Unable to renew certificates

My domain is: symworld.com

I ran this command: Tried to renew SSL Cert using virtualmin’s interface

It produced this output:
Traceback (most recent call last):
File "/usr/share/webmin/webmin/acme_tiny.py", line 198, in <module>
main(sys.argv[1:])
File "/usr/share/webmin/webmin/acme_tiny.py", line 194, in main
signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca, disable_check=args.disable_check, directory_url=args.directory_url, contact=args.contact)
File "/usr/share/webmin/webmin/acme_tiny.py", line 143, in get_crt
raise ValueError("Wrote file to {0}, but couldn't download {1}: {2}".format(wellknown_path, wellknown_url, e))
ValueError: Wrote file to /home/symworld.com/public_html/.well-known/acme-challenge/gfgICDjtij3qwWDM0a4VF70fvTs5nPTf8kMaf7Vhb8c, but couldn’t download http://www.symworld.com/.well-known/acme-challenge/gfgICDjtij3qwWDM0a4VF70fvTs5nPTf8kMaf7Vhb8c: Error:
Url: http://www.symworld.com/.well-known/acme-challenge/gfgICDjtij3qwWDM0a4VF70fvTs5nPTf8kMaf7Vhb8c
Data: None
Response Code: None
Response: <urlopen error [Errno 110] Connection timed out>

My web server is (include version): Apache2 running on webmin/virtualmin

The operating system my web server runs on is (include version): ubuntu

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): webmin & virtualmin

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

Checked my server access logs and seeing these records after the renewal has timed out:

65.19.128.70 - - [08/Mar/2020:02:12:29 +0800] "GET /.well-known/acme-challenge/gfgICDjtij3qwWDM0a4VF70fvTs5nPTf8kMaf7Vhb8c HTTP/1.1" 404 439 "-" "Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36"
65.19.128.70 - - [08/Mar/2020:02:12:29 +0800] "GET /.well-known/acme-challenge/gfgICDjtij3qwWDM0a4VF70fvTs5nPTf8kMaf7Vhb8c: HTTP/1.1" 404 439 "-" "Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36"
79.244.52.28 - - [08/Mar/2020:02:13:01 +0800] "GET /.well-known/acme-challenge/gfgICDjtij3qwWDM0a4VF70fvTs5nPTf8kMaf7Vhb8c HTTP/1.1" 404 495 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:73.0) Gecko/20100101 Firefox/73.0"
17.58.82.220 - - [08/Mar/2020:02:13:43 +0800] "GET /.well-known/acme-challenge/gfgICDjtij3qwWDM0a4VF70fvTs5nPTf8kMaf7Vhb8c: HTTP/1.1" 404 495 "-" "AppleNewsBot"
17.58.82.220 - - [08/Mar/2020:02:13:43 +0800] "GET /.well-known/acme-challenge/gfgICDjtij3qwWDM0a4VF70fvTs5nPTf8kMaf7Vhb8c HTTP/1.1" 404 495 "-" "AppleNewsBot"
17.58.80.10 - - [08/Mar/2020:02:13:59 +0800] "GET /.well-known/acme-challenge/gfgICDjtij3qwWDM0a4VF70fvTs5nPTf8kMaf7Vhb8c: HTTP/1.1" 404 495 "-" "AppleNewsBot"
17.58.80.10 - - [08/Mar/2020:02:14:00 +0800] "GET /.well-known/acme-challenge/gfgICDjtij3qwWDM0a4VF70fvTs5nPTf8kMaf7Vhb8c HTTP/1.1" 404 495 "-" "AppleNewsBot"

Hi @suhayls

Your client tries to check the validation file. But that doesn't work because of a timeout.

Why is there a timeout?

There is a check of your domain, ~~ 2 hours old - https://check-your-website.server-daten.de/?q=symworld.com

Same picture - fetching some resources -> timeout.

And your nameserver ns1.symworld.com has the same ip address 103.230.125.235

Looks like a blocking instance, maybe a firewall.

Hi Juergen, I've checked with my server administrator and apparently there is no special blocking of HTTP/S requests. What URLs/IPs are used for querying Let's Encrypt? Maybe I can try to trace from the server whether it is indeed being blocked.

Let's Encrypt uses multi-perspective validation:

So you shouldn’t block any ip address.

I have checked with my server and the provider, it doesn’t seem like any IPs/Domains are currently blocked. Would a domain validation work instead?

That's an error of your VirtualMin/WebMin. I don't know how that tool works.

Maybe a bug in that tool -> check if there is an update.
Maybe a bug in your configuration -> no idea.

I’ve just tried to run the acme_tiny.py from the command line but I get the same problem. See output below:

root@symworld:/home/symworld.com# python /usr/share/webmin/webmin/acme_tiny.py --account-key ssl.key --csr ssl.csr --acme-dir /home/symworld.com/public_html/.well-known/acme-challenge/ > ssl.crt
Parsing account key...
Parsing CSR...
Found domains: symworld.com, www.symworld.com
Getting directory...
Directory found!
Registering account...
Already registered!
Creating new order...
Order created!
Verifying symworld.com...
Traceback (most recent call last):
File "/usr/share/webmin/webmin/acme_tiny.py", line 196, in <module>
main(sys.argv[1:])
File "/usr/share/webmin/webmin/acme_tiny.py", line 192, in main
signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca, disable_check=args.disable_check, directory_url=args.directory_url, contact=args.contact)
File "/usr/share/webmin/webmin/acme_tiny.py", line 143, in get_crt
raise ValueError("Wrote file to {0}, but couldn't download {1}: {2}".format(wellknown_path, wellknown_url, e))
ValueError: Wrote file to /home/symworld.com/public_html/.well-known/acme-challenge/9_tYgJiVbK02okpb2WX1qOh5LlQmzC66GVvh-T8TRnY, but couldn't download http://symworld.com/.well-known/acme-challenge/9_tYgJiVbK02okpb2WX1qOh5LlQmzC66GVvh-T8TRnY: Error:
Url: http://symworld.com/.well-known/acme-challenge/9_tYgJiVbK02okpb2WX1qOh5LlQmzC66GVvh-T8TRnY
Data: None
Response Code: None
Response: <urlopen error [Errno 110] Connection timed out>

Also tested the URL and the file is valid and is accessible over HTTP/S.

You are serving http on port 443; that should be https.

Does this link work for you?
http://www.symworld.com/.well-known/acme-challenge/9_tYgJiVbK02okpb2WX1qOh5LlQmzC66GVvh-T8TRnY
It redirects to https://www.symworld.com/.well-known/acme-challenge/9_tYgJiVbK02okpb2WX1qOh5LlQmzC66GVvh-T8TRnY and it complains a lot.

But this does work:
http://www.symworld.com:443/.well-known/acme-challenge/9_tYgJiVbK02okpb2WX1qOh5LlQmzC66GVvh-T8TRnY

Don't serve http over port 443; serve https. The validation procedure will accept a self-signed certificate. (On Ubuntu and probably Debian, you should have a default snakeoil ready – or, well, there are websites that do that for you: https://www.selfsignedcertificate.com/)
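Added diagnostic for the pre-check that acme_tiny failed on in this thread (my own example, not acme_tiny's, Webmin's or Let's Encrypt's code): it fetches the challenge URL the way that pre-check does, following redirects, and names the failure mode. The token, key authorization and the local listeners (plain http answering on the "https" port, a forced redirect onto it, a 404 as in the access log, and a port that never answers) are constructed stand-ins so it runs offline.

```python
import socket
import ssl
import threading
from urllib.error import HTTPError
from urllib.request import urlopen

PATH = "/.well-known/acme-challenge/constructed-token"        # constructed token
KEYAUTH = "constructed-token.constructed-account-thumbprint"  # constructed key authorization

def check_challenge(url, expected, timeout=10):
    """Fetch the challenge URL as acme_tiny's pre-check does (redirects followed); return (ok, reason)."""
    try:
        with urlopen(url, timeout=timeout) as resp:
            body, final = resp.read().decode("utf-8", "replace").strip(), resp.geturl()
    except HTTPError as e:
        return False, "HTTP %d at %s: challenge file not served there" % (e.code, e.filename)
    except OSError as e:  # URLError, socket.timeout, connection reset, ...
        reason = getattr(e, "reason", e)
        if isinstance(reason, ssl.SSLError):
            return False, "TLS handshake failed (plain HTTP on the https port?): %s" % reason
        if "timed out" in str(reason):
            return False, "timed out: firewall, or nothing answering on that port"
        return False, "fetch failed: %s" % reason
    if body != expected:
        return False, "wrong content %r (redirect landed on another page?)" % body[:40]
    return True, "ok" if final == url else "ok via redirect to %s" % final

def fake_listener(reply):
    """Constructed stand-in for one port: read the request, answer with `reply` (None = hang). Returns its URL."""
    s = socket.socket(); s.bind(("127.0.0.1", 0)); s.listen(5)
    def serve():
        while True:
            c, _ = s.accept()
            c.recv(65536)
            if reply is None:
                c.recv(1)  # never answer, like the Errno 110 timeout in the thread
            else:
                c.sendall(reply)
            c.close()
    threading.Thread(target=serve, daemon=True).start()
    return "http://127.0.0.1:%d%s" % (s.getsockname()[1], PATH)

def build_scenarios():
    """The situations seen in the thread, each on its own constructed local port."""
    plain = fake_listener(b"HTTP/1.0 200 OK\r\n\r\n" + KEYAUTH.encode())
    as_https = plain.replace("http://", "https://")
    forced = fake_listener(("HTTP/1.0 301 Moved\r\nLocation: %s\r\n\r\n" % as_https).encode())
    return {"serves file over plain http": plain, "same port asked for https": as_https,
            "redirects http to that https": forced, "never answers": fake_listener(None),
            "404 like the access log": fake_listener(b"HTTP/1.0 404 Not Found\r\n\r\n")}
```

Against a real host, call check_challenge with the URL and key authorization from the traceback's error message; the "same port asked for https" and "redirects" cases are what the port-443 misconfiguration above looks like from the client's side.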

I deleted all the SSL sites on the server and recreated them. That solved the issue and all the certs have been successfully renewed.

Thanks for your help and input.

Cheers!