(Solved) Errors when generating a Let's Encrypt certificate for the server hostname


I have set up Virtualmin on a new Ubuntu Linux 18.04.4 server and it works great. I have created virtual servers and I can generate Let’s Encrypt certificates for all of them without any problems.

The only domain I’m having a problem with, is the domain matching the server’s hostname.

Let’s assume the server’s hostname is “sub.example.com”.

All the necessary DNS records have been set up on an external DNS server (Cloudflare). There’s an A-record for both “example.com” and “sub.example.com”, both pointing to the server’s IP address (that’s the same IP address). (Note that I have disabled DNS proxy for the DNS records on Cloudflare, so that’s not interfering with anything).

I have created a virtual server and website for “example.com”. I have also made that the default website for the server, by setting the option under Virtualmin > Server Configuration > Website options > Default website for IP address. It worked fine. When I upload files to the “example.com” website, the files are accessible from both “http://example.com/file.txt” and “http://sub.example.com/file.txt” (the latter being the server’s hostname).

I have tried two approaches In order to generate a Let’s Encrypt certificate for the server’s hostname “sub.example.com”.

Firstly, by going to Webmin > Webmin Configuration > SSL Encryption > Let's Encrypt.

By default, the server’s main IP address was displayed under “Hostnames for certificate”. I changed that to match the server’s hostname, “sub.example.com”. Under the “Website root directory for validation file” option, I chose the “A different Apache virtual host” option and set it to “example.com” (because that was set to serve requests made to the server’s hostname).

However, the certificate generation failed with error: ValueError: Wrote file to /home/example.com/public_html/.well-known/acme-challenge/foo, but couldn't download http://example.com/.well-known/acme-challenge/foo

That’s strange, since when I upload content to the “example.com” virtual server, is also accessible “http://sub.example.com/” - I have tested it.

Secondly, I have tried to solve the problem by creating a new virtual server for the server’s actual hostname, “sub.example.com”. When the server was created, the Let’s Encrypt certificate generation failed. However, all uploaded files are accessible via “http://sub.example.com”, as expected. I also set the option of the virtual server to be the “Default website for IP address”.

When I try to generate a certificate for the server by going to Virtualmin > Server Configuration > SSL Certificate > Let's Encrypt, I get the same type of error: ValueError: Wrote file to /home/sub.example.com/public_html/.well-known/acme-challenge/foo, but couldn't download http://sub.example.com/.well-known/acme-challenge/foo

Again, that’s strange, since I can verify that anything uploaded to the server’s website is accessible via “http://sub.example.com/whatever.file”.

The only domain that has a problem with certificate generation is the domain matching the server’s hostname (sub.example.com). Certificate generation for any other virtual host with any other domain (even for “example.com”) works fine.

Please help me find a solution to the problem.

I think I have now found the problem, but don’t know how to fix it…

When using wget on the server to retrieve the file, it fails, as it resolves to

# wget http://sub.example.com/somefile
--2020-02-20 08:00:00--  http://sub.example.com/somefile
Resolving sub.example.com (sub.example.com)...
Connecting to sub.example.com (sub.example.com)||:80... connected.
HTTP request sent, awaiting response... 404 Not Found
2020-02-20 08:00:00 ERROR 404: Not Found.

That’s why certbot cannot verify the challenge, although I can access files from the hostname’s domain if the request does not originate from the host itself.


I have found a solution to the problem. Since the server has a static IP address, I just needed to add the entry in /etc/hosts:

# cat /etc/hosts localhost sub.example.com

::1     ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

This topic was automatically closed 2 days after the last reply. New replies are no longer allowed.