Letsencrypt renewal constantly failing

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
xorex.rocks

I ran this command:
Virtualmin:Server Configuration:SSL Certificate:Let’s Encrypt:Request certificate for: Domain names listed here:

xorex.rocks
www.xorex.rocks
mail.xorex.rocks
ftp.xorex.rocks

It produced this output:

Requesting a certificate for xorex.rocks, www.xorex.rocks, mail.xorex.rocks, ftp.xorex.rocks, m.xorex.rocks from Let’s Encrypt …
… request failed : Web-based validation failed : Failed to request certificate :
Traceback (most recent call last):
  File "/usr/share/webmin/webmin/acme_tiny.py", line 198, in <module>
    main(sys.argv[1:])
  File "/usr/share/webmin/webmin/acme_tiny.py", line 194, in main
    signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca, disable_check=args.disable_check, directory_url=args.directory_url, contact=args.contact)
  File "/usr/share/webmin/webmin/acme_tiny.py", line 143, in get_crt
    raise ValueError("Wrote file to {0}, but couldn't download {1}: {2}".format(wellknown_path, wellknown_url, e))
ValueError: Wrote file to /home/xorex/public_html/.well-known/acme-challenge/4C6uQxNIxN-GdvICyelwhmP3072UZlmcPnQSxO9sy94, but couldn’t download http://xorex.rocks/.well-known/acme-challenge/4C6uQxNIxN-GdvICyelwhmP3072UZlmcPnQSxO9sy94: Error:
Url: http://xorex.rocks/.well-known/acme-challenge/4C6uQxNIxN-GdvICyelwhmP3072UZlmcPnQSxO9sy94
Data: None
Response Code: 404
Response:

404 Not Found

Not Found

The requested URL was not found on this server.

, DNS-based validation failed : Failed to request certificate :
usage: acme_tiny.py [-h] --account-key ACCOUNT_KEY --csr CSR --acme-dir ACME_DIR
                    [--quiet] [--disable-check] [--directory-url DIRECTORY_URL]
                    [--ca CA] [--contact [CONTACT [CONTACT ...]]]
acme_tiny.py: error: argument --acme-dir is required

My web server is (include version):
Apache version 2.4.38 (apache2)

The operating system my web server runs on is (include version):
Debian Linux 10

My hosting provider, if applicable, is:
OVH

I can login to a root shell on my machine (yes or no, or I don’t know):
Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
Yes. Webmin version 1.942 Virtualmin version 6.09
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
No. Automated Virtualmin process

I have received over 40 error emails per day for the last couple of weeks from my server telling me that it fails renewing the certificate that I installed. If I try to renew or regenerate a certificate manually, the same happens.

I have tested everything I know that I can and it will not clear. The error message is not helpful so I have no idea what the problem is. It was all working fine, I have done nothing to change the server, the system simply started failing.

Can anyone please help me sort this out?

Additionally, I have had to turn off all email services so this is becoming increasingly critical.

More information. The python script is writing to the folder acme-challenge OK, and both http and https calls to

http://xorex.rocks/.well-known/acme-challenge/9De4T0AFHFh7Dmd-c2wlLHuog-1ofOu-R7s2wltyaMc
https://xorex.rocks/.well-known/acme-challenge/9De4T0AFHFh7Dmd-c2wlLHuog-1ofOu-R7s2wltyaMc

show in the web browser, so why is it not being read by (downloaded by) the script?

Geoff

Also, from the error message, clicking the first link (which for some reason ends in a colon [:]) given after “…but couldn’t download” does not work but clicking the second link after “Error: Url:” does!

Thanks,

Geoff

Hi @GeoffatMM

the first link doesn’t work, http status 404 - not found.

The second - again and again - your port 443 is a http port, not a https port. Same with your older checks - last from 2020-07-14 - https://check-your-website.server-daten.de/?q=xorex.rocks - Grade Q.

And (didn’t check your domain now) there are some critical Grade K - different ip addresses (ipv4 / ipv6) with different results.

Or short: Completely buggy configuration, some weeks old.


Juergen

I apologise but I do not understand your reply, probably because I am an amateur and not a professional like you. I try to learn but it is not always that easy.

Both of the links in your response work for me so I do not know why you say that the first does not for you. All http calls except for .well-known are redirected to https by this directive in apache:

RewriteEngine on
# Escape the dot so the exclusion matches only the literal "/.well-known" path prefix
RedirectMatch ^/(?!\.well-known)(.*)$ https://xorex.rocks/$1

and this has been working for some time.

I do not understand your comment “The second - again and again - your port 443 is a http port, not a https port.”

I have not done anything to port 443 and I have (perhaps naively) assumed it automatically is an https port. If not, how do I change it? When the site is accessed the padlock comes up and shows the certificate, so why do you say it is http and not https please? The virtual server says it is SSL enabled so I am unsure why it is not working properly (other than the certificate has expired!).

When I use Chrome I do get an error as it tells me the site is not secure but cannot now tell if that is because of a problem with port 443 or because the certificate is now invalid.

Could I start with how to solve this item from your server? (I have discovered I get the same message when I try):

http://xorex.rocks:443/ 51.75.171.43 400 Html is minified: 100.28 % 0.060 Q
Bad Request
Visible Content: Bad Request Your browser sent a request that this server could not understand. Reason: You’re speaking plain HTTP to an SSL-enabled server port. Instead use the HTTPS scheme to access this URL, please.

How do I overcome this and enable outgoing SSL communications?

Geoff


The request succeeds when done over IPv4, but fails over IPv6:

$ curl -4 http://xorex.rocks/.well-known/acme-challenge/9De4T0AFHFh7Dmd-c2wlLHuog-1ofOu-R7s2wltyaMc
9De4T0AFHFh7Dmd-c2wlLHuog-1ofOu-R7s2wltyaMc.2M41MZZBg-QaUoqNW3Xai38jMM2wZ4E_dqBQm6lm-eE

$ curl -6 http://xorex.rocks/.well-known/acme-challenge/9De4T0AFHFh7Dmd-c2wlLHuog-1ofOu-R7s2wltyaMc

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">

<html><head>

<title>404 Not Found</title>

</head><body>

<h1>Not Found</h1>

<p>The requested URL was not found on this server.</p>

</body></html>

If you see the correct text when visiting those URLs, it probably means whatever Internet connection you’re using only has IPv4. (Not uncommon.) But your web site is configured with IPv6 support, and since Let’s Encrypt supports IPv6 it will prefer the IPv6 address.

Web servers will normally respond identically over v4 and v6, so something strange is going on. Your server’s IPv4 address is 51.75.171.43 and its IPv6 address is 2001:41d0:801:2000::2097. Are you sure these are actually the same server? If not, you should update the AAAA record with the correct IPv6 address, or remove the AAAA record entirely if the correct server doesn’t actually support IPv6.


Ben
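The check Ben describes above, done with `curl -4` and `curl -6`, can be scripted so the two address families are probed the same way an ACME CA that prefers the AAAA record would see them. This is an added example, not code from the thread, from Virtualmin or from acme_tiny; the domain, token and addresses in the demo are constructed (documentation ranges), and `diagnose()` only touches the network when you pass a real domain and token on the command line.

```python
"""Compare HTTP-01 challenge reachability over IPv4 and IPv6 for one domain.

Added example, not code from the thread or from acme_tiny. The constructed
demo values below mirror the thread's symptom: IPv4 serves the key
authorization, IPv6 returns the web server's 404 page.
"""
import http.client
import socket
import sys
from dataclasses import dataclass
from typing import Optional, Tuple

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"


@dataclass
class Probe:
    family: str             # "IPv4" or "IPv6"
    address: Optional[str]  # resolved address, None when there is no A/AAAA record
    status: Optional[int]   # HTTP status, None when the connection itself failed
    body: str               # decoded response body (or the error text)


def resolve(domain: str, family: int) -> Optional[str]:
    """Return the first A (AF_INET) or AAAA (AF_INET6) address, or None if absent."""
    try:
        infos = socket.getaddrinfo(domain, 80, family, socket.SOCK_STREAM)
    except socket.gaierror:
        return None
    return infos[0][4][0] if infos else None


def fetch_challenge(domain: str, token: str, address: str, family: int,
                    timeout: float = 10.0) -> Probe:
    """GET the challenge path from one specific address.

    The Host header carries the domain so name-based virtual hosts pick the
    same site the CA would reach; an IPv6 literal must be bracketed."""
    label = "IPv6" if family == socket.AF_INET6 else "IPv4"
    literal = f"[{address}]" if family == socket.AF_INET6 else address
    conn = http.client.HTTPConnection(literal, 80, timeout=timeout)
    try:
        conn.request("GET", CHALLENGE_PREFIX + token, headers={"Host": domain})
        resp = conn.getresponse()
        return Probe(label, address, resp.status, resp.read().decode("utf-8", "replace"))
    except OSError as exc:
        return Probe(label, address, None, str(exc))
    finally:
        conn.close()


def key_authorization_ok(body: str, token: str) -> bool:
    """An HTTP-01 response body must be '<token>.<account-key thumbprint>' and nothing else."""
    text = body.strip()
    return text.startswith(token + ".") and len(text) > len(token) + 1 and "\n" not in text


def classify(v4: Probe, v6: Probe, token: str) -> str:
    """Turn the two probes into a verdict the site operator can act on."""
    ok4 = v4.status == 200 and key_authorization_ok(v4.body, token)
    ok6 = v6.status == 200 and key_authorization_ok(v6.body, token)
    if v6.address is None:
        return ("ok: no AAAA record, IPv4 serves the challenge" if ok4
                else "broken: no AAAA record and IPv4 does not serve the challenge")
    if ok4 and ok6:
        return "ok: both address families serve the challenge"
    if ok4 and not ok6:
        # The thread's case: the CA prefers the AAAA record, so validation fails.
        return (f"split-brain: IPv4 serves the challenge but IPv6 ({v6.address}) returned "
                f"{v6.status}; fix the AAAA record or remove it until the host serves IPv6")
    if ok6 and not ok4:
        return f"split-brain: IPv6 serves the challenge but IPv4 ({v4.address}) returned {v4.status}"
    return f"broken: neither address family serves the challenge (IPv4 {v4.status}, IPv6 {v6.status})"


def diagnose(domain: str, token: str) -> Tuple[Probe, Probe, str]:
    """Resolve both record types, probe each, and classify (network access required)."""
    probes = []
    for label, family in (("IPv4", socket.AF_INET), ("IPv6", socket.AF_INET6)):
        addr = resolve(domain, family)
        probes.append(fetch_challenge(domain, token, addr, family) if addr
                      else Probe(label, None, None, ""))
    return probes[0], probes[1], classify(probes[0], probes[1], token)


# Constructed offline demo data (documentation addresses, made-up token/thumbprint).
DEMO_TOKEN = "tok3n"
DEMO_V4 = Probe("IPv4", "192.0.2.10", 200, "tok3n.thumbpr1nt\n")
DEMO_V6 = Probe("IPv6", "2001:db8::1", 404, "<html><h1>Not Found</h1></html>")

if __name__ == "__main__":
    if len(sys.argv) == 3:
        v4, v6, verdict = diagnose(sys.argv[1], sys.argv[2])
    else:
        v4, v6, verdict = DEMO_V4, DEMO_V6, classify(DEMO_V4, DEMO_V6, DEMO_TOKEN)
    for p in (v4, v6):
        print(f"{p.family:4} {p.address or '(no record)':40} status={p.status}")
    print(verdict)
```

Run it as `python3 probe_http01.py example.invalid <token>` after placing a challenge file, or with no arguments for the offline demo. The verdict for the constructed data is the split-brain case from the thread, which points at the AAAA record rather than at the web server's document root.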

Thank you very much for your response and sorry it has taken time to get back to you. The entry of IPv6 was right but a reverse lookup (ptr:2001:41d0:801:2000::2097) does not find anything so something is not right. It is difficult for me as my ISP is SFR in France and they are not yet supporting IPv6 for my router.

I have removed the IPv6 entry from my BIND server and I guess it will take a little time to propagate, so I will try now and then monitor it to see if the problem is resolved. I will sort IPv6 later!

Thanks again.

Geoff


Sadly this does not appear to have resolved the situation. Any other ideas?

Hi, I am still having problems. I have turned off IPv6 on my dns server but my secondary server (from OVH) is still issuing an IPv6 reference and I assume that could still be the problem.

Is there a way to force the renewal of the certificate to use IPv4 only?

If not, it looks like I will have to resolve the IPv6 issues on my server which I am not looking forward to.

Any ideas please?

That’s wrong, there is no ipv6.

Checking your domain - https://check-your-website.server-daten.de/?q=xorex.rocks - Grade I.

A certificate:

CN=xorex.rocks
	18.08.2020
	16.11.2020
expires in 87 days	ftp.xorex.rocks, m.xorex.rocks, 
mail.xorex.rocks, www.xorex.rocks, xorex.rocks - 5 entrie

used with both connections.

The wrong Grade Q is fixed.

Some minor mixed content, fix that.

PS: Using an Ipv6-ready-image on a site without AAAA record is a little bit curious.

Juergen, thanks.

I do not know how that has got past me but it appears on the 19th the renewal went through and the site is working properly again.

I will continue to try to improve the site using your link.

Thanks.

Geoff
