), the transfer proceeds absolutely flawlessly. Terrific module, so many thanks for that.

What is interesting is that the Letsencrypt cert is successful!

EDITED TO ADD.
The original post here said that the LE cert was issued. Unfortunately I was looking at the wrong virtual server. The LE cert is NOT issued. It has been a long day already.

Sorry guys, gotta have a bit of a moan now. This is a Pro/paid for installation but this issue has been seemingly left to fester a little bit, no reply for some time and I am wondering if I have transgressed or worse. If there is nothing that can be done or you are just too busy to handle this right now, I would rather be told that instead of just being ignored. That’s it, rant over.

Still, my ongoing thanks for a terrific application.

I only know that Create LE at domain creation time could be a pain in the…
Not only in Virtualmin.
It depends too much on how quickly things are done and resolve; sometimes I don’t know where you can set some wait times higher somewhere.

Maybe you can find info about those in the forum or a web search.

Also extra APIs … or scripts maybe to handle…

Because the error could be a wrong order somewhere, so it handles the Letsencrypt first, is given an error, then the script for slave DNS is not done after that, I don’t know??

Sorry, @Dim_Git we’re not ignoring you. Jamie just hasn’t had time to track down the cause yet. I’ll ping him and see if we’ll have a fix by the next release…it seems likely to be a small amount of code to fix it, but tracking it down might be a challenge; a lot of moving parts in making this work, and the order they happen in is also critical (and there are delays inherent in DNS changes).