LE renewal suddenly returns 404 via Webmin/Virtualmin

Hi there,

Help! Sudden problem with renewing a LE certificate. Here are some details.

My domain is: sendy.colcolmail.co.uk
My web server is (include version): nginx 1.10.3
The operating system my web server runs on is (include version): ubuntu 16.04.03
My hosting provider, if applicable, is: AWS EC2
I can login to a root shell on my machine (yes or no, or I don’t know): yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel): yes, webmin 1.941/virtualmin 6.08
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): ?

Problem started on Jan 24th. Error message from the automatic webmin renewal service is:

An error occurred requesting a new certificate for sendy.colcolmail.co.uk from Let's
Encrypt : Web-based validation failed : Failed to request certificate : <pre>Traceback
(most recent call last):
  File "/usr/share/webmin/webmin/acme_tiny.py", line 198, in <module>
    main(sys.argv[1:])
  File "/usr/share/webmin/webmin/acme_tiny.py", line 194, in main
    signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca,
disable_check=args.disable_check, directory_url=args.directory_url, contact=args.contact)
  File "/usr/share/webmin/webmin/acme_tiny.py", line 143, in get_crt
    raise ValueError("Wrote file to {0}, but couldn't download {1}: {2}".format(wellknown_path,
wellknown_url, e))
ValueError: Wrote file to /home/sendy/public_html/.well-known/acme-challenge/3lkoagEKexItREBcO7Vxkd-UosLSx8C7hi-jc9dLUtg,
but couldn't download http://sendy.colcolmail.co.uk/.well-known/acme-challenge/3lkoagEKexItREBcO7Vxkd-UosLSx8C7hi-jc9dLUtg:
Error:
Url: http://sendy.colcolmail.co.uk/.well-known/acme-challenge/3lkoagEKexItREBcO7Vxkd-UosLSx8C7hi-jc9dLUtg
Data: None
Response Code: 404
Response: <html>
<head><title>404 Not Found</title></head>
<body bgcolor="white">
<center><h1>404 Not Found</h1></center>
<hr><center>nginx/1.10.3 (Ubuntu)</center>
</body>
</html>
DNS-based validation failed : Failed to request certificate : usage: acme_tiny.py  [-h] --account-key ACCOUNT_KEY --csr CSR --acme-dir
                    ACME_DIR [--quiet] [--disable-check]
                    [--directory-url DIRECTORY_URL] [--ca CA]
                    [--contact [CONTACT [CONTACT ...]]]
acme_tiny.py: error: argument --acme-dir is required

The acme-challenge file is there, so I am not sure why the 404 is returned. This seems to work: https://letsdebug.net/sendy.colcolmail.co.uk/97582

Have looked at the following:


https://unboundtest.com/m/CAA/sendy.colcolmail.co.uk/3KDJUUNK

The first link has some scary ‘fatal error’ text. I am not a techie, so I am not sure what is going on. Bit worried that my LE cert will now expire within 2 weeks without a renewal.

Virtualmin has had issues with LE renewals, with the latest releases referring to LE/certbot:


I updated from v1.930 to v1.941 on Jan 25th, so a day after the renewal failures started.

I will ask on the Virtualmin forum about this but thought I would ask here as well, just in case anyone has any ideas?

Maynard

1 Like

Hi @colcol

that's curious.

Checked with my browser - the file is there.

Checked with a local download (like curl) - the file is there.

Checked directly via "check-your-website" - https://check-your-website.server-daten.de/?q=sendy.colcolmail.co.uk%2F.well-known%2Facme-challenge%2F3lkoagekexitrebco7vxkd-uoslsx8c7hi-jc9dlutg

The same address - has a http status 404 - Not Found:

Domainname Http-Status redirect Sec. G
http://sendy.colcolmail.co.uk/.well-known/acme-challenge/3lkoagekexitrebco7vxkd-uoslsx8c7hi-jc9dlutg 52.16.62.68 GZip used - 141 / 178 - 20,79 % 404 Html is minified: 108,54 % 0.090 M
Not Found
https://sendy.colcolmail.co.uk/.well-known/acme-challenge/3lkoagekexitrebco7vxkd-uoslsx8c7hi-jc9dlutg 52.16.62.68 GZip used - 141 / 178 - 20,79 %
Inline-JavaScript (∑/total): 0/0 Inline-CSS (∑/total): 0/0 404 Html is minified: 108,54 % 3.596 M
Not Found

Is there a bot detection system that blocks?

Looks like some IP addresses or too many checks are blocked.

Is it possible to skip that precheck in Webmin?


Yep, there must be another filter:

D:\temp>download http://sendy.colcolmail.co.uk/.well-known/acme-challenge/3lkoagEKexItREBcO7Vxkd-UosLSx8C7hi-jc9dLUtg -h
SystemDefault
Connection: keep-alive
Accept-Ranges: bytes
Content-Length: 87
Content-Type: application/octet-stream
Date: Sun, 02 Feb 2020 18:50:26 GMT
ETag: "5e37100e-57"
Last-Modified: Sun, 02 Feb 2020 18:08:14 GMT
Server: nginx/1.10.3 (Ubuntu)

Status: 200 OK

126,27 milliseconds
0,13 seconds

D:\temp>curl http://sendy.colcolmail.co.uk/.well-known/acme-challenge/3lkoagEKexItREBcO7Vxkd-UosLSx8C7hi-jc9dLUtg
3lkoagEKexItREBcO7Vxkd-UosLSx8C7hi-jc9dLUtg.S-ioFVYBdwo6CicVxA_rTWJ7OKa28s9vVg-8BzwwRa8
D:\temp>download http://sendy.colcolmail.co.uk/.well-known/acme-challenge/3lkoagekexitrebco7vxkd-uoslsx8c7hi-jc9dlutg -h
SystemDefault
Error (1): Der Remoteserver hat einen Fehler zurückgegeben: (404) Nicht gefunden.
ProtocolError
Connection: keep-alive
Content-Length: 178
Content-Type: text/html
Date: Sun, 02 Feb 2020 18:56:24 GMT
Server: nginx/1.10.3 (Ubuntu)

Status: 404 NotFound
404

160,06 milliseconds
0,16 seconds

D:\temp>curl http://sendy.colcolmail.co.uk/.well-known/acme-challenge/3lkoagEKexItREBcO7Vxkd-UosLSx8C7hi-jc9dLUtg
3lkoagEKexItREBcO7Vxkd-UosLSx8C7hi-jc9dLUtg.S-ioFVYBdwo6CicVxA_rTWJ7OKa28s9vVg-8BzwwRa8
D:\temp>

Download - worked. Curl - worked. Again Download - doesn't work. Curl - worked again.

You have to find and remove or deactivate that filter (if the path starts with /.well-known/). Perhaps it's in your configuration or it's your hoster.

1 Like
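An added example (not part of the thread and not Webmin's code): the two `download` requests in the session above differ only in the letter case of the token in the URL, and file names on a typical Linux filesystem are case-sensitive, so that is worth ruling out before hunting for a filter. The sketch below reads nginx access-log lines and labels each 404 under `/.well-known/acme-challenge/` as a case mismatch or a genuinely missing file; the log lines, the temporary webroot and the function names are constructed for illustration.

```python
import os
import re
import tempfile

PREFIX = "/.well-known/acme-challenge/"
# Request and status fields of nginx's default "combined" access-log format.
LOG_RE = re.compile(r'"(?:GET|HEAD) (\S+) HTTP/[\d.]+" (\d{3}) ')
TOKEN = "3lkoagEKexItREBcO7Vxkd-UosLSx8C7hi-jc9dLUtg"  # token quoted in the thread

# Constructed log lines (documentation IPs), modelled on the requests above.
SAMPLE_LOG = [
    '192.0.2.10 - - [02/Feb/2020:18:50:26 +0000] "GET ' + PREFIX + TOKEN + ' HTTP/1.1" 200 87 "-" "curl"',
    '192.0.2.20 - - [02/Feb/2020:18:56:24 +0000] "GET ' + PREFIX + TOKEN.lower() + ' HTTP/1.1" 404 178 "-" "checker"',
    '192.0.2.30 - - [02/Feb/2020:18:57:01 +0000] "GET ' + PREFIX + 'constructed-stale-token HTTP/1.1" 404 178 "-" "checker"',
]

def classify(path, webroot):
    """Relate a requested challenge path to the files actually on disk."""
    token = path[len(PREFIX):]
    challenge_dir = os.path.join(webroot, ".well-known", "acme-challenge")
    try:
        names = os.listdir(challenge_dir)
    except FileNotFoundError:
        return "no-challenge-dir"
    if token in names:                      # byte-for-byte match
        return "exact-match"
    if token.lower() in (n.lower() for n in names):
        return "case-mismatch"              # client altered the token's case
    return "missing"                        # file absent or already cleaned up

def explain_404s(log_lines, webroot):
    """Return (path, reason) for every 404 on an ACME challenge path."""
    findings = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if m and m.group(2) == "404" and m.group(1).startswith(PREFIX):
            findings.append((m.group(1), classify(m.group(1), webroot)))
    return findings

def demo():
    """Build a throwaway webroot holding the token file and analyse SAMPLE_LOG."""
    with tempfile.TemporaryDirectory() as webroot:
        challenge_dir = os.path.join(webroot, ".well-known", "acme-challenge")
        os.makedirs(challenge_dir)
        with open(os.path.join(challenge_dir, TOKEN), "w") as fh:
            fh.write("constructed-key-authorization")
        return explain_404s(SAMPLE_LOG, webroot)

if __name__ == "__main__":
    for path, reason in demo():
        print(reason, path)
```

On a real server, pass the lines of the nginx access log and the site's document root to `explain_404s` while the challenge file is still in place.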

Many thanks for the prompt reply. Seems like a Webmin issue. I will await their response.
Regards
Maynard

1 Like

Same problem on centos 7 with:
Webmin version 1.941
Usermin version 1.791
Virtualmin version 6.08

2 Likes

I have asked at Virtualmin here:

2 Likes

I don’t know if that blocking instance is from Webmin or from another tool.

May be completely independent from Webmin. Then the virtualmin forum can’t help.

It’s your configuration.

1 Like

Hi Juergen,

Thanks for the reply. From the Virtualmin forum, the issue was Virtualmin, which now needs certbot installed to work properly.

"Ubuntu 16 provides certbot package. Give it a try."

apt-get install certbot

Maynard

1 Like
