Unable to renew LE certificate

Hi Community,

I’m still struggling with sub-domain certificate renewal. Webmin indicates that the certificate has expired but cannot renew it, with the following error message:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for wiki.mydomain.com
Using the webroot path /home/admin-main/domains/wiki.mydomain.com/www for all unmatched domains.
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. wiki.mydomain.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://wiki.mydomain.com/.well-known/acme-challenge/8jzFM4gAKiERsRUTqPUZsTdtERo_4MLs2CNme2ajlwY [xx.xx.xx.xx]: 418
IMPORTANT NOTES:

Another sub-domain is set up exactly as this one and has renewed with no issue.

Can anyone point me in the right direction to troubleshoot this?

Thanks in advance for any help!
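A pre-flight check for the http-01 path this post is debugging, added here as an example and not code from any post or from Virtualmin: it parses the certbot failure line to show which URL and status the CA saw, then places a throw-away token under the webroot and fetches it the way the ACME server would. The remote fetch only makes sense when the domain resolves to the host running the script; function names and the sample line's placeholders are assumptions.

```python
"""Pre-flight check for an ACME http-01 webroot challenge (example, not certbot code)."""
import os
import re
import secrets
import tempfile
import urllib.error
import urllib.request

CHALLENGE_DIR = ".well-known/acme-challenge"

# Constructed sample: the failure line from the thread, with IP placeholder kept.
SAMPLE_FAILURE = (
    "Failed authorization procedure. wiki.mydomain.com (http-01): "
    "urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient "
    "authorization :: Invalid response from http://wiki.mydomain.com/"
    ".well-known/acme-challenge/8jzFM4gAKiERsRUTqPUZsTdtERo_4MLs2CNme2ajlwY "
    "[xx.xx.xx.xx]: 418"
)

FAIL_RE = re.compile(
    r"(?P<domain>[\w.-]+) \((?P<type>[\w-]+)\): .*?Invalid response from "
    r"(?P<url>\S+) \[(?P<ip>[^\]]+)\]: (?P<status>\d+)"
)


def parse_failure(line):
    """Return domain, challenge type, URL, IP and HTTP status from a certbot failure line."""
    m = FAIL_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["status"] = int(d["status"])  # e.g. 418: something other than the token file answered
    return d


def challenge_url(domain, token):
    """URL the CA fetches for http-01; must be served as the plain token file."""
    return f"http://{domain}/{CHALLENGE_DIR}/{token}"


def place_token(webroot, token=None):
    """Write a throw-away token under <webroot>/.well-known/acme-challenge/."""
    token = token or secrets.token_urlsafe(32)
    path = os.path.join(webroot, *CHALLENGE_DIR.split("/"), token)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(token)
    return token, path


def fetch_status(url, timeout=10):
    """(status, body); status is None when the host could not be reached at all."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as r:
            return r.status, r.read().decode(errors="replace")
    except urllib.error.HTTPError as e:
        return e.code, ""
    except (urllib.error.URLError, OSError) as e:
        return None, str(e)


def local_roundtrip(webroot=None):
    """Offline check: the token lands where the CA would look and reads back intact."""
    webroot = webroot or tempfile.mkdtemp(prefix="acme-preflight-")
    token, path = place_token(webroot)
    with open(path) as fh:
        ok = fh.read() == token and path.endswith(f"{CHALLENGE_DIR}/{token}")
    os.remove(path)
    return ok


def preflight(domain, webroot):
    """Place a token, fetch it over HTTP as the CA would, clean up; (ok, status)."""
    token, path = place_token(webroot)
    status, body = fetch_status(challenge_url(domain, token))
    os.remove(path)
    return status == 200 and body.strip() == token, status
```

Run preflight("wiki.mydomain.com", "/home/admin-main/domains/wiki.mydomain.com/www") on the server itself; anything other than (True, 200) means the webroot in the log is not what answers that URL, so fixing the web server (or switching to the DNS TXT route suggested below) comes before retrying certbot.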

Assuming you’ve got a resolved A record and LE still won’t renew, try creating a DNS TXT record (for mydomain.com’s zone or for wiki.mydomain.com if it has a zone of its own).

Record name: _acme-challenge

Text record: 8jzFM4gAKiERsRUTqPUZsTdtERo_4MLs2CNme2ajlwY

Restart BIND and wait an hour before trying again.

If the new certificate is successful the _acme-challenge TXT record is removed and you’ll see a new CAA record.

Hi Ramin, thanks for the tip!

I’ve checked my DNS area and found that I can just set “mydomain IN TXT “_acme-challenge””, so I don’t know where to fill in the text value. By the way, I think that this value changes for every renewal attempt, doesn’t it?

As for the BIND, I must admit I don’t know what it is… :flushed:

Thanks for your help!

If you don’t have an A record (AAAA for IPv6) for ‘wiki’ that points to the domain’s IP, take care of that first. I would have thought Virtualmin already created DNS A records when the sub-domain (or sub-server) was created.

I don’t know if the hash string changes or not, this really isn’t the point of using it to nudge ACME along to verify a domain when an A record isn’t enough. It may not help you but it has worked for me in similar situations.

To create the TXT record: Virtualmin/Server Configuration/DNS Records. Use the white button to select TXT and green button to create. The next screen will match everything I’ve covered so far.

BIND is your DNS server and restarting it is just an extra measure that ensures wait time isn’t a waste of time. A manual restart may not be needed since Webmin probably restarts BIND every time records change. The command for restarting BIND varies depending on your Linux distro. It could be systemctl restart named or service bind9 restart.

Hi @ramin,

Some more context: my DNS area is operated by the host (OVH.com), my server being a physical machine running Debian 10. Thus I didn’t look for the Virtualmin DNS configuration and didn’t even know there was one… I suppose the host triggers a BIND restart each time I modify the DNS area.

Should I (re)create the suggested records in Virtualmin’s DNS area and match the host’s one?

Thanks again for your help!

Seems I always make the mistake of assuming everybody rolls their own DNS with Webmin and Virtualmin. Anyway, your DNS records need to be edited wherever DNS is hosted, OVH in your case. In theory you could shut down BIND on your server but it’s not hurting anything if running.

Hi @ramin,

I just checked that all required records are now set up in the DNS area: what’s the correct procedure now for certificate renewal?

Thanks again for your help!
