Error while trying to renew or create a new cert. Other domains in same server update fine

mnordhoff · April 7, 2020, 5:26pm

There was a recent thread about this:

(Though it's long and I haven't reread it!)

The issue is:

Your website redirects from HTTP to HTTPS. (This is fine!)
The ACME client, acme-tiny, makes its own HTTP request to your website to check if the validation works.
This request requires a valid certificate. (Even though Let's Encrypt's validation system ironically doesn't.)
acme-tiny has an option to disable the check; Webmin doesn't use it.
The website's current certificate is expired.

I think the very long thread suggests some workarounds.

Edit:

Warning: that thread also discusses at least one unrelated issue. You can ignore parts of it.

There's a pull request to disable certificate validation for the check, but it wasn't merged:

github.com/diafygi/acme-tiny

Disable Certificate Verify when validating hosted challenge

diafygi:master ← spidasoftware:self-signed-challenge

opened 05:49PM - 27 Feb 19 UTC

spidaKevinGentile

+7 -4

If `/.well-known/acme-challenge` is hosted under an https route using a self-sig…ned certificate the validation on the hosted challenge fails when redirecting http to https. The underlying exception is: ``` urllib2.URLError: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:726)> ``` The changes on this branch allow a context to be passed to `_do_request`, and the validation step disables certificate verification when calling `urlopen`