Certificate not deploying on Virtualmin

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
xorex.rocks

I ran this command:
Virtualmin:Server Configuration:SSL Certificate:Let’s Encrypt:Request certificate for: Domain names listed here: xorex.rocks

It produced this output:
Requesting a certificate for xorex.rocks from Let’s Encrypt …
… request failed : Web-based validation failed : Failed to request certificate :
Traceback (most recent call last):
  File "/usr/share/webmin/webmin/acme_tiny.py", line 198, in <module>
    main(sys.argv[1:])
  File "/usr/share/webmin/webmin/acme_tiny.py", line 194, in main
    signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca, disable_check=args.disable_check, directory_url=args.directory_url, contact=args.contact)
  File "/usr/share/webmin/webmin/acme_tiny.py", line 143, in get_crt
    raise ValueError("Wrote file to {0}, but couldn't download {1}: {2}".format(wellknown_path, wellknown_url, e))
ValueError: Wrote file to /home/xorex.rocks/public_html/.well-known/acme-challenge/7chSbLPN08aQA_laf1bLbXcriW34paoJhWxrBccXn6Q, but couldn’t download http://xorex.rocks/.well-known/acme-challenge/7chSbLPN08aQA_laf1bLbXcriW34paoJhWxrBccXn6Q: Error:
Url: http://xorex.rocks/.well-known/acme-challenge/7chSbLPN08aQA_laf1bLbXcriW34paoJhWxrBccXn6Q
Data: None
Response Code: 404
Response:

404 Not Found

Not Found

The requested URL was not found on this server.

DNS-based validation failed : Failed to request certificate :
usage: acme_tiny.py [-h] --account-key ACCOUNT_KEY --csr CSR --acme-dir
                    ACME_DIR [--quiet] [--disable-check]
                    [--directory-url DIRECTORY_URL] [--ca CA]
                    [--contact [CONTACT [CONTACT ...]]]
acme_tiny.py: error: argument --acme-dir is required

My web server is (include version):
apache2 (2.4.38)

The operating system my web server runs on is (include version):
Debian 10

My hosting provider, if applicable, is:
OVH

I can login to a root shell on my machine (yes or no, or I don’t know):
Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
Virtualmin (6.08)

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
None. Managed by Virtualmin

Hi,

Fresh install of Virtualmin on a vanilla Debian 10. Updated and upgraded. Installed first virtual server (xorex.rocks) with these settings:

Enabled features
[DNS domain enabled?]
[Mail for domain enabled?]
[Apache website enabled?]
[Webalizer reporting enabled?]
[Apache SSL website enabled?]
[MySQL database enabled?]
[IP-based virtual FTP enabled?]
[Spam filtering enabled?]
[Virus filtering enabled?]
[Webmin login enabled?]
AWstats reporting
DAV login

When I try to establish the certificate the error tells me it cannot find the .well known/acme key.

Googled and read forums and it appears the redirection is preventing the key being read (but not written?).

Although I have added a specific redirect it does not appear to work and I do not know how to (or want to) remove the global redirect unless I can do it temporarily and replace it after establishing the certificate so that it auto renews. In the past this has just worked so I do not know why it is giving me problems.

BTW: Clicking the link above for the key file takes me to the http site (which does not redirect for some reason). When I then approve access to the site it fails as there are too many redirects (from http to https and back again I assume?).

Advice appreciated.

1 Like

Hi @GeoffatMM

that’s

something you have to fix. May be a too old version of that client or of your VirtualMin.

And your domain is buggy - https://check-your-website.server-daten.de/?q=xorex.rocks

| Domainname | Http-Status | redirect | Sec. | G | Notes |
|---|---|---|---|---|---|
| http://xorex.rocks/ 51.75.171.43 | 403 | | 0.074 | M | Forbidden |
| http://www.xorex.rocks/ 51.75.171.43 | 403 | | 0.090 | M | Forbidden |
| https://xorex.rocks/ 51.75.171.43 | 403 | | 2.456 | N | Forbidden. Certificate error: RemoteCertificateChainErrors |
| https://www.xorex.rocks/ 51.75.171.43 | 403 | | 2.457 | N | Forbidden. Certificate error: RemoteCertificateNameMismatch, RemoteCertificateChainErrors |
| http://xorex.rocks/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 51.75.171.43 | 302 | https://xorex.rocks/.well-known/acme-challenge/ | 0.080 | A | Visible Content: Found The document has moved here . |
| http://www.xorex.rocks/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 51.75.171.43 | 302 | https://xorex.rocks/.well-known/acme-challenge/ | 0.090 | E | Visible Content: Found The document has moved here . |
| https://xorex.rocks/.well-known/acme-challenge/ | 302 | https://xorex.rocks/.well-known/acme-challenge/ | 2.433 | L | Certificate error: RemoteCertificateChainErrors. Visible Content: Found The document has moved here . |

http + /.well-known/acme-challenge/random-file redirects to https without a file name, then a loop.

So it’s impossible to check the validation file.

1 Like

So I was having similar issues with re-direct (and then subsequent failures with no re-direct in place).

My problem was eventually solved by modifying the acme_tiny.py to behave itself and disable a check, my full thread is here: https://community.letsencrypt.org/t/virtualmin-lets-encrypt-web-based-validation-failed/

However, the snippets of information I suspect might help you (if you don't want to remove global redirects). Here was my .htaccess file with a redirect exception for the .well-known folder structure. Give it a try.

RewriteEngine On
RewriteRule ^.well-known/acme-challenge/ - [L]
RewriteCond %{HTTPS} !=on
RewriteRule ^/?(.*) https://%{HTTP_HOST}/$1 [R,L]

One thing mentioned to me also was that the Let’s Encrypt script runs in memory. I was restarting apache, but I ended up just restarting my host to make 100% sure it wasn't anything within memory.

Depending on how that goes, and if you stop getting DNS failures, you might need to disable a check.

Add disable_check=True at line 139. Add it below the comment "# check that the file is in place", but above "try:
wellknown_url = "http://{0}/.well-known/acme-challenge/{1}".format(domain, token)"

blah blah.

Otherwise take a look at the first response in this post to try and resolve some of the other underlying issues your site has.

Also, you listed your webmin version in the above post (1.941), rather than your actual Virtualmin version. Might be worth an edit to correct that so others can see.

For example, mine: image

2 Likes
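The redirect behaviour reported in the check-your-website table, and whether a `.well-known` redirect exception like the one above has taken effect, can be checked hop by hop. This is an added example, not part of the original thread or of acme_tiny.py; `trace_challenge`, `http_fetch`, the `tok` file name and the `LOOPING` responses are constructed for illustration.

```python
import http.client
import ssl
from urllib.parse import urljoin, urlsplit

REDIRECTS, MAX_HOPS = (301, 302, 303, 307, 308), 10  # hop cap is an assumption

def http_fetch(url):
    """One GET without following redirects; returns (status, Location or None)."""
    u = urlsplit(url)
    # Certificate errors are ignored: only the redirect behaviour is traced here.
    ctx = ssl.create_default_context()
    ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
    conn = (http.client.HTTPSConnection(u.netloc, timeout=10, context=ctx) if u.scheme == "https"
            else http.client.HTTPConnection(u.netloc, timeout=10))
    try:
        conn.request("GET", u.path or "/")
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

def trace_challenge(url, fetch=http_fetch):
    """Follow the challenge URL hop by hop; return (problems, hops)."""
    token = url.rsplit("/", 1)[-1]
    seen, hops, problems = set(), [], []
    for _ in range(MAX_HOPS):
        if url in seen:
            problems.append("redirect loop")
            break
        seen.add(url)
        status, location = fetch(url)
        hops.append((status, url))
        if status in REDIRECTS and location:
            url = urljoin(url, location)
            if not url.endswith("/" + token) and "token dropped" not in problems:
                problems.append("token dropped")
            continue
        if status != 200:
            problems.append("final status %d" % status)
        break
    else:
        problems.append("too many redirects")
    return problems, hops

# Constructed responses modelled on the table in the thread (not live data).
BASE = "xorex.rocks/.well-known/acme-challenge/"
LOOPING = {"http://" + BASE + "tok": (302, "https://" + BASE),
           "https://" + BASE: (302, "https://" + BASE)}
print(trace_challenge("http://" + BASE + "tok", LOOPING.__getitem__))
```

Calling `trace_challenge(url)` with no second argument issues real requests; an empty problem list means the file was served with a 200 and the file name survived every redirect.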

Thanks for the response Juergen but I think you will have to walk me through it!

This is the latest version of Debian and Virtualmin/Webmin so no idea why it is not working.

I see that in public_html there is no .well-known directory and thus no acme directory either. I assumed that it would be written by the script for me. Are you saying I need to add the folder structure? If so it is a bit of a pain to do for every website.

What do I have to fix with acme_tiny.py? I did not install this it was in the virtualmin set up I presume. I am happy to explore what to do and feed it back to the Virtualmin team if it is an issue but I do not know how to start with it.

I do not really understand the output of the check your website query. http is globally forwarded to https for all requests. Is this a problem? I assumed the script would work its way around this by recognising that http is closed and https is in use?

The certificate errors are possible because there is only a self signed certificate at the moment as the SSL certificate cannot be generated. Or is it something else that is wrong on the server?

I have added the folder structure and tried xorex.rocks/.well-known/acme-challenge and first, it appears to bypass the https redirect and gives a 403. When I call https instead, it gives the same 403 response. Is this a permissions issue?

Sorry if my questions are naive but I am not an expert in these matters and am trying to understand them.

Appreciate your further help.

Geoff

1 Like

Hi fooby,

I have rebooted and also have both real and virtual memory so do not think that is the problem.

I will follow your suggestion as a last resort as I want to understand why a vanilla installation of virtualmin is not working so it can be fed back if it is an issue. 99% probability it is something I have done though!

If you have any more thoughts I would appreciate them.

1 Like

Juergen,

I checked and the key file has been written and the URL it says it cannot download from:

http://xorex.rocks/.well-known/acme-challenge/7chSbLPN08aQA_laf1bLbXcriW34paoJhWxrBccXn6Q

opens the web browser to show the two part key so I cannot understand why it cannot download the information it requires.

1 Like

I can’t download that file. There is a http status 404 - Not Found.

But I don’t know how VirtualMin works.

Looks like your webserver has some location definitions, so another directory is used. -> Ask in a VirtualMin - forum.

1 Like

Hi Juergen

I do not know when you tried to download it but I went in and deleted it this morning to see if that was the problem. It did not resolve the situation and now it is not writing it back in to the file structure at all.

I have raised it on the virtualmin forums. Thanks.

1 Like

Let me know what you hear back from virtualmin forums, as I was also debating bringing this to their attention.

My install is pretty much default in terms of front end web configuration. I have other websites on my box that were working correctly, but the one I was looking to fix didn't. Which is odd because they all run the same acme_tiny.py config.

I would seriously recommend not making any edits to files unless you understand why you are making them, it's possible to make the problem worse.

In terms of the .well-known folder. No, you don't need to create it, the folder/file is generated at the point in time of the letsencrypt request within virtualmin SSL.

At this point I can only provide you with some of the knowledge that was passed on to me. If I get some time I can attempt to look through the tools that I was given to troubleshoot my issue and I’ll see if I can diagnose yours. But please don't wait for me.

Please keep this thread updated if you hear anything back from the virtualmin team.

1 Like

You, (and @GeoffatMM, and @HadyShaltout) should see if you can make something of these instructions: https://doxfer.webmin.com/Webmin/Let's_Encrypt

I don’t know if webmin will invoke certbot or if you’re supposed to make them work together.

1 Like

certbot and webmin are not compatible from my experience. If you install certbot virtualmin gets very upset and refuses to manage the certs for you.

This doesn’t make any sense. They even suggest using certbot: http://www.webmin.com/changes.html

(is it really that useful of a software, webmin?)

1 Like

Fooby, I am still waiting for a response to my request for help on Virtualmin (it can be a bit hit and miss at times) but I will share whatever I find from them.

9peppe, I will look at the links you have sent thanks. I understand that certbot is the alternative to acme_tiny.py? I will not change anything unless I can get confirmation from the virtualmin team that it is worth a try.

I previously tried other solutions and ended up having to rebuild the entire system from scratch so Fooby, I will not be amending files unwittingly!

1 Like

Yes. You should check with @HadyShaltout, they made it work pretty quickly.

1 Like

Thanks to all of you for your input. I thank especially Juergen for his input. It took a long time for me to understand the issues, research them, experiment building and rebuilding the virtual server and comparing it with working servers but finally I sorted the DNS issues out and it is working and the certificate is issuing correctly. Juergen’s site is not easy to understand (apologies Juergen) but once it is, it provides a wealth of information to help isolate and fix the DNS issues.

This post is now closed.

3 Likes

I was experiencing this same exact issue with a vanilla installation of Virtualmin on a fresh install of Debian 10. I decided to try loading Ubuntu 18.04 and installing Virtualmin on that and was able to obtain an SSL certificate from Let’s Encrypt with no issues. The problem must have to do with Virtualmin running on Debian 10.

This is getting too long and is now outdated so I have opened a new request under:

1 Like