Virtualmin: Let's Encrypt Web Based Validation failed

Not Apache, Virtualmin.

OK, so redirection is only happening in the .htaccess file.

hmm…

Try it this way:

RewriteEngine On
# Serve ACME challenge files as-is and stop rule processing, so they are never redirected
RewriteRule ^\.well-known\/acme-challenge\/ - [L]
# Everything else: redirect plain HTTP to HTTPS
RewriteCond %{HTTPS} !=on
RewriteRule ^/?(.*) https://%{HTTP_HOST}/$1 [R,L]

@9peppe, I wouldn't have thought I'd need to restart my entire Virtualmin instance for an .htaccess file to be picked up. Surely that's only isolated to Apache.

Anyway, @rg305, thanks, I've done this now.

Same error:

Traceback (most recent call last):
  File "/usr/share/webmin/webmin/acme_tiny.py", line 198, in <module>
    main(sys.argv[1:])
  File "/usr/share/webmin/webmin/acme_tiny.py", line 194, in main
    signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca, disable_check=args.disable_check, directory_url=args.directory_url, contact=args.contact)
  File "/usr/share/webmin/webmin/acme_tiny.py", line 143, in get_crt
    raise ValueError("Wrote file to {0}, but couldn't download {1}: {2}".format(wellknown_path, wellknown_url, e))
ValueError: Wrote file to /home/sentinelfs/public_html/.well-known/acme-challenge/T5d2cmSY9zzCjdk36iPcLUA85btXXSrgyFWihbMSUiA, but couldn't download http://sentinelfs.co/.well-known/acme-challenge/T5d2cmSY9zzCjdk36iPcLUA85btXXSrgyFWihbMSUiA: Error:
Url: http://sentinelfs.co/.well-known/acme-challenge/T5d2cmSY9zzCjdk36iPcLUA85btXXSrgyFWihbMSUiA
Data: None
Response Code: None
Response: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:661)>

I don’t see any redirection now [this is good].

curl -Iki http://sentinelfs.co/.well-known/acme-challenge/blahblahblah
HTTP/1.1 404 Not Found
Date: Mon, 23 Mar 2020 18:45:33 GMT
Server: Apache/2.4.25
Content-Type: text/html; charset=iso-8859-1

regular content does redirect [also good]:

curl -Iki http://sentinelfs.co/woohoo
HTTP/1.1 302 Found
Date: Mon, 23 Mar 2020 18:46:21 GMT
Server: Apache/2.4.25
Location: https://sentinelfs.co/woohoo
Content-Type: text/html; charset=iso-8859-1

It's not about the .htaccess anymore. Now it's the acme client that remembers a permanent redirect that's not there anymore. You see how it's validating a certificate, but if you open the same link it's on HTTP, unencrypted?

You need to create that folder path and place a test text file in there.
Ensure it can be reached from the Internet.
Like: http://sentinelfs.co/.well-known/acme-challenge/test1234
[then we need to also review the LE logs]
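As an added example (not code from this thread, from Virtualmin or from acme_tiny), the block below reproduces offline the self-check acme_tiny.py performs before asking Let's Encrypt to validate, and the manual reachability test suggested above: fetch http://host/.well-known/acme-challenge/token and compare the body with the key authorization. Unlike the real client it refuses to follow redirects and reports the Location header instead, which is how an HTTP-to-HTTPS redirect on that path (the thing that ends up as CERTIFICATE_VERIFY_FAILED when followed) becomes visible; the local server, token and thumbprint are constructed stand-ins.

```python
import http.server
import threading
import urllib.error
import urllib.request

# Constructed sample values for the demo; not the token from the thread.
TOKEN = "exampleToken123"
KEYAUTH = TOKEN + ".exampleThumbprint456"   # token + "." + account-key thumbprint

class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse to follow redirects so the Location header is reported instead."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None

def check_challenge(url, expected):
    """Fetch the challenge URL and report status, redirect target and body match."""
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(url, timeout=5) as resp:
            body = resp.read().decode().strip()
            return {"status": resp.status, "redirect": None, "ok": body == expected}
    except urllib.error.HTTPError as e:
        # A redirect acme_tiny would follow; one to https:// is where CERTIFICATE_VERIFY_FAILED appears.
        return {"status": e.code, "redirect": e.headers.get("Location"), "ok": False}
    except urllib.error.URLError as e:
        return {"status": None, "redirect": None, "ok": False, "error": str(e.reason)}

class ChallengeHandler(http.server.BaseHTTPRequestHandler):
    """Stand-in web server: serves the token file, redirects every other path to https."""
    def do_GET(self):
        if self.path == "/.well-known/acme-challenge/" + TOKEN:
            data = KEYAUTH.encode()
            self.send_response(200)
            self.send_header("Content-Length", str(len(data)))
            self.end_headers()
            self.wfile.write(data)
        else:
            self.send_response(302)
            self.send_header("Location", "https://example.test" + self.path)
            self.end_headers()
    def log_message(self, *args): pass  # keep the demo output quiet

def run_demo():
    """Probe a correctly served token and a redirected path on a local server."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), ChallengeHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    base = "http://127.0.0.1:%d" % srv.server_address[1]
    good = check_challenge(base + "/.well-known/acme-challenge/" + TOKEN, KEYAUTH)
    redirected = check_challenge(base + "/.well-known/acme-challenge/other", KEYAUTH)
    srv.shutdown()
    return good, redirected
```

Against a real host, call check_challenge with the public URL of a test file you placed in .well-known/acme-challenge; a "redirect" value starting with https:// means the exemption rule is not taking effect for that path.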

Ahhh yes, OK, valid point. Well, I can bounce the whole box, that's not a problem (it's my hardware); this is only a virtual server anyway. So I'll do that. Then I'll try what's been suggested later on down this thread if it's not working.

OK, restarted, same problem. Boo, lost my uptime :frowning_face:

Test folder/file created.

Happy to share any logfiles; however, I went looking for them when I was trying to debug this myself and found none. A quick Google pointed me to this link: https://virtualmin.com/node/65080 which seems to imply no log files… ? :confused: I'll have a dig myself and see if I can find something.

OK, in an interesting turn of events.

I disabled SSL-enabled services for this domain (which caused it to remove everything, restart Webmin etc.), then re-enabled SSL services for this domain.

It still fails… but what's interesting is I can actually browse the folder/file response (I checked it quickly). So it is generating a file and a response AND I could view it in my browser. But overall it's failing.

Requesting a certificate for sentinelfs.co, www.sentinelfs.co from Let's Encrypt …
… request failed : Web-based validation failed : Failed to request certificate :
Traceback (most recent call last):
  File "/usr/share/webmin/webmin/acme_tiny.py", line 198, in <module>
    main(sys.argv[1:])
  File "/usr/share/webmin/webmin/acme_tiny.py", line 194, in main
    signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca, disable_check=args.disable_check, directory_url=args.directory_url, contact=args.contact)
  File "/usr/share/webmin/webmin/acme_tiny.py", line 143, in get_crt
    raise ValueError("Wrote file to {0}, but couldn't download {1}: {2}".format(wellknown_path, wellknown_url, e))
ValueError: Wrote file to /home/sentinelfs/public_html/.well-known/acme-challenge/T5d2cmSY9zzCjdk36iPcLUA85btXXSrgyFWihbMSUiA, but couldn't download http://sentinelfs.co/.well-known/acme-challenge/T5d2cmSY9zzCjdk36iPcLUA85btXXSrgyFWihbMSUiA: Error:
Url: http://sentinelfs.co/.well-known/acme-challenge/T5d2cmSY9zzCjdk36iPcLUA85btXXSrgyFWihbMSUiA
Data: None
Response Code: None
Response: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:661)>

You’re probably going to hit a limit soon, so slow down on the testing.

I do see the test text file and contents [this is good]:

curl -iki http://sentinelfs.co/.well-known/acme-challenge/test1234
HTTP/1.1 200 OK
Date: Mon, 23 Mar 2020 19:43:00 GMT
Server: Apache/2.4.25
Last-Modified: Mon, 23 Mar 2020 18:58:57 GMT
ETag: "13-5a18a3a2d2219"
Accept-Ranges: bytes
Content-Length: 19
Hello LetsEncrypt!

Which is confusing me as to why the authentication file would fail…

I can only think that maybe the naming of the file (case sensitivity), or its contents, are tripping some check.
Try naming a similar test text file as (one of the files requested):
Like: T5d2cmSY9zzCjdk36iPcLUA85btXXSrgyFWihbMSUiA
And see if that one can also be accessed from the Internet.

EDIT: I see that file and content:

curl -iki http://sentinelfs.co/.well-known/acme-challenge/T5d2cmSY9zzCjdk36iPcLUA85btXXSrgyFWihbMSUiA
HTTP/1.1 200 OK
Date: Mon, 23 Mar 2020 19:51:50 GMT
Server: Apache/2.4.25
Last-Modified: Mon, 23 Mar 2020 19:03:21 GMT
ETag: "57-5a18a49e8a330"
Accept-Ranges: bytes
Content-Length: 87
T5d2cmSY9zzCjdk36iPcLUA85btXXSrgyFWihbMSUiA.y1a8M_oUMen2uKEvlV_SLnykQzaUHWqu7T2_yFaFgZ8

Now I’m really confused… :confused:

Does your interface have access to this setting?

I gave the testing a rest last night to stop what you said might happen!

It depends, where would you expect to see that setting? What sort of variable is it? Environment?

Tried again this morning, still fails. Really struggling to understand the issue :confused:

Traceback (most recent call last):
  File "/usr/share/webmin/webmin/acme_tiny.py", line 198, in <module>
    main(sys.argv[1:])
  File "/usr/share/webmin/webmin/acme_tiny.py", line 194, in main
    signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca, disable_check=args.disable_check, directory_url=args.directory_url, contact=args.contact)
  File "/usr/share/webmin/webmin/acme_tiny.py", line 143, in get_crt
    raise ValueError("Wrote file to {0}, but couldn't download {1}: {2}".format(wellknown_path, wellknown_url, e))
ValueError: Wrote file to /home/sentinelfs/public_html/.well-known/acme-challenge/T5d2cmSY9zzCjdk36iPcLUA85btXXSrgyFWihbMSUiA, but couldn't download http://sentinelfs.co/.well-known/acme-challenge/T5d2cmSY9zzCjdk36iPcLUA85btXXSrgyFWihbMSUiA: Error:
Url: http://sentinelfs.co/.well-known/acme-challenge/T5d2cmSY9zzCjdk36iPcLUA85btXXSrgyFWihbMSUiA
Data: None
Response Code: None
Response: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:661)>

I don't know; in Virtualmin's acme_tiny config, probably, or on a single-certificate or single-host basis.

I've had a good search through logs and Virtualmin itself; it appears there is no configuration file that I can amend.

There is only acme_tiny.py under /usr/share/webmin.

I wouldn't have thought I'd need to start modifying any default implementation config from a standard Virtualmin install (and fully updated).

You should apply this patch, IMHO: https://github.com/diafygi/acme-tiny/pull/221

OK, thank you, I'll edit the config to apply what they've changed and test.

Traceback (most recent call last):
  File "/usr/share/webmin/webmin/acme_tiny.py", line 201, in <module>
    main(sys.argv[1:])
  File "/usr/share/webmin/webmin/acme_tiny.py", line 197, in main
    signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca, disable_check=args.disable_check, directory_url=args.directory_url, contact=args.contact)
  File "/usr/share/webmin/webmin/acme_tiny.py", line 146, in get_crt
    raise ValueError("Wrote file to {0}, but couldn't download {1}: {2}".format(wellknown_path, wellknown_url, e))
ValueError: Wrote file to /home/sentinelfs/public_html/.well-known/acme-challenge/T5d2cmSY9zzCjdk36iPcLUA85btXXSrgyFWihbMSUiA, but couldn't download http://sentinelfs.co/.well-known/acme-challenge/T5d2cmSY9zzCjdk36iPcLUA85btXXSrgyFWihbMSUiA: Error:
Url: http://sentinelfs.co/.well-known/acme-challenge/T5d2cmSY9zzCjdk36iPcLUA85btXXSrgyFWihbMSUiA
Data: None
Response Code: 404
Response:
404 Not Found
404 Not Found
nginx

One thing I noticed: if I click the URL I do get page not found, but if I remove the ":" at the end then I get a response.

If you edit the source but don't restart the process, nothing happens. It's running from RAM, not from disk.

Yep, understood. I did restart the Webmin service. But I'll bounce the box just to be sure.

I have bounced the box, but still the same problem.

Traceback (most recent call last):
  File "/usr/share/webmin/webmin/acme_tiny.py", line 201, in <module>
    main(sys.argv[1:])
  File "/usr/share/webmin/webmin/acme_tiny.py", line 197, in main
    signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca, disable_check=args.disable_check, directory_url=args.directory_url, contact=args.contact)
  File "/usr/share/webmin/webmin/acme_tiny.py", line 146, in get_crt
    raise ValueError("Wrote file to {0}, but couldn't download {1}: {2}".format(wellknown_path, wellknown_url, e))
ValueError: Wrote file to /home/sentinelfs/public_html/.well-known/acme-challenge/T5d2cmSY9zzCjdk36iPcLUA85btXXSrgyFWihbMSUiA, but couldn't download http://sentinelfs.co/.well-known/acme-challenge/T5d2cmSY9zzCjdk36iPcLUA85btXXSrgyFWihbMSUiA: Error:
Url: http://sentinelfs.co/.well-known/acme-challenge/T5d2cmSY9zzCjdk36iPcLUA85btXXSrgyFWihbMSUiA
Data: None
Response Code: 404
Response:
404 Not Found
404 Not Found
nginx