Will not create SSL for webmin - acme

Hi,

I hope you can help me. I have some problems issuing an SSL certificate for my Webmin control panel.

My domain is: webmin.futurenode.dk

I ran this command in webmin:

It produced this output:

Traceback (most recent call last):
  File "/usr/share/webmin/webmin/acme_tiny.py", line 141, in get_crt
    assert (disable_check or _do_request(wellknown_url)[0] == keyauthorization)
  File "/usr/share/webmin/webmin/acme_tiny.py", line 46, in _do_request
    raise ValueError("{0}:\nUrl: {1}\nData: {2}\nResponse Code: {3}\nResponse: {4}".format(err_msg, url, data, code, resp_data))
ValueError: Error:
Url: http://webmin.futurenode.dk/.well-known/acme-challenge/P31VwsIWj8WGFmKNwemipjW27WcOctbaEKku7IO2Nog
Data: None
Response Code: 404
Response: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL was not found on this server.</p>
</body></html>

During handling of the above exception, another exception occurred:

My web server is (include version):

Server version: Apache/2.4.52 (Ubuntu)
Server built: 2023-03-01T22:43:55

The operating system my web server runs on is (include version):

Ubuntu 22.04.2 LTS

My hosting provider, if applicable, is:

Hetzner Dedicated Server

I can login to a root shell on my machine (yes or no, or I don't know):

YES

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

ISPConfig 3.2.9p1 And Webmin 2.021

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

I don't know..

My vhost for "webmin.futurenode.dk"

<VirtualHost *:80>
     ServerName webmin.futurenode.dk
     DocumentRoot /var/www/webmin
     <Directory /var/www/webmin>
          Options Indexes FollowSymLinks
          AllowOverride All
          Require all granted
     </Directory>

     <FilesMatch "\.php$">
          SetHandler "proxy:unix:/var/run/php/php8.2-fpm.sock|fcgi://localhost/"
     </FilesMatch>

</VirtualHost>

Kind regards

Thomas

This means the Let's Encrypt server was not able to find the expected challenge file.

I don't know webmin or acme-tiny very well but I believe your DocumentRoot in Apache must match the folder value used by the --acme-dir option for acme-tiny. I don't know how webmin sets that value but it uses acme-tiny to make the cert request. A webmin forum might be a better place to ask about that.

Also, I am pretty sure that '60' is far too many MONTHS between auto-renew. 2 is better and webmin should be asking about that as a percentage of days remaining instead of months. Ouch.

3 Likes

I assume the field "Website root directory for validation file" in the Webmin screenshot would set the --acme-dir option. But I also don't know Webmin any more than you do :stuck_out_tongue:

Maybe Apache is configured incorrectly? Multiple conflicting virtualhosts perhaps? OP could check the output of apachectl -t -D DUMP_VHOSTS.

3 Likes

@Osiris - Here you go

root@skytower /etc/apache2/sites-enabled # apachectl -t -D DUMP_VHOSTS
VirtualHost configuration:
*:8081                 skytower.futurenode.dk (/etc/apache2/sites-enabled/000-apps.vhost:9)
*:8080                 skytower.futurenode.dk (/etc/apache2/sites-enabled/000-ispconfig.vhost:9)
*:80                   is a NameVirtualHost
         default server skytower.futurenode.dk (/etc/apache2/sites-enabled/000-default.conf:1)
         port 80 namevhost skytower.futurenode.dk (/etc/apache2/sites-enabled/000-default.conf:1)
         port 80 namevhost webmin.futurenode.dk (/etc/apache2/sites-enabled/000-webmin.vhost:1)
         port 80 namevhost discord.futurenode.dk (/etc/apache2/sites-enabled/100-discord.futurenode.dk.vhost:7)
                 alias www.discord.futurenode.dk
         port 80 namevhost futurenode.dk (/etc/apache2/sites-enabled/100-futurenode.dk.vhost:7)
                 alias www.futurenode.dk
                 alias .futurenode.dk
         port 80 namevhost futurenode.net (/etc/apache2/sites-enabled/100-futurenode.net.vhost:7)
                 alias www.futurenode.net
         port 80 namevhost futurenode.org (/etc/apache2/sites-enabled/100-futurenode.org.vhost:7)
                 alias www.futurenode.org
         port 80 namevhost halfdaner.dk (/etc/apache2/sites-enabled/100-halfdaner.dk.vhost:7)
                 alias www.halfdaner.dk
         port 80 namevhost mycodingplace.net (/etc/apache2/sites-enabled/100-mycodingplace.net.vhost:7)
                 alias www.mycodingplace.net
         port 80 namevhost team-halfdaner.dk (/etc/apache2/sites-enabled/100-team-halfdaner.dk.vhost:7)
                 alias www.team-halfdaner.dk
         port 80 namevhost tmp.futurenode.dk (/etc/apache2/sites-enabled/100-tmp.futurenode.dk.vhost:7)
*:443                  is a NameVirtualHost
         default server discord.futurenode.dk (/etc/apache2/sites-enabled/100-discord.futurenode.dk.vhost:132)
         port 443 namevhost discord.futurenode.dk (/etc/apache2/sites-enabled/100-discord.futurenode.dk.vhost:132)
                 alias www.discord.futurenode.dk
         port 443 namevhost futurenode.dk (/etc/apache2/sites-enabled/100-futurenode.dk.vhost:131)
                 alias www.futurenode.dk
                 alias .futurenode.dk
         port 443 namevhost futurenode.net (/etc/apache2/sites-enabled/100-futurenode.net.vhost:151)
                 alias www.futurenode.net
         port 443 namevhost futurenode.org (/etc/apache2/sites-enabled/100-futurenode.org.vhost:151)
                 alias www.futurenode.org
         port 443 namevhost halfdaner.dk (/etc/apache2/sites-enabled/100-halfdaner.dk.vhost:151)
                 alias www.halfdaner.dk
         port 443 namevhost mycodingplace.net (/etc/apache2/sites-enabled/100-mycodingplace.net.vhost:143)
                 alias www.mycodingplace.net
         port 443 namevhost team-halfdaner.dk (/etc/apache2/sites-enabled/100-team-halfdaner.dk.vhost:151)
                 alias www.team-halfdaner.dk
         port 443 namevhost tmp.futurenode.dk (/etc/apache2/sites-enabled/100-tmp.futurenode.dk.vhost:89)
root@skytower /etc/apache2/sites-enabled #

Hm, looks fine to me. So I'm out of ideas.

Maybe someone else here knows something else, but I'd also try some Webmin support channel if I were you.

3 Likes

Ok.. I will - Thanks for trying

I think my brain was scrambled after seeing 60 Months for auto-renew :slight_smile:

4 Likes

This is the only possible overlap:

Being that the webmin vhost name is first ("000..."), that doesn't seem very likely...
But, I got nothing else to explain the 404 error.

I'd put two separate sets of log files [one for each of those two vhosts], then place a test file in the expected challenge location:
/var/www/webmin/.well-known/acme-challenge/{file-name}
and see if it can be reached.
If not [very likely], see which of the two log files is showing the access request.

3 Likes

Good eye. But, there is a tmp.futurenode.dk VirtualHost after that wildcard name. Won't affect this thread's problem domain but the tmp domain is affected by this overlap.

3 Likes
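
The overlap discussed in the two posts above can be checked mechanically. The following is an added example, not part of the original thread: it parses `apachectl -t -D DUMP_VHOSTS` output and reports which vhost file answers a given Host name on port 80, using Apache's rule that the first vhost whose ServerName or alias matches wins. The function names are hypothetical, the sample is a constructed excerpt of the dump posted above, and it assumes the alias shown as `.futurenode.dk` is the wildcard `*.futurenode.dk`.

```python
import fnmatch
import re

# Constructed excerpt of the port-80 section of the dump posted in the thread.
# Assumption: the alias printed as ".futurenode.dk" is really "*.futurenode.dk"
# (the asterisk appears to have been lost when the post was rendered).
SAMPLE_DUMP = """\
*:80                   is a NameVirtualHost
         default server skytower.futurenode.dk (/etc/apache2/sites-enabled/000-default.conf:1)
         port 80 namevhost skytower.futurenode.dk (/etc/apache2/sites-enabled/000-default.conf:1)
         port 80 namevhost webmin.futurenode.dk (/etc/apache2/sites-enabled/000-webmin.vhost:1)
         port 80 namevhost futurenode.dk (/etc/apache2/sites-enabled/100-futurenode.dk.vhost:7)
                 alias www.futurenode.dk
                 alias *.futurenode.dk
         port 80 namevhost tmp.futurenode.dk (/etc/apache2/sites-enabled/100-tmp.futurenode.dk.vhost:7)
"""

VHOST_RE = re.compile(r"port (\d+) namevhost (\S+) \((.+):\d+\)")
ALIAS_RE = re.compile(r"alias (\S+)")


def parse_vhosts(dump, port):
    """Return [(names, config_file)] for `port`, in the order Apache loaded them."""
    vhosts, names = [], None
    for line in dump.splitlines():
        vhost = VHOST_RE.search(line)
        alias = ALIAS_RE.match(line.strip())
        if vhost:
            # Start a new vhost; ignore it (and its aliases) if it is on another port.
            names = [vhost.group(2)] if int(vhost.group(1)) == port else None
            if names is not None:
                vhosts.append((names, vhost.group(3)))
        elif alias and names is not None:
            names.append(alias.group(1))
    return vhosts


def serving_vhost(vhosts, host):
    """First vhost whose ServerName or alias matches wins; otherwise the first (default) vhost."""
    for names, conf in vhosts:
        if any(fnmatch.fnmatchcase(host.lower(), n.lower()) for n in names):
            return conf
    return vhosts[0][1]


def shadowed_vhosts(vhosts):
    """List (ServerName, winning_file) for vhosts whose own name is answered by an earlier vhost."""
    hits = [(names[0], serving_vhost(vhosts, names[0]), conf) for names, conf in vhosts]
    return [(name, winner) for name, winner, conf in hits if winner != conf]
```

On a live server the input would be the full text printed by `apachectl -t -D DUMP_VHOSTS`; a non-empty result from `shadowed_vhosts` names the vhosts whose requests, ACME challenge requests included, land in another site's DocumentRoot.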

Hawk eye!

3 Likes

Ha ha.. It was a user error :slight_smile: - Fixed to 2 months..

I will use the IP instead..

Thanks for your help.

1 Like
