Unable to renew certificates

suhayls · March 7, 2020, 6:11pm

I ran this command: Tried to renew SSL Cert using virtualmin’s interface

It produced this output:
Traceback (most recent call last):
File “/usr/share/webmin/webmin/acme_tiny.py”, line 198, in
main(sys.argv[1:])
File “/usr/share/webmin/webmin/acme_tiny.py”, line 194, in main
signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca, disable_check=args.disable_check, directory_url=args.directory_url, contact=args.contact)
File “/usr/share/webmin/webmin/acme_tiny.py”, line 143, in get_crt
raise ValueError(“Wrote file to {0}, but couldn’t download {1}: {2}”.format(wellknown_path, wellknown_url, e))
ValueError: Wrote file to /home/symworld.com/public_html/.well-known/acme-challenge/gfgICDjtij3qwWDM0a4VF70fvTs5nPTf8kMaf7Vhb8c, but couldn’t download http://www.symworld.com/.well-known/acme-challenge/gfgICDjtij3qwWDM0a4VF70fvTs5nPTf8kMaf7Vhb8c: Error:
Url: http://www.symworld.com/.well-known/acme-challenge/gfgICDjtij3qwWDM0a4VF70fvTs5nPTf8kMaf7Vhb8c
Data: None
Response Code: None
Response: <urlopen error [Errno 110] Connection timed out>

My web server is (include version): Apache2 running on webmin/virtualmin

The operating system my web server runs on is (include version): ubuntu

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): webmin & virtualmin

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

suhayls · March 7, 2020, 6:14pm

Checked my server access logs and seeing these records after the renewal has timed out:

65.19.128.70 - - [08/Mar/2020:02:12:29 +0800] “GET /.well-known/acme-challenge/gfgICDjtij3qwWDM0a4VF70fvTs5nPTf8kMaf7Vhb8c HTTP/1.1” 404 439 “-” “Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36”
65.19.128.70 - - [08/Mar/2020:02:12:29 +0800] “GET /.well-known/acme-challenge/gfgICDjtij3qwWDM0a4VF70fvTs5nPTf8kMaf7Vhb8c: HTTP/1.1” 404 439 “-” “Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36”
79.244.52.28 - - [08/Mar/2020:02:13:01 +0800] “GET /.well-known/acme-challenge/gfgICDjtij3qwWDM0a4VF70fvTs5nPTf8kMaf7Vhb8c HTTP/1.1” 404 495 “-” “Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:73.0) Gecko/20100101 Firefox/73.0”
17.58.82.220 - - [08/Mar/2020:02:13:43 +0800] “GET /.well-known/acme-challenge/gfgICDjtij3qwWDM0a4VF70fvTs5nPTf8kMaf7Vhb8c: HTTP/1.1” 404 495 “-” “AppleNewsBot”
17.58.82.220 - - [08/Mar/2020:02:13:43 +0800] “GET /.well-known/acme-challenge/gfgICDjtij3qwWDM0a4VF70fvTs5nPTf8kMaf7Vhb8c HTTP/1.1” 404 495 “-” “AppleNewsBot”
17.58.80.10 - - [08/Mar/2020:02:13:59 +0800] “GET /.well-known/acme-challenge/gfgICDjtij3qwWDM0a4VF70fvTs5nPTf8kMaf7Vhb8c: HTTP/1.1” 404 495 “-” “AppleNewsBot”
17.58.80.10 - - [08/Mar/2020:02:14:00 +0800] “GET /.well-known/acme-challenge/gfgICDjtij3qwWDM0a4VF70fvTs5nPTf8kMaf7Vhb8c HTTP/1.1” 404 495 “-” “AppleNewsBot”

JuergenAuer · March 7, 2020, 7:35pm

Hi @suhayls

your client tries to check the validation file. But that doesn't work because of a timeout.

Why is there a timeout?

There is a check of your domain, ~~ 2 hours old - https://check-your-website.server-daten.de/?q=symworld.com

Same picture - fetching some resources -> timeout.

And your nameserver ns1.symworld.com has the same ip address 103.230.125.235

Looks like a blocking instance, may be a firewall.

suhayls · March 8, 2020, 2:57am

Hi Juergen, I’ve checked with my server administrator and apparently there are no special blocking on HTTP/S requests. What are the URL/IP used for querying the let’s encrypt? Maybe I can try to trace from the server if it is indeed being blocked.

JuergenAuer · March 8, 2020, 7:38am

Letsencrypt uses multi perspective validation:

So you shouldn't block any ip address.

suhayls · March 9, 2020, 3:22am

I have checked with my server and the provider, it doesn’t seem like any IPs/Domains are currently blocked. Would a domain validation work instead?

JuergenAuer · March 9, 2020, 8:24am

That's

an error of your VirtualMin/WebMin. I don't know how that tool works.

May be a bug in that tool -> check if there is an update.
May be a bug in your configuration -> no idea.

suhayls · March 10, 2020, 3:54am

I’ve just tried to run the acme_tiny.py from the command line but I get the same problem. See output below:

root@symworld:/home/symworld.com# python /usr/share/webmin/webmin/acme_tiny.py --account-key ssl.key --csr ssl.csr --acme-dir /home/symworld.com/public_html/.well-known/acme-challenge/ > ssl.crt
Parsing account key...
Parsing CSR...
Found domains: symworld.com, www.symworld.com
Getting directory...
Directory found!
Registering account...
Already registered!
Creating new order...
Order created!
Verifying symworld.com...
Traceback (most recent call last):
File "/usr/share/webmin/webmin/acme_tiny.py", line 196, in <module>
main(sys.argv[1:])
File "/usr/share/webmin/webmin/acme_tiny.py", line 192, in main
signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca, disable_check=args.disable_check, directory_url=args.directory_url, contact=args.contact)
File "/usr/share/webmin/webmin/acme_tiny.py", line 143, in get_crt
raise ValueError("Wrote file to {0}, but couldn't download {1}: {2}".format(wellknown_path, wellknown_url, e))
ValueError: Wrote file to /home/symworld.com/public_html/.well-known/acme-challenge/9_tYgJiVbK02okpb2WX1qOh5LlQmzC66GVvh-T8TRnY, but couldn't download http://symworld.com/.well-known/acme-challenge/9_tYgJiVbK02okpb2WX1qOh5LlQmzC66GVvh-T8TRnY: Error:
Url: http://symworld.com/.well-known/acme-challenge/9_tYgJiVbK02okpb2WX1qOh5LlQmzC66GVvh-T8TRnY
Data: None
Response Code: None
Response: <urlopen error [Errno 110] Connection timed out>

Also tested the URL and the file is valid and is accessible over HTTP/S.

9peppe · March 10, 2020, 9:34am

you are serving http on port 443, that should be https.

does this link work for you?
http://www.symworld.com/.well-known/acme-challenge/9_tYgJiVbK02okpb2WX1qOh5LlQmzC66GVvh-T8TRnY
it redirects to https://www.symworld.com/.well-known/acme-challenge/9_tYgJiVbK02okpb2WX1qOh5LlQmzC66GVvh-T8TRnY and it complains a lot.

but this does work:
http://www.symworld.com:443/.well-known/acme-challenge/9_tYgJiVbK02okpb2WX1qOh5LlQmzC66GVvh-T8TRnY

don’t serve http over port 443. serve https. the validation procedure will accept a self signed certificate. (on ubuntu and probably debian, you should have a default snakeoil ready – or, well, there are websites that do that for you: https://www.selfsignedcertificate.com/)

suhayls · March 10, 2020, 5:47pm

I deleted all the SSL sites on the server and recreated them. That solved the issue and all the certs have been successfully renewed.

Thanks for your help and input.

Cheers!

system · April 9, 2020, 5:47pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
I can't update my security certificate Help	6	798	July 12, 2020
Renew certificate with webmin Help	3	2834	January 17, 2021
Can't Request Certificate on Virtualmin Help	8	1861	October 30, 2021
Virtualmin: Failed to request certificate Help	2	836	May 26, 2020
Impossible to renew certificate via Virtualmin module, help please Help	2	3086	November 28, 2017

Unable to renew certificates

Related topics