Virtualmin continually tries to request LetsEncrypt certificate for disabled virtual server but fails

This is Virtualmin 5.05.

I actually discovered this due to getting the following for other virtual servers on the same server.

Traceback (most recent call last):
  File "/usr/share/webmin/webmin/acme_tiny.py", line 203, in <module>
    main(sys.argv[1:])
  File "/usr/share/webmin/webmin/acme_tiny.py", line 199, in main
    signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca)
  File "/usr/share/webmin/webmin/acme_tiny.py", line 109, in get_crt
    raise ValueError("Error requesting challenges: {0} {1}".format(code, result))
ValueError: Error requesting challenges: 429 {
  "type": "urn:acme:error:rateLimited",
  "detail": "Error creating new authz :: Too many currently pending authorizations.",
  "status": 429

So I needed to find out why we were rate limited by Let's Encrypt. After switching on Webmin debugging I found this:

root@vm4-public5:/var/webmin# grep 'openssl' webmin.debug
16285 [23/Feb/2017 10:48:10.065470] - - webmin CMD "cmd=openssl genrsa 2048 "
16285 [23/Feb/2017 10:48:10.146934] - - webmin CMD "cmd=/usr/bin/openssl req -new -key /tmp/.webmin/354582_16285_2_collectinfo.pl -out /tmp/.webmin/121049_16285_4_collectinfo.pl -sha256 -subj \/CN\=elearning\.domain\.org -config /etc/ssl/openssl.cnf -reqexts v3_req -utf8 2>&1"
17115 [23/Feb/2017 10:53:06.267448] - - webmin CMD "cmd=openssl genrsa 2048 "
17115 [23/Feb/2017 10:53:06.551387] - - webmin CMD "cmd=/usr/bin/openssl req -new -key /tmp/.webmin/912262_17115_2_collectinfo.pl -out /tmp/.webmin/336970_17115_4_collectinfo.pl -sha256 -subj \/CN\=elearning\.domain\.org -config /etc/ssl/openssl.cnf -reqexts v3_req -utf8 2>&1"
17869 [23/Feb/2017 10:58:11.001328] - - webmin CMD "cmd=openssl genrsa 2048 "
17869 [23/Feb/2017 10:58:11.331386] - - webmin CMD "cmd=/usr/bin/openssl req -new -key /tmp/.webmin/849276_17869_2_collectinfo.pl -out /tmp/.webmin/365606_17869_4_collectinfo.pl -sha256 -subj \/CN\=elearning\.domain\.org -config /etc/ssl/openssl.cnf -reqexts v3_req -utf8 2>&1"
18529 [23/Feb/2017 11:03:07.634896] - - webmin CMD "cmd=openssl genrsa 2048 "
18529 [23/Feb/2017 11:03:07.818002] - - webmin CMD "cmd=/usr/bin/openssl req -new -key /tmp/.webmin/248200_18529_2_collectinfo.pl -out /tmp/.webmin/333915_18529_4_collectinfo.pl -sha256 -subj \/CN\=elearning\.domain\.org -config /etc/ssl/openssl.cnf -reqexts v3_req -utf8 2>&1"
19350 [23/Feb/2017 11:08:13.479060] - - webmin CMD "cmd=openssl genrsa 2048 "
19350 [23/Feb/2017 11:08:13.779454] - - webmin CMD "cmd=/usr/bin/openssl req -new -key /tmp/.webmin/475743_19350_2_collectinfo.pl -out /tmp/.webmin/127040_19350_4_collectinfo.pl -sha256 -subj \/CN\=elearning\.domain\.org -config /etc/ssl/openssl.cnf -reqexts v3_req -utf8 2>&1"
20199 [23/Feb/2017 11:13:04.486950] - - webmin CMD "cmd=openssl genrsa 2048 "
20199 [23/Feb/2017 11:13:04.609519] - - webmin CMD "cmd=/usr/bin/openssl req -new -key /tmp/.webmin/229844_20199_2_collectinfo.pl -out /tmp/.webmin/665444_20199_4_collectinfo.pl -sha256 -subj \/CN\=elearning\.domain\.org -config /etc/ssl/openssl.cnf -reqexts v3_req -utf8 2>&1"
20675 [23/Feb/2017 11:14:03.296873] root 172.16.0.20 webmin CMD "cmd=openssl genrsa 2048 "
20675 [23/Feb/2017 11:14:03.555035] root 172.16.0.20 webmin CMD "cmd=/usr/bin/openssl req -new -key /tmp/.webmin/54510_20675_1_letsencrypt.cgi -out /tmp/.webmin/550793_20675_3_letsencrypt.cgi -sha256 -subj \/CN\=elearning\.domain\.org -config /etc/ssl/openssl.cnf -reqexts v3_req -utf8 2>&1"

The domain elearning.domain.org (which is disabled) is trying to have its certificate renewed, but is failing... (yes, I changed the domain name to mask the real one)

If you need more detail, let me know. Thanks.

Status: 
Closed (fixed)
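
The renewal loop visible in the debug log above can be detected mechanically. The following is an added example, not part of the original report or of Webmin's code: it parses webmin.debug lines, extracts the CN from each `openssl req` command, and flags names that scheduled runs keep requesting. The function names, the thresholds, the reading of a `-` user field as a scheduled run, and the sample lines are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the quoted webmin.debug format; paths shortened, shop.example.org is made up.
SAMPLE = r'''
16285 [23/Feb/2017 10:48:10.065470] - - webmin CMD "cmd=openssl genrsa 2048 "
16285 [23/Feb/2017 10:48:10.146934] - - webmin CMD "cmd=/usr/bin/openssl req -new -key /tmp/k -out /tmp/c -sha256 -subj \/CN\=elearning\.domain\.org -utf8 2>&1"
17115 [23/Feb/2017 10:53:06.551387] - - webmin CMD "cmd=/usr/bin/openssl req -new -key /tmp/k -out /tmp/c -sha256 -subj \/CN\=elearning\.domain\.org -utf8 2>&1"
17869 [23/Feb/2017 10:58:11.331386] - - webmin CMD "cmd=/usr/bin/openssl req -new -key /tmp/k -out /tmp/c -sha256 -subj \/CN\=elearning\.domain\.org -utf8 2>&1"
20675 [23/Feb/2017 11:14:03.555035] root 172.16.0.20 webmin CMD "cmd=/usr/bin/openssl req -new -key /tmp/k -out /tmp/c -sha256 -subj \/CN\=shop\.example\.org -utf8 2>&1"
'''

LINE_RE = re.compile(r'^\d+ \[([^\]]+)\] (\S+) \S+ \S+ CMD "cmd=(.*)"$')
SUBJ_RE = re.compile(r'openssl req .*-subj (\S+)')

def csr_requests(text):
    """Yield (timestamp, user, common_name) for every 'openssl req' line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        s = SUBJ_RE.search(m.group(3)) if m else None
        if not s:
            continue
        subj = s.group(1).replace('\\', '')  # \/CN\=a\.b -> /CN=a.b
        fields = dict(p.split('=', 1) for p in subj.split('/') if '=' in p)
        if 'CN' in fields:
            ts = datetime.strptime(m.group(1), '%d/%b/%Y %H:%M:%S.%f')
            yield ts, m.group(2), fields['CN']

def renewal_loops(text, min_attempts=3, window_s=3600):
    """Map CN -> most unattended CSRs seen inside any window_s-second window."""
    times = defaultdict(list)
    for ts, user, cn in csr_requests(text):
        if user == '-':  # assumption: '-' marks a scheduled run, not a logged-in user
            times[cn].append(ts)
    flagged = {}
    for cn, stamps in times.items():
        stamps.sort()
        best = start = 0
        for end in range(len(stamps)):
            while (stamps[end] - stamps[start]).total_seconds() > window_s:
                start += 1
            best = max(best, end - start + 1)
        if best >= min_attempts:
            flagged[cn] = best
    return flagged

if __name__ == '__main__':
    print(renewal_loops(SAMPLE))  # {'elearning.domain.org': 3}
```

On a live host, pass the contents of the webmin.debug file in place of SAMPLE; any flagged name is a candidate for the pending-authorization rate limit shown in the traceback.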

Comments

Have you tried upgrading to Virtualmin 5.06? It adds a backoff if the Let's Encrypt renewal fails.

I did upgrade, but then there were issues with 5.06 so I downgraded back to 5.05.

To be fair, what's the point in backing off? The website is disabled and so could never satisfy the Let's Encrypt site validator regardless of if it was rate limited?

Surely it shouldn't try to renew?

Sorry, I missed that part of your bug report - I thought the issue was the rate of failed renewals.

The next release of Virtualmin (5.07) will fix the problem of attempting to renew the cert for a disabled domain.

Status: Active » Fixed