Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is: grunk.xyz
I ran this command: Virtualmin Certbot autorenewal
It produced this output:
```
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Renewing an existing certificate for grunk.xyz and 4 more domains
Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
Domain: admin.grunk.xyz
Type: connection
Detail: 2001:19f0:c:d51:5400:4ff:fe7c:fb7d: Fetching https://grunk.xyz:10000/.well-known/acme-challenge/F3st2_MWs4P9JMDCzU3tDZt3gGQrm6WfbaNDvVTctKg: Invalid port in redirect target. Only ports 80 and 443 are supported, not 10000
Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Renewing an existing certificate for grunk.xyz and 4 more domains
An unexpected error occurred:
AttributeError: can't set attribute
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
```
My web server is (include version): nginx/1.22.1
The operating system my web server runs on is (include version): Debian 12.8
My hosting provider, if applicable, is: Vultr
I can login to a root shell on my machine (yes or no, or I don't know): yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): Virtualmin
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.1.0
The renewal shouldn't request verification on port 10000; that's the port Webmin/Virtualmin runs on, and the verification will fail on that port. Virtualmin is only accessible from a different domain and port entirely.
Not only that but Let's Encrypt does not allow any ports other than 80 or 443 for HTTP Challenge redirects.
Maybe someone else will have specific advice about your setup but something on your system is redirecting all HTTP requests to that port. You need to stop doing that at least for URLs for the HTTP Challenge.
Note also the redirect goes from your admin subdomain to your apex domain.
```
# Using your IPv6 address to your "Home" page redirects (so does IPv4)
curl -i6 http://admin.grunk.xyz
HTTP/1.1 302 Moved Temporarily
Server: nginx/1.22.1
Location: https://grunk.xyz:10000/

# HTTP Challenges redirected in same way
curl -i6 http://admin.grunk.xyz/.well-known/acme-challenge/Test404
HTTP/1.1 302 Moved Temporarily
Server: nginx/1.22.1
Location: https://grunk.xyz:10000/.well-known/acme-challenge/Test404
```
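The curl output above is what a catch-all redirect in the nginx vhost for admin.grunk.xyz produces. As an added example (not Virtualmin's generated configuration and not from this thread), here is the shape of such a vhost next to a corrected form that answers the challenge path from the webroot and only redirects everything else; the webroot path /var/www/html, the file path and the `return 302` form are assumptions. The two server blocks are alternatives for the same vhost, not meant to be loaded together.

```nginx
# /etc/nginx/sites-available/admin.grunk.xyz (assumed path)
# BEFORE: every HTTP request, including the ACME challenge path, is sent
# to the panel on port 10000, so the CA sees a redirect to an unsupported
# port (only 80 and 443 are allowed) and the webroot challenge fails.
server {
    listen 80;
    listen [::]:80;
    server_name admin.grunk.xyz;

    location / {
        return 302 https://grunk.xyz:10000$request_uri;
    }
}

# AFTER: serve /.well-known/acme-challenge/* directly from the webroot that
# certbot writes to (its --webroot-path/-w value), then keep the redirect
# for all other URLs.
server {
    listen 80;
    listen [::]:80;
    server_name admin.grunk.xyz;

    # ^~ makes this prefix match take priority over any regex locations the
    # panel may add, so challenge tokens are answered with 200 from disk and
    # an unknown token gets a plain 404 instead of a redirect.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/html;          # assumed webroot path; must match -w
        default_type "text/plain";
        try_files $uri =404;
    }

    location / {
        return 302 https://grunk.xyz:10000$request_uri;
    }
}
```

After `nginx -t` and a reload, the same curl check against a made-up token should return 404 rather than 302 to port 10000, which is what the CA needs to see before a real token is placed there.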
This issue was fixed in 2.3.0. Current Certbot version is 3.1.0. Please update your Certbot version. As Debian is probably lagging behind quite a while (because.. Well.. Debian..) it's recommended to use the snap installation method.
http://admin.grunk.xyz/ redirects to https://grunk.xyz:10000/. Please disable this redirect and try again.
I never realized that was what was going on. Virtualmin creates this redirect when a domain is added. I've updated certbot to 3.1.0 via snap and made sure it's what Virtualmin would call (moved the old binary to a different name for now but didn't uninstall it (the snap version installed to /snap and not to the system itself; I've just symlinked the snap version to /usr/bin/certbot)).
I don't know what made me think of it, but I went and created an A record of _acme-challenge.admin.grunk.xyz and that problem went away. But now it's replaced with a whole new error.
```
Web-based validation failed.
error: unknown command "certonly", see 'snap help'.
DNS-based validation failed
error: unknown command "certonly", see 'snap help'.
```
This one is most confusing. I still haven't found where Virtualmin is doing the redirects.
I don't know how to figure this part out (what command Virtualmin is running.) For the life of me, I have no idea how Virtualmin is running snap certonly; that makes zero sense to me.
Here is the current info for the expired cert: Screenshot 1
And here is what I see on the SSL Providers tab: Screenshot 2
When I hit Request Certificate, it shows me the errors in red on the right but in its own window.
If I click "Only Update Renewal," it takes me back to the "Current Certificate" tab.
My question is this: Can I specify the expired cert on the command line and renew it that way? If I do `certbot certonly -n --dns-route53 -d grunk.xyz`, it installs the certs in /etc/letsencrypt/live/grunk.xyz-0002/fullchain.pem and /etc/letsencrypt/live/grunk.xyz-0002/privkey.pem. This is not where Virtualmin is expecting to look, which is `/etc/ssl/virtualmin//ssl{key,cert}`.
That's really more a question for VirtualMin support or forum. Technically you don't renew certs. A renewal is just a term used to describe a new cert with the same domains as a previous one.
I don't want to guess whether doing things manually with Certbot will work out for you in the long run. VirtualMin is not working well. Doing something manually isn't likely to get it auto-renewing for you in the future.
Given you now have a -0002 Certbot profile that means this is the third (original plus two revisions) of a similar Certbot profile. Usually this means different combinations of names were requested with some overlap.
I think you need to step back and get VirtualMin running properly. Perhaps you have heard the old saying about what to do when you find yourself in a hole.
Here is your cert history if this is at all helpful. I had to use two sources as the main one did not yet see your cert from today.