Apache2 Webmin Error Upon Automated SSL Request

Hi there. I installed the SSL certificate manually and it is working fine, however, Let's Encrypt from the Webmin control panel (GUI) seems to be having issues requesting a certificate directly from Let's Encrypt or automating the process. After looking into the error logs a bit, I think it might be an error in Apache's configuration but I can't figure out what I need to change exactly.

My domain is:
website.net
website.ca

I ran this command: Using Webmin, I went to Webmin Configuration > SSL Encryption > Let's Encrypt > Request Certificate

It produced this output:
Traceback (most recent call last):
  File "/usr/share/webmin/webmin/acme_tiny.py", line 198, in <module>
    main(sys.argv[1:])
  File "/usr/share/webmin/webmin/acme_tiny.py", line 194, in main
    signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca, disable_check=args.disable_check, directory_url=args.directory_url, contact=args.contact)
  File "/usr/share/webmin/webmin/acme_tiny.py", line 149, in get_crt
    raise ValueError("Challenge did not pass for {0}: {1}".format(domain, authorization))
ValueError: Challenge did not pass for website.ca: {'identifier': {'type': 'dns', 'value': 'website.ca'}, 'status': 'invalid', 'expires': '2021-10-21T10:20:08Z', 'challenges': [{'type': 'http-01', 'status': 'invalid', 'error': {'type': 'urn:ietf:params:acme:error:unauthorized', 'detail': 'Invalid response from http://website.ca/.well-known/acme-challenge/5ju3wnFdXWiIkvPU1HNFyh3QExFtUSD-TUrELiZLooQ [149.56.44.161]: "<!DOCTYPE HTML PUBLIC \\"-//IETF//DTD HTML 2.0//EN\\">\\n<html><head>\\n<title>404 Not Found</title>\\n</head><body>\\n<h1>Not Found</h1>\\n<p"', 'status': 403}, 'url': 'https://acme-v02.api.letsencrypt.org/acme/chall-v3/39822958450/Ft6hmg', 'token': '5ju3wnFdXWiIkvPU1HNFyh3QExFtUSD-TUrELiZLooQ', 'validationRecord': [{'url': 'http://website.ca/.well-known/acme-challenge/5ju3wnFdXWiIkvPU1HNFyh3QExFtUSD-TUrELiZLooQ', 'hostname': 'website.ca', 'port': '80', 'addressesResolved': ['149.56.44.161'], 'addressUsed': '149.56.44.161'}], 'validated': '2021-10-14T23:31:01Z'}]}

My web server is (include version): Linux 4.19.0-18-amd64 on x86_64

The operating system my web server runs on is (include version): Debian Linux 10 (Buster)

My hosting provider, if applicable, is: OVH. I've already ruled out the firewall as a probable cause.

I can login to a root shell on my machine (yes or no, or I don't know): Yes. I use PuTTY.

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): Yes, Webmin.

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.20.0

Hi @Tinker_Jet and welcome to the LE community forum 🙂

Please show the output of:
sudo apachectl -t -D DUMP_VHOSTS

and this:

Should be:
My web server is (include version): Apache/2.4.38 (Debian)

Thank you for correcting me. I'm still pretty new to Debian (Linux overall honestly) and Apache, so I wasn't sure how to format that.

vhost dump:

VirtualHost configuration:
149.56.44.161:80       is a NameVirtualHost
         default server boyfriendshitposting.com (/etc/apache2/sites-enabled/0-boyfriendshitposting.com.conf:1)
         port 80 namevhost boyfriendshitposting.com (/etc/apache2/sites-enabled/0-boyfriendshitposting.com.conf:1)
                 alias www.boyfriendshitposting.com
                 alias webmail.boyfriendshitposting.com
                 alias admin.boyfriendshitposting.com
         port 80 namevhost cheesekitten.com (/etc/apache2/sites-enabled/cheesekitten.com.conf:1)
                 alias www.cheesekitten.com
                 alias webmail.cheesekitten.com
                 alias admin.cheesekitten.com
         port 80 namevhost getmypet.net (/etc/apache2/sites-enabled/getmypet.net.conf:1)
                 alias www.getmypet.net
                 alias webmail.getmypet.net
                 alias admin.getmypet.net
         port 80 namevhost justlooksblog.com (/etc/apache2/sites-enabled/justlooksblog.com.conf:1)
                 alias www.justlooksblog.com
                 alias webmail.justlooksblog.com
                 alias admin.justlooksblog.com
         port 80 namevhost mythoughtsunleashed.com (/etc/apache2/sites-enabled/mythoughtsunleashed.com.conf:1)
                 alias www.mythoughtsunleashed.com
                 alias webmail.mythoughtsunleashed.com
                 alias admin.mythoughtsunleashed.com
         port 80 namevhost raginguterus.com (/etc/apache2/sites-enabled/raginguterus.com.conf:1)
                 alias www.raginguterus.com
                 alias webmail.raginguterus.com
                 alias admin.raginguterus.com
         port 80 namevhost scribestories.com (/etc/apache2/sites-enabled/scribestories.com.conf:1)
                 alias www.scribestories.com
                 alias webmail.scribestories.com
                 alias admin.scribestories.com
         port 80 namevhost tappytalk.com (/etc/apache2/sites-enabled/tappytalk.com.conf:1)
                 alias www.tappytalk.com
                 alias webmail.tappytalk.com
                 alias admin.tappytalk.com
         port 80 namevhost templeofbufonidae.com (/etc/apache2/sites-enabled/templeofbufonidae.com.conf:1)
                 alias www.templeofbufonidae.com
                 alias webmail.templeofbufonidae.com
                 alias admin.templeofbufonidae.com
         port 80 namevhost theraginguterus.com (/etc/apache2/sites-enabled/theraginguterus.com.conf:1)
                 alias www.theraginguterus.com
                 alias webmail.theraginguterus.com
                 alias admin.theraginguterus.com
         port 80 namevhost toadtrails.com (/etc/apache2/sites-enabled/toadtrails.com.conf:1)
                 alias www.toadtrails.com
                 alias webmail.toadtrails.com
                 alias admin.toadtrails.com
         port 80 namevhost troidzone.com (/etc/apache2/sites-enabled/troidzone.com.conf:1)
                 alias www.troidzone.com
                 alias webmail.troidzone.com
                 alias admin.troidzone.com
         port 80 namevhost vnpreviews.com (/etc/apache2/sites-enabled/vnpreviews.com.conf:1)
                 alias www.vnpreviews.com
                 alias webmail.vnpreviews.com
                 alias admin.vnpreviews.com
149.56.44.161:443      is a NameVirtualHost
         default server boyfriendshitposting.com (/etc/apache2/sites-enabled/0-boyfriendshitposting.com.conf:58)
         port 443 namevhost boyfriendshitposting.com (/etc/apache2/sites-enabled/0-boyfriendshitposting.com.conf:58)
                 alias www.boyfriendshitposting.com
                 alias webmail.boyfriendshitposting.com
                 alias admin.boyfriendshitposting.com
         port 443 namevhost cheesekitten.com (/etc/apache2/sites-enabled/cheesekitten.com.conf:57)
                 alias www.cheesekitten.com
                 alias webmail.cheesekitten.com
                 alias admin.cheesekitten.com
         port 443 namevhost getmypet.net (/etc/apache2/sites-enabled/getmypet.net.conf:58)
                 alias www.getmypet.net
                 alias webmail.getmypet.net
                 alias admin.getmypet.net
         port 443 namevhost justlooksblog.com (/etc/apache2/sites-enabled/justlooksblog.com.conf:56)
                 alias www.justlooksblog.com
                 alias webmail.justlooksblog.com
                 alias admin.justlooksblog.com
         port 443 namevhost mythoughtsunleashed.com (/etc/apache2/sites-enabled/mythoughtsunleashed.com.conf:58)
                 alias www.mythoughtsunleashed.com
                 alias webmail.mythoughtsunleashed.com
                 alias admin.mythoughtsunleashed.com
         port 443 namevhost raginguterus.com (/etc/apache2/sites-enabled/raginguterus.com.conf:59)
                 alias www.raginguterus.com
                 alias webmail.raginguterus.com
                 alias admin.raginguterus.com
         port 443 namevhost scribestories.com (/etc/apache2/sites-enabled/scribestories.com.conf:61)
                 alias www.scribestories.com
                 alias webmail.scribestories.com
                 alias admin.scribestories.com
         port 443 namevhost tappytalk.com (/etc/apache2/sites-enabled/tappytalk.com.conf:59)
                 alias www.tappytalk.com
                 alias webmail.tappytalk.com
                 alias admin.tappytalk.com
         port 443 namevhost templeofbufonidae.com (/etc/apache2/sites-enabled/templeofbufonidae.com.conf:59)
                 alias www.templeofbufonidae.com
                 alias webmail.templeofbufonidae.com
                 alias admin.templeofbufonidae.com
         port 443 namevhost theraginguterus.com (/etc/apache2/sites-enabled/theraginguterus.com.conf:61)
                 alias www.theraginguterus.com
                 alias webmail.theraginguterus.com
                 alias admin.theraginguterus.com
         port 443 namevhost toadtrails.com (/etc/apache2/sites-enabled/toadtrails.com.conf:59)
                 alias www.toadtrails.com
                 alias webmail.toadtrails.com
                 alias admin.toadtrails.com
         port 443 namevhost troidzone.com (/etc/apache2/sites-enabled/troidzone.com.conf:59)
                 alias www.troidzone.com
                 alias webmail.troidzone.com
                 alias admin.troidzone.com
         port 443 namevhost vnpreviews.com (/etc/apache2/sites-enabled/vnpreviews.com.conf:73)
                 alias www.vnpreviews.com
                 alias webmail.vnpreviews.com
                 alias admin.vnpreviews.com

Ports 80 and 443 are both open via OVH and Webmin.

All of my websites successfully requested a new SSL certificate from Let's Encrypt with no problems. It was only my VPS addresses that failed when I tried requesting a new certificate for Webmin. I notice that my VPS address doesn't seem to appear in this list, though. Does it need to? If so, is there a way to add it without adding a whole other virtual server with its own database, etc?

Yes.

I don't know how webmin reacts to manually editing/adding anything in Apache.
But it should be safe to do so, as you could simply remove whatever you added to revert back.
That said, I would add an HTTP vhost for "vps207680.vps.ovh.ca" (and enable it).
Then try the certbot command manually (in test mode) before moving to a real request (via menu).
certbot certonly -d vps207680.vps.ovh.ca --dry-run
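
An added example (not code from this thread, Webmin or certbot) showing why a hostname has to appear in the vhost dump: it parses `apachectl -t -D DUMP_VHOSTS` output and reports which vhost answers a given Host header, including the fallback to the default server when no ServerName or ServerAlias matches. The sample dump, its hostnames and address, and the names `parse_dump` and `resolve` are constructed for illustration.

```python
import re
from fnmatch import fnmatchcase

# Constructed sample in the layout printed by `apachectl -t -D DUMP_VHOSTS`.
# Hostnames, address and paths are placeholders, not the poster's server.
SAMPLE_DUMP = """\
VirtualHost configuration:
192.0.2.10:80          is a NameVirtualHost
         default server first-site.example (/etc/apache2/sites-enabled/0-first-site.example.conf:1)
         port 80 namevhost first-site.example (/etc/apache2/sites-enabled/0-first-site.example.conf:1)
                 alias www.first-site.example
                 alias admin.first-site.example
         port 80 namevhost second-site.example (/etc/apache2/sites-enabled/second-site.example.conf:1)
                 alias www.second-site.example
                 wild alias *.apps.second-site.example
192.0.2.10:443         is a NameVirtualHost
         default server first-site.example (/etc/apache2/sites-enabled/0-first-site.example.conf:58)
         port 443 namevhost first-site.example (/etc/apache2/sites-enabled/0-first-site.example.conf:58)
                 alias www.first-site.example
"""

LISTENER_RE = re.compile(r"^(\S+:\d+)\s+is a NameVirtualHost$")
SINGLE_RE = re.compile(r"^(\S+:\d+)\s+(\S+) \((.+:\d+)\)$")
VHOST_RE = re.compile(r"^\s+port \d+ namevhost (\S+) \((.+:\d+)\)$")
ALIAS_RE = re.compile(r"^\s+(wild )?alias (\S+)$")


def _vhost(name, conf):
    return {"name": name.lower(), "conf": conf, "aliases": [], "wild": []}


def parse_dump(text):
    """Map each 'address:port' listener to its vhosts, in the order Apache lists them."""
    listeners, current = {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if m := LISTENER_RE.match(line):
            current = listeners.setdefault(m.group(1), [])
        elif m := SINGLE_RE.match(line):
            # An address with exactly one vhost is printed on a single line.
            current = listeners.setdefault(m.group(1), [])
            current.append(_vhost(m.group(2), m.group(3)))
        elif m := VHOST_RE.match(line):
            if current is not None:
                current.append(_vhost(m.group(1), m.group(2)))
        elif m := ALIAS_RE.match(line):
            if current:
                key = "wild" if m.group(1) else "aliases"
                current[-1][key].append(m.group(2).lower())
        # "default server ..." lines are skipped: the same vhost is repeated
        # as the first "namevhost" entry of the listener.
    return listeners


def resolve(listeners, hostname, listener):
    """Return (vhost, reason) for a Host header arriving on `listener`."""
    vhosts = listeners.get(listener)
    if not vhosts:
        return None, "no vhost on this listener"
    host = hostname.lower().rstrip(".")
    for vh in vhosts:
        if host == vh["name"]:
            return vh, "ServerName"
        if host in vh["aliases"]:
            return vh, "ServerAlias"
        if any(fnmatchcase(host, pat) for pat in vh["wild"]):
            return vh, "wildcard ServerAlias"
    # No name matched: the request goes to the first vhost listed for this
    # address:port, which the dump labels "default server".
    return vhosts[0], "default server"


if __name__ == "__main__":
    parsed = parse_dump(SAMPLE_DUMP)
    for name in ("second-site.example", "www.first-site.example",
                 "shop.apps.second-site.example", "vps.example.net"):
        vh, why = resolve(parsed, name, "192.0.2.10:80")
        print(f"{name:32} -> {vh['name']} via {why} ({vh['conf']})")
```

A hostname that resolves only through the default server is served from that site's DocumentRoot, so an http-01 challenge file written under a different webroot returns 404 to the validator.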

Updated vhost dump:

VirtualHost configuration:
149.56.44.161:80       is a NameVirtualHost
         default server boyfriendshitposting.com (/etc/apache2/sites-enabled/0-boyfriendshitposting.com.conf:1)
         port 80 namevhost boyfriendshitposting.com (/etc/apache2/sites-enabled/0-boyfriendshitposting.com.conf:1)
                 alias www.boyfriendshitposting.com
                 alias webmail.boyfriendshitposting.com
                 alias admin.boyfriendshitposting.com
         port 80 namevhost website.net (/etc/apache2/sites-enabled/website.net.conf:1)
                 alias www.website.net
         port 80 namevhost cheesekitten.com (/etc/apache2/sites-enabled/cheesekitten.com.conf:1)
                 alias www.cheesekitten.com
                 alias webmail.cheesekitten.com
                 alias admin.cheesekitten.com
         port 80 namevhost getmypet.net (/etc/apache2/sites-enabled/getmypet.net.conf:1)
                 alias www.getmypet.net
                 alias webmail.getmypet.net
                 alias admin.getmypet.net
         port 80 namevhost justlooksblog.com (/etc/apache2/sites-enabled/justlooksblog.com.conf:1)
                 alias www.justlooksblog.com
                 alias webmail.justlooksblog.com
                 alias admin.justlooksblog.com
         port 80 namevhost mythoughtsunleashed.com (/etc/apache2/sites-enabled/mythoughtsunleashed.com.conf:1)
                 alias www.mythoughtsunleashed.com
                 alias webmail.mythoughtsunleashed.com
                 alias admin.mythoughtsunleashed.com
         port 80 namevhost raginguterus.com (/etc/apache2/sites-enabled/raginguterus.com.conf:1)
                 alias www.raginguterus.com
                 alias webmail.raginguterus.com
                 alias admin.raginguterus.com
         port 80 namevhost scribestories.com (/etc/apache2/sites-enabled/scribestories.com.conf:1)
                 alias www.scribestories.com
                 alias webmail.scribestories.com
                 alias admin.scribestories.com
         port 80 namevhost tappytalk.com (/etc/apache2/sites-enabled/tappytalk.com.conf:1)
                 alias www.tappytalk.com
                 alias webmail.tappytalk.com
                 alias admin.tappytalk.com
         port 80 namevhost templeofbufonidae.com (/etc/apache2/sites-enabled/templeofbufonidae.com.conf:1)
                 alias www.templeofbufonidae.com
                 alias webmail.templeofbufonidae.com
                 alias admin.templeofbufonidae.com
         port 80 namevhost theraginguterus.com (/etc/apache2/sites-enabled/theraginguterus.com.conf:1)
                 alias www.theraginguterus.com
                 alias webmail.theraginguterus.com
                 alias admin.theraginguterus.com
         port 80 namevhost toadtrails.com (/etc/apache2/sites-enabled/toadtrails.com.conf:1)
                 alias www.toadtrails.com
                 alias webmail.toadtrails.com
                 alias admin.toadtrails.com
         port 80 namevhost troidzone.com (/etc/apache2/sites-enabled/troidzone.com.conf:1)
                 alias www.troidzone.com
                 alias webmail.troidzone.com
                 alias admin.troidzone.com
         port 80 namevhost vnpreviews.com (/etc/apache2/sites-enabled/vnpreviews.com.conf:1)
                 alias www.vnpreviews.com
                 alias webmail.vnpreviews.com
                 alias admin.vnpreviews.com
         port 80 namevhost website.ca (/etc/apache2/sites-enabled/website.ca.conf:1)
                 alias www.website.ca
149.56.44.161:443      is a NameVirtualHost
         default server boyfriendshitposting.com (/etc/apache2/sites-enabled/0-boyfriendshitposting.com.conf:58)
         port 443 namevhost boyfriendshitposting.com (/etc/apache2/sites-enabled/0-boyfriendshitposting.com.conf:58)
                 alias www.boyfriendshitposting.com
                 alias webmail.boyfriendshitposting.com
                 alias admin.boyfriendshitposting.com
         port 443 namevhost website.net (/etc/apache2/sites-enabled/website.net.conf:40)
                 alias www.website.net
                 alias webmail.website.net
                 alias admin.website.net
         port 443 namevhost cheesekitten.com (/etc/apache2/sites-enabled/cheesekitten.com.conf:57)
                 alias www.cheesekitten.com
                 alias webmail.cheesekitten.com
                 alias admin.cheesekitten.com
         port 443 namevhost getmypet.net (/etc/apache2/sites-enabled/getmypet.net.conf:58)
                 alias www.getmypet.net
                 alias webmail.getmypet.net
                 alias admin.getmypet.net
         port 443 namevhost justlooksblog.com (/etc/apache2/sites-enabled/justlooksblog.com.conf:56)
                 alias www.justlooksblog.com
                 alias webmail.justlooksblog.com
                 alias admin.justlooksblog.com
         port 443 namevhost mythoughtsunleashed.com (/etc/apache2/sites-enabled/mythoughtsunleashed.com.conf:58)
                 alias www.mythoughtsunleashed.com
                 alias webmail.mythoughtsunleashed.com
                 alias admin.mythoughtsunleashed.com
         port 443 namevhost raginguterus.com (/etc/apache2/sites-enabled/raginguterus.com.conf:59)
                 alias www.raginguterus.com
                 alias webmail.raginguterus.com
                 alias admin.raginguterus.com
         port 443 namevhost scribestories.com (/etc/apache2/sites-enabled/scribestories.com.conf:61)
                 alias www.scribestories.com
                 alias webmail.scribestories.com
                 alias admin.scribestories.com
         port 443 namevhost tappytalk.com (/etc/apache2/sites-enabled/tappytalk.com.conf:59)
                 alias www.tappytalk.com
                 alias webmail.tappytalk.com
                 alias admin.tappytalk.com
         port 443 namevhost templeofbufonidae.com (/etc/apache2/sites-enabled/templeofbufonidae.com.conf:59)
                 alias www.templeofbufonidae.com
                 alias webmail.templeofbufonidae.com
                 alias admin.templeofbufonidae.com
         port 443 namevhost theraginguterus.com (/etc/apache2/sites-enabled/theraginguterus.com.conf:61)
                 alias www.theraginguterus.com
                 alias webmail.theraginguterus.com
                 alias admin.theraginguterus.com
         port 443 namevhost toadtrails.com (/etc/apache2/sites-enabled/toadtrails.com.conf:59)
                 alias www.toadtrails.com
                 alias webmail.toadtrails.com
                 alias admin.toadtrails.com
         port 443 namevhost troidzone.com (/etc/apache2/sites-enabled/troidzone.com.conf:59)
                 alias www.troidzone.com
                 alias webmail.troidzone.com
                 alias admin.troidzone.com
         port 443 namevhost vnpreviews.com (/etc/apache2/sites-enabled/vnpreviews.com.conf:73)
                 alias www.vnpreviews.com
                 alias webmail.vnpreviews.com
                 alias admin.vnpreviews.com
         port 443 namevhost website.ca (/etc/apache2/sites-enabled/website.ca.conf:40)
                 alias www.website.ca
                 alias webmail.website.ca
                 alias admin.website.ca

Attempting to request a certificate through Webmin turns back this error:

Traceback (most recent call last):
  File "/usr/share/webmin/webmin/acme_tiny.py", line 198, in <module>
    main(sys.argv[1:])
  File "/usr/share/webmin/webmin/acme_tiny.py", line 194, in main
    signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca, disable_check=args.disable_check, directory_url=args.directory_url, contact=args.contact)
  File "/usr/share/webmin/webmin/acme_tiny.py", line 149, in get_crt
    raise ValueError("Challenge did not pass for {0}: {1}".format(domain, authorization))
ValueError: Challenge did not pass for website.ca: {'identifier': {'type': 'dns', 'value': 'website.ca'}, 'status': 'invalid', 'expires': '2021-10-22T06:07:29Z', 'challenges': [{'type': 'http-01', 'status': 'invalid', 'error': {'type': 'urn:ietf:params:acme:error:unauthorized', 'detail': 'Invalid response from http://website.ca/.well-known/acme-challenge/wx6-rKX-I0XQC7O_UYoXkpXBTeq38iPMWE3XraPml5E [149.56.44.161]: "<!DOCTYPE HTML PUBLIC \\"-//IETF//DTD HTML 2.0//EN\\">\\n<html><head>\\n<title>404 Not Found</title>\\n</head><body>\\n<h1>Not Found</h1>\\n<p"', 'status': 403}, 'url': 'https://acme-v02.api.letsencrypt.org/acme/chall-v3/40070756310/RitnWw', 'token': 'wx6-rKX-I0XQC7O_UYoXkpXBTeq38iPMWE3XraPml5E', 'validationRecord': [{'url': 'http://website.ca/.well-known/acme-challenge/wx6-rKX-I0XQC7O_UYoXkpXBTeq38iPMWE3XraPml5E', 'hostname': 'website.ca', 'port': '80', 'addressesResolved': ['149.56.44.161'], 'addressUsed': '149.56.44.161'}], 'validated': '2021-10-15T06:07:32Z'}]}

Thank you once again for helping me! 🙂

There already seems to be a cert that covers that name being used in this vhost file:

Yes, that's the one I downloaded manually.

I'm trying to make my server capable of automatically updating the cert so I don't have to keep doing it myself every 3 months.

Then we would have to fix this:

If you know how then I'd appreciate your guidance. 🙂

Please show this file:

And the output of:
certbot certificates

You're a trooper!

conf file:

<VirtualHost 149.56.44.161:80>
    SuexecUserGroup "#1038" "#1038"
    ServerName website.ca
    ServerAlias www.website.ca
    DocumentRoot /home/website/public_html
    ErrorLog /var/log/virtualmin/website.ca_error_log
    CustomLog /var/log/virtualmin/website.ca_access_log combined
    ScriptAlias /cgi-bin/ /home/website/cgi-bin/
    DirectoryIndex index.html index.htm index.php index.php4 index.php5
    <Directory /home/website/public_html>
    Options -Indexes +IncludesNOEXEC +SymLinksIfOwnerMatch +ExecCGI
    allow from all
    AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
    Require all granted
    AddType application/x-httpd-php .php
    AddHandler fcgid-script .php
    AddHandler fcgid-script .php7.0
    AddHandler fcgid-script .php7.1
    FCGIWrapper /home/website/fcgi-bin/php7.1.fcgi .php
    FCGIWrapper /home/website/fcgi-bin/php7.0.fcgi .php7.0
    FCGIWrapper /home/website/fcgi-bin/php7.1.fcgi .php7.1
    </Directory>
    <Directory /home/website/cgi-bin>
    allow from all
    AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
    Require all granted
    </Directory>
    RewriteEngine on
    RewriteCond %{HTTP_HOST} =webmail.website.ca
    RewriteRule ^(?!/.well-known)(.*) https://website.ca:20000/ [R]
    RewriteCond %{HTTP_HOST} =admin.website.ca
    RewriteRule ^(?!/.well-known)(.*) https://website.ca:10000/ [R]
    RemoveHandler .php
    RemoveHandler .php7.0
    RemoveHandler .php7.1
    php_admin_value engine Off
    FcgidMaxRequestLen 1073741824
    RedirectMatch ^/(?!.well-known)(.*)$ https://website.ca/$1
</VirtualHost>
<VirtualHost 149.56.44.161:443>
    SuexecUserGroup "#1038" "#1038"
    ServerName website.ca
    ServerAlias www.website.ca
    ServerAlias webmail.website.ca
    ServerAlias admin.website.ca
    DocumentRoot /home/website/public_html
    ErrorLog /var/log/virtualmin/website.ca_error_log
    CustomLog /var/log/virtualmin/website.ca_access_log combined
    ScriptAlias /cgi-bin/ /home/website/cgi-bin/
    DirectoryIndex index.html index.htm index.php index.php4 index.php5
    <Directory /home/website/public_html>
    Options -Indexes +IncludesNOEXEC +SymLinksIfOwnerMatch +ExecCGI
    allow from all
    AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
    Require all granted
    AddType application/x-httpd-php .php
    AddHandler fcgid-script .php
    AddHandler fcgid-script .php7.0
    AddHandler fcgid-script .php7.1
    FCGIWrapper /home/website/fcgi-bin/php7.1.fcgi .php
    FCGIWrapper /home/website/fcgi-bin/php7.0.fcgi .php7.0
    FCGIWrapper /home/website/fcgi-bin/php7.1.fcgi .php7.1
    </Directory>
    <Directory /home/website/cgi-bin>
    allow from all
    AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
    Require all granted
    </Directory>
    RewriteEngine on
    RewriteCond %{HTTP_HOST} =webmail.website.ca
    RewriteRule ^(?!/.well-known)(.*) https://website.ca:20000/ [R]
    RewriteCond %{HTTP_HOST} =admin.website.ca
    RewriteRule ^(?!/.well-known)(.*) https://website.ca:10000/ [R]
    RemoveHandler .php
    RemoveHandler .php7.0
    RemoveHandler .php7.1
    php_admin_value engine Off
    FcgidMaxRequestLen 1073741824
SSLEngine on
SSLCertificateFile /home/website/ssl.combined
SSLCertificateKeyFile /home/website/ssl.key
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
</VirtualHost>

certbot certificates:

root@website:~# certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Renewal configuration file /etc/letsencrypt/renewal/website.net.conf produced an unexpected error: expected /etc/letsencrypt/live/website.net/cert.pem to be a symlink. Skipping.
Renewal configuration file /etc/letsencrypt/renewal/website.ca.conf produced an unexpected error: expected /etc/letsencrypt/live/website.ca/cert.pem to be a symlink. Skipping.
Found the following certs:
  Certificate Name: website.net-0001
    Serial Number: 36ffdf7599eb56a679b0d0df4d0ff40f952
    Key Type: RSA
    Domains: website.net
    Expiry Date: 2022-01-12 08:45:40+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/website.net-0001/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/website.net-0001/privkey.pem
  Certificate Name: boyfriendshitposting.com
    Serial Number: 4f03e75ca1a52566754f1d0ad805c7c55f7
    Key Type: RSA
    Domains: boyfriendshitposting.com admin.boyfriendshitposting.com webmail.boyfriendshitposting.com www.boyfriendshitposting.com
    Expiry Date: 2022-01-10 06:28:32+00:00 (VALID: 86 days)
    Certificate Path: /etc/letsencrypt/live/boyfriendshitposting.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/boyfriendshitposting.com/privkey.pem
  Certificate Name: cheesekitten.com
    Serial Number: 31b2ce776d01bc3e34a06006aa9d45f61fd
    Key Type: RSA
    Domains: cheesekitten.com admin.cheesekitten.com webmail.cheesekitten.com www.cheesekitten.com
    Expiry Date: 2022-01-10 06:31:54+00:00 (VALID: 87 days)
    Certificate Path: /etc/letsencrypt/live/cheesekitten.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/cheesekitten.com/privkey.pem
  Certificate Name: getmypet.net
    Serial Number: 368d0696eb35b918d5dffe66fd6b3de65bc
    Key Type: RSA
    Domains: getmypet.net admin.getmypet.net webmail.getmypet.net www.getmypet.net
    Expiry Date: 2022-01-10 06:32:48+00:00 (VALID: 87 days)
    Certificate Path: /etc/letsencrypt/live/getmypet.net/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/getmypet.net/privkey.pem
  Certificate Name: henrisoptical.com
    Serial Number: 3483b5149360aaf3621731bdadae470d948
    Key Type: RSA
    Domains: henrisoptical.com admin.henrisoptical.com webmail.henrisoptical.com www.henrisoptical.com
    Expiry Date: 2020-12-12 10:03:00+00:00 (INVALID: EXPIRED)
    Certificate Path: /etc/letsencrypt/live/henrisoptical.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/henrisoptical.com/privkey.pem
  Certificate Name: mythoughtsunleashed.com
    Serial Number: 4d826011893740d22b9d6db87888db86926
    Key Type: RSA
    Domains: mythoughtsunleashed.com admin.mythoughtsunleashed.com webmail.mythoughtsunleashed.com www.mythoughtsunleashed.com
    Expiry Date: 2022-01-10 06:40:28+00:00 (VALID: 87 days)
    Certificate Path: /etc/letsencrypt/live/mythoughtsunleashed.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/mythoughtsunleashed.com/privkey.pem
  Certificate Name: raginguterus.com
    Serial Number: 4729413fce446bad82f66a6beb981999ad3
    Key Type: RSA
    Domains: raginguterus.com admin.raginguterus.com webmail.raginguterus.com www.raginguterus.com
    Expiry Date: 2022-01-10 06:41:09+00:00 (VALID: 87 days)
    Certificate Path: /etc/letsencrypt/live/raginguterus.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/raginguterus.com/privkey.pem
  Certificate Name: scribestories.com
    Serial Number: 4a2bed34d949ea2baa1ea072bf600127869
    Key Type: RSA
    Domains: scribestories.com admin.scribestories.com webmail.scribestories.com www.scribestories.com
    Expiry Date: 2022-01-10 06:42:05+00:00 (VALID: 87 days)
    Certificate Path: /etc/letsencrypt/live/scribestories.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/scribestories.com/privkey.pem
  Certificate Name: tappytalk.com
    Serial Number: 4e6665f68259b7390d78af499d937de5ddd
    Key Type: RSA
    Domains: tappytalk.com admin.tappytalk.com webmail.tappytalk.com www.tappytalk.com
    Expiry Date: 2022-01-10 06:42:45+00:00 (VALID: 87 days)
    Certificate Path: /etc/letsencrypt/live/tappytalk.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/tappytalk.com/privkey.pem
  Certificate Name: templeofbufonidae.com
    Serial Number: 475b782093819724e65522be5edee0196f7
    Key Type: RSA
    Domains: templeofbufonidae.com admin.templeofbufonidae.com webmail.templeofbufonidae.com www.templeofbufonidae.com
    Expiry Date: 2022-01-10 06:43:39+00:00 (VALID: 87 days)
    Certificate Path: /etc/letsencrypt/live/templeofbufonidae.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/templeofbufonidae.com/privkey.pem
  Certificate Name: theraginguterus.com
    Serial Number: 4f87dffe6fdf6e18f304112cb32682cc22d
    Key Type: RSA
    Domains: theraginguterus.com admin.theraginguterus.com webmail.theraginguterus.com www.theraginguterus.com
    Expiry Date: 2022-01-10 06:44:22+00:00 (VALID: 87 days)
    Certificate Path: /etc/letsencrypt/live/theraginguterus.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/theraginguterus.com/privkey.pem
  Certificate Name: toadtrails.com
    Serial Number: 3911beb51843408efc98e34205e63355e6f
    Key Type: RSA
    Domains: toadtrails.com admin.toadtrails.com webmail.toadtrails.com www.toadtrails.com
    Expiry Date: 2022-01-10 06:45:09+00:00 (VALID: 87 days)
    Certificate Path: /etc/letsencrypt/live/toadtrails.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/toadtrails.com/privkey.pem
  Certificate Name: troidzone.com
    Serial Number: 48d3721a4a250e0c5e830382d2ff0501b85
    Key Type: RSA
    Domains: troidzone.com admin.troidzone.com webmail.troidzone.com www.troidzone.com
    Expiry Date: 2022-01-10 06:45:50+00:00 (VALID: 87 days)
    Certificate Path: /etc/letsencrypt/live/troidzone.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/troidzone.com/privkey.pem
  Certificate Name: vnpreviews.com
    Serial Number: 321aa296dcd742ec4f4c7c2c85986015871
    Key Type: RSA
    Domains: vnpreviews.com admin.vnpreviews.com webmail.vnpreviews.com www.vnpreviews.com
    Expiry Date: 2022-01-10 06:46:27+00:00 (VALID: 87 days)
    Certificate Path: /etc/letsencrypt/live/vnpreviews.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/vnpreviews.com/privkey.pem
The following renewal configurations were invalid:
  /etc/letsencrypt/renewal/website.net.conf
  /etc/letsencrypt/renewal/website.ca.conf

Also, I apologize. I'm not sure how to stop it from forcing the italics on the forum here.

I think something in this directory may be incompatible with certbot:

We could try creating a specific location and directory for the challenge files...

Also the "www" name doesn't resolve to anything, so that may break HTTP validation.
I would remove it.

Removed "www" name.

root@website:~# cat /etc/apache2/sites-enabled/website.ca.conf

<VirtualHost 149.56.44.161:80>
    SuexecUserGroup "#1038" "#1038"
    ServerName website.ca
    DocumentRoot /home/website/public_html
    ErrorLog /var/log/virtualmin/website.ca_error_log
    CustomLog /var/log/virtualmin/website.ca_access_log combined
    ScriptAlias /cgi-bin/ /home/website/cgi-bin/
    DirectoryIndex index.html index.htm index.php index.php4 index.php5
    <Directory /home/website/public_html>
    Options -Indexes +IncludesNOEXEC +SymLinksIfOwnerMatch +ExecCGI
    allow from all
    AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
    Require all granted
    AddType application/x-httpd-php .php
    AddHandler fcgid-script .php
    AddHandler fcgid-script .php7.0
    AddHandler fcgid-script .php7.1
    FCGIWrapper /home/website/fcgi-bin/php7.1.fcgi .php
    FCGIWrapper /home/website/fcgi-bin/php7.0.fcgi .php7.0
    FCGIWrapper /home/website/fcgi-bin/php7.1.fcgi .php7.1
    </Directory>
    <Directory /home/website/cgi-bin>
    allow from all
    AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
    Require all granted
    </Directory>
    RewriteEngine on
    RewriteCond %{HTTP_HOST} =webmail.website.ca
    RewriteRule ^(?!/.well-known)(.*) https://website.ca:20000/ [R]
    RewriteCond %{HTTP_HOST} =admin.website.ca
    RewriteRule ^(?!/.well-known)(.*) https://website.ca:10000/ [R]
    RemoveHandler .php
    RemoveHandler .php7.0
    RemoveHandler .php7.1
    php_admin_value engine Off
    FcgidMaxRequestLen 1073741824
    RedirectMatch ^/(?!.well-known)(.*)$ https://website.ca/$1
</VirtualHost>
<VirtualHost 149.56.44.161:443>
    SuexecUserGroup "#1038" "#1038"
    ServerName website.ca
    DocumentRoot /home/website/public_html
    ErrorLog /var/log/virtualmin/website.ca_error_log
    CustomLog /var/log/virtualmin/website.ca_access_log combined
    ScriptAlias /cgi-bin/ /home/website/cgi-bin/
    DirectoryIndex index.html index.htm index.php index.php4 index.php5
    <Directory /home/website/public_html>
    Options -Indexes +IncludesNOEXEC +SymLinksIfOwnerMatch +ExecCGI
    allow from all
    AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
    Require all granted
    AddType application/x-httpd-php .php
    AddHandler fcgid-script .php
    AddHandler fcgid-script .php7.0
    AddHandler fcgid-script .php7.1
    FCGIWrapper /home/website/fcgi-bin/php7.1.fcgi .php
    FCGIWrapper /home/website/fcgi-bin/php7.0.fcgi .php7.0
    FCGIWrapper /home/website/fcgi-bin/php7.1.fcgi .php7.1
    </Directory>
    <Directory /home/website/cgi-bin>
    allow from all
    AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
    Require all granted
    </Directory>
    RewriteEngine on
    RewriteCond %{HTTP_HOST} =webmail.website.ca
    RewriteRule ^(?!/.well-known)(.*) https://website.ca:20000/ [R]
    RewriteCond %{HTTP_HOST} =admin.website.ca
    RewriteRule ^(?!/.well-known)(.*) https://website.ca:10000/ [R]
    RemoveHandler .php
    RemoveHandler .php7.0
    RemoveHandler .php7.1
    php_admin_value engine Off
    FcgidMaxRequestLen 1073741824
SSLEngine on
SSLCertificateFile /home/website/ssl.combined
SSLCertificateKeyFile /home/website/ssl.key
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
</VirtualHost>

I can adjust the directory. Should I put anything in there or leave it empty?

We would need an additional location statement (and the matching directory for it).
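One way to write the additional location suggested above, as an added example that is not part of the original posts: a dedicated challenge directory mapped into the port 80 vhost, so the `AllowOverride All` settings and any `.htaccess` under `public_html` no longer apply to challenge requests. The path `/var/www/acme-challenge` is an assumption; the ACME client has to write its token files into that same directory (acme_tiny.py receives it as the `acme_dir` argument visible in the traceback).

```apache
# Added example, not from the thread. Place inside the existing
# <VirtualHost 149.56.44.161:80> block for website.ca, above the
# RewriteRule and RedirectMatch lines.
# /var/www/acme-challenge is an assumed path; create it and make it
# readable by the Apache user before reloading.

# Map the HTTP-01 challenge URL prefix to the dedicated directory
# instead of DocumentRoot/.well-known/acme-challenge.
Alias /.well-known/acme-challenge/ /var/www/acme-challenge/

<Directory /var/www/acme-challenge>
    # Ignore .htaccess files so site-level overrides cannot change
    # how challenge files are served.
    AllowOverride None

    # Static files only: no indexes, CGI, includes or symlink following.
    Options None

    # Token files have no extension; serve them as plain text.
    ForceType text/plain

    # The validation request is unauthenticated, so the tokens must
    # be publicly readable.
    Require all granted
</Directory>
```

After a reload, a test file placed in the directory should be retrievable over plain HTTP at `http://website.ca/.well-known/acme-challenge/<filename>` without a redirect before the certificate request is retried.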

I just looked at a conf file for another website where the certificates are working properly. It features a similar directory.

/home/websitename/public_html

Copy-paste of the conf file for reference.

root@website:~# cat /etc/apache2/sites-enabled/scribestories.com.conf

<VirtualHost 149.56.44.161:80>
SuexecUserGroup "#1017" "#1017"
ServerName scribestories.com
ServerAlias www.scribestories.com
ServerAlias webmail.scribestories.com
ServerAlias admin.scribestories.com
DocumentRoot /home/scribestories/public_html
ErrorLog /var/log/virtualmin/scribestories.com_error_log
CustomLog /var/log/virtualmin/scribestories.com_access_log combined
ScriptAlias /cgi-bin/ /home/scribestories/cgi-bin/
DirectoryIndex index.html index.htm index.php index.php4 index.php5
<Directory /home/scribestories/public_html>
Options -Indexes +IncludesNOEXEC +SymLinksIfOwnerMatch +ExecCGI
allow from all
AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
Require all granted
AddType application/x-httpd-php .php
AddHandler fcgid-script .php
AddHandler fcgid-script .php7.0
AddHandler fcgid-script .php7.1
FCGIWrapper /home/scribestories/fcgi-bin/php7.1.fcgi .php
FCGIWrapper /home/scribestories/fcgi-bin/php7.0.fcgi .php7.0
FCGIWrapper /home/scribestories/fcgi-bin/php7.1.fcgi .php7.1
</Directory>
<Directory /home/scribestories/cgi-bin>
allow from all
AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
Require all granted
</Directory>
RewriteEngine on
RewriteCond %{HTTP_HOST} =webmail.scribestories.com
RewriteRule ^(?!/.well-known)(.*) https://scribestories.com:20000/ [R]
RewriteCond %{HTTP_HOST} =admin.scribestories.com
RewriteRule ^(?!/.well-known)(.*) https://scribestories.com:10000/ [R]
RemoveHandler .php
RemoveHandler .php7.0
RemoveHandler .php7.1
php_admin_value engine Off
FcgidMaxRequestLen 1073741824
RedirectMatch ^/(?!.well-known)(.*)$ https://scribestories.com/$1
Alias /dav /home/scribestories/public_html
<Location /dav>
DAV on
AuthType Basic
AuthName "scribestories.com"
AuthUserFile /home/scribestories/etc/dav.digest.passwd
Require valid-user
ForceType text/plain
Satisfy All
RemoveHandler .php
RemoveHandler .php5.6
RemoveHandler .php7.0
RemoveHandler .php7.1
RemoveHandler .php7.2
RemoveHandler .php7.4
RewriteEngine off
</Location>
php_value memory_limit 32M
IPCCommTimeout 41
</VirtualHost>
<VirtualHost 149.56.44.161:443>
SuexecUserGroup "#1017" "#1017"
ServerName scribestories.com
ServerAlias www.scribestories.com
ServerAlias webmail.scribestories.com
ServerAlias admin.scribestories.com
DocumentRoot /home/scribestories/public_html
ErrorLog /var/log/virtualmin/scribestories.com_error_log
CustomLog /var/log/virtualmin/scribestories.com_access_log combined
ScriptAlias /cgi-bin/ /home/scribestories/cgi-bin/
DirectoryIndex index.html index.htm index.php index.php4 index.php5
<Directory /home/scribestories/public_html>
Options -Indexes +IncludesNOEXEC +SymLinksIfOwnerMatch +ExecCGI
allow from all
AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
Require all granted
AddType application/x-httpd-php .php
AddHandler fcgid-script .php
AddHandler fcgid-script .php7.0
AddHandler fcgid-script .php7.1
FCGIWrapper /home/scribestories/fcgi-bin/php7.1.fcgi .php
FCGIWrapper /home/scribestories/fcgi-bin/php7.0.fcgi .php7.0
FCGIWrapper /home/scribestories/fcgi-bin/php7.1.fcgi .php7.1
</Directory>
<Directory /home/scribestories/cgi-bin>
allow from all
AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
Require all granted
</Directory>
RewriteEngine on
RewriteCond %{HTTP_HOST} =webmail.scribestories.com
RewriteRule ^(?!/.well-known)(.*) https://scribestories.com:20000/ [R]
RewriteCond %{HTTP_HOST} =admin.scribestories.com
RewriteRule ^(?!/.well-known)(.*) https://scribestories.com:10000/ [R]
RemoveHandler .php
RemoveHandler .php7.0
RemoveHandler .php7.1
php_admin_value engine Off
FcgidMaxRequestLen 1073741824
SSLEngine on
SSLCertificateFile /home/scribestories/ssl.cert
SSLCertificateKeyFile /home/scribestories/ssl.key
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
Alias /dav /home/scribestories/public_html
<Location /dav>
DAV on
AuthType Basic
AuthName "scribestories.com"
AuthUserFile /home/scribestories/etc/dav.digest.passwd
Require valid-user
ForceType text/plain
Satisfy All
RemoveHandler .php
RemoveHandler .php5.6
RemoveHandler .php7.0
RemoveHandler .php7.1
RemoveHandler .php7.2
RemoveHandler .php7.4
RewriteEngine off
</Location>
<FilesMatch .php$>
# For Apache version 2.4.10 and above, use SetHandler to run PHP as a fastCGI process server
SetHandler "proxy:unix:/run/php/php7.4-fpm.sock|fcgi://localhost"
</FilesMatch>
SSLCACertificateFile /home/scribestories/ssl.ca
php_value memory_limit 32M
IPCCommTimeout 41
</VirtualHost>

I can't see any significant difference between the two HTTP vhost configs.
:frowning:

Neither can I. It's puzzling, isn't it? :frowning:

I still appreciate all of the time you put into helping me, though.

I'm sorry that this problem ended up being such a knob.
