Vmin is trying to renew LE certs with nginx instead of apache

SYSTEM INFORMATION
OS type and version Ubuntu Linux 22.04.5
Webmin version 2.610
Virtualmin version 7.20.2.pro-1

Let’s Encrypt cert renewal and request has broken because vmin/certbot seems to be wanting to request certs for nginx instead of apache. If I manually update a domain’s cert using a certbot command (certbot --apache …) cert renewal works.

I’ve had a good look but I cannot see the vmin setting for this. How do I force vmin to only request/renew LE certs using/for apache?

I don’t know how this has happened because nginx isn’t even installed on our vmin server. Is this a certbot bug?

I’m seeing errors like this in the letsencrypt log:

HTTP 200
Server: nginx
Date: Thu, 09 Apr 2026 14:47:14 GMT
Content-Type: application/json
Content-Length: 1135
Connection: keep-alive
Boulder-Requester: 1975107017
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: e8SfZ44tVHF94bk50sYgcZXHVxtorA9c4XpoaZiao4rQT_8Csgg
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "www.test-domain2.poseidon.salford.ac.uk"
  },
  "status": "invalid",
  "expires": "2026-04-16T14:47:11Z",
  "challenges": [
    {
      "type": "http-01",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall/1975107017/685600304221/WHNjtw",
      "status": "invalid",
      "validated": "2026-04-09T14:47:13Z",
      "error": {
        "type": "urn:ietf:params:acme:error:unauthorized",
        "detail": "172.167.31.187: Invalid response from http://www.test-domain2.poseidon.salford.ac.uk/.well-known/acme-challenge/JZIr8kWnz5L2IR0GSoirGUq4kxgGe4YCSWKzzBYIlUA: 403",
        "status": 403
      },
      "token": "JZIr8kWnz5L2IR0GSoirGUq4kxgGe4YCSWKzzBYIlUA",
      "validationRecord": [
        {
          "url": "http://www.test-domain2.poseidon.salford.ac.uk/.well-known/acme-challenge/JZIr8kWnz5L2IR0GSoirGUq4kxgGe4YCSWKzzBYIlUA",
          "hostname": "www.test-domain2.poseidon.salford.ac.uk",
          "port": "80",
          "addressesResolved": [
            "172.167.31.187"
          ],
          "addressUsed": "172.167.31.187"
        }
      ]
    }
  ]
}
2026-04-09 15:47:14,829:DEBUG:acme.client:Storing nonce: e8SfZ44tVHF94bk50sYgcZXHVxtorA9c4XpoaZiao4rQT_8Csgg
2026-04-09 15:47:14,829:INFO:certbot._internal.auth_handler:Challenge failed for domain admin.test-domain2.poseidon.salford.ac.uk
2026-04-09 15:47:14,829:INFO:certbot._internal.auth_handler:Challenge failed for domain test-domain2.poseidon.salford.ac.uk
2026-04-09 15:47:14,829:INFO:certbot._internal.auth_handler:Challenge failed for domain webmail.test-domain2.poseidon.salford.ac.uk
2026-04-09 15:47:14,830:INFO:certbot._internal.auth_handler:Challenge failed for domain www.test-domain2.poseidon.salford.ac.uk
2026-04-09 15:47:14,830:INFO:certbot._internal.auth_handler:http-01 challenge for Identifier(typ=IdentifierType(dns), value='admin.test-domain2.poseidon.salford.ac.uk')
2026-04-09 15:47:14,830:INFO:certbot._internal.auth_handler:http-01 challenge for Identifier(typ=IdentifierType(dns), value='test-domain2.poseidon.salford.ac.uk')
2026-04-09 15:47:14,830:INFO:certbot._internal.auth_handler:http-01 challenge for Identifier(typ=IdentifierType(dns), value='webmail.test-domain2.poseidon.salford.ac.uk')
2026-04-09 15:47:14,830:INFO:certbot._internal.auth_handler:http-01 challenge for Identifier(typ=IdentifierType(dns), value='www.test-domain2.poseidon.salford.ac.uk')
2026-04-09 15:47:14,830:DEBUG:certbot._internal.display.obj:Notifying user: 
Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
  Identifier: admin.test-domain2.poseidon.salford.ac.uk
  Type:   unauthorized
  Detail: 172.167.31.187: Invalid response from http://admin.test-domain2.poseidon.salford.ac.uk/.well-known/acme-challenge/0MmDGMIAOAfDOhq2qpCSQjDMkskU8vwvXOlm1re5d0A: 403

  Identifier: test-domain2.poseidon.salford.ac.uk
  Type:   unauthorized
  Detail: 172.167.31.187: Invalid response from http://test-domain2.poseidon.salford.ac.uk/.well-known/acme-challenge/gI_PHnKWMw5BdqhkaouL9RMVujFEB-9df3wS89NEOAM: 403

  Identifier: webmail.test-domain2.poseidon.salford.ac.uk
  Type:   unauthorized
  Detail: 172.167.31.187: Invalid response from http://webmail.test-domain2.poseidon.salford.ac.uk/.well-known/acme-challenge/8nCPzV_eWX-w2KUNmOCLiW9Uimff6vRD2vIY9TTi5gs: 403

  Identifier: www.test-domain2.poseidon.salford.ac.uk
  Type:   unauthorized
  Detail: 172.167.31.187: Invalid response from http://www.test-domain2.poseidon.salford.ac.uk/.well-known/acme-challenge/JZIr8kWnz5L2IR0GSoirGUq4kxgGe4YCSWKzzBYIlUA: 403

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed identifiers serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

2026-04-09 15:47:14,831:DEBUG:certbot._internal.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/snap/certbot/5528/lib/python3.12/site-packages/certbot/_internal/auth_handler.py", line 104, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, max_time_mins, best_effort)
  File "/snap/certbot/5528/lib/python3.12/site-packages/certbot/_internal/auth_handler.py", line 208, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.

2026-04-09 15:47:14,831:DEBUG:certbot._internal.error_handler:Calling registered functions
2026-04-09 15:47:14,831:INFO:certbot._internal.auth_handler:Cleaning up challenges
2026-04-09 15:47:14,831:DEBUG:certbot._internal.plugins.webroot:Removing /home/test2/public_html/.well-known/acme-challenge/0MmDGMIAOAfDOhq2qpCSQjDMkskU8vwvXOlm1re5d0A
2026-04-09 15:47:14,831:DEBUG:certbot._internal.plugins.webroot:Removing /home/test2/public_html/.well-known/acme-challenge/gI_PHnKWMw5BdqhkaouL9RMVujFEB-9df3wS89NEOAM
2026-04-09 15:47:14,832:DEBUG:certbot._internal.plugins.webroot:Removing /home/test2/public_html/.well-known/acme-challenge/8nCPzV_eWX-w2KUNmOCLiW9Uimff6vRD2vIY9TTi5gs
2026-04-09 15:47:14,832:DEBUG:certbot._internal.plugins.webroot:Removing /home/test2/public_html/.well-known/acme-challenge/JZIr8kWnz5L2IR0GSoirGUq4kxgGe4YCSWKzzBYIlUA
2026-04-09 15:47:14,832:DEBUG:certbot._internal.plugins.webroot:All challenges cleaned up
2026-04-09 15:47:14,832:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
  File "/snap/certbot/5528/bin/certbot", line 6, in <module>
    sys.exit(main())
             ^^^^^^
  File "/snap/certbot/5528/lib/python3.12/site-packages/certbot/main.py", line 18, in main
    return internal_main.main(cli_args)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/snap/certbot/5528/lib/python3.12/site-packages/certbot/_internal/main.py", line 1886, in main
    return config.func(config, plugins)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/snap/certbot/5528/lib/python3.12/site-packages/certbot/_internal/main.py", line 1598, in certonly
    lineage = _get_and_save_cert(le_client, config, sans, certname, lineage)
              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/snap/certbot/5528/lib/python3.12/site-packages/certbot/_internal/main.py", line 143, in _get_and_save_cert
    lineage = le_client.obtain_and_enroll_certificate(sans, certname)
              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/snap/certbot/5528/lib/python3.12/site-packages/certbot/_internal/client.py", line 533, in obtain_and_enroll_certificate
    cert, chain, key, _ = self.obtain_certificate(sans)
                          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/snap/certbot/5528/lib/python3.12/site-packages/certbot/_internal/client.py", line 434, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/snap/certbot/5528/lib/python3.12/site-packages/certbot/_internal/client.py", line 512, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, self.config, best_effort)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/snap/certbot/5528/lib/python3.12/site-packages/certbot/_internal/auth_handler.py", line 104, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, max_time_mins, best_effort)
  File "/snap/certbot/5528/lib/python3.12/site-packages/certbot/_internal/auth_handler.py", line 208, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.
2026-04-09 15:47:14,834:ERROR:certbot._internal.log:Some challenges have failed.

You’re misinterpreting that. The log is showing the output from the Let’s Encrypt API server, which happens to run nginx. The web server Let’s Encrypt’s API server is running has nothing to do with why your validation is failing.

The problem is this:

  Identifier: admin.test-domain2.poseidon.salford.ac.uk
  Type:   unauthorized
  Detail: 172.167.31.187: Invalid response from http://admin.test-domain2.poseidon.salford.ac.uk/.well-known/acme-challenge/0MmDGMIAOAfDOhq2qpCSQjDMkskU8vwvXOlm1re5d0A: 403

  Identifier: test-domain2.poseidon.salford.ac.uk
  Type:   unauthorized
  Detail: 172.167.31.187: Invalid response from http://test-domain2.poseidon.salford.ac.uk/.well-known/acme-challenge/gI_PHnKWMw5BdqhkaouL9RMVujFEB-9df3wS89NEOAM: 403

  Identifier: webmail.test-domain2.poseidon.salford.ac.uk
  Type:   unauthorized
  Detail: 172.167.31.187: Invalid response from http://webmail.test-domain2.poseidon.salford.ac.uk/.well-known/acme-challenge/8nCPzV_eWX-w2KUNmOCLiW9Uimff6vRD2vIY9TTi5gs: 403

  Identifier: www.test-domain2.poseidon.salford.ac.uk
  Type:   unauthorized
  Detail: 172.167.31.187: Invalid response from http://www.test-domain2.poseidon.salford.ac.uk/.well-known/acme-challenge/JZIr8kWnz5L2IR0GSoirGUq4kxgGe4YCSWKzzBYIlUA: 403

You’re not allowing access to the .well-known directory. This is always the same two or three problems. Something is sucking up requests to that path (a redirect or proxy rule that isn’t excluding .well-known), DNS is wrong, or you have a “the wrong site shows up” problem.

I’m confused how using certbot directly works, though.

But, to troubleshoot, put a file in .well-known and try to browse to it. Check the error log for that domain to see why it fails and fix it. It’s probably a redirect or proxy rule, either in the Apache configuration or the .htaccess file for that domain. You must exclude .well-known from any redirect or proxy rules. Virtualmin automatically does this for apps it sets up, but for anything you did, you’d need to explicitly add that exclusion.

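Added example, not part of the thread and not Virtualmin or certbot code: a small parser that pulls the failed challenges out of a letsencrypt.log excerpt, skipping the ACME API's own response headers (the `Server: nginx` line) and reporting which address the validator fetched from and which response code it got. The hostname, address and token in the sample are constructed, and the code assumes the `Invalid response from <url>: <code>` detail wording seen in the log above.

```python
import json
import re

# Constructed sample shaped like the letsencrypt.log excerpt above: response
# headers and JSON body from the ACME API, then an ordinary certbot log line.
SAMPLE_LOG = '''HTTP 200
Server: nginx

{
  "identifier": {"type": "dns", "value": "www.example.test"},
  "status": "invalid",
  "challenges": [{
    "type": "http-01", "status": "invalid",
    "error": {"type": "urn:ietf:params:acme:error:unauthorized", "status": 403,
      "detail": "192.0.2.10: Invalid response from http://www.example.test/.well-known/acme-challenge/TOKEN: 403"},
    "validationRecord": [{"hostname": "www.example.test", "port": "80", "addressUsed": "192.0.2.10"}]
  }]
}
2026-01-01 00:00:00,000:INFO:certbot._internal.auth_handler:Challenge failed for domain www.example.test
'''

def failed_challenges(log_text):
    """Return one dict per failed challenge in the ACME authorization bodies."""
    decoder, failures, pos = json.JSONDecoder(), [], 0
    while (pos := log_text.find("{", pos)) != -1:
        try:
            obj, pos = decoder.raw_decode(log_text, pos)
        except json.JSONDecodeError:
            pos += 1  # a stray brace in an ordinary log line, skip it
            continue
        for ch in obj.get("challenges", []):
            if ch.get("status") != "invalid":
                continue
            err = ch.get("error", {})
            seen = re.search(r"Invalid response from \S+: (\d{3})", err.get("detail", ""))
            rec = (ch.get("validationRecord") or [{}])[-1]  # last request made
            failures.append({
                "name": obj["identifier"]["value"],
                "challenge": ch["type"],
                "error": err.get("type", "").rsplit(":", 1)[-1],
                "response_code": int(seen.group(1)) if seen else None,
                "fetched_from": rec.get("addressUsed"),
                "port": rec.get("port"),
            })
    return failures

if __name__ == "__main__":
    for failure in failed_challenges(SAMPLE_LOG):
        print(failure)
```

If `fetched_from` is not the address of the server that holds the webroot, the cause is DNS or a "wrong site" mismatch; if it is, the response code points at a redirect, proxy or access rule on that host.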