No, there aren’t any .htaccess files in the directory. So here’s something weird:
I can renew the Webmin SSL certificate just fine (Webmin > Webmin Configuration > SSL Encryption > Let’s Encrypt > Request Certificate), but it didn’t update the Usermin certificate (Webmin > Usermin Configuration > SSL Encryption > Current Certificate). I had to do that manually by selecting the Copy Certificate From Webmin button.
But…any of the other domains in Virtualmin redirect to that 404 error.
If you can’t browse to .well-known on the server filesystem, obviously LE can’t validate. You have to fix that. When you proxy or redirect, you must exclude .well-known from that and allow it to be served from the filesystem.
After some further digging, I found that I can browse a new test.html file I placed in the .well-known folder of the main Webmin server.
When I tried to access the original test.html from my first post, which had different content, I was immediately redirected to the main Webmin server’s file that I had just created.
Since the content was different, then that was the only clue I had. Now just to figure out why the redirect is occurring.
Have you tried turning off the cloudflare proxy while troubleshooting?
You mentioned that you are using cloudflare.
Turn off the proxy to show direct. Perhaps there is a conflict?
I would like to suggest going through the list below on a virtual server that is not proxy through Cloudflare.
By the looks of it, you have problems with a re-direction and IPv6 not properly set up.
This is going by the errors you mentioned.
Hy @cyberndt, I appreciate you looking at this. I’ll try and clarify:
The subdomain for Webmin, webmin.mydomain.com, is able to obtain a certificate without problem. It is not proxied through Cloudflare.
I’m not using IPv6 at all. Not sure why that message came up for me the other day, but that at least has gone away.
I went ahead and created a test.mydomain.com account that is not proxied through Cloudflare. Before I created it, I verified that it had the correct IPv4 address.
But, I learned the reason it receives that error is because it is redirecting to mydomain.com/.well-known/acme-challenge from test.mydomain.com/.well-known/acme-challenge. (Notice it went from the subdomain to the root domain.) I figured this out when I performed a “Test connectivity” check during the SSL creation again and then attempted to load the site directly.
That doesn’t sound like a redirect. If it is simply serving the wrong site, it sounds like an Apache VirtualHost misconfiguration. Apache decides which site to serve based on an algorithm nobody understands, but if you have mixed * and IP VirtualHosts, Apache will serve something you didn’t expect. Similarly, if you have IPv6 config anywhere in the Apache VirtualHosts but not for every domain, you’ll get surprises.
There are all sorts of ways you can end up there. Restoring a domain that uses * into a server that is using IP based VirtualHosts, installing any of a number of web apps from system packages can do weird things to VirtualHosts (so don’t do that), IPv6 misconfiguration in Virtualmin or having it turned on and then disabling it later without cleaning up the configs that were created, etc.
Apache has bizarre, absolutely incomprehensible, virtual host selection rules. So…you have to take away all possible ways it can misinterpret your intentions because it will absolutely misinterpret you if there’s any way for it to.