Unable to renew Let's Encrypt certificate

Hi everyone,
I've been facing a problem for hours. Yesterday I noticed the SSL certificate of my website (xxx.fr) had to be renewed (I thought it was automatic though…)…
To avoid the Firefox warning, I wrote a redirection in an .htaccess (from https to http).

So I logged in to Virtualmin (Debian 8, Virtualmin 6.00) and tried to renew the LE certificate, but I keep coming across these errors:

… request failed : Web-based validation failed : Failed to request certificate :
Traceback (most recent call last):
  File "/usr/share/webmin/webmin/acme_tiny.py", line 235, in <module>
    main(sys.argv[1:])
  File "/usr/share/webmin/webmin/acme_tiny.py", line 231, in main
    signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, args.dns_hook, args.cleanup_hook, log=LOGGER, CA=args.ca)
  File "/usr/share/webmin/webmin/acme_tiny.py", line 171, in get_crt
    raise ValueError("Gave up waiting for validation")
ValueError: Gave up waiting for validation

and

DNS-based validation failed : Failed to request certificate :
u'error': {u'status': 400, u'type': u'urn:acme:error:connection', u'detail': u'DNS problem: NXDOMAIN looking up TXT for _acme-challenge.www.xxx.fr'}, u'type': u'dns-01'}

Any help would be greatly welcome :wink:

The URL http://www.xxx.fr/.well-known/acme-challenge/aSF70Pkxdwr3BxrH1goBiRVobRDz3QX3WQS28dYTlWs is OK…
And when I dig it, it's OK…

dig TXT _acme-challenge.www.xxx.fr

;; ANSWER SECTION:
_acme-challenge.www.xxx.fr. 1800 IN TXT "QcCTV3OIwil0Q6vj_L2fzq62YgTXy4yQK2ZbhbK2k1o"

What am I doing wrong?

How come I get this when reading the values in Virtualmin > Servers > BIND DNS Server:

_acme-challenge.www.xxx.fr. 5 IN TXT 6tJCCY4oZNtFLQLzWHiORv2o011o8EGy4Rw1NjNC5e0

and I get a different value when I dig over SSH:

_acme-challenge.www.xxx.fr. 1043 IN TXT "QcCTV3OIwil0Q6vj_L2fzq62YgTXy4yQK2ZbhbK2k1o"

If someone could help me, that would be great… :wink:

Check your host name… do the hostname and hostname -f commands give you the same output? Also, do you run your own DNS or are you doing it via the registrar?

Thanks for answering!
Here is the output:

user@xxx:~$ hostname
zzz

user@xxx:~$ hostname -f
zzz.xxx.org

As for the DNS, I handle it directly via BIND…

Edit: by the way, xxx.xxx.org is the name known to Virtualmin (System hostname = xxx.xxx.org).

OK, I changed the hostname and now:

ValueError: Error checking challenge: 502 {u'type': u'urn:acme:error:serverInternal', u'detail': u'The service is down for maintenance or had an internal error. Check https://letsencrypt.status.io/ for more details.'}

Seems I have to wait until the end of the maintenance…

Thank you anyway for your help!

OK, as I said, I changed the hostname so that both hostname and hostname -f give xxx.xxx.org,

but there’s still a problem…

dig TXT _acme-challenge.www.xxx.fr

_acme-challenge.www.xxx.fr. 1800 IN TXT "QcCTV3OIwil0Q6vj_L2fzq62YgTXy4yQK2ZbhbK2k1o"

but BIND does not give the same value as dig over SSH…

_acme-challenge.www.xxx.fr. 5 IN TXT VifmnH57Yh_GEggfMikLlixnR-el68Vo9q3LN2cKJnI

hostname and hostname -f should be different, i.e. exactly the way you had them at the start.

OK, but it didn't work anyway in either case…

As https raises a warning, I added a URL rewrite in an .htaccess to force https to http.
Could that be the reason why it does not pass the web-based validation?

I found a kind of workaround, let's say it's OK…

  • As I mentioned, zzz and zzz.xxx.org are not the same… and I think that is your problem itself.

You are wrong… and if you set it the way you are saying, you would never ever be able to deal with these issues… Do you know how BIND DNS works? Also how domain verification and DKIM work? If so, you would know already.

If we'd like to query each other's credentials, well, why not at least read the man page for hostname, specifically the FQDN section.

https://manpages.debian.org/stretch/hostname/hostname.1.en.html

and then how resolution works

https://manpages.debian.org/stretch/manpages/hostname.7.en.html

Why have a -f argument at all if it is going to return the same thing as the base command? :slight_smile:

All my stuff works just fine, btw.

Would you mind sharing the workaround you found?

Forums are far more useful if the wisdom is shared.
Please post how you fixed the problem.

The solution to Let's Encrypt not working is almost always DNS or some redirects getting in the way of validation. So, check your DNS, and make sure you can browse to the link for the validation file (the URL looks something like this: http://domain.tld/.well-known/acme-challenge/XDGS6B-og9RrtEBFAAwGpgIQ3g8P0jZlhPv983nsgK4).
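The two checks Joe recommends, written out as a pre-flight script. This is an added example, not part of the thread and not Virtualmin's or acme_tiny's code. It fetches the HTTP-01 challenge URL over plain HTTP without following redirects (so an .htaccess rewrite on that path is reported instead of silently followed), and it queries the DNS-01 TXT record from the authoritative name server and from a recursive resolver with a minimal hand-built DNS query, flagging NXDOMAIN or a value that differs from the zone. Host names, tokens and the default recursive resolver address (1.1.1.1) are placeholders, and sample_response builds constructed test data rather than captured traffic.

```python
"""Pre-flight checks for Let's Encrypt validation.  Added example, not part of
the thread, Virtualmin or acme_tiny: HTTP-01 fetch without following redirects,
plus DNS-01 TXT lookup at the authoritative server vs. a recursive resolver,
using a minimal hand-built DNS query (standard library only)."""
import http.client
import socket
import struct

ACME_PATH = "/.well-known/acme-challenge/"
REDIRECTS = {301, 302, 303, 307, 308}
TXT, IN = 16, 1   # DNS QTYPE and QCLASS values

def classify_http01(status, location, body, token):
    """Decision logic for the HTTP-01 fetch, kept pure so it can be tested offline."""
    if status in REDIRECTS:
        return False, f"HTTP {status} redirect to {location}: challenge path is rewritten"
    if status != 200:
        return False, f"HTTP {status} for challenge file"
    if not body.startswith(token + "."):   # file must hold "<token>.<account key thumbprint>"
        return False, "body does not start with the token (wrong file or wrong vhost)"
    return True, "challenge reachable over plain HTTP"

def check_http01(host, token, timeout=5):
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)   # never follows redirects
    conn.request("GET", ACME_PATH + token)
    resp = conn.getresponse()
    body = resp.read().decode("ascii", errors="replace").strip()
    conn.close()
    return classify_http01(resp.status, resp.getheader("Location"), body, token)

def build_txt_query(name, txid=0x1234):
    """Wire-format query: header with RD=1, QNAME labels, QTYPE=TXT, QCLASS=IN."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack(">HH", TXT, IN)

def _skip_name(msg, off):
    # Advance past a domain name, plain or ending in a 2-byte compression pointer.
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length

def parse_txt_answers(msg):
    """Return (rcode, [(ttl, text), ...]) for the TXT RRs in the answer section."""
    _, flags, qd, an, _, _ = struct.unpack(">HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):             # skip the echoed question(s)
        off = _skip_name(msg, off) + 4
    answers = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if rtype == TXT:            # rdata is a run of <len><bytes> character-strings
            i, parts = 0, []
            while i < len(rdata):
                parts.append(rdata[i + 1:i + 1 + rdata[i]].decode("ascii", errors="replace"))
                i += 1 + rdata[i]
            answers.append((ttl, "".join(parts)))
    return flags & 0xF, answers

def query_txt(name, server, timeout=3):
    # One UDP query to `server`, the IP of an authoritative or recursive resolver.
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_txt_query(name), (server, 53))
        data, _ = s.recvfrom(4096)
    return parse_txt_answers(data)

def compare_txt(auth, rec):
    """Compare two parse_txt_answers() results: authoritative vs recursive."""
    (rc_a, rrs_a), (rc_r, rrs_r) = auth, rec
    if rc_a == 3 or not rrs_a:
        return False, "no TXT on the authoritative server (zone not reloaded or serial not bumped?)"
    if rc_r == 3 or not rrs_r:
        return False, "NXDOMAIN at the recursive resolver (negative answer still cached?)"
    vals_a, vals_r = {v for _, v in rrs_a}, {v for _, v in rrs_r}
    if vals_a != vals_r:
        return False, f"stale value at resolver: {sorted(vals_a)} authoritative vs {sorted(vals_r)} cached, TTL left {[t for t, _ in rrs_r]}"
    return True, "TXT record agrees on authoritative and recursive resolvers"

def compare_dns01(name, authoritative, recursive="1.1.1.1"):
    return compare_txt(query_txt(name, authoritative), query_txt(name, recursive))

def sample_response(name, txt=None, ttl=1800, rcode=0):
    """Constructed DNS reply (test data, not captured traffic): the echoed question
    plus, if txt is given, one TXT RR whose owner is a pointer (0xc00c) to the QNAME."""
    header = struct.pack(">HHHHHH", 0x1234, 0x8180 | rcode, 1, int(txt is not None), 0, 0)
    rr = b""
    if txt is not None:
        rdata = bytes([len(txt)]) + txt.encode("ascii")
        rr = b"\xc0\x0c" + struct.pack(">HHIH", TXT, IN, ttl, len(rdata)) + rdata
    return header + build_txt_query(name)[12:] + rr
```

Against a live server you would call check_http01("www.xxx.fr", token) and compare_dns01("_acme-challenge.www.xxx.fr", "<IP of your BIND server>"). The HTTP check deliberately reports only the first hop, so a rewrite on the challenge path shows up as a 301/302 rather than being followed. The DNS check reproduces the situation in the thread offline: feeding sample_response(name, "6tJCCY4o…", ttl=5) as the zone's answer and sample_response(name, "QcCTV3OI…", ttl=1043) as the resolver's answer yields a "stale value at resolver" result, because a recursive resolver keeps serving a cached TXT record until its TTL runs out regardless of what BIND now has in the zone file.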

Joe just said it right; that is what I meant with my own comment regarding BIND and DNS… sorry if my answer was not very clear, however I did ask… did you resolve the problem, noisemarine?

As for the problem, the https-to-http redirect could be causing the failure, the same as other .htaccess-style redirects could, so then probably a ,

I don't understand the http without s here? http://domain.tld/.well-known/acme-challenge/XDGS6B-og9RrtEBFAAwGpgIQ3g8P0jZlhPv983nsgK4
PORT?

Hello, I have the same problem. The solution: set all redirects in the Apache conf and .htaccess from "http" to "https" back to only "http", and you can request a new Let's Encrypt certificate and it works… but it is not a renewal, it is a new certificate! This is a bad solution because it is manual; I have 10+ hosts and I don't have time every 3 months to make these changes by hand! Does anyone know a solution that works automatically? In theory, an EXCEPTION in the Apache conf and .htaccess for http://domain.tld/.well-known/acme-challenge/.
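The exception the last post asks for, as an added example (not from the thread, and not a Virtualmin-generated config): a mod_rewrite rule set that still forces HTTPS for visitors but leaves /.well-known/acme-challenge/ alone so the HTTP-01 fetch over plain HTTP is answered directly. It assumes mod_rewrite is enabled, that AllowOverride permits the directives in .htaccess, and uses domain.tld as a placeholder.

```apache
# Added example, not part of the thread.  .htaccess in the DocumentRoot (or the
# same directives inside the port-80 <VirtualHost>, where patterns start with "/").
RewriteEngine On

# 1. Pass the ACME challenge path through untouched.  This rule must come
#    before the redirect; "-" means no substitution and [L] stops processing.
RewriteRule ^\.well-known/acme-challenge/ - [L]

# 2. Everything else on plain HTTP goes to HTTPS.
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]

# If the site uses mod_alias instead (Redirect permanent / https://domain.tld/),
# that directive fires regardless of the rewrite rules above.  Replace it with a
# RedirectMatch whose regex excludes the challenge path:
#   RedirectMatch 301 "^/(?!\.well-known/acme-challenge/)(.*)" "https://domain.tld/$1"
```

The same exclusion rule placed first also neutralises the opposite redirect described earlier in the thread (an https-to-http rewrite on the port-443 vhost). After changing the rules, fetch http://domain.tld/.well-known/acme-challenge/test with curl -I and confirm you get a 404 or 200 from the :80 vhost rather than a 301, before asking Virtualmin to request the certificate again.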