Web-based validation failed

We are not done yet.

You still need to:

  • restart/reload VirtualMin to serve the new cert.
  • update the OS so that it has the proper root certs in place.
  • possibly add a --deploy-hook [if one is not normally executed]
  • possibly modify the renewal conf to remove the --no-verify-ssl from future renewals
4 Likes

@Varden What changed on your machine since you last got a certificate? Because it looks like your system CA certificate store is damaged.

Can you show results of these commands?

grep -E 'ISRG|DST|Daddy' /etc/ssl/certs/ca-certificates.crt
 
ls -l /etc/ssl/certs | grep -Ei 'ISRG|DST|Daddy'
3 Likes

grep -E 'ISRG|DST|Daddy' /etc/ssl/certs/ca-certificates.crt
/X1PzaBB4DSTv8vihpw3kpBWHNzrKQXlxJ7HNd+KDM3FIUPpqojlNcAZQmNaAl6k

ls -l /etc/ssl/certs | grep -Ei 'ISRG|DST|Daddy'
lrwxrwxrwx 1 root root 23 Oct 26 14:52 219d9499.0 -> Go_Daddy_Class_2_CA.pem
lrwxrwxrwx 1 root root 58 Jun 29 2017 Go_Daddy_Class_2_CA.pem -> /usr/share/ca-certificates/mozilla/Go_Daddy_Class_2_CA.crt
lrwxrwxrwx 1 root root 79 Jun 29 2017 Go_Daddy_Root_Certificate_Authority_-_G2.pem -> /usr/share/ca-certificates/mozilla/Go_Daddy_Root_Certificate_Authority_-_G2.crt
lrwxrwxrwx 1 root root 51 Oct 26 14:27 ISRG_Root_X1.pem -> /usr/share/ca-certificates/mozilla/ISRG_Root_X1.crt
lrwxrwxrwx 1 root root 44 Oct 26 14:52 bc3f2570.0 -> Go_Daddy_Root_Certificate_Authority_-_G2.pem
lrwxrwxrwx 1 root root 44 Oct 26 14:52 cbf06781.0 -> Go_Daddy_Root_Certificate_Authority_-_G2.pem
lrwxrwxrwx 1 root root 23 Oct 26 14:52 f081611a.0 -> Go_Daddy_Class_2_CA.pem

1 Like

That looks good. What about this?

grep -Ei 'MIIFazCCA1OgAwIBAg' /etc/ssl/certs/ca-certificates.crt
3 Likes

grep -Ei 'MIIFazCCA1OgAwIBAg' /etc/ssl/certs/ca-certificates.crt
Nothing happened.
I also tried with grep -E 'MIIFazCCA1OgAwIBAg' /etc/ssl/certs/ca-certificates.crt
but got nothing in response.

You should try updating your ca-certificates.crt using the commands below. I think just the second one, update-ca-certificates, is enough, but both should be fine.

apt-get update ca-certificates
update-ca-certificates
4 Likes

You can find it here: Certbot 2.1.0 Release

1 Like

update-ca-certificates
Updating certificates in /etc/ssl/certs...
W: /usr/share/ca-certificates/mozilla/ISRG_Root_X1.crt not found, but listed in /etc/ca-certificates.conf.
0 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.
done.

@rg305 and @Bruce5051, I will try this option.

1 Like

Well, that's weird. Did you also run apt-get update ca-certificates? Maybe somehow force an update so it'll write the certificates to disk "freshly" or something? (I don't have experience with apt..)

4 Likes

apt-get update ca-certificates
The update command takes no arguments

Thank you all for your interest and time!

2 Likes

Try like this:

Yes, your system CA folders are messed up. Hopefully this forces a refresh.

3 Likes

You could also try:

apt-get --reinstall install ca-certificates
update-ca-certificates
4 Likes

I will try to update it manually.

In the Webmin panel, I tried to update Certbot:

Building complete list of packages ..

Now updating certbot ..

Installing package(s) with command apt-get -y install certbot ..

Reading package lists...
Building dependency tree...
Reading state information...
certbot is already the newest version (0.28.0-1~deb9u2).
certbot set to manually installed.
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.

.. install complete.

No packages were installed. Check the messages above for the cause of the error.

1 Like

Often apt update is needed before other apt commands, I have found.

1 Like

apt-get update
Hit:1 Index of /vm/6/gpl/apt virtualmin-stretch InRelease
Hit:2 Index of /vm/6/gpl/apt virtualmin-universal InRelease
Ign:3 Index of /debian stretch InRelease
Hit:4 Index of /debian stretch-updates InRelease
Hit:5 https://artifacts.elastic.co/packages/7.x/apt stable InRelease
Hit:6 Index of /debian stretch Release
Reading package lists...

update-ca-certificates
Updating certificates in /etc/ssl/certs...
W: /usr/share/ca-certificates/mozilla/ISRG_Root_X1.crt not found, but listed in /etc/ca-certificates.conf.
0 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.
done.

Please try apt-get --reinstall install ca-certificates and then update-ca-certificates.

4 Likes

To be clear:
#1: apt update
#2: apt-get update
#3: apt-get --reinstall install ca-certificates
#4: update-ca-certificates
#5: grep -Ei 'MIIFazCCA1OgAwIBAg' /etc/ssl/certs/ca-certificates.crt

3 Likes

I did the steps you said and I could renew all the certificates of the different domains.

Thank you all so much for your help!

3 Likes
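
The checks run by hand in this thread, gathered into one read-only script as an added example (not code from any poster or from the ca-certificates package). The function names are hypothetical; the default paths are the Debian locations that appear in the outputs above, and the base64 prefix is the one the thread greps for.

```shell
#!/bin/sh
# Added example: audit a Debian-style CA store for the faults seen in the thread.
# Every path is a parameter so the checks can also be run against a copy.

# Print each certificate enabled in ca-certificates.conf whose source file is
# missing (the condition behind the "not found, but listed in" warning).
# Lines starting with '#' are comments; '!' marks a deselected certificate.
missing_listed_certs() {
    conf=${1:-/etc/ca-certificates.conf}
    srcdir=${2:-/usr/share/ca-certificates}
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            ''|'#'*|'!'*) continue ;;
        esac
        [ -f "$srcdir/$line" ] || printf '%s\n' "$line"
    done < "$conf"
}

# Print symlinks in the certs directory whose target no longer exists,
# e.g. an ISRG_Root_X1.pem link pointing at a deleted .crt file.
dangling_links() {
    certdir=${1:-/etc/ssl/certs}
    for f in "$certdir"/*; do
        if [ -L "$f" ] && [ ! -e "$f" ]; then
            printf '%s\n' "${f##*/}"
        fi
    done
}

# Return 0 if some line of the bundle starts with the given base64 prefix.
bundle_has_cert() {
    bundle=${1:-/etc/ssl/certs/ca-certificates.crt}
    prefix=$2
    grep -q -- "^$prefix" "$bundle"
}

# Run all three checks against the live system only when asked to.
if [ "${1:-}" = "--audit" ]; then
    echo "Listed in ca-certificates.conf but missing on disk:"
    missing_listed_certs
    echo "Dangling symlinks in /etc/ssl/certs:"
    dangling_links
    if bundle_has_cert "" MIIFazCCA1OgAwIBAg; then
        echo "Bundle contains the prefix searched for in the thread"
    else
        echo "Bundle does NOT contain the prefix searched for in the thread"
    fi
fi
```

On a store in the state shown earlier in the thread, the first two checks would report `mozilla/ISRG_Root_X1.crt` and `ISRG_Root_X1.pem`; after the reinstall and `update-ca-certificates`, all three should come back clean.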
