Renew Certificate Failed

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

I have had this server up and running for 3 years and have never had a problem with the renewals occurring automatically. The webserver went to renew the cert the other day and failed. I don't know why, as nothing has changed. I was hoping to be able to isolate what was failing, or what was being looked for, by running some things manually. I tried certbot renew --dry-run, and this came back successful. I tried looking into the logs, comparing a successful renewal log from last year to this one that failed, to see if I could determine what was failing, but nothing jumped out at me.

My domain is: www.microlite.com

I ran this command: Not sure, as I am receiving an email that gives me the error.

It produced this output: Let's Encrypt : Domain has no website, and DNS-based validation is not possible

My web server is (include version): Apache, 2.4.37

The operating system my web server runs on is (include version): Rocky Linux 8.8

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): VirtualMin

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 1.22.0

What does this show?

sudo certbot certificates

Because I see a fresh cert issued yesterday. See crt.sh | 12735675808

Also, you say you got an email about an error. Let's Encrypt would not email for errors. Your ACME Client, or perhaps a cert monitoring tool, might do that. And, those exact words are not something I recognize as coming from Let's Encrypt.

Who was the sender of that email?

Your Apache is not yet using this fresh cert so that is a different problem.

3 Likes

It appears that those emails are being sent by VirtualMin.

When I ran the certificates command, I do see what appear to be new certificates:

Certificate Name: microlite.com
Serial Number: 3bf86c6c3c5a948539637b7decaaf19a72e
Key Type: RSA
Domains: microlite.com backupedge.com linuxbackups.com recoveredge.com unixbackups.com www.backupedge.com www.linuxbackups.com www.microlite.com www.recoveredge.com www.unixbackups.com
Expiry Date: 2024-07-14 19:00:05+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/microlite.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/microlite.com/privkey.pem

Which clearly means I do have the new certificates, like your records indicate, but I am assuming that Apache not using the new one is the reason why I would be seeing the old certificate dates when looking at www.microlite.com. If I look into the Webmin SSL certificate information, I am seeing it point to two files, ssl.cert and ssl.key. Do I need to do some other file processing of the .pem files to create the SSL website-friendly files? Sorry, I am aware I know just enough to be dangerous and not enough to be useful here.

2 Likes

Yes, that is the reason.

I don't know enough about how VirtualMin interacts with Certbot to help sort out your config problem with those two. A VirtualMin forum might be best. Or possibly a different volunteer here with experience in VirtualMin.

I know you said nothing changed but something must have. I would focus on any changes to VirtualMin since the date of your previously issued cert (Feb 3).

Possibly. Those are not the names of the .pem files created by Certbot. But why you didn't before and would need to now is odd. Seems like something VirtualMin should be handling for you.

3 Likes

If anyone happens to know, that would be great. I will certainly try a forum over there. Thanks for your help, I really appreciate it.

2 Likes

I just wanted to post the resolution for this, since I was not having luck searching for these file names, so that this might help anyone else who trips across this problem.

To translate the .pem files created by Certbot to files for Apache, I did the following:
cat /etc/letsencrypt/live/DOMAIN/privkey.pem >/home/DOMAIN/ssl.key
cat /etc/letsencrypt/live/DOMAIN/cert.pem >/home/DOMAIN/ssl.cert
cat /etc/letsencrypt/live/DOMAIN/chain.pem >/home/DOMAIN/ssl.ca
cat /etc/letsencrypt/live/DOMAIN/fullchain.pem >/home/DOMAIN/ssl.combined
cat /etc/letsencrypt/live/DOMAIN/privkey.pem /etc/letsencrypt/live/DOMAIN/fullchain.pem >/home/DOMAIN/ssl.everything

Then I restarted Apache. This appears to have been the way to solve the problem manually, regardless of what stopped working correctly with VirtualMin.

Again, thank you for all the help.

1 Like

Apache can use the .pem files directly from the /etc/letsencrypt/live/DOMAIN folder.

You might want to change the Apache config to use them so you don't have to take this extra step to copy them.

On modern Apache you just need the two certificate config lines, like:

SSLCertificateFile    /etc/letsencrypt/live/DOMAIN/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/DOMAIN/privkey.pem

If VirtualMin is modifying your Apache config though then manual changes might not persist.

3 Likes
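
The manual copy from the resolution post, written as a Certbot deploy hook so it reruns after every successful renewal. This is an added example, not code from the thread or from VirtualMin: the ssl.* names and the /home/DOMAIN placeholder come from the post, while the function name `sync_lineage`, the `DEST_DIR` variable, the file modes and the reload command are assumptions.

```shell
#!/bin/sh
# Added example: Certbot deploy hook repeating the manual copy from the thread.
# Install it executable under /etc/letsencrypt/renewal-hooks/deploy/.
# DEST_DIR (/home/DOMAIN placeholder) and the reload command are assumptions.

# sync_lineage LIVE_DIR DEST_DIR
# Writes ssl.key, ssl.cert, ssl.ca, ssl.combined, ssl.everything into DEST_DIR.
# Files containing the private key get mode 0600, the others 0644.
sync_lineage() {
    live=$1
    dest=$2
    # Refuse to replace working files from an incomplete lineage.
    for f in privkey.pem cert.pem chain.pem fullchain.pem; do
        [ -s "$live/$f" ] || { echo "missing or empty: $live/$f" >&2; return 1; }
    done
    # Stage on the same filesystem, then rename, so Apache never sees a
    # half-written file.
    stage=$(mktemp -d "$dest/.ssl-stage.XXXXXX") || return 1
    old_umask=$(umask)
    umask 077
    rc=0
    {
        cat "$live/privkey.pem"   > "$stage/ssl.key" &&
        cat "$live/cert.pem"      > "$stage/ssl.cert" &&
        cat "$live/chain.pem"     > "$stage/ssl.ca" &&
        cat "$live/fullchain.pem" > "$stage/ssl.combined" &&
        cat "$live/privkey.pem" "$live/fullchain.pem" > "$stage/ssl.everything" &&
        chmod 644 "$stage/ssl.cert" "$stage/ssl.ca" "$stage/ssl.combined"
    } || rc=1
    if [ "$rc" -eq 0 ]; then
        for f in ssl.key ssl.cert ssl.ca ssl.combined ssl.everything; do
            mv -f "$stage/$f" "$dest/$f" || rc=1
        done
    fi
    umask "$old_umask"
    rm -rf "$stage"
    return "$rc"
}

# Certbot exports RENEWED_LINEAGE (the live/ directory) to deploy hooks.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    sync_lineage "$RENEWED_LINEAGE" "${DEST_DIR:-/home/DOMAIN}" &&
        systemctl reload httpd  # assumed service name for Apache on Rocky Linux
fi
```

The copied files end up owned by the user running Certbot; change ownership afterwards if the control panel expects the domain owner to hold them.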