Renewal failed for some reason

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
maksikoms.lv
I ran this command:
I use Virtualmin Letsencrypt option
It produced this output:
```
Traceback (most recent call last):
  File "/usr/share/webmin/webmin/acme_tiny.py", line 198, in <module>
    main(sys.argv[1:])
  File "/usr/share/webmin/webmin/acme_tiny.py", line 194, in main
    signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca, disable_check=args.disable_check, directory_url=args.directory_url, contact=args.contact)
  File "/usr/share/webmin/webmin/acme_tiny.py", line 143, in get_crt
    raise ValueError("Wrote file to {0}, but couldn't download {1}: {2}".format(wellknown_path, wellknown_url, e))
ValueError: Wrote file to /home/maksikoms/public_html/.well-known/acme-challenge/wCti7e45pkQVyN5aKbFQuyjQU3uxUDaICFZW7adhJ4U, but couldn't download http://maksikoms.lv/.well-known/acme-challenge/wCti7e45pkQVyN5aKbFQuyjQU3uxUDaICFZW7adhJ4U: Error:
Url: http://maksikoms.lv/.well-known/acme-challenge/wCti7e45pkQVyN5aKbFQuyjQU3uxUDaICFZW7adhJ4U
Data: None
Response Code: None
Response: <urlopen error [Errno 110] Connection timed out>
```
My web server is (include version):
Apache 2 on Debian 10 with Virtualmin
The operating system my web server runs on is (include version):
Debian 10 with Virtualmin
My hosting provider, if applicable, is:
Own server
I can login to a root shell on my machine (yes or no, or I don’t know):
Yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
Virtualmin
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

In addition I can confirm that using the link
http://maksikoms.lv/.well-known/acme-challenge/wCti7e45pkQVyN5aKbFQuyjQU3uxUDaICFZW7adhJ4U
in a browser from a remote location I actually get the file displayed.
I thought the problem was with the SSL redirect for this folder, but after disabling the redirect nothing changed.
I actually don’t see any requests from Letsencrypt servers to my site in the firewall (I see all requests I make manually from external IPs). Does it mean that Letsencrypt in fact does not check the link?
I see that there is a limit on the number of requests. As I found that renewal failed only after certificate expiration, there were probably enough requests to be over the limit of 20. How can I check this?
Can I validate the certificate manually to get it working for now?

If I can’t make it work, the only way is to disable Letsencrypt and get some static certificate…
Thanks in advance for any ideas,
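
The traceback in the post above shows the `ValueError` raised inside `get_crt` when the client's own `urlopen` of the challenge URL timed out, that is, a fetch made from the server itself rather than by the CA. As an added example (not part of the original post and not code from `acme_tiny.py`), this Python script repeats that fetch when run on the server and labels the failure; the function names and labels are hypothetical.

```python
import errno
import socket
import sys
import urllib.error
import urllib.request


def classify(exc):
    """Map a fetch failure to a coarse cause (labels are this example's own)."""
    if isinstance(exc, urllib.error.HTTPError):
        return "http-%d" % exc.code              # server answered, but not with 200
    reason = getattr(exc, "reason", exc)         # URLError wraps the socket error
    if isinstance(reason, socket.timeout) or \
            getattr(reason, "errno", None) == errno.ETIMEDOUT:
        return "timeout"                         # [Errno 110], as in the traceback
    if isinstance(reason, socket.gaierror):
        return "dns"                             # name does not resolve from here
    if isinstance(reason, ConnectionRefusedError):
        return "refused"                         # nothing listening on that port
    return "other"


def self_check(url, expected=None, opener=urllib.request.urlopen, timeout=10):
    """Fetch the challenge URL the way the client's local check does."""
    try:
        with opener(url, timeout=timeout) as resp:
            body = resp.read().decode("utf8", "replace").strip()
    except OSError as exc:                       # URLError and HTTPError subclass OSError
        return classify(exc)
    if expected is not None and body != expected:
        return "wrong-body"                      # reachable, but serving other content
    return "ok"


if __name__ == "__main__":
    # Usage (on the web server itself): python3 self_check.py <challenge URL>
    print(self_check(sys.argv[1]))
```

A `timeout` result from the server combined with a successful download from a remote browser points at the server's own route to its public name, not at the Apache configuration.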

What does this say?:
apachectl -S

```
[Mon Jun 22 13:31:11.611016 2020] [so:warn] [pid 8720] AH01574: module dav_module is already loaded, skipping
VirtualHost configuration:
10.0.2.109:443 is a NameVirtualHost
    default server maxicom.lv (/etc/apache2/sites-enabled/0-maxicom.lv.conf:56)
    port 443 namevhost maxicom.lv (/etc/apache2/sites-enabled/0-maxicom.lv.conf:56)
        alias www.maxicom.lv
        alias webmail.maxicom.lv
        alias admin.maxicom.lv
    port 443 namevhost e-meter.eu (/etc/apache2/sites-enabled/e-meter.eu.conf:69)
        alias www.e-meter.eu
        alias webmail.e-meter.eu
        alias admin.e-meter.eu
    port 443 namevhost maksikoms.lv (/etc/apache2/sites-enabled/maksikoms.lv.conf:58)
        alias www.maksikoms.lv
        wild alias *.maksikoms.lv
*:80 is a NameVirtualHost
    default server maxicom.lv (/etc/apache2/sites-enabled/0-maxicom.lv.conf:1)
    port 80 namevhost maxicom.lv (/etc/apache2/sites-enabled/0-maxicom.lv.conf:1)
        alias www.maxicom.lv
        alias webmail.maxicom.lv
        alias admin.maxicom.lv
    port 80 namevhost e-meter.eu (/etc/apache2/sites-enabled/e-meter.eu.conf:1)
        alias www.e-meter.eu
        alias webmail.e-meter.eu
        alias admin.e-meter.eu
    port 80 namevhost maksikoms.lv (/etc/apache2/sites-enabled/maksikoms.lv.conf:1)
        alias www.maksikoms.lv
        wild alias *.maksikoms.lv
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex authdigest-opaque: using_defaults
Mutex watchdog-callback: using_defaults
Mutex proxy-balancer-shm: using_defaults
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
Mutex authdigest-client: using_defaults
Mutex fcgid-proctbl: using_defaults
Mutex ssl-stapling: using_defaults
Mutex proxy: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/var/run/apache2/" mechanism=default
Mutex mpm-accept: using_defaults
Mutex fcgid-pipe: using_defaults
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
Define: ENABLE_USR_LIB_CGI_BIN
User: name="www-data" id=33
Group: name="www-data" id=33
```

Can we see this file?:
/etc/apache2/sites-enabled/maksikoms.lv.conf

Content of file:
```
<VirtualHost *:80>
    SuexecUserGroup "#1004" "#1003"
    ServerName maksikoms.lv
    ServerAlias www.maksikoms.lv
    #ServerAlias webmail.maksikoms.lv
    #ServerAlias admin.maksikoms.lv
    ServerAlias *.maksikoms.lv
    DocumentRoot /home/maksikoms/public_html
    ErrorLog /var/log/virtualmin/maksikoms.lv_error_log
    CustomLog /var/log/virtualmin/maksikoms.lv_access_log combined
    ScriptAlias /cgi-bin/ /home/maksikoms/cgi-bin/
    ScriptAlias /awstats/ /home/maksikoms/cgi-bin/
    DirectoryIndex index.html index.htm index.php index.php4 index.php5
    <Directory /home/maksikoms/public_html>
        Options -Indexes +IncludesNOEXEC +SymLinksIfOwnerMatch +ExecCGI
        allow from all
        AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
        Require all granted
        AddType application/x-httpd-php .php
        AddHandler fcgid-script .php
        AddHandler fcgid-script .php5
        AddHandler fcgid-script .php7.0
        AddHandler fcgid-script .php7.3
        FCGIWrapper /home/maksikoms/fcgi-bin/php5.fcgi .php
        FCGIWrapper /home/maksikoms/fcgi-bin/php5.fcgi .php5
        FCGIWrapper /home/maksikoms/fcgi-bin/php7.0.fcgi .php7.0
        FCGIWrapper /home/maksikoms/fcgi-bin/php7.3.fcgi .php7.3
    </Directory>
    <Directory /home/maksikoms/cgi-bin>
        allow from all
        AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
        Require all granted
    </Directory>
    <Directory /home/maksikoms/.well-known/acme-challenge>
        allow from all
        AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
        Require all granted
    </Directory>
    RewriteEngine on
    RewriteCond %{HTTP_HOST} =webmail.maksikoms.lv
    RewriteRule ^(.*) https://maksikoms.lv:20000/ [R]
    RewriteCond %{HTTP_HOST} =admin.maksikoms.lv
    RewriteRule ^(.*) https://maksikoms.lv:10000/ [R]
    RemoveHandler .php
    RemoveHandler .php5
    RemoveHandler .php7.0
    RemoveHandler .php7.3
    php_admin_value engine Off
    IPCCommTimeout 31
    FcgidMaxRequestLen 1073741824
    <Files awstats.pl>
        AuthName "maksikoms.lv statistics"
        AuthType Basic
        AuthUserFile /home/maksikoms/.awstats-htpasswd
        require valid-user
    </Files>
</VirtualHost>
<VirtualHost 10.0.2.109:443>
    SuexecUserGroup "#1004" "#1003"
    ServerName maksikoms.lv
    ServerAlias www.maksikoms.lv
    #ServerAlias webmail.maksikoms.lv
    #ServerAlias admin.maksikoms.lv
    ServerAlias *.maksikoms.lv
    DocumentRoot /home/maksikoms/public_html
    ErrorLog /var/log/virtualmin/maksikoms.lv_error_log
    CustomLog /var/log/virtualmin/maksikoms.lv_access_log combined
    ScriptAlias /cgi-bin/ /home/maksikoms/cgi-bin/
    ScriptAlias /awstats/ /home/maksikoms/cgi-bin/
    DirectoryIndex index.html index.htm index.php index.php4 index.php5
    <Directory /home/maksikoms/public_html>
        Options -Indexes +IncludesNOEXEC +SymLinksIfOwnerMatch +ExecCGI
        allow from all
        AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
        Require all granted
        AddType application/x-httpd-php .php
        AddHandler fcgid-script .php
        AddHandler fcgid-script .php5
        AddHandler fcgid-script .php7.0
        AddHandler fcgid-script .php7.3
        FCGIWrapper /home/maksikoms/fcgi-bin/php5.fcgi .php
        FCGIWrapper /home/maksikoms/fcgi-bin/php5.fcgi .php5
        FCGIWrapper /home/maksikoms/fcgi-bin/php7.0.fcgi .php7.0
        FCGIWrapper /home/maksikoms/fcgi-bin/php7.3.fcgi .php7.3
    </Directory>
    <Directory /home/maksikoms/cgi-bin>
        allow from all
        AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
        Require all granted
    </Directory>
    RewriteEngine on
    #RewriteCond %{HTTP_HOST} =webmail.maksikoms.lv
    #RewriteRule ^(.*) https://maksikoms.lv:20000/ [R]
    #RewriteCond %{HTTP_HOST} =admin.maksikoms.lv
    #RewriteRule ^(.*) https://maksikoms.lv:10000/ [R]
    RemoveHandler .php
    RemoveHandler .php5
    RemoveHandler .php7.0
    RemoveHandler .php7.3
    php_admin_value engine Off
    IPCCommTimeout 31
    FcgidMaxRequestLen 1073741824
    <Files awstats.pl>
        AuthName "maksikoms.lv statistics"
        AuthType Basic
        AuthUserFile /home/maksikoms/.awstats-htpasswd
        require valid-user
    </Files>
    SSLEngine on
    SSLCertificateFile /home/maksikoms/ssl.cert
    SSLCertificateKeyFile /home/maksikoms/ssl.key
    SSLCACertificateFile /home/maksikoms/ssl.ca
    SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
</VirtualHost>
```

Please edit your last post and add a line above and below with just three backticks:
```
your post
```

thanks
impossible to read without it

What I can’t really understand – if I can download the challenge file manually, then there must be no problem with validation, and the problem isn’t with the apache config? But then I have nowhere to look…
I looked at the issued certificates and for a moment thought that certificates are being issued. But looking at the dates I see that it all worked perfectly for 2 years and stopped after the 12th of March 2020, when the last cert was issued.
I think I installed some updates to the server then.
Thanks in advance!

There is a slight discrepancy within these two lines:

```
DocumentRoot /home/maksikoms/public_html
<Directory /home/maksikoms/.well-known/acme-challenge>
```

The .well-known/acme-challenge path should be appended to the document root path.
```
/home/maksikoms/public_html/.well-known/acme-challenge
```

Unrelated, but worth noting:
```
<VirtualHost 10.0.2.109:443>
```
should probably be:
```
<VirtualHost *:443>
```

My mistake, I added it when I started to troubleshoot today. There was a redirect to SSL set in the .htaccess file, and before I found it, I added this directory statement. But now the redirect is disabled.
Before, when the redirect was enabled, entering the test link in a browser still provided the file, but as the cert was expired, it worked only if the browser was accepting this site. Now it works without the redirect, and I can get the file in http:
I'll correct the path now.

Try getting a cert again and review the logs for clues:
/var/log/virtualmin/maksikoms.lv_error_log
/var/log/virtualmin/maksikoms.lv_access_log

I see such lines (by 3, periodically):
```
17.58.88.210 - - [22/Jun/2020:14:02:14 +0300] "GET /.well-known/acme-challenge/wCti7e45pkQVyN5aKbFQuyjQU3uxUDaICFZW7adhJ4U HTTP/1.1" 200 345 "-" "AppleNewsBot"
```

Ignore:

and in errors nothing really looks significant:

[Mon Jun 22 13:43:33.001580 2020] [fcgid:warn] [pid 9825] [client 46.229.168.138:5598] mod_fcgid: stderr: PHP Notice:  Undefined variable: tooltip in /home/maksikoms/public_html/templates/maxicom/html/com_attachments/attachments/default.php on line 119
[Mon Jun 22 13:50:38.605647 2020] [fcgid:warn] [pid 9833] [client 208.73.255.133:49750] mod_fcgid: stderr: PHP Notice:  Array to string conversion in /home/maksikoms/public_html/components/com_content/views/featured/tmpl/default.php on line 96

Those are also unrelated (scanners/hackers).
Look for lines that contain /.well-known/acme-challenge/

Only this appeared again, when tried to renew:

17.58.87.18 - - [22/Jun/2020:14:11:47 +0300] "GET /.well-known/acme-challenge/wCti7e45pkQVyN5aKbFQuyjQU3uxUDaICFZW7adhJ4U: HTTP/1.1" 404 491 "-" "AppleNewsBot"
17.58.87.18 - - [22/Jun/2020:14:11:47 +0300] "GET /.well-known/acme-challenge/wCti7e45pkQVyN5aKbFQuyjQU3uxUDaICFZW7adhJ4U HTTP/1.1" 200 345 "-" "AppleNewsBot"
17.58.87.18 - - [22/Jun/2020:14:11:48 +0300] "GET /.well-known/acme-challenge/wCti7e45pkQVyN5aKbFQuyjQU3uxUDaICFZW7adhJ4U HTTP/1.1" 200 345 "-" "AppleNewsBot"

Only see lines for “AppleNewsBot” , no letsencrypt related anything. But it shows that it is possible to download file. Can’t imagine, why bot needs it, probably downloads everything what it can download.
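
The log review described in the posts above can be done mechanically. As an added example (not part of the original thread), this Python script filters an Apache combined-format access log for challenge requests, counts them per user agent and status, and reports whether any came from the CA. It assumes the CA's requests carry `Let's Encrypt validation server` in the User-Agent; the sample lines, IP addresses and token are constructed.

```python
import re
from collections import Counter

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"')
PREFIX = "/.well-known/acme-challenge/"
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]+$")    # ACME tokens use the base64url alphabet
LE_UA = "Let's Encrypt validation server"     # assumption: substring of the CA's User-Agent

# Constructed sample in the shape of the lines quoted in the thread.
SAMPLE = """\
203.0.113.5 - - [22/Jun/2020:14:11:40 +0300] "GET /index.php HTTP/1.1" 200 5120 "-" "ExampleBot"
203.0.113.5 - - [22/Jun/2020:14:11:47 +0300] "GET /.well-known/acme-challenge/CONSTRUCTEDtoken_0123456789-abc: HTTP/1.1" 404 491 "-" "ExampleBot"
203.0.113.5 - - [22/Jun/2020:14:11:47 +0300] "GET /.well-known/acme-challenge/CONSTRUCTEDtoken_0123456789-abc HTTP/1.1" 200 345 "-" "ExampleBot"
203.0.113.5 - - [22/Jun/2020:14:11:48 +0300] "GET /.well-known/acme-challenge/CONSTRUCTEDtoken_0123456789-abc HTTP/1.1" 200 345 "-" "ExampleBot"
"""


def summarize(lines):
    """Count challenge requests per (user agent, status); flag CA hits and odd tokens."""
    by_agent, bad_tokens, ca_seen = Counter(), [], False
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not m["path"].startswith(PREFIX):
            continue                          # not a challenge request
        by_agent[(m["ua"], m["status"])] += 1
        if LE_UA in m["ua"]:
            ca_seen = True
        token = m["path"][len(PREFIX):]
        if not TOKEN_RE.match(token):
            bad_tokens.append(token)          # e.g. a trailing ':' copied into the URL
    return {"by_agent": by_agent, "ca_seen": ca_seen, "bad_tokens": bad_tokens}


if __name__ == "__main__":
    result = summarize(SAMPLE.splitlines())
    for (agent, status), count in sorted(result["by_agent"].items()):
        print(count, status, agent)
    print("CA validation request seen:", result["ca_seen"])
    print("malformed tokens:", result["bad_tokens"])
```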

17.58.87.18 - - [22/Jun/2020:14:11:48 +0300] "GET /.well-known/acme-challenge/wCti7e45pkQVyN5aKbFQuyjQU3uxUDaICFZW7adhJ4U HTTP/1.1" 200 345 "-" "AppleNewsBot"

Then there may be a DNS problem from their end or access to your IP is blocked from their IP.
Geolocation blocking perhaps…
Do you have an IPS or other firewall inline that might block?

Lets Debug doesn’t show a problem; and that is a very close test to what LE will do.
See: https://letsdebug.net/maksikoms.lv/187168

So, I’m leaning towards GeoLocation type blocking…

By letsencrypt or by my firewall? I don’t have any GEO limitations on my FW. I even removed blacklists, in case letsencrypt got blocked by it.
Any ideas what else to do?