Renew certificate with webmin

Hi, I have been automatically renewing my Let’s Encrypt certificate with Webmin for years, but a few weeks ago the renewal failed (which blocked Apache, which means my site is down at the moment). When I tried to request a certificate manually, I got the error message below.

I ran this command: Renew certificate through Webmin

It produced this output:

.. request failed : Web-based validation failed : Failed to request certificate :
Traceback (most recent call last):
File "/usr/share/webmin/webmin/acme_tiny.py", line 198, in
main(sys.argv[1:])
File "/usr/share/webmin/webmin/acme_tiny.py", line 194, in main
signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca, disable_check=args.disable_check, directory_url=args.directory_url, contact=args.contact)
File "/usr/share/webmin/webmin/acme_tiny.py", line 149, in get_crt
raise ValueError("Challenge did not pass for {0}: {1}".format(domain, authorization))
ValueError: Challenge did not pass for www.website.net: {'expires': '2020-12-24T20:20:53Z', 'challenges': [{'url': 'https://acme-v02.api.letsencrypt.org/acme/chall-v3/9387379727/hLLYHQ', 'token': 'rw-IpRcbsVtzRJ9HxGeACcK_qizEKmc1MWCfWGRNxi8', 'status': 'invalid', 'type': 'http-01', 'validationRecord': [{'port': '80', 'url': 'http://www.website.net/.well-known/acme-challenge/rw-IpRcbsVtzRJ9HxGeACcK_qizEKmc1MWCfWGRNxi8', 'addressUsed': '2606:4700:3030::681c:d4d', 'addressesResolved': ['172.67.132.207', '104.28.12.77', '104.28.13.77', '2606:4700:3030::681c:d4d', '2606:4700:3034::681c:c4d', '2606:4700:3037::ac43:84cf'], 'hostname': 'www.website.net'}], 'error': {'detail': 'Invalid response from http://www.website.net/.well-known/acme-challenge/rw-IpRcbsVtzRJ9HxGeACcK_qizEKmc1MWCfWGRNxi8 [2606:4700:3030::681c:d4d]: "\n\n<!--[if IE 7]> <html class=\"no-js "', 'status': 403, 'type': 'urn:ietf:params:acme:error:unauthorized'}}], 'status': 'invalid', 'identifier': {'value': 'www.website.net', 'type': 'dns'}}
, DNS-based validation failed : Only the offical Let's Encrypt client supports DNS-based validation

My web server is (include version):

The operating system my web server runs on is (include version): Ubuntu Linux 16.04.5

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): Webmin 1.962

I’m also using Cloudflare to manage my DNS but I haven’t modified anything there recently.
Can you help me? Thanks!

1 Like

Not only for DNS: your whole site is behind Cloudflare's CDN.

Also, if your Apache is having issues (which is supported by the Cloudflare 521 "Web server is down" error), you should probably focus on your Apache first. Note that an expired certificate does not "block" Apache: Apache can very happily serve an invalid and expired certificate.

Please debug your Apache issue first, make sure Cloudflare can actually connect to your webserver and try again.

1 Like
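
An added diagnostic example (not part of the thread, Webmin or acme_tiny) for the failure discussed above: it parses the authorization object from the `ValueError` text and reports whether the http-01 validation request reached your origin server or some other address such as a CDN proxy, and whether the response was an HTML page instead of the challenge token. The function name `diagnose`, its `origin_addrs` parameter and the sample message are assumptions constructed for illustration.

```python
import ast
import ipaddress

# Constructed sample shaped like the authorization object in the traceback
# (hostname, token and addresses are placeholders, not values from the thread).
SAMPLE = (
    "Challenge did not pass for www.example.net: "
    "{'status': 'invalid', 'identifier': {'value': 'www.example.net', 'type': 'dns'}, "
    "'challenges': [{'type': 'http-01', 'status': 'invalid', 'token': 'TOKEN', "
    "'validationRecord': [{'hostname': 'www.example.net', 'port': '80', "
    "'addressUsed': '2001:db8::10', "
    "'addressesResolved': ['192.0.2.10', '2001:db8::10']}], "
    "'error': {'type': 'urn:ietf:params:acme:error:unauthorized', 'status': 403, "
    "'detail': 'Invalid response from http://www.example.net/.well-known/"
    "acme-challenge/TOKEN [2001:db8::10]: \"<!DOCTYPE html><html>\"'}}]}"
)


def diagnose(message, origin_addrs):
    """Summarise each failed challenge in acme_tiny's 'Challenge did not pass' text.

    origin_addrs (hypothetical parameter): the addresses your web server really
    listens on, so a validation that hit a proxy in front of it can be spotted.
    """
    # acme_tiny prints the authorization as a Python dict repr, so literal_eval
    # parses it safely (no code execution, unlike eval).
    authz = ast.literal_eval(message[message.index("{"):])
    origin = {ipaddress.ip_address(a) for a in origin_addrs}
    findings = []
    for chall in authz.get("challenges", []):
        if chall.get("status") != "invalid":
            continue
        err = chall.get("error", {})
        # The quoted start of the response body follows "[address]: " in the detail.
        body = err.get("detail", "").partition("]: ")[2].lower()
        for rec in chall.get("validationRecord", []):
            used = ipaddress.ip_address(rec["addressUsed"])
            findings.append({
                "domain": authz["identifier"]["value"],
                "type": chall["type"],
                "http_status": err.get("status"),
                "address_used": str(used),
                "over_ipv6": used.version == 6,
                "hit_origin": used in origin,          # False: a proxy answered
                "html_body": "<html" in body or "<!doctype" in body,
            })
    return findings
```

A result with `hit_origin` false, an HTTP error status and `html_body` true means the CA received an error page from whatever sits in front of the server, so the web server and proxy path need fixing before the renewal is retried.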

While you're at it, you might want to read about how SSL/TLS works with Cloudflare and save yourself some hassle by using a Cloudflare Origin CA certificate instead of a Let's Encrypt certificate.

2 Likes
