Getting certificates fails in some domains (Virtualmin)

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

Notes: I checked the DNS records in the DNS forwarder in the BudgetVM control panel and, with support, verified that all the DNS records of my BIND service are OK.

What am I doing wrong? Because desatello and desarrollostello seem to be OK at the time of requesting the 4 certificates… (It’s a new installation)

My domain is:
desatello.com.ar
desarrollostello.com (alias of desatello.com.ar)
gesis.com.ar (offending)
quenchastre.com.ar (offending)

I ran this command:
Used the Let’s Encrypt module from Virtualmin

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for gesis.com.ar
http-01 challenge for quenchastre.com.ar
Using the webroot path /home/desatello/public_html for all unmatched domains.
Waiting for verification…
Challenge failed for domain gesis.com.ar
Challenge failed for domain quenchastre.com.ar
http-01 challenge for gesis.com.ar
http-01 challenge for quenchastre.com.ar
Cleaning up challenges
Some challenges have failed.
IMPORTANT NOTES:

My web server is (include version):
Apache version 2.4.6

The operating system my web server runs on is (include version):
CentOS Linux 7.7.1908

My hosting provider, if applicable, is:
I’ve a VPS in BudgetVM

I can login to a root shell on my machine (yes or no, or I don’t know):
Yes, I can

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
Webmin version 1.941
Virtualmin version 6.08

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
$ certbot --version
certbot 1.0.0

First one: gesis.com.ar
It didn't make the challenge file. I would check directory permissions to make sure certbot can create the file.

Second one: quenchastre.com.ar
Seems to have site code & tries to connect to a database. This should be a simple text file. It could be content generated by an app/rules on your apache config file for the domain.

Thanks for your tips..

Renamed index.html, there is no .htaccess file, permissions are ok, same answer: 404 not found.
This is a plain PHP development (I thought; I just administer the VPS)

Renamed index.php, renamed .htaccess, permissions are ok, answer changed: 404 not found.
BTW, this is a WordPress site...

All the folders have the user owner and permissions OK...

Other ideas? Thanks in advance...

Run a namei on your Docroot to the file for each domain.

namei -l /path/to/docroot/.well-known/acme-challenge/randomfilename

Also did you run the command with --webroot?

ZetaRevan… I can’t run the namei command on a path that doesn’t exist, not even in the domains where I thought it could be certified… So the process fails at all…

About the command with --webroot parameter, I said I’m using Webmin module for Let’s Encrypt…

So it fails once you get past your Docroot directory? That means that your LE module wasn’t able to create the directory or the file. That is usually a permissions issue.

And I apologize for missing that you were using the WebMin module. I will let someone else better versed in WebMin assist with this.

@ZetaRevan, thanks for your effort 🙂 … BTW I’ll check the permissions again, but if that is it… Why doesn’t it complain in some folders while in others it does?.. It’s curious…

I’ll wait another good soul… Thanks, again…

Well… Finally I found the way…

I had a misunderstanding about the procedure to request the certificate: I was trying to get it from the Webmin module instead of the Virtualmin interface…

I don’t know if this is right or not (I don’t understand the difference either).

So, for others who have the same problem first ensure this checklist:

  • If you are on a VPS and it offers a DNS forwarder, BE SURE to have a *.example.com A record pointing to the primary IP;
  • Ensure your BIND DNS records are OK (just in case Virtualmin fails);
  • In Virtualmin, verify in Server Features that Apache SSL enabled is checked (else check it and save)…

Then, still in Virtualmin, go to Server configuration (in the virtual server that needs the certificate) and click on SSL Certificate, and VOILA!

Thanks @ZetaRevan for “pushing me” to think outside the box…
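
The certbot output in the first post reports a single webroot, /home/desatello/public_html, used "for all unmatched domains" while validating gesis.com.ar and quenchastre.com.ar. As an added example (not from the thread, certbot or Virtualmin), this script compares that reported webroot with each domain's own docroot; the map file format and the /home/gesis and /home/quenchastre paths are assumptions.

```shell
#!/bin/sh
# Added example: flag domains whose http-01 challenge was written to a webroot
# other than the docroot their virtual host serves.

# check_webroots LOG MAP
#   LOG: certbot console output.
#   MAP: "domain docroot" per line (format assumed for this example).
# Prints OK / MISMATCH / UNKNOWN per challenged domain; returns 1 if any is not OK.
check_webroots() {
    rc=0
    out=$(awk '
        FILENAME == ARGV[1] { docroot[$1] = $2; next }   # first file: the map
        /^http-01 challenge for /  { seen[$4] = 1 }      # domains being validated
        /^Using the webroot path / { used = $5 }         # webroot certbot reported
        END {
            for (d in seen) {
                if (!(d in docroot)) {
                    print "UNKNOWN", d; bad = 1
                } else if (docroot[d] != used) {
                    print "MISMATCH", d, "used=" used, "expected=" docroot[d]; bad = 1
                } else {
                    print "OK", d
                }
            }
            exit bad + 0
        }' "$2" "$1") || rc=$?
    if [ -n "$out" ]; then printf '%s\n' "$out" | sort; fi
    return "$rc"
}

# Sample run. Log lines are copied from the post; docroot paths are constructed.
sample_run() {
    t=$(mktemp -d) || return 2
    cat > "$t/log" <<'EOF'
http-01 challenge for gesis.com.ar
http-01 challenge for quenchastre.com.ar
Using the webroot path /home/desatello/public_html for all unmatched domains.
EOF
    cat > "$t/map" <<'EOF'
gesis.com.ar /home/gesis/public_html
quenchastre.com.ar /home/quenchastre/public_html
EOF
    rc=0
    check_webroots "$t/log" "$t/map" || rc=$?
    rm -rf "$t"
    return "$rc"
}

sample_run || true
```

A MISMATCH line means the challenge file was placed where that domain's virtual host does not look, which is consistent with a 404 on the challenge URL even when permissions are correct.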
