Web-based validation Failed to request certificate in webmin virtualmin using subdomain let's encrypt

My domain is: app.marketplaza.pe

I ran this command: I went to virtualmin chose server configuration then manage ssl certificate then generate certificate using let’s encrypt. I chose to apply certificate only to subdomain which has an A record pointing specifically only this subdomain to current webmin server.

It produced this output:

Requesting a certificate for app.marketplaza.pe from Let’s Encrypt …
… request failed : Web-based validation failed : Failed to request certificate :
Traceback (most recent call last):
File “/usr/libexec/webmin/webmin/acme_tiny.py”, line 198, in
main(sys.argv[1:])
File “/usr/libexec/webmin/webmin/acme_tiny.py”, line 194, in main
signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca, disable_check=args.disable_check, directory_url=args.directory_url, contact=args.contact)
File “/usr/libexec/webmin/webmin/acme_tiny.py”, line 149, in get_crt
raise ValueError(“Challenge did not pass for {0}: {1}”.format(domain, authorization))
ValueError: Challenge did not pass for app.marketplaza.pe: {u’status’: u’invalid’, u’challenges’: [{u’status’: u’invalid’, u’validationRecord’: [{u’url’: u’http://app.marketplaza.pe/.well-known/acme-challenge/XXTZO8eLKhoUK2YTTUr5vH3Ujk00Q0HqcYuIB3TkFFA’, u’hostname’: u’app.marketplaza.pe’, u’addressUsed’: u’165.227.54.45’, u’port’: u’80’, u’addressesResolved’: [u’165.227.54.45’]}], u’url’: u’https://acme-v02.api.letsencrypt.org/acme/chall-v3/6501963603/cSzYgw’, u’token’: u’XXTZO8eLKhoUK2YTTUr5vH3Ujk00Q0HqcYuIB3TkFFA’, u’error’: {u’status’: 403, u’type’: u’urn:ietf:params:acme:error:unauthorized’, u’detail’: u’Invalid response from http://app.marketplaza.pe/.well-known/acme-challenge/XXTZO8eLKhoUK2YTTUr5vH3Ujk00Q0HqcYuIB3TkFFA [165.227.54.45]: “\r\n\r\n\r\n \r\n <meta http-equiv=\“X-UA-Compatible\” content=\“IE=edge\”>\r\n <tit”’}, u’type’: u’http-01’}], u’identifier’: {u’type’: u’dns’, u’value’: u’app.marketplaza.pe’}, u’expires’: u’2020-08-20T04:32:58Z’}
, DNS-based validation failed : Only the offical Let’s Encrypt client supports DNS-based validation

My web server is (include version): Apache version 2.4.6

The operating system my web server runs on is (include version): Cent OS 7

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
Webmin 1.954 with Virtualmin
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

Welcome Renzo, I’m not an expert but I’ll give you some suggestions.
You’ll see from the log there is an error
“Invalid response from http://app.marketplaza.pe/.well-known/acme-challenge/XXTZO8eLKhoUK2YTTUr5vH3Ujk00Q0HqcYuIB3TkFFA [165.227.54.45]”

So Let’s Encrypt is not able to find the file that it expects. Common reasons might be:

  1. The hostname app.marketplaza.pe resolves to the wrong IP address
  2. The authentication file is not being written to the correct place. Virtualmin writes it to a place in the file system but it has to be accessible through a URL. Note the difference.
  3. You don’t have the rights to create the authentication file (possibly because it is on another server?)
  4. There is no web server running for this (sub)domain.

You can’t use Virtualmin’s Let’s Encrypt feature to get a certificate for a different server.

First DNS
The name servers for marketplaza.pe resolve as ns1.boxsecured.com (153.192.2.3) and ns2.boxsecured.com (153.192.2.3)
And DNS resolves
marketplaza.pe internet address = 212.1.215.10
app.marketplaza.pe internet address = 165.227.54.45
Is this correct? Possibly, but it’s far more common that the subdomain resolves to the same IP address.
If these two IP addresses are on different servers then you will not be able to obtain a certificate using Virtualmin.

If app.marketplaza.pe is really on a different server then you should obtain/install an SSL certificate on that server.
If you are unable to obtain a certificate using that server or install a certificate obtained externally then you could create the subdomain in Virtualmin and serve a file to display the “real” app server in an iframe.
But if you don’t have a certificate on the app server you would still be insecure between the virtualmin server and the app server.
Good luck!

Thank you @PeterP for taking your time in reading me. Virtualmin manages only app.marketplaza.pe. Actually, main domain is handled with a CPanel.
I have a laravel app there and at the apache virtual host it’s pointing to user home directory public_html/public but I have created my well-known directory at public_html/well-known so I think that’s the problem because it won’t find any file over there. I haven’t tried it but I think this could be the issue.

Hi @PeterP sorry for answering too late. Could you please help me to understand this error log?

Traceback (most recent call last):
  File "/usr/libexec/webmin/webmin/acme_tiny.py", line 198, in <module>
    main(sys.argv[1:])
  File "/usr/libexec/webmin/webmin/acme_tiny.py", line 194, in main
    signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca, disable_check=args.disable_check, directory_url=args.directory_url, contact=args.contact)
  File "/usr/libexec/webmin/webmin/acme_tiny.py", line 149, in get_crt
    raise ValueError("Challenge did not pass for {0}: {1}".format(domain, authorization))
ValueError: Challenge did not pass for app.marketplaza.pe: {u'status': u'invalid', u'challenges': [{u'status': u'invalid', u'validationRecord': [{u'url': u'http://app.marketplaza.pe/.well-known/acme-challenge/yYdYiTTDMDnhmA_57BW4iYvyzT5gc0C0-F3nMc4LPQM', u'hostname': u'app.marketplaza.pe', u'addressUsed': u'165.227.54.45', u'port': u'80', u'addressesResolved': [u'165.227.54.45']}], u'url': u'https://acme-v02.api.letsencrypt.org/acme/chall-v3/6695710654/zvdyoQ', u'token': u'yYdYiTTDMDnhmA_57BW4iYvyzT5gc0C0-F3nMc4LPQM', u'error': {u'status': 403, u'type': u'urn:ietf:params:acme:error:unauthorized', u'detail': u'Invalid response from http://app.marketplaza.pe/.well-known/acme-challenge/yYdYiTTDMDnhmA_57BW4iYvyzT5gc0C0-F3nMc4LPQM [165.227.54.45]: "<!DOCTYPE html>\\r\\n<html>\\r\\n<head>\\r\\n    <meta charset=\\"utf-8\\">\\r\\n    <meta http-equiv=\\"X-UA-Compatible\\" content=\\"IE=edge\\">\\r\\n    <tit"'}, u'type': u'http-01'}], u'identifier': {u'type': u'dns', u'value': u'app.marketplaza.pe'}, u'expires': u'2020-08-29T04:36:23Z'}

For now I have installed a certificate generated with letsencrypt using cpanel at marketplaza.pe requesting a domain based wildcard certificate so then I download key and cert files and uploaded those to virtualmin. The problem is that certificates will autoupdate at cpanel but not at virtualmin so I don’t know what to do. Document root points to public_html folder but inside it I have a redirect .htaccess which points to public_html/public which is laravel default public dir so I am not sure where should I put that .well-known directory or what is virtualmin showing up there.

Hope you are doing good. Thanks!

Hi Renzo, @renzo.castillo,
I think the problem is still that the validation file is not accessible at the .well-known… URL.
In your error output the line ValueError is saying that the LE server can’t find the validation file. Virtualmin will have stored that file (with the long name of random characters) in public_html/.well-known/acme-challenge and LE is trying to find the same named file at
http://app.marketplaza.pe/.well-known/acme-challenge/ but failing.

Most likely the .htaccess redirect is redirecting everything to the public directory. You can test by creating two simple text files as follows
create public_html/.well-known/acme-challenge/test1 containing the text “Found in correct place”
create public_html/public/.well-known/acme-challenge/test1 containing the text “Found under public”
Also check that .htaccess in public_html/.well-known/acme-challenge/ that was created by Virtualmin is still there. It contains

    AuthType None
    Require all granted
    Satisfy any

Then browse to http://app.marketplaza.pe//.well-known/acme-challenge/test1
It should display “Found in correct place”.
If it displays “Found under public” then you know your .htaccess is redirecting to the wrong place.

I think Virtualmin will always store the challenge in the “correct” place defined by the local path on the server NOT a URL. So to keep the automated benefit of Virtualmin Let’s Encrypt functions you need a more selective .htaccess file in public_html that does not redirect the LE validation file URL.

I use something like this

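    <IfModule mod_rewrite.c>
    RewriteEngine on
    # Send requests that are not already under /public/ and do not match
    # an existing file or directory to the same path under /public/.
    RewriteCond %{HTTP_HOST} ^app\.marketplaza\.pe$
    RewriteCond %{REQUEST_URI} !^/public/
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule ^(.*)$ /public/$1
    # Send the bare site root to the application's front controller.
    RewriteCond %{HTTP_HOST} ^app\.marketplaza\.pe$
    RewriteRule ^(/)?$ public/index.php [L]
    </IfModule>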

You may need to change the last RewriteRule line to change index.php to your needs.
And a warning - I’m not an expert on .htaccess and regular expressions. The example is taken from my redirect for “WordPress in a subdirectory”. I copied it from somewhere a long time ago and it seems to work well with my WordPress and other systems running in the same VM.

Good luck!
Peter
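
As an added example (not part of any post in this thread, and not Webmin or acme_tiny code), the sketch below reads the `ValueError` line that acme_tiny prints and reports which address the CA fetched the challenge from and what kind of body came back. The function names, the verdict labels and the shortened sample are assumptions made for this illustration.

```python
import ast
import re

# Constructed sample: the authorization object from the second traceback in
# the thread, cut down to the fields read below (values as posted there).
SAMPLE = r"""ValueError: Challenge did not pass for app.marketplaza.pe: {
 u'status': u'invalid', u'challenges': [{u'status': u'invalid', u'type': u'http-01',
  u'token': u'yYdYiTTDMDnhmA_57BW4iYvyzT5gc0C0-F3nMc4LPQM',
  u'validationRecord': [{u'addressUsed': u'165.227.54.45', u'port': u'80',
   u'url': u'http://app.marketplaza.pe/.well-known/acme-challenge/yYdYiTTDMDnhmA_57BW4iYvyzT5gc0C0-F3nMc4LPQM'}],
  u'error': {u'status': 403, u'type': u'urn:ietf:params:acme:error:unauthorized',
   u'detail': u'Invalid response from http://app.marketplaza.pe/.well-known/acme-challenge/yYdYiTTDMDnhmA_57BW4iYvyzT5gc0C0-F3nMc4LPQM [165.227.54.45]: "<!DOCTYPE html>\\r\\n<html>\\r\\n<head>"'}}],
 u'identifier': {u'type': u'dns', u'value': u'app.marketplaza.pe'}}"""

HTML_HINT = re.compile(r"<(!doctype|html|head|meta|title)", re.I)

def parse_authorization(log_text):
    """Extract the dict that acme_tiny prints after 'Challenge did not pass'."""
    start = log_text.index("{", log_text.index("ValueError: Challenge did not pass"))
    end = log_text.rindex("}") + 1  # tolerate trailing text after the dict
    return ast.literal_eval(log_text[start:end])  # u'' literals parse on Python 3

def diagnose(log_text):
    """Return one finding per failed challenge in the pasted error."""
    findings = []
    for ch in parse_authorization(log_text).get("challenges", []):
        if ch.get("status") != "invalid":
            continue
        err = ch.get("error", {})
        record = (ch.get("validationRecord") or [{}])[-1]  # last fetch recorded
        # The CA quotes the start of the body it received after ']: "'.
        body = err.get("detail", "").partition(']: "')[2].rstrip('"')
        if body.startswith(ch.get("token", "") + "."):
            verdict = "keyauth-mismatch"  # challenge file served, content rejected
        elif HTML_HINT.search(body):
            verdict = "html-page"         # a web page answered, not the file
        else:
            verdict = "unexpected-body"
        findings.append({
            "type": ch.get("type"), "address": record.get("addressUsed"),
            "url": record.get("url"),
            # status of the ACME problem document, not Apache's response code
            "acme_status": err.get("status"),
            "acme_error": err.get("type", "").rsplit(":", 1)[-1],
            "verdict": verdict,
        })
    return findings

if __name__ == "__main__": print(diagnose(SAMPLE))
```

A verdict of `html-page` corresponds to the diagnosis given in the thread: something other than the challenge file answered at the `.well-known/acme-challenge/` URL.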
