Web-based validation failed

OS type and version Ubuntu Linux 20.04.5
Webmin version 2.013
Virtualmin version 7.5
Related packages SUGGESTED

After the upgrade we get an error when trying to get a new Let’s Encrypt certificate.

Requesting a certificate for mydomain.com, www.mydomain.com from Let’s Encrypt …
… request failed : Web-based validation failed :
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for mydomain.com
http-01 challenge for www.mydomain.com
Using the webroot path /home/mydomain.com/public_html for all unmatched domains.
Waiting for verification…
Challenge failed for domain mydomain.com
Challenge failed for domain www.mydomain.com
http-01 challenge for mydomain.com
http-01 challenge for www.mydomain.com
Cleaning up challenges
Some challenges have failed.

Where to go from here?

Fix the problem. Connection refused seems like it should be easy to figure out.

Let’s Encrypt validation problems can only be, like, three things. So check those three things and fix whichever one is wrong. (Search the forum, for more depth on this. I’ve covered it many, many, times.)

  1. DNS. This is probably you. Connection refused likely indicates Let’s Encrypt validation server is not even sending the request to the right IP.
  2. Proxy or redirect rules preventing access to the .well-known path. This path must be served from the filesystem. Test this by putting a text or html file in ~/public_html/.well-known and seeing if you can browse to it. If not, this is your problem (this is probably not your problem, since you have connection refused, which is probably DNS).
  3. Virtual Host misconfiguration (this is a “wrong site shows up problem” discussed very frequently). You’d see this, though, if you just browse to the site yourself…if you don’t get the site you expect, obviously this is the problem.

There aren’t a lot of ways for it to fail, so check the ways it can fail and fix the one you have. Again, yours is probably DNS, but I guess it could also be firewall or something. Connection refused should be dead simple to troubleshoot, since it probably means nobody can browse to your site, at all, so obviously LE validation servers can’t either.

Edit: I think you probably have a fundamental brokenness and should forget about Let’s Encrypt until you’re able to serve a website from the server.
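
A script that runs the three checks above in order for one domain, as an added example (not Virtualmin or Webmin code, and not from either poster). It assumes `dig` and `curl` are installed, that WEBROOT is the site's document root (for Virtualmin, `/home/DOMAIN/public_html`) and writable by the user running it, and all function and marker-file names are mine. It maps curl's exit status to the failure class Joe names (exit 7 is "connection refused"), and distinguishes "nothing answered" from "something else answered" by dropping a random marker file first in the webroot (check 3, wrong vhost) and then under `.well-known/acme-challenge` (check 2, redirect or proxy rule), then fetching each over plain HTTP the way the validator does.

```shell
#!/bin/sh
# le_precheck.sh: pre-check the three usual http-01 failure causes.
# Added example, not Virtualmin/Webmin code. Assumes dig and curl exist and the
# webroot is writable. Usage: sh le_precheck.sh DOMAIN WEBROOT [PUBLIC_IP]

# Check 1 (DNS): print the A records for a name, one per line.
resolve_a() {
  dig +short A "$1" 2>/dev/null | grep -E '^[0-9]+(\.[0-9]+){3}$'
}

# Pure helper so the decision logic is testable offline:
# dns_matches EXPECTED ADDR... ; returns 0 when EXPECTED is among the addresses.
dns_matches() {
  expected=$1
  shift
  for ip in "$@"; do
    [ "$ip" = "$expected" ] && return 0
  done
  return 1
}

# Map curl's exit status to the failure class a human would name.
# 7 = connection refused/unreachable (firewall, nothing listening, wrong IP),
# 6 = name did not resolve, 28 = timed out (packets silently dropped).
classify_curl_exit() {
  case "$1" in
    0)  echo "ok" ;;
    6)  echo "dns-unresolvable" ;;
    7)  echo "connection-refused" ;;
    28) echo "timeout" ;;
    *)  echo "curl-error-$1" ;;
  esac
}

# Checks 2 and 3: write a marker file under WEBROOT/RELDIR, fetch it over
# plain HTTP, remove it. RELDIR="" tests the vhost itself; RELDIR set to
# ".well-known/acme-challenge" tests that the challenge path is served from
# the filesystem and not eaten by a redirect or proxy rule.
# Prints "ok", a curl failure class, or "wrong-content" when something
# answered (another vhost, an error page) but not with our file.
fetch_marker() {
  domain=$1; webroot=$2; reldir=$3
  dir="${webroot%/}${reldir:+/$reldir}"
  token="precheck-$(date +%s)-$$"
  mkdir -p "$dir" || { echo "webroot-unwritable"; return 1; }
  printf '%s' "$token" > "$dir/$token"
  body=$(curl -sS -m 15 "http://$domain/${reldir:+$reldir/}$token")
  rc=$?
  rm -f "$dir/$token"
  if [ "$rc" -ne 0 ]; then classify_curl_exit "$rc"; return 1; fi
  if [ "$body" = "$token" ]; then echo "ok"; return 0; fi
  echo "wrong-content"; return 1
}

main() {
  domain=$1; webroot=$2; expected=${3:-}
  addrs=$(resolve_a "$domain")
  echo "1. DNS: $domain -> ${addrs:-<no A record>}"
  if [ -n "$expected" ]; then
    # shellcheck disable=SC2086  # word-split the address list on purpose
    if dns_matches "$expected" $addrs; then
      echo "   resolves to $expected"
    else
      echo "   FAIL: does not resolve to $expected, fix DNS before anything else"
    fi
  fi
  echo "2. vhost (marker in webroot):        $(fetch_marker "$domain" "$webroot" "")"
  echo "3. .well-known/acme-challenge path:  $(fetch_marker "$domain" "$webroot" ".well-known/acme-challenge")"
}

# Only run when given arguments, so the functions can be sourced and tested.
if [ "$#" -ge 2 ]; then
  main "$@"
fi
```

Read the output top down: a DNS mismatch or "connection-refused" on check 2 means the request never reaches the right server (DNS, firewall, fail2ban), "wrong-content" on check 2 with "ok" on check 3 means a rule is intercepting `.well-known`, and "wrong-content" on both means the wrong virtual host answers. Every status the script emits is something certbot's own log will not tell you, because from its side all of these look alike.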

Thanks Joe.

After a long time we found the solution.
It was fail2ban that blocked Let’s Encrypt.

How can we whitelist Let’s Encrypt?
They have different IP addresses.
Is there another way?

That doesn’t make sense. That would mean you’d password-protected the website or similar. There’s no reason for Let’s Encrypt to have gotten any authentication failures that could trigger fail2ban. Or, perhaps you’ve added custom rules to fail2ban?
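
The practical follow-up to Joe's point is to find out which jail did the banning rather than to whitelist validator addresses. As an added example (not Virtualmin or fail2ban code, and not from either poster), this reads fail2ban's default log format, lists every ban at or after the time of the certificate request, and prints the `fail2ban-client` command that lifts each one. The log lines are constructed for the example: RFC 5737 test addresses, not real Let's Encrypt validators, and `apache-custom` is a hypothetical jail name standing in for whatever custom rule was added.

```shell
#!/bin/sh
# f2b_bans.sh: which fail2ban jail banned what, since a given time.
# Added example, not fail2ban/Virtualmin code. Sample log below is constructed.

# fail2ban's default log line for a ban looks like:
#   2023-02-10 10:15:32,123 fail2ban.actions [1234]: NOTICE [JAIL] Ban IP
# bans_since "YYYY-MM-DD HH:MM:SS" reads the log on stdin and prints
# "JAIL IP" for every Ban at or after that time (Unban lines are ignored).
bans_since() {
  sed -nE 's/^([0-9-]+ [0-9:]+),[0-9]+ .*NOTICE +\[([^]]+)\] Ban ([0-9A-Fa-f.:]+).*/\1 \2 \3/p' \
    | awk -v since="$1" '($1 " " $2) >= since { print $3, $4 }'
}

# The command that lifts one ban (fail2ban-client syntax as documented upstream).
unban_cmd() {
  printf 'fail2ban-client set %s unbanip %s\n' "$1" "$2"
}

# Constructed sample: an unrelated sshd ban in the morning, then two bans by a
# hypothetical custom jail within seconds of a certificate request at 10:15.
SAMPLE_LOG='2023-02-10 08:02:11,004 fail2ban.actions        [1234]: NOTICE  [sshd] Ban 203.0.113.7
2023-02-10 08:02:11,010 fail2ban.filter         [1234]: INFO    [sshd] Found 203.0.113.7
2023-02-10 10:15:31,440 fail2ban.actions        [1234]: NOTICE  [apache-custom] Ban 192.0.2.10
2023-02-10 10:15:33,902 fail2ban.actions        [1234]: NOTICE  [apache-custom] Ban 192.0.2.22
2023-02-10 10:15:40,000 fail2ban.actions        [1234]: NOTICE  [apache-custom] Unban 192.0.2.10'

# Human-readable report over the sample, with the unban command beside each hit.
report() {
  printf '%s\n' "$SAMPLE_LOG" | bans_since "$1" | while read -r jail ip; do
    echo "banned by [$jail]: $ip   -> $(unban_cmd "$jail" "$ip")"
  done
}

# Against a real server, replace the sample with the live log:
#   bans_since "2023-02-10 10:15:00" < /var/log/fail2ban.log
# then inspect the jail that appears (fail2ban-client status JAIL, and its
# filter in /etc/fail2ban/jail.local) and fix the rule that matched plain
# GET requests to /.well-known/acme-challenge/.
```

Once the jail is named, the fix is in its filter or `maxretry`, since a stock Apache or Nginx jail never matches a successful challenge fetch; lifting the ban with `unban_cmd` only buys one retry. `ignoreip` in `jail.local` is the wrong tool here for exactly the reason the question raises: the validator addresses change and are not published as a fixed list.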

Ok. Yes I have. My fault. Sorry.
