SSL renew fails on 1 domain only

SYSTEM INFORMATION
**OS type and version:** Ubuntu Linux 20.04.3
**Webmin version:** 1.981
**Virtualmin version:** 6.17-3 Pro

I have 10 domains, including the main domain of this subdomain; this one fails to renew as below. Please advise.

Validating configuration for sxx…
… no problems found

Requesting a certificate for xx from Let’s Encrypt …
… request failed : Web-based validation failed :

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for xx
Using the webroot path /home/shop/public_html for all unmatched domains.
Waiting for verification…
Challenge failed for domain xx
http-01 challenge for xx
Cleaning up challenges
Some challenges have failed.
IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: xx
    Type: unauthorized
    Detail: Invalid response from
    xx/.well-known/acme-challenge/hD63I1_7A0tRnZyVi_tV1cFGeWtx5id0E
    [45.63.90.253]: “\n\n500 Internal Server
    Error\n\n

    Inter”

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address.

    DNS-based validation failed :

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Renewing an existing certificate
Performing the following challenges:
dns-01 challenge for xx
Running manual-auth-hook command: /etc/webmin/webmin/letsencrypt-dns.pl
Waiting for verification…
Challenge failed for domain xx
dns-01 challenge for xx
Cleaning up challenges
Running manual-cleanup-hook command: /etc/webmin/webmin/letsencrypt-cleanup.pl
Some challenges have failed.
IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: xx
    Type: dns
    Detail: DNS problem: NXDOMAIN looking up TXT for
    _acme-challenge.xx - check that a DNS record exists
    for this domain

You probably have a web app sucking up that request. You need to make sure any proxy or redirect rules you have leave the .well-known path alone. The web server must be able to serve plain files in the .well-known path for LE validation to work.

DNS validation can only work if Virtualmin is managing DNS records, which doesn’t seem to be the case for you. So…the fallback to DNS also doesn’t work.

FIXED, I had multiple mistakes:
1. I forgot I had a wildcard CNAME in my DNS at Namecheap. I removed it.
2. I was using MainWP on a subdomain with a feature called "cleanup and security"; basically it maps all subdomains back to the main domain. I moved the MainWP install to another domain.
3. I moved my WordPress site from Closte many months ago and did not realize .htaccess had code that was not needed at the new provider. I cleaned up my .htaccess.
4. Finally, after deleting my .well-known folder on Virtualmin, I was able to renew SSL immediately.

I hope this can help someone in the future.
Thank you Joe and everybody at Virtualmin.

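A self-check for the HTTP-01 path Joe describes (the web server has to serve a plain file under .well-known/acme-challenge) and for the rewrite/.htaccess causes listed in the fix, written here as an added example rather than code from Virtualmin or this thread: it writes a random token into the webroot, fetches it without following redirects, and names the failure mode (an HTTP 500 as in the log, a redirect from a rewrite rule, or a different app answering). The `serve_dir` helper is an assumed throwaway local server for demonstration; against a real host you would pass the site URL and its webroot (e.g. /home/shop/public_html from the log).

```python
# Added example: self-check for HTTP-01 validation. Writes a token file under
# the webroot, fetches it as the ACME server would, and names the failure mode.
import os, secrets, tempfile, threading
import urllib.error, urllib.request
from functools import partial
from http.server import SimpleHTTPRequestHandler, ThreadingHTTPServer

CHALLENGE_DIR = ".well-known/acme-challenge"

class NoRedirect(urllib.request.HTTPRedirectHandler):
    # A redirect away from .well-known usually means a rewrite/proxy rule is
    # hijacking the path (as MainWP's subdomain mapping did above); surface it.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None

def check_http01(base_url, webroot):
    """Return 'ok' when <base_url>/.well-known/acme-challenge/<token> serves the
    plain file written under <webroot>, otherwise a short diagnosis string."""
    token, body = secrets.token_urlsafe(24), secrets.token_urlsafe(24)
    path = os.path.join(webroot, CHALLENGE_DIR, token)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(body)
    url = f"{base_url.rstrip('/')}/{CHALLENGE_DIR}/{token}"
    try:
        with urllib.request.build_opener(NoRedirect).open(url, timeout=10) as r:
            got = r.read().decode(errors="replace").strip()
    except urllib.error.HTTPError as err:
        if 300 <= err.code < 400:
            return f"redirect {err.code} to {err.headers.get('Location')}"
        return f"http {err.code}"  # "http 500" is what the log above shows
    except urllib.error.URLError as err:
        return f"connect error: {err.reason}"
    finally:
        os.remove(path)  # leave nothing behind in the live webroot
    return "ok" if got == body else "body mismatch: another app answered"

def serve_dir(webroot=None):
    """Throwaway local static server for demonstration only (assumed helper);
    returns (server, base_url, webroot). Call server.shutdown() when finished."""
    webroot = webroot or tempfile.mkdtemp()
    handler = partial(SimpleHTTPRequestHandler, directory=webroot)
    srv = ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}", webroot

if __name__ == "__main__":  # e.g. python check_http01.py http://example.com /home/shop/public_html
    import sys
    print(check_http01(sys.argv[1], sys.argv[2]))
```

Run it before retrying the renewal: anything other than `ok` tells you which layer (status code, redirect, or a different responder) is stealing the challenge path.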

Thanks for following up with a complete explanation of your solution!
