Let's Encrypt certificate renewal failed!

Since yesterday webmin keeps sending email "Let's Encrypt certificate renewal failed!" for just one domain.

Email content is the same as in the related issue:

An error occurred requesting a new certificate for www.mysite.net, eu2-www.mysite.net, us2-www.mysite.net, mysite.net from Let's Encrypt : Failed to request certificate : <pre>Parsing account key...
Parsing CSR...
Registering account...
Already registered!
Verifying eu2-www.mysite.net...
Wrote file to /.../.well-known/acme-challenge/L22Sr8uDvnscGmgG8cyOMAVEfco3y_XaDIJs-Ylg4PU, but couldn't download http://eu2-www.mysite.net/.well-known/acme-challenge/L22Sr8uDvnscGmgG8cyOMAVEfco3y_XaDIJs-Ylg4PU
Traceback (most recent call last):
  File "/usr/libexec/webmin/webmin/acme_tiny.py", line 202, in <module>
    main(sys.argv[1:])
  File "/usr/libexec/webmin/webmin/acme_tiny.py", line 198, in main
    signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca)
  File "/usr/libexec/webmin/webmin/acme_tiny.py", line 153, in get_crt
    domain, challenge_status))
ValueError: eu2-www.mysite.net challenge did not pass: {u'status': u'invalid', u'validationRecord': [{u'url': u'http://eu2-www.mysite.net/.well-known/acme-challenge/L22Sr8uDvnscGmgG8cyOMAVEfco3y_XaDIJs-Ylg4PU'
...
...
</pre>

We have resolved the autorenew issue last week, as posted here, but since yesterday we're experiencing this issue.

We did deactivate in Virtuamin the Letsencrypt for the domain for which we get errors, but the error still come every 5 min or so (not regular).
And the error contains webmin lets encrypt scipt /usr/libexec/webmin/webmin/acme_tiny.py

Is there another thing in webmin that may request letsencrypt certificate (webmin SSL certificate does not use lets encrypt in our config) where can we see all letsencrypt certificates that will be renewed? is there a list some where?

Error email comes every 5 min and is synchronized with collectinfo.pl (comes at 03,08,13,18,23,28...)
But sometimes it skips and comes for ecample at 03,08,13,23...

Even after disabling Let's Encrypt certificate for the domain and replacing it by a self-signed certificate, emails with the same error keep arriving!

Status: 
Active

Comments

Howdy -- thanks for contacting us!

Just to clarify -- it sounds like your Let's Encrypt certificate is up to date? The problem is that even with the certificate being up to date, you're receiving renewal errors?

Also, which Webmin and Virtualmin version is it that you are using there?

Also, does this domain have some app installed that is redirecting requests in a way that would prevent the test file /.well-known/acme-challenge/L22Sr8uDvnscGmgG8cyOMAVEfco3y_XaDIJs-Ylg4PU from being downloaded?

Hi, no, there is also a dummy.txt file which is accessible without any problems, so there is nothing preventing access.
Yes, certificate was updated last week and it's up to date!

Which Virtualmin version are you running there? Because the latest release (1.820) would have a larger delay between cert renewal attempts.

We're running the latest version. Yesterday during the day the error emails simply stopped. So for the moment the issue seems resolved.

We're glad to hear things are working now! Let us know if this occurs again so we can look deeper into that.

Hi there,

I'm running Webmin version 1.830 (latest available update) and since last night I am receiving these emails for two domains every 5 minutes. I have received over 300 e-mails over the past 12 hours.

I checked out the "rate limit adjustment" form offered by Let's Encrypt, however I do not have that many subdomains as they require.

What is the suggested course of action?

Thanks

First off, try turning off automatic renewal for these domains on the Manage SSL Certificate page.

Thanks Jamie, this manages to stop the renewal attempts and thus the e-mails.

However -since I do want these autorenewals to eventually succeed- what would be a longer term solution to setting up Let's Encrypt?

I have Webmin 1.830 and Virtualmin 5.07 on two separate Ubuntu 16s with the same behavior.

One detail for these servers is that they were originally spun up as Ubuntu 12, upgraded to 14 and recently to 16, however the kernels on these DigitalOcean droplets is not upgrable to a more recent version like 4.4, so instead they run with "Linux 3.13.0-52-generic on i686".

This issue already proved to be a limitation for the installation of some applications, I wonder if this might be causing issues with Let's Encrypt too.

Thanks, Francisco

Can you first check if a manual renewal / re-request of the cert works?

Hi,

I have a similair issue witLet's Encrypt certificate renewal failed!h Virtual Min on Centos 6.5. I am getting now every 5 minutes mails:

Let's Encrypt certificate renewal failed!

I tried to set renewal to manual via Manage SSL Certificates -> tab Let's Encrypt -> Only renew manually -> button Only Update Renewal.

However, the mails for this domain do not stop....

Hi,

I have a similair issue with Let's Encrypt certificate renewal failed on Virtual Min on Centos 6.5. I am getting now every 5 minutes mails:

Let's Encrypt certificate renewal failed!

I tried to set renewal to manual via Manage SSL Certificates -> tab Let's Encrypt -> Only renew manually -> button Only Update Renewal.

However, the mails for this domain do not stop....

1 - Where can I find the Let's Encrypt configuration files on VirtualMin Centos 6.5? They are not in /etc/letsencrypt (which would be what I expected).

2 - And what is the name of the cron job used by VirtualMin for Letsencrypt auto updates?

3 - Is there a way to reset / re-install clean the letsencrypt part in VirtualMin? It would not be an issue for me to start clean as I used this machine to test letsencrypt first on VirtualMin 5.07gpl on Centos 6.5.

Thanks!

Here is a copy of the non-stoping e-mails every 5 minutes.

=================================================

An error occurred requesting a new certificate for [hidden] from Let's Encrypt : Failed to request certificate :

Parsing account key...

Parsing CSR...
Registering account..
.
Already registered!
Verifying [hidden]...

[hidden] verified!

Traceback (most recent call last):

  File "/usr/libexec/webmin/webmin/acme_tiny.py", line 203, in 
    main(sys.argv[1:])
  File "/usr/libexec/webmin/webmin/acme_tiny.py", line 199, in main
    signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca)
  File "/usr/libexec/webmin/webmin/acme_tiny.py", line 150, in get_crt
    os.remove(wellknown_path)
OSError: [Errno 2] No such file or directory: '/home/[hidden]/public_html/.well-known/acme-challenge/gZRPLdRLGe9clr_cyUEPaViwQWNg1tW2KTjhH-tFV4M'

========================================================

Hi, I have the same problem with letsencrypt. Keep getting automated task's error reports every 5 min.

root@ns1:/etc# virtualmin generate-letsencrypt-cert --domain ns1.mydomain.net --host mydomain.net --renew 3 Requesting SSL certificate for ns1.mydomain.net .. .. failed : Failed to request certificate : Parsing account key... Parsing CSR... Registering account... Traceback (most recent call last): File "/usr/share/webmin/webmin/acme_tiny.py", line 235, in main(sys.argv[1:]) File "/usr/share/webmin/webmin/acme_tiny.py", line 231, in main signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, args.dns_hook, args.cleanup_hook, log=LOGGER, CA=args.ca) File "/usr/share/webmin/webmin/acme_tiny.py", line 99, in get_crt "agreement": "https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf", File "/usr/share/webmin/webmin/acme_tiny.py", line 56, in _send_signed_request protected["nonce"] = urlopen(CA + "/directory").headers['Replay-Nonce'] File "/usr/lib/python2.7/urllib2.py", line 154, in urlopen return opener.open(url, data, timeout) File "/usr/lib/python2.7/urllib2.py", line 435, in open response = meth(req, response) File "/usr/lib/python2.7/urllib2.py", line 548, in http_response 'http', request, response, code, msg, hdrs) File "/usr/lib/python2.7/urllib2.py", line 473, in error return self._call_chain(*args) File "/usr/lib/python2.7/urllib2.py", line 407, in _call_chain result = func(*args) File "/usr/lib/python2.7/urllib2.py", line 556, in http_error_default raise HTTPError(req.get_full_url(), code, msg, hdrs, fp) urllib2.HTTPError: HTTP Error 504: Gateway Time-out

I see this line, thinking that there is a problem with letsencrypt's api.

urllib2.HTTPError: HTTP Error 504: Gateway Time-out

Endpoint is most likely:

DEFAULT_CA = "https://acme-v01.api.letsencrypt.org"

Maybe this helps to figure out problem. Thank you for this awesome project.

I have the same problem with letsencrypt.

A short question to all useres with this Problem:

Are you using HSTS for your Domain? And is your cert still valid? And the Domain is included in your cert?

They are up and running again...

I have the same problem with letsencrypt.

Please update virtualmin GPL

Parsing account key...
Parsing CSR...
Registering account...
Traceback (most recent call last):
  File "/usr/libexec/webmin/webmin/acme_tiny.py", line 235, in <module>
    main(sys.argv[1:])
  File "/usr/libexec/webmin/webmin/acme_tiny.py", line 231, in main
    signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, args.dns_hook, args.cleanup_hook, log=LOGGER, CA=args.ca)
  File "/usr/libexec/webmin/webmin/acme_tiny.py", line 106, in get_crt
    raise ValueError("Error registering: {0} {1}".format(code, result))
ValueError: Error registering: 400 {
  "type": "urn:acme:error:malformed",
  "detail": "Provided agreement URL [https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf] does not match current agreement URL [https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf]",
  "status": 400
}

Here is patch. Now works

*** acme_tiny.py        2017-11-16 13:44:57.093694672 +0000
--- acme_tiny.py.orig   2017-10-09 02:46:21.000000000 +0000
***************
*** 96,102 ****
      log.info("Registering account...")
      code, result = _send_signed_request(CA + "/acme/new-reg", {
          "resource": "new-reg",
!         "agreement": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
      })
      if code == 201:
          log.info("Registered!")
--- 96,102 ----
      log.info("Registering account...")
      code, result = _send_signed_request(CA + "/acme/new-reg", {
          "resource": "new-reg",
!         "agreement": "https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf",
      })
      if code == 201:
          log.info("Registered!")