Virtualmin: Lets Encrypt Web Based Validation failed

THIS IS A LOT BETTER.

I see the file just fine. http://sentinelfs.co/.well-known/acme-challenge/T5d2cmSY9zzCjdk36iPcLUA85btXXSrgyFWihbMSUiA

acme-tiny doesn’t wait one second to let nginx pick it up: https://github.com/diafygi/acme-tiny/blob/master/acme_tiny.py#L135 curse the heavens.

hahah,

It doesn't want to give me an SSL cert, does it! Anything I can do to fettle the code to add a wait condition or something?

    from time import sleep
    sleep(seconds)

And I should insert that (for say 2 seconds) in at line 134? Or something like this?

    # find the http-01 challenge and write the challenge file
    challenge = [c for c in authorization['challenges'] if c['type'] == "http-01"][0]
    token = re.sub(r"[^A-Za-z0-9_\-]", "_", challenge['token'])
    keyauthorization = "{0}.{1}".format(token, thumbprint)
    wellknown_path = os.path.join(acme_dir, token)
    from time import sleep
    sleep(2)
    with open(wellknown_path, "w") as wellknown_file:
        wellknown_file.write(keyauthorization)

that’s too early.

between 138 and 139, I’d say, after the comment and before the try block (or inside the try block)

Ah right, OK, makes sense now. Sorry, only really a config fettler, not much of a coder.

    # check that the file is in place
    from time import sleep
    sleep(2)
    try:
        wellknown_url = "http://{0}/.well-known/acme-challenge/{1}".format(domain, token)
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        assert(disable_check or _do_request(wellknown_url, context=ctx)[0] == keyauthorization)
    except (AssertionError, ValueError) as e:
        raise ValueError("Wrote file to {0}, but couldn't download {1}: {2}".format(wellknown_path, wellknown_url, e))

So did that, rebooted box.

    Traceback (most recent call last):
      File "/usr/share/webmin/webmin/acme_tiny.py", line 203, in <module>
        main(sys.argv[1:])
      File "/usr/share/webmin/webmin/acme_tiny.py", line 199, in main
        signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca, disable_check=args.disable_check, directory_url=args.directory_url, contact=args.contact)
      File "/usr/share/webmin/webmin/acme_tiny.py", line 148, in get_crt
        raise ValueError("Wrote file to {0}, but couldn't download {1}: {2}".format(wellknown_path, wellknown_url, e))
    ValueError: Wrote file to /home/sentinelfs/public_html/.well-known/acme-challenge/T5d2cmSY9zzCjdk36iPcLUA85btXXSrgyFWihbMSUiA, but couldn't download http://sentinelfs.co/.well-known/acme-challenge/T5d2cmSY9zzCjdk36iPcLUA85btXXSrgyFWihbMSUiA: Error:
    Url: http://sentinelfs.co/.well-known/acme-challenge/T5d2cmSY9zzCjdk36iPcLUA85btXXSrgyFWihbMSUiA
    Data: None
    Response Code: 404
    Response:
    404 Not Found
    404 Not Found
    nginx

and I get the file, it does not.

I guess two seconds is not enough.

Weird, really can't believe this sort of fettling is needed. I'll up it to 5 seconds and see what happens.

    Traceback (most recent call last):
      File "/usr/share/webmin/webmin/acme_tiny.py", line 203, in <module>
        main(sys.argv[1:])
      File "/usr/share/webmin/webmin/acme_tiny.py", line 199, in main
        signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca, disable_check=args.disable_check, directory_url=args.directory_url, contact=args.contact)
      File "/usr/share/webmin/webmin/acme_tiny.py", line 148, in get_crt
        raise ValueError("Wrote file to {0}, but couldn't download {1}: {2}".format(wellknown_path, wellknown_url, e))
    ValueError: Wrote file to /home/sentinelfs/public_html/.well-known/acme-challenge/T5d2cmSY9zzCjdk36iPcLUA85btXXSrgyFWihbMSUiA, but couldn't download http://sentinelfs.co/.well-known/acme-challenge/T5d2cmSY9zzCjdk36iPcLUA85btXXSrgyFWihbMSUiA: Error:
    Url: http://sentinelfs.co/.well-known/acme-challenge/T5d2cmSY9zzCjdk36iPcLUA85btXXSrgyFWihbMSUiA
    Data: None
    Response Code: 404
    Response:
    404 Not Found
    404 Not Found
    nginx

still failed. It must be something else?

I don’t even.

You can try putting disable_check=True before the try block.

Requesting a certificate for sentinelfs.co, www.sentinelfs.co from Let’s Encrypt …
… request was successful!

Configuring webserver to use new certificate and key …
… done

Applying web server configuration …
… done

!!!

yay :smiley:

Thank you very much for your help, what a mess on. Would kinda love to understand why we need to disable the check. But I guess that's for people smarter than me.

All this will be lost when virtualmin upgrades. You should check if you can switch clients.

(it can be a lot of things with your software, network, or both)

True, but there have been no upgrades I'm aware of from when it worked before and now. I'll keep an eye on this and any upgrades I might need to do to virtualmin.
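
An added example, not part of the thread and not acme-tiny's own code: instead of the fixed sleep tried above, a bounded poll of the challenge URL that also records which addresses this machine itself resolves the domain to, since the thread shows the file reachable from outside while the server's own request gets a 404. The names self_check, http_fetch and resolve are assumptions made for this example.

```python
import socket
import time
from urllib.error import HTTPError, URLError
from urllib.request import urlopen


def http_fetch(url, timeout=5):
    """Return (status, body) for a GET; status 0 means no HTTP response at all."""
    try:
        with urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace").strip()
    except HTTPError as e:  # a 4xx/5xx still shows that some web server answered
        return e.code, ""
    except (URLError, OSError) as e:
        return 0, str(e)


def resolve(host):
    """Addresses this machine uses for host (can differ from public DNS)."""
    try:
        infos = socket.getaddrinfo(host, 80, proto=socket.IPPROTO_TCP)
        return sorted({info[4][0] for info in infos})
    except socket.gaierror:
        return []


def self_check(domain, token, keyauthorization, attempts=5, delay=1.0,
               fetch=http_fetch, resolver=resolve, sleep=time.sleep):
    """Poll the http-01 challenge URL a bounded number of times.

    Returns a dict with ok, tries, last status, url and the local addresses
    for domain, so a failure can be reported with enough detail to debug.
    """
    url = "http://{0}/.well-known/acme-challenge/{1}".format(domain, token)
    result = {"ok": False, "tries": 0, "status": None,
              "url": url, "addresses": resolver(domain)}
    for n in range(1, attempts + 1):
        status, body = fetch(url)
        result.update(tries=n, status=status)
        if status == 200 and body == keyauthorization:
            result["ok"] = True
            break
        if n < attempts:  # no pointless wait after the final attempt
            sleep(delay)
    return result
```

If ok stays False with status 404 while an outside client gets the file, the addresses entry shows where the server's own request actually went, which can be compared with the domain's public DNS record.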