Impossible to renew certificate via Virtualmin module, help please

Hello,

I’m French, so sorry for my poor English.
I have a big problem as I can’t renew my certificate for my domains.
The LE module should request a new certificate after 2 months, but it always fails.
Before, I could do it manually but now it’s not working anymore and I don’t know what to do.

Could you please help me with this problem?

My domain is: hexa-gone.com

It produced this output:

Requesting a certificate for hexa-gone.com, www.hexa-gone.com from Let’s Encrypt …
… request failed : Web-based validation failed : Failed to request certificate :

Parsing account key…
Parsing CSR…
Registering account…
Already registered!
Verifying hexa-gone.com
Wrote file to /home/hexa/www/.well-known/acme-challenge/dJSuupA-uO3bP9b-uMsYfw0e04Iw4tHs_ov24Up6Zxg, but couldn’t download http://hexa-gone.com/.well-known/acme-challenge/dJSuupA-uO3bP9b-uMsYfw0e04Iw4tHs_ov24Up6Zxg
Traceback (most recent call last):
  File "/usr/share/webmin/webmin/acme_tiny.py", line 235, in <module>
    main(sys.argv[1:])
  File "/usr/share/webmin/webmin/acme_tiny.py", line 231, in main
    signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, args.dns_hook, args.cleanup_hook, log=LOGGER, CA=args.ca)
  File "/usr/share/webmin/webmin/acme_tiny.py", line 184, in get_crt
    domain, challenge_status))
ValueError: hexa-gone.com challenge did not pass: {u'status': u'invalid', u'validationRecord': [{u'addressesResolved': [u'87.98.156.47', u'2001:41d0:c:f12::1'], u'url': u'https://hexa-gone.com/.well-known/acme-challenge/dJSuupA-uO3bP9b-uMsYfw0e04Iw4tHs_ov24Up6Zxg', u'hostname': u'hexa-gone.com', u'addressesTried': [], u'addressUsed': u'87.98.156.47', u'port': u'443'}, {u'addressesResolved': [u'87.98.156.47', u'2001:41d0:c:f12::1'], u'url': u'http://hexa-gone.com/.well-known/acme-challenge/dJSuupA-uO3bP9b-uMsYfw0e04Iw4tHs_ov24Up6Zxg', u'hostname': u'hexa-gone.com', u'addressesTried': [], u'addressUsed': u'2001:41d0:c:f12::1', u'port': u'80'}], u'keyAuthorization': u'dJSuupA-uO3bP9b-uMsYfw0e04Iw4tHs_ov24Up6Zxg.wkeT0q-2nfnGV9BE9OYBzl8qA9tFe3W_lCv0KfPkhtM', u'uri': u'https://acme-v01.api.letsencrypt.org/acme/challenge/YERmZFfEAPJw7HcrMgLroWad81iyYc0fRBWIIE8Sgh0/2338938780', u'token': u'dJSuupA-uO3bP9b-uMsYfw0e04Iw4tHs_ov24Up6Zxg', u'error': {u'status': 400, u'type': u'urn:acme:error:connection', u'detail': u'Fetching https://hexa-gone.com/.well-known/acme-challenge/dJSuupA-uO3bP9b-uMsYfw0e04Iw4tHs_ov24Up6Zxg: Error getting validation data'}, u'type': u'http-01'}

DNS-based validation failed : Failed to request certificate :

Parsing account key…
Parsing CSR…
Registering account…
Already registered!
Verifying hexa-gone.com
Undefined subroutine &main::get_bind_zone_for_domain called at /usr/share/webmin/webmin/letsencrypt-dns.pl line 21.
Traceback (most recent call last):
  File "/usr/share/webmin/webmin/acme_tiny.py", line 235, in <module>
    main(sys.argv[1:])
  File "/usr/share/webmin/webmin/acme_tiny.py", line 231, in main
    signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, args.dns_hook, args.cleanup_hook, log=LOGGER, CA=args.ca)
  File "/usr/share/webmin/webmin/acme_tiny.py", line 184, in get_crt
    domain, challenge_status))
ValueError: hexa-gone.com challenge did not pass: {u'status': u'invalid', u'keyAuthorization': u'bl8vW_eTwGnsmQLRPeDvMOhDtuEvz0GUt-XeETx8ZJ8.wkeT0q-2nfnGV9BE9OYBzl8qA9tFe3W_lCv0KfPkhtM', u'uri': u'https://acme-v01.api.letsencrypt.org/acme/challenge/UfocqbwRm2Ub5oEp4KeJeSUTgWbkZNNTk-UAWWUZ0UE/2338939091', u'token': u'bl8vW_eTwGnsmQLRPeDvMOhDtuEvz0GUt-XeETx8ZJ8', u'error': {u'status': 400, u'type': u'urn:acme:error:connection', u'detail': u'DNS problem: NXDOMAIN looking up TXT for _acme-challenge.hexa-gone.com'}, u'type': u'dns-01'}

My web server is: Apache 2.4.10

The operating system my web server runs on is (include version): Debian 8.9

My hosting provider, if applicable, is: OVH

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): Virtualmin / Webmin 6.01.gpl-3

It probably has something to do with the different set up between IPv4 and IPv6.

With openssl, I can connect without a problem to hexa-gone.com. But openssl’s s_client connects to the IPv4 address…

When I try hexa-gone.com in Chromium, it connects to the IPv6 address with as a result:

This site can’t provide a secure connection

hexa-gone.com sent an invalid response.
ERR_SSL_PROTOCOL_ERROR

When I telnet to the IPv6 address behind hexa-gone.com, I get this (notice the port 443, i.e., HTTPS port):

osiris@desktop ~ $ telnet 2001:41d0:c:f12::1 443
Trying 2001:41d0:c:f12::1...
Connected to 2001:41d0:c:f12::1.
Escape character is '^]'.
GET / HTTP/1.1
Host: hexa-gone.com

HTTP/1.1 200 OK
Date: Sun, 29 Oct 2017 18:33:52 GMT
Server: Apache/2.4.10
Last-Modified: Thu, 09 Feb 2017 08:54:36 GMT
ETag: "0-54815216f8716"
Accept-Ranges: bytes
Content-Length: 0
Content-Type: text/html

Connection closed by foreign host.
osiris@desktop ~ $ 

So it looks like your IPv6 host isn’t configured for HTTPS properly on port 443, while it should.

Why does this matter?

Because Let’s Encrypt prefers IPv6 above IPv4 and does follow redirects. And you’re redirecting HTTP to HTTPS, which results in the error above.
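A way to catch this before the next renewal attempt, as an added example that is not part of the reply above nor Webmin's or acme_tiny's code: fetch the HTTP-01 challenge URL over every published A and AAAA address, follow redirects without leaving that address, and report per address whether the whole chain (including the TLS handshake on 443 if HTTP redirects there) is served. The token, the "pinned to one address" simplification and the simulated responses in `simulate_thread_scenario` are assumptions; the live `check()` needs network access.

```python
import http.client
import socket
import ssl
from urllib.parse import urljoin, urlsplit

def resolve(host):
    """All A and AAAA records; the CA may validate over any of them."""
    infos = socket.getaddrinfo(host, 80, type=socket.SOCK_STREAM)
    return sorted({sa[0] for *_, sa in infos})

def fetch(addr, url, timeout=10):
    """One GET pinned to addr (Host and SNI from the URL); raises OSError on failure."""
    p = urlsplit(url)
    port = p.port or (443 if p.scheme == "https" else 80)
    sock = socket.create_connection((addr, port), timeout=timeout)
    if p.scheme == "https":
        ctx = ssl.create_default_context()
        ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE  # handshake only
        sock = ctx.wrap_socket(sock, server_hostname=p.hostname)
    conn = http.client.HTTPConnection(p.hostname, port, timeout=timeout)
    conn.sock = sock  # use our pre-connected socket instead of conn.connect()
    conn.request("GET", p.path or "/")
    resp = conn.getresponse()
    return resp.status, resp.getheader("Location")

def follow(addr, url, fetch=fetch, max_hops=5):
    """Follow redirects without leaving addr: each address must serve the whole chain."""
    for _ in range(max_hops):
        try:
            status, location = fetch(addr, url)
        except OSError as exc:  # ssl.SSLError is an OSError too
            return "error", f"{url}: {type(exc).__name__}: {exc}"
        if status in (301, 302, 303, 307, 308) and location:
            url = urljoin(url, location)
            continue
        return ("ok" if status == 200 else "bad-status"), f"{url}: {status}"
    return "error", f"{url}: too many redirects"

def check(host, token, resolve=resolve, fetch=fetch):
    """Map each address of host to (verdict, detail) for the challenge URL."""
    url = f"http://{host}/.well-known/acme-challenge/{token}"
    return {addr: follow(addr, url, fetch) for addr in resolve(host)}

def simulate_thread_scenario():
    """Offline model of this thread (constructed): both addresses redirect to HTTPS, IPv6 has no TLS on 443."""
    def fake_fetch(addr, url):
        if url.startswith("http://"):
            return 301, "https://" + url[len("http://"):]
        if addr.startswith("2001:"):
            raise ssl.SSLError("wrong version number")  # plain HTTP answered on 443
        return 200, None
    addrs = ["87.98.156.47", "2001:41d0:c:f12::1"]
    return check("hexa-gone.com", "constructed-token", lambda h: addrs, fake_fetch)
```

Run `check("your.domain", "<token>")` from a host with both IPv4 and IPv6 connectivity; any address that reports "error" or "bad-status" is one the CA could pick and fail on.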

