Web-based validation failed

My domain is: arms-rol.org

I ran this command: From Virtualmin, under SSL Certificates -> Let's Encrypt
Renewal failed due to Web-based validation failed :
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Requesting a certificate for arms-rol.org, www.arms-rol.org from Let's Encrypt ..

It produced this output:
.. request failed : Web-based validation failed :
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
An unexpected error occurred:
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/urllib3/contrib/pyopenssl.py", line 417, in wrap_socket
cnx.do_handshake()
File "/usr/lib/python3/dist-packages/OpenSSL/SSL.py", line 1426, in do_handshake
self._raise_ssl_error(self._ssl, result)
File "/usr/lib/python3/dist-packages/OpenSSL/SSL.py", line 1174, in _raise_ssl_error
_raise_current_error()
File "/usr/lib/python3/dist-packages/OpenSSL/_util.py", line 48, in exception_from_error_queue
raise exception_type(errors)
OpenSSL.SSL.Error: [('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')]

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 594, in urlopen
chunked=chunked)
File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 350, in _make_request
self._validate_conn(conn)
File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 837, in _validate_conn
conn.connect()
File "/usr/lib/python3/dist-packages/urllib3/connection.py", line 323, in connect
ssl_context=context)
File "/usr/lib/python3/dist-packages/urllib3/util/ssl_.py", line 324, in ssl_wrap_socket
return context.wrap_socket(sock, server_hostname=server_hostname)
File "/usr/lib/python3/dist-packages/urllib3/contrib/pyopenssl.py", line 424, in wrap_socket
raise ssl.SSLError('bad handshake: %r' % e)
ssl.SSLError: ("bad handshake: Error([('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')],)",)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/requests/adapters.py", line 423, in send
timeout=timeout
File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 624, in urlopen
raise SSLError(e)
requests.packages.urllib3.exceptions.SSLError: ("bad handshake: Error([('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')],)",)

During handling of the above exception, another exception occurred:

requests.exceptions.SSLError: ("bad handshake: Error([('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')],)",)
Please see the logfiles in /var/log/letsencrypt for more details.

The log at /var/log/letsencrypt/letsencrypt.log:
2023-01-09 06:52:41,820:DEBUG:certbot.main:certbot version: 0.40.0
2023-01-09 06:52:41,821:DEBUG:certbot.main:Arguments: ['-q']
2023-01-09 06:52:41,821:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2023-01-09 06:52:41,835:DEBUG:certbot.log:Root logging level set at 30
2023-01-09 06:52:41,836:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2023-01-09 06:52:41,850:DEBUG:certbot.plugins.selection:Requested authenticator <certbot.cli._Default object at 0x7f76db3f2d60> and installer <certbot.cli._Default object at 0x7f76db3f2d60>
2023-01-09 06:52:41,868:INFO:certbot.renewal:Cert not yet due for renewal
2023-01-09 06:52:41,869:DEBUG:certbot.plugins.selection:Requested authenticator webroot and installer None
2023-01-09 06:52:41,875:INFO:certbot.renewal:Cert not yet due for renewal
2023-01-09 06:52:41,875:DEBUG:certbot.plugins.selection:Requested authenticator webroot and installer None
2023-01-09 06:52:41,882:INFO:certbot.renewal:Cert not yet due for renewal
2023-01-09 06:52:41,882:DEBUG:certbot.plugins.selection:Requested authenticator webroot and installer None
2023-01-09 06:52:41,887:INFO:certbot.renewal:Cert not yet due for renewal
2023-01-09 06:52:41,887:DEBUG:certbot.plugins.selection:Requested authenticator webroot and installer None
2023-01-09 06:52:41,894:INFO:certbot.renewal:Cert not yet due for renewal
2023-01-09 06:52:41,895:DEBUG:certbot.plugins.selection:Requested authenticator webroot and installer None
2023-01-09 06:52:41,895:DEBUG:certbot.renewal:no renewal failures

My web server is (include version): Linux 3.10.0-1160.53.1.vz7.185.3 on x86_64

The operating system my web server runs on is (include version): Debian Linux 9

My hosting provider, if applicable, is: Nuxit Magic Online

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): Webmin 2.001 | Virtualmin version 7.5-1

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.28.0

On this VPS I have several domains. I had no problem when creating their certificates, but now that renewal is due, the same thing is happening with all of them.

Thanks!

Hello @Varden, welcome to the Let's Encrypt community. :slightly_smiling_face:

Seeing this makes me think it is likely you are redirecting http to https and the certificate presently being served is expired.

This online tool SSL Server Test (Powered by Qualys SSL Labs) is showing an expired certificate being served
SSL Server Test: www.arms-rol.org (Powered by Qualys SSL Labs)

This is the certificate I received

$ openssl s_client -showcerts -servername www.arms-rol.org -connect www.arms-rol.org:443 < /dev/null
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = arms-rol.org
verify error:num=10:certificate has expired
notAfter=Jan  5 18:57:14 2023 GMT
verify return:1
depth=0 CN = arms-rol.org
notAfter=Jan  5 18:57:14 2023 GMT
verify return:1
---
Certificate chain
 0 s:CN = arms-rol.org
   i:C = US, O = Let's Encrypt, CN = R3
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Oct  7 18:57:15 2022 GMT; NotAfter: Jan  5 18:57:14 2023 GMT
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Sep  4 00:00:00 2020 GMT; NotAfter: Sep 15 16:00:00 2025 GMT
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jan 20 19:14:03 2021 GMT; NotAfter: Sep 30 18:14:03 2024 GMT
---
Server certificate
subject=CN = arms-rol.org
issuer=C = US, O = Let's Encrypt, CN = R3
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA
Server Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 4730 bytes and written 444 bytes
Verification error: certificate has expired
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: A4D06C472FFE0AAF617D88FF3474D0F73F330F016F49F0BDAC82365EDE110223
    Session-ID-ctx:
    Master-Key: F0ED2F41A80856576425050F2D6AFE813BCFDB349F78C4D96E6A14AF2F9AA6BA0A792F83F2CB338A11B6BF89CC3735B9
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:

    Start Time: 1673282222
    Timeout   : 7200 (sec)
    Verify return code: 10 (certificate has expired)
    Extended master secret: no
---
DONE

Here is what I got with curl

$ curl -Ii http://www.arms-rol.org/.well-known/acme-challenge/sometestfile
HTTP/1.1 302 Found
Date: Mon, 09 Jan 2023 16:38:06 GMT
Server: Apache/2.4.25
Location: https://arms-rol.org/index.php
Content-Type: text/html; charset=iso-8859-1

That is an old version of Certbot; see here for Certbot 2.1.0 Release

2 Likes

Yes, using this online tool Redirect Checker | Check your Statuscode 301 vs 302 with an input of http://www.arms-rol.org/.well-known/acme-challenge/sometestfile shows redirection to https

Result

http://www.arms-rol.org/.well-known/acme-challenge/sometestfile
302 Found
https://arms-rol.org/index.php
301 Moved Permanently
https://www.arms-rol.org/
200 OK
1 Like

Hello @Bruce5051 and thank you for your prompt reply.

I have a redirect from http to https at my domain provider. Tomorrow I will change this to see if it was the problem. Also, I will try updating the version of Certbot.

Thank you!

3 Likes

You are welcome @Varden! :slight_smile:
Do you understand why the failure is happening?
(Due to the HTTP-01 challenge being redirected to https with an expired certificate)

1 Like

What shows?:
certbot certificates

2 Likes

I don't think that is the cause of this error. The Let's Encrypt servers do not check the validity of the cert if they are redirected to HTTPS (see here).

This looks like a problem with their machine not validating the Let's Encrypt API cert

5 Likes

I stand corrected! Thanks @MikeMcQ! :slight_smile:

2 Likes

Ok, now I am confused! :confused:

FYI - certificates have been issued previously for the domain name crt.sh | arms-rol.org, latest being 2022-10-07.

1 Like

@Varden What does this show?

curl -v https://acme-v02.api.letsencrypt.org/directory

Also, are you able to run the command that rg305 showed?

3 Likes

Saving debug log to /var/log/letsencrypt/letsencrypt.log
OCSP check failed for /etc/letsencrypt/live/arms-rol.org/cert.pem (are we offline?)


Found the following certs:
Certificate Name: arms-rol.org
Domains: arms-rol.org www.arms-rol.org
Expiry Date: 2023-01-05 18:57:14+00:00 (INVALID: EXPIRED)
Certificate Path: /etc/letsencrypt/live/arms-rol.org/fullchain.pem
Private Key Path: /etc/letsencrypt/live/arms-rol.org/privkey.pem


I have more domains on the same VPS, and the output above also lists the other domains with the same information (except the expiry date).

curl -v https://acme-v02.api.letsencrypt.org/directory

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0* Trying 172.65.32.248...
* TCP_NODELAY set
* Connected to acme-v02.api.letsencrypt.org (172.65.32.248) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
} [5 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.2 (IN), TLS handshake, Server hello (2):
{ [102 bytes data]
* TLSv1.2 (IN), TLS handshake, Certificate (11):
{ [2855 bytes data]
* TLSv1.2 (OUT), TLS alert, Server hello (2):
} [2 bytes data]
* SSL certificate problem: unable to get local issuer certificate
* Curl_http_done: called premature == 1
* stopped the pause stream!
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: curl - SSL CA Certificates

curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.

certbot 0.28.0

Try:
certbot renew --cert-name arms-rol.org --no-verify-ssl

That may need some updating.

2 Likes

Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/arms-rol.org.conf


Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer None
/usr/lib/python3/dist-packages/urllib3/connectionpool.py:845: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: Advanced Usage - urllib3 2.0.0a2 documentation
InsecureRequestWarning)
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for arms-rol.org
http-01 challenge for www.arms-rol.org
Waiting for verification...
Cleaning up challenges


new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/arms-rol.org/fullchain.pem



Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/arms-rol.org/fullchain.pem (success)


From the text, I understood that it was solved and the domain had an SSL certificate, but it appears in Virtualmin as expired, and in the URL as insecure.

Show this again:

2 Likes

This is just a temporary workaround and should NOT be seen as a permanent fix. Your system's SSL root certificate store seems to be outdated and requires updating.

4 Likes
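To make the two failure modes in this thread concrete, here is an added example (not from the original thread or from Certbot): it parses the "Certificate chain" block of the openssl s_client output quoted above and replays the verification under three local trust stores: a current one that contains ISRG Root X1, an outdated one that only knows DST Root CA X3 (the situation described in the post above), and one with neither. The two roots' own NotAfter dates are public facts about those certificates and are not taken from this page.

```python
import re
from datetime import datetime, timezone

# Constructed sample: the "Certificate chain" block from the s_client output quoted above (PEM bodies omitted).
SAMPLE_CHAIN = """\
 0 s:CN = arms-rol.org
   i:C = US, O = Let's Encrypt, CN = R3
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Oct  7 18:57:15 2022 GMT; NotAfter: Jan  5 18:57:14 2023 GMT
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Sep  4 00:00:00 2020 GMT; NotAfter: Sep 15 16:00:00 2025 GMT
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jan 20 19:14:03 2021 GMT; NotAfter: Sep 30 18:14:03 2024 GMT
"""
UTC = timezone.utc
NOW = datetime.fromtimestamp(1673282222, UTC)  # the session's "Start Time" (2023-01-09 16:37 UTC)
# The roots' own NotAfter values: public facts about those certificates, not taken from this page.
ISRG_ROOT_X1 = {"ISRG Root X1": datetime(2035, 6, 4, 11, 4, 38, tzinfo=UTC)}
DST_ROOT_X3 = {"DST Root CA X3": datetime(2021, 9, 30, 14, 1, 15, tzinfo=UTC)}
ENTRY = re.compile(r"^ *(\d+) s:(.*)\n +i:(.*)\n(?: +a:.*\n)? +v:.*NotAfter: (.*)$", re.M)

def cn(dn):  # CN from an OpenSSL one-line DN such as "C = US, O = ..., CN = R3"
    m = re.search(r"CN = ([^,]+)", dn)
    return m.group(1).strip() if m else dn

def parse_chain(text):  # one dict per numbered s:/i:/v: entry, leaf first
    return [{"depth": int(d), "subject": s.strip(), "issuer": i.strip(),
             "not_after": datetime.strptime(a, "%b %d %H:%M:%S %Y GMT").replace(tzinfo=UTC)}
            for d, s, i, a in ENTRY.findall(text)]

def diagnose(certs, now, trust_store):
    """trust_store maps root CN -> that root's own NotAfter. Walk up until an issuer is
    in the store (the anchor): none found -> 'unable to get local issuer certificate';
    otherwise anything expired up to and including the root -> 'certificate has expired'."""
    for c in certs:
        if cn(c["issuer"]) in trust_store:
            anchor, root = c["depth"], cn(c["issuer"])
            break
    else:
        return ["unable to get local issuer certificate"]
    errors = [f"depth={c['depth']} {cn(c['subject'])}: certificate has expired"
              for c in certs if c["depth"] <= anchor and now > c["not_after"]]
    if now > trust_store[root]:
        errors.append(f"root {root}: certificate has expired")
    return errors
```

With the current store only the expired leaf is reported (Bruce5051's s_client result); with the outdated store the expired root is reported as well, and with neither root the chain cannot be anchored at all, which is the curl error Varden got against the ACME API.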

And that proved it :wink:

The road to recovery is long... taking small steps towards it.

2 Likes

I'm pretty sure that was already established by the curl output :wink:

But at least it's the only certificate issuance related issue that needs to be fixed, that was proven indeed.

With regard to Virtualmin: I have no clue.

4 Likes

Saving debug log to /var/log/letsencrypt/letsencrypt.log


Found the following certs:
Certificate Name: arms-rol.org
Domains: arms-rol.org www.arms-rol.org
Expiry Date: 2023-04-10 07:20:24+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/arms-rol.org/fullchain.pem
Private Key Path: /etc/letsencrypt/live/arms-rol.org/privkey.pem


* This time this did not appear:

OCSP check failed for /etc/letsencrypt/live/arms-rol.org/cert.pem (are we offline?)

Thank you all for your help!

1 Like