[SOLVED] Let's Encrypt renewal fails - default Virtual Server doesn't serve files

[EDIT] Solved after I found Default Server redirecting wrongly and realised what Joe keeps trying to tell us - that once you create virtual servers (for example but not limited to, in Virtualmin) the “default” website path of /var/www/html is no longer guaranteed.
Post 104399 includes the easy fix of creating a virtual server for the FQDN of the Webmin server. It doesn’t need mail, database, spam filtering or a webmin login so keeping a low attack surface.
What it does do is create a sure path for the LE process to store the validation file so it can be retrieved by Let’s Encrypt to obtain and renew the Webmin certificate.
In Webmin > Webmin configuration > SSL Encryption > Let’s Encrypt I set the Website root directory for validation file to Apache virtual host matching hostname which will later be updated to Other directory with the equivalent path /home/username/public_html.
I’ll leave part of my original post to show what goes wrong when you don’t configure it correctly.
What confused me initially was the line “Using the webroot path /var/www/html for all unmatched domains.”
That may have been where Webmin stored the validation file, but it was not the path Apache served up for an “unmatched domain”.
[end edit]

The Virtualmin server will not renew its LE certificate. In fact I have 2 CentOS 7 servers and one CentOS 8. All are updated to latest Virtualmin and OS updates.

None of the servers will automatically renew their LE certificates. I do not have a virtual server for the domain used for the hostnames.
All virtual servers automatically renew LE certificates correctly every 2 months.

All servers give a 404 Not Found error to the URL
http://webmin_FQDN//.well-known/acme-challenge/filename

The requested URL /.well-known/acme-challenge/filename was not found on this server.
even though the file exists with permissions 777.

However there is a difference between CentOS 7 and 8 servers.
CentOS 7 will renew the LE certificate manually
CentOS 8 manual renewal fails with

```
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for webmin_server
Using the webroot path /var/www/html for all unmatched domains.
Waiting for verification...
Challenge failed for domain webmin_server
http-01 challenge for webmin_server
Cleaning up challenges
Some challenges have failed.
IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: webmin_server
   Type:   unauthorized
   Detail: Invalid response from
   http://webmin_server/.well-known/acme-challenge/pBeYT9ArD4tAMu42ux2vMiXSC_MY3SLoMzHgoNWZMxI
   [ip.ip.ip.ip]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML
   2.0//EN\">\n<html><head>\n<title>404 Not
   Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.
```

I figure the problem is in Apache but I cannot work out why it will not serve the file.
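
The mismatch described in this thread, as an added example that is not part of the original post: a simplified model of Apache's name-based virtual host selection that reports which DocumentRoot answers for a hostname, so it can be compared with the webroot the validation file is written to. The hostnames, IP address and paths are constructed, and all virtual hosts are assumed to share one IP address.

```python
import posixpath
import re
from fnmatch import fnmatchcase

# Constructed sample: main-server DocumentRoot plus one Virtualmin-style virtual server.
SAMPLE_CONF = """
DocumentRoot "/var/www/html"
<VirtualHost 192.0.2.10:80>
    ServerName example.com
    ServerAlias www.example.com *.dev.example.com
    DocumentRoot "/home/example/public_html"
</VirtualHost>
<VirtualHost 192.0.2.10:443>
    ServerName example.com
    DocumentRoot "/home/example/public_html"
</VirtualHost>
"""

def parse_conf(text):
    """Return (main DocumentRoot, port-80 vhosts in file order)."""
    main_root, vhosts, cur = None, [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := re.match(r"<VirtualHost\s+([^>]+)>", line, re.I):
            cur = {"addr": m.group(1).split(), "names": [], "root": None}
        elif re.match(r"</VirtualHost>", line, re.I):
            # HTTP-01 validation arrives on port 80, so only those vhosts matter.
            if cur and any(a.endswith(":80") for a in cur["addr"]):
                vhosts.append(cur)
            cur = None
        elif m := re.match(r"(?:ServerName|ServerAlias)\s+(.+)", line, re.I):
            if cur is not None:
                cur["names"] += m.group(1).lower().split()
        elif m := re.match(r'DocumentRoot\s+"?([^"]+)"?', line, re.I):
            if cur is None:
                main_root = m.group(1)
            else:
                cur["root"] = m.group(1)
    return main_root, vhosts

def serving_docroot(text, hostname):
    """DocumentRoot Apache uses for http://hostname/ under the assumptions above."""
    main_root, vhosts = parse_conf(text)
    if not vhosts:
        return main_root  # no virtual hosts: the main server config answers
    for v in vhosts:
        if any(fnmatchcase(hostname.lower(), n) for n in v["names"]):
            return v["root"] or main_root
    # Unmatched name: the first-listed vhost is the default, not the main server.
    return vhosts[0]["root"] or main_root

def webroot_is_served(text, hostname, webroot):
    """True if a file written under webroot is what Apache would serve for hostname."""
    served = serving_docroot(text, hostname)
    return served is not None and posixpath.normpath(served) == posixpath.normpath(webroot)
```

With the sample configuration, a hostname that has no virtual server of its own resolves to the first virtual host's directory, so a validation file under /var/www/html returns 404.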
