Can't request certificate: invalid response etc.

Trying to request a certificate for one of my sites. I run Virtualmin for my hosting platform on a Debian 9 install.

I have 2 SSL sites: my blog drguild.moip.me, which works with certificates, and my community forum cajgo-support.com, which is the main site, with a forum at community.cajgo-support.com.

In Virtualmin the certificate is held by the top site cajgo-support.com, and community is a sub-server managed by the parent.
When requesting a certificate for the community site and forum in Virtualmin, this error shows:

Requesting a certificate for cajgo-support.com, community.cajgo-support.com from Let's Encrypt ..
.. request failed : Web-based validation failed : Failed to request certificate :
community.cajgo-support.com challenge did not pass: Invalid response from https://community.cajgo-support.com/.well-known/acme-challenge/zNQ0ecFuflZzKvNq7ScZxAi3BpM7VwXpLTg95Iq8KeM [220.244.244.115]: "<!-- st"
DNS-based validation failed : Failed to request certificate :
community.cajgo-support.com challenge did not pass: No TXT record found at _acme-challenge.community.cajgo-support.com

The certificates were working, but I switched from CentOS 6.9 to Debian 9 to rebuild the server, and since then I am getting errors requesting a new certificate.

My current certificate info is as follows.

Domain names listed here:

  • cajgo-support.com
  • community.cajgo-support.com

Months between automatic renewal: Only renew manually
Time since last renewal: 0.37 months
Last successful renewal: 04/10/2019 1:19 PM
Last failed renewal: 06/09/2019 1:24 PM
Renewal failed due to: Web-based validation failed : Failed to request certificate :

community.cajgo-support.com challenge did not pass: Invalid response from https://community.cajgo-support.com/.well-known/acme-challenge/8ekI9ZtduRtiwJxInbe7MZM8Nc5kiSp5noC-Vy-RZo0 [220.244.244.115]: "<!-- st"

I have a test file in the acme-challenge folder which can be read so the folder can be accessed.

I don't know what needs to be changed, as I haven't changed any backend settings in No-IP, and I backed up and re-imported my server into Virtualmin.

The only thing I can think of at this stage is to wipe the forum sub-server vhost and create a new one, copying back the web files and MySQL database to get a new Virtualmin config.
But I would rather fix the issue than do that.

The error is only on the forum sub-server and not the parent cajgo-support.com, which shares the same certificate.

More info about my current certificate:
I have cleaned up the "other domain names" area to get rid of the initial unused testing sites ('sytes' and mail).

SSL certificate file: /home/cajgo-admin/ssl.cert
SSL private key file: /home/cajgo-admin/ssl.key
Web server hostname: cajgo-support.com
Issuer name: Let's Encrypt Authority X3
Issuer organization: Let's Encrypt, CN = Let's Encrypt Authority X3
Expiry date: Jul 9 04:19:01 2019 GMT
Certificate type: Signed by CA
Other domain names: cajgo-support.com, cajgo-support.sytes.net, community.cajgo-support.com, community.cajgo-support.sytes.net, mail.cajgo-support.com.

Just saw something weird.

The files are being created in the main server cajgo-support.com, as I can see them.
But it's trying to get a response from the community support site.
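The observation above (challenge files landing in one vhost's document root while the validator is answered by another, with the body "<!-- st" showing an HTML page rather than the token) is something a pre-flight check can catch before spending a Let's Encrypt rate-limit slot. The script below is an added example, not Virtualmin or acme_tiny code. It fetches the challenge URL the way the CA does (plain http, following redirects), classifies what came back, and also reports the case seen later in this thread where the http-to-https redirect lands on a certificate that no longer covers the name. The hostname and token are taken from the error text above; the account-key thumbprint, the fetcher's constructed responses in replay_thread_failures() and the remediation wording are assumptions.

```python
"""Pre-flight check for an ACME HTTP-01 challenge (added example, not Virtualmin
or acme_tiny code).  Hostnames, the made-up thumbprint and the constructed
responses in replay_thread_failures() are assumptions for illustration."""
import re
import ssl
import sys
import urllib.error
import urllib.request
from urllib.parse import urlparse

CHALLENGE_PATH = "/.well-known/acme-challenge/"
# A key authorization is "<token>.<account-key thumbprint>", both base64url.
_KEYAUTH_RE = re.compile(r"^[A-Za-z0-9_-]{20,}\.[A-Za-z0-9_-]{20,}$")

REMEDIATION = {  # assumed hints, one per verdict
    "ok": "challenge file is served correctly",
    "html-page": ("the vhost that answered served a web page, not the token; the file "
                  "was written under a different DocumentRoot than the one answering for "
                  "this name, so write it there or alias /.well-known/acme-challenge/ to "
                  "one shared directory in every vhost"),
    "other-key-authorization": "a token from another run or account is being served; "
                               "check which vhost and directory answer for this name",
    "tls-hostname-mismatch": ("the http->https redirect lands on a certificate that does "
                              "not cover this name; exempt /.well-known/acme-challenge/ "
                              "from the redirect or keep a certificate for this name there"),
    "http-error": "non-200 status for the challenge URL; check vhost, path and permissions",
    "unexpected": "body is neither the token nor an HTML page; inspect it manually",
}


def classify_challenge_body(body: bytes, expected: str) -> str:
    """Say what the server returned in place of the expected key authorization."""
    text = body.decode("utf-8", "replace").strip()
    if text == expected:
        return "ok"
    if text[:15].lower().startswith(("<!--", "<!doctype", "<html")):
        return "html-page"          # an index/error page: wrong DocumentRoot answered
    if _KEYAUTH_RE.match(text):
        return "other-key-authorization"
    return "unexpected"


def default_fetch(url: str, timeout: float = 10.0):
    """Follow redirects as the CA does; return (final_url, status, body).
    A TLS name mismatch on an https hop is re-raised as ssl.SSLCertVerificationError."""
    req = urllib.request.Request(url, headers={"User-Agent": "acme-preflight/0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.geturl(), resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return getattr(err, "url", url), err.code, err.read()
    except urllib.error.URLError as err:
        if isinstance(err.reason, ssl.SSLCertVerificationError):
            raise err.reason from err
        raise


def preflight_http01(hostname: str, token: str, key_authorization: str,
                     fetch=default_fetch) -> dict:
    """Fetch http://<hostname>/.well-known/acme-challenge/<token> and classify it."""
    url = f"http://{hostname}{CHALLENGE_PATH}{token}"
    result = {"url": url, "final_url": None, "status": None}
    try:
        final_url, status, body = fetch(url)
    except ssl.SSLCertVerificationError as err:
        result.update(verdict="tls-hostname-mismatch", detail=str(err))
        return result
    result.update(final_url=final_url, status=status, redirected=(final_url != url))
    final_host = urlparse(final_url).hostname or hostname
    result["answered_by_other_host"] = final_host.lower() != hostname.lower()
    result["verdict"] = "http-error" if status != 200 else classify_challenge_body(body, key_authorization)
    result["detail"] = REMEDIATION[result["verdict"]]
    return result


def replay_thread_failures() -> dict:
    """Constructed (offline) responses reproducing the two errors quoted in this thread."""
    token = "zNQ0ecFuflZzKvNq7ScZxAi3BpM7VwXpLTg95Iq8KeM"   # token from the first error
    keyauth = token + "." + "A" * 43                         # thumbprint is made up

    def served_index_page(url):   # http -> 302 -> https; the sub-server vhost answers with its page
        return url.replace("http://", "https://", 1), 200, b"<!-- start of page -->\n<html>"

    def cert_lacks_name(url):     # what acme_tiny's self-check hit once the name left the cert
        raise ssl.SSLCertVerificationError(
            "hostname 'community.cajgo-support.com' doesn't match 'cajgo-support.com'")

    return {name: preflight_http01("community.cajgo-support.com", token, keyauth, fetch=f)["verdict"]
            for name, f in (("served_index_page", served_index_page),
                            ("cert_lacks_name", cert_lacks_name))}


if __name__ == "__main__":
    # usage: python acme_preflight.py <hostname> <token> <key-authorization>
    host, tok, keyauth = sys.argv[1:4]
    r = preflight_http01(host, tok, keyauth)
    print(r["verdict"], "->", r["detail"])
    sys.exit(0 if r["verdict"] == "ok" else 1)
```

To use it for real, write a throwaway token file into the directory you believe the vhost serves, run the script against that hostname and token, and compare the verdict with what the ACME client reports; an "html-page" verdict with "redirected" true is exactly the pattern in the error text above.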

Hi @drguild

Checking your two domains, there are no major problems visible. One thing looks critical ( https://check-your-website.server-daten.de/?q=cajgo-support.com ):

Host                   T     IP-Address                              is auth.  ∑ Queries  ∑ Timeout
cajgo-support.com      A     220.244.244.115 /Western Australia/AU   yes       1          0
                       AAAA                                          yes
www.cajgo-support.com  A     34.198.182.201 Beaumont/Texas/US        yes       1          0
                       AAAA                                          yes

Your www version has another IP address. But that's not a problem, because the http redirects to non-www + https.

But:

There is "manually renew". So you have to create the validation file manually -> there is something going wrong.

And you have two different certificates:

CN=cajgo-support.com
	10.04.2019
	09.07.2019
expires in 19 days	cajgo-support.com, cajgo-support.sytes.net, 
community.cajgo-support.com, community.cajgo-support.sytes.net, 
mail.cajgo-support.com - 5 entries

from your main site,

CN=community.cajgo-support.com
	15.05.2019
	13.08.2019
expires in 54 days	
community.cajgo-support.com, www.community.cajgo-support.com - 2 entries

from your community site ( https://check-your-website.server-daten.de/?q=community.cajgo-support.com ).

So if your community site uses an own certificate, remove the community domain name from your other certificate.

The IP for www can be easily explained, as that's No-IP doing a DNS redirect.
As for the two certificates, that's very strange, as the servers are saying the certificate is being shared in Virtualmin and there is only 1 button to request a certificate.

As for the manual update, it's set for 2 months as per Virtualmin defaults.
There are 2 options on the same line in the Virtualmin GUI: renew manually and months between renewals.
It didn't translate too well here on copy/paste.

I doubt there's any way to expire all certificates so I can redo them.

As it is, I am fine with the community one totally expiring and using the shared certificate from now on, if that works.

For now I took community out of the main certificate and it's updated.
I will look at sharing again in the near future.

Unhooking the certificates, the parent updated; now my sub-server is showing a privacy error and cannot update its certificate.

So I somehow lost the community ssl certificate and not sure how to fix it.

Requesting a certificate for community.cajgo-support.com, www.community.cajgo-support.com from Let's Encrypt ..
.. request failed : Web-based validation failed : Failed to request certificate :
Traceback (most recent call last):
  File "/usr/share/webmin/webmin/acme_tiny.py", line 250, in
    main(sys.argv[1:])
  File "/usr/share/webmin/webmin/acme_tiny.py", line 246, in main
    signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, args.dns_hook, args.cleanup_hook, log=LOGGER, CA=args.ca)
  File "/usr/share/webmin/webmin/acme_tiny.py", line 154, in get_crt
    resp = urlopen(wellknown_url)
  File "/usr/lib/python2.7/urllib2.py", line 154, in urlopen
    return opener.open(url, data, timeout)
  File "/usr/lib/python2.7/urllib2.py", line 435, in open
    response = meth(req, response)
  File "/usr/lib/python2.7/urllib2.py", line 548, in http_response
    'http', request, response, code, msg, hdrs)
  File "/usr/lib/python2.7/urllib2.py", line 467, in error
    result = self._call_chain(*args)
  File "/usr/lib/python2.7/urllib2.py", line 407, in _call_chain
    result = func(*args)
  File "/usr/lib/python2.7/urllib2.py", line 654, in http_error_302
    return self.parent.open(new, timeout=req.timeout)
  File "/usr/lib/python2.7/urllib2.py", line 429, in open
    response = self._open(req, data)
  File "/usr/lib/python2.7/urllib2.py", line 447, in _open
    '_open', req)
  File "/usr/lib/python2.7/urllib2.py", line 407, in _call_chain
    result = func(*args)
  File "/usr/lib/python2.7/urllib2.py", line 1241, in https_open
    context=self._context)
  File "/usr/lib/python2.7/urllib2.py", line 1195, in do_open
    h.request(req.get_method(), req.get_selector(), req.data, headers)
  File "/usr/lib/python2.7/httplib.py", line 1042, in request
    self._send_request(method, url, body, headers)
  File "/usr/lib/python2.7/httplib.py", line 1082, in _send_request
    self.endheaders(body)
  File "/usr/lib/python2.7/httplib.py", line 1038, in endheaders
    self._send_output(message_body)
  File "/usr/lib/python2.7/httplib.py", line 882, in _send_output
    self.send(msg)
  File "/usr/lib/python2.7/httplib.py", line 844, in send
    self.connect()
  File "/usr/lib/python2.7/httplib.py", line 1263, in connect
    server_hostname=server_hostname)
  File "/usr/lib/python2.7/ssl.py", line 363, in wrap_socket
    _context=self)
  File "/usr/lib/python2.7/ssl.py", line 611, in init
    self.do_handshake()
  File "/usr/lib/python2.7/ssl.py", line 848, in do_handshake
    match_hostname(self.getpeercert(), self.server_hostname)
  File "/usr/lib/python2.7/ssl.py", line 286, in match_hostname
    % (hostname, dnsnames[0]))
ssl.CertificateError: hostname 'community.cajgo-support.com' doesn't match 'cajgo-support.com'
DNS-based validation failed : Failed to request certificate :
community.cajgo-support.com challenge did not pass: No TXT record found at _acme-challenge.community.cajgo-support.com

Now you have installed the wrong certificate ( https://check-your-website.server-daten.de/?q=community.cajgo-support.com ):

CN=cajgo-support.com
	20.06.2019
	18.09.2019
expires in 90 days	cajgo-support.com - 1 entry

Looks like your Virtualmin configuration is a little bit confused.

I hit the rate limit for the hour, as I was still getting errors about invalid TXT records etc. trying the sub-server certificate.

Sigh this is annoying.

I opened an issue with Virtualmin and hope I can get this sorted out in a reasonable time.


Got it working.
I created a self-signed certificate, then I could get a certificate from Let's Encrypt.
I have 2 separate certificates now: one for the top site, one for the community.
I will need to look into a shared certificate later, which was the issue; I believe I need to redirect the community well-known directory so it uses the main site's one.
