I have one domain (which has been installed at this place for at least 3-4 years) giving me a headache …
SSL certificate did expire and gave an alert to visitors … I went into the SSL cert management, and sure enough, on the main page “Current certificate” the cert was showing as expired 2 days ago.
I then went into the “Let’s Encrypt” tab and the cert was showing as renewed a few days ago …
I did a new “Request Certificate” which went through smoothly, everything successful, but still on the main tab it says expired 2 days ago …
After searching a bit, I realized there was a message at the top of the “Let’s Encrypt” tab saying:
This page can be used to request a new certificate, which will overwrite any other you currently have configured for this domain. However, the Let's Encrypt service requires that your ownership of the certificate domain be validated by checking that this system hosts the website for the domain. This is done by placing a small temporary file under the website's document directory
I searched and I cannot find something about that “small temporary file” … in my understanding this is what the .well-known process is all about, but what I don’t understand is that this is the first time ever I’m requested to do this, I cannot find what name I should give to that file, I have quite a lot of domains on that server and others and was never asked to do something similar. At first I thought it was a Let’s Encrypt message but in fact I guess it’s Virtualmin.
The only things I can think of:
- old version of Debian, but this is on purpose to support some old sites and technologies
- this website is in a subdirectory of public_html so there is a “Website documents sub-directory” … redirection to SSL is not forced …
- recent updates of webmin/virtualmin changed something
But again, this site has been up and running with SSL for many years … Any idea of why this sudden problem ?
Well I just got an email telling me the certificate had been automatically updated and it now works properly … I don’t know why it didn’t renew automatically before expiration, but everything now seems good …
My best guess maybe you ended up with a duplicate that the server did not pick up on? Needed a reload?
Keys get stored in /etc/ssl/virtualmin under a long numeric string. Maybe if you check the dates you will find an ‘extra’.
But, why was it suddenly out of sync? I can’t even provide a good guess on that one.
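The date check suggested above can be scripted. This is an added example, not part of the original posts and not Virtualmin's own tooling; it assumes the `openssl` command-line tool is installed, and the function names `cert_report` and `dup_subjects` are hypothetical. It scans every file under a directory rather than assuming particular file names.

```shell
#!/bin/sh
# Added example (hypothetical helper names). Typical call, using the
# directory named in the thread and a 30-day window:
#   cert_report /etc/ssl/virtualmin 2592000

# cert_report DIR [WINDOW_SECONDS]
# One line per certificate: STATUS<TAB>notAfter<TAB>subject<TAB>path
# STATUS is EXPIRING if the cert expires within the window (0 = already expired).
cert_report() {
    dir=$1
    window=${2:-0}
    find "$dir" -type f | sort | while IFS= read -r f; do
        # Skip private keys, CSRs and anything else that is not a certificate.
        openssl x509 -in "$f" -noout 2>/dev/null || continue
        end=$(openssl x509 -in "$f" -noout -enddate | cut -d= -f2-)
        subj=$(openssl x509 -in "$f" -noout -subject -nameopt RFC2253 |
               sed 's/^subject= *//')
        # -checkend exits non-zero when the cert expires within $window seconds.
        if openssl x509 -in "$f" -noout -checkend "$window" >/dev/null; then
            status=OK
        else
            status=EXPIRING
        fi
        printf '%s\t%s\t%s\t%s\n' "$status" "$end" "$subj" "$f"
    done
}

# dup_subjects DIR
# Subjects that appear with more than one distinct expiry date, i.e. an old
# and a renewed certificate for the same name both still on disk.
dup_subjects() {
    cert_report "$1" | cut -f2,3 | sort -u | cut -f2 | sort | uniq -d
}
```

A subject listed by `dup_subjects` is the case to look at first: compare the paths and dates that `cert_report` prints for it with the file the web server is configured to use.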
If you search .well-known in the forum, you’ll find dozens, maybe hundreds, of comments where I explain it.
As for your question, have you ever used certbot directly to get a cert for this domain? You should decide whether to use Virtualmin or
Sorry for my english not being as good as I would like … Of course I know about .well-known but my understanding about that term “small temporary file” was that Virtualmin was talking about something entirely else …
As of now I always used Virtualmin with no problem, I will look into certbot !
I wasn’t suggesting you use certbot directly! I was saying you should only use one or the other! Virtualmin is generally easier. (Virtualmin uses certbot, but it handles the scheduling and configuration and such itself, rather than having certbot do it.)
Using both leads to problems sort of like the one you’ve described. But, if you have always used Virtualmin, then that’s not the problem you have.
For most people, most of the time, letting Virtualmin manage your certs is a nicer experience.
In the Let’s Encrypt page what’s it say at the bottom?
I never said that I used certbot and Virtualmin, I always used Virtualmin to handle this, this server has been up and running that way for the last 3 years.
@stefan1959 That page “Let’s Encrypt” was saying that the renewal was successful, but the main page “Current certificate” still said that it was expired 2 days ago.
Reminder: as per my second message, now all is good, as soon as Virtualmin did a request by itself (automatically) it was back to normal.