Since yesterday webmin keeps sending email "Let's Encrypt certificate renewal failed!" for just one domain.
Email content is the same as in the related issue:
An error occurred requesting a new certificate for www.mysite.net, eu2-www.mysite.net, us2-www.mysite.net, mysite.net from Let's Encrypt : Failed to request certificate : <pre>Parsing account key...
Parsing CSR...
Registering account...
Already registered!
Verifying eu2-www.mysite.net...
Wrote file to /.../.well-known/acme-challenge/L22Sr8uDvnscGmgG8cyOMAVEfco3y_XaDIJs-Ylg4PU, but couldn't download http://eu2-www.mysite.net/.well-known/acme-challenge/L22Sr8uDvnscGmgG8cyOMAVEfco3y_XaDIJs-Ylg4PU
Traceback (most recent call last):
File "/usr/libexec/webmin/webmin/acme_tiny.py", line 202, in <module>
main(sys.argv[1:])
File "/usr/libexec/webmin/webmin/acme_tiny.py", line 198, in main
signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca)
File "/usr/libexec/webmin/webmin/acme_tiny.py", line 153, in get_crt
domain, challenge_status))
ValueError: eu2-www.mysite.net challenge did not pass: {u'status': u'invalid', u'validationRecord': [{u'url': u'http://eu2-www.mysite.net/.well-known/acme-challenge/L22Sr8uDvnscGmgG8cyOMAVEfco3y_XaDIJs-Ylg4PU'
...
...
</pre>
We have resolved the autorenew issue last week, as posted here, but since yesterday we're experiencing this issue.
We did deactivate in Virtualmin the Letsencrypt for the domain for which we get errors, but the errors still come every 5 min or so (not regular).
And the error contains the webmin lets encrypt script /usr/libexec/webmin/webmin/acme_tiny.py
Is there another thing in webmin that may request a letsencrypt certificate (the webmin SSL certificate does not use lets encrypt in our config)? Where can we see all letsencrypt certificates that will be renewed? Is there a list somewhere?
Error email comes every 5 min and is synchronized with collectinfo.pl (comes at 03,08,13,18,23,28...)
But sometimes it skips and comes for example at 03,08,13,23...
Even after disabling Let's Encrypt certificate for the domain and replacing it by a self-signed certificate, emails with the same error keep arriving!
Comments
Submitted by Ivan2 on Tue, 12/06/2016 - 04:31 Comment #1
Submitted by Ivan2 on Tue, 12/06/2016 - 04:36 Comment #2
Submitted by andreychek on Tue, 12/06/2016 - 08:43 Comment #3
Howdy -- thanks for contacting us!
Just to clarify -- it sounds like your Let's Encrypt certificate is up to date? The problem is that even with the certificate being up to date, you're receiving renewal errors?
Also, which Webmin and Virtualmin version is it that you are using there?
Submitted by JamieCameron on Tue, 12/06/2016 - 09:41 Comment #4
Also, does this domain have some app installed that is redirecting requests in a way that would prevent the test file
/.well-known/acme-challenge/L22Sr8uDvnscGmgG8cyOMAVEfco3y_XaDIJs-Ylg4PU
from being downloaded?
Submitted by Ivan2 on Tue, 12/06/2016 - 10:18 Comment #5
Hi, no, there is also a dummy.txt file which is accessible without any problems, so there is nothing preventing access.
Yes, certificate was updated last week and it's up to date!
Submitted by JamieCameron on Tue, 12/06/2016 - 16:39 Comment #6
Which Virtualmin version are you running there? Because the latest release (1.820) would have a larger delay between cert renewal attempts.
Submitted by Ivan2 on Wed, 12/07/2016 - 00:30 Comment #7
We're running the latest version. Yesterday during the day the error emails simply stopped. So for the moment the issue seems resolved.
Submitted by andreychek on Wed, 12/07/2016 - 07:13 Comment #8
We're glad to hear things are working now! Let us know if this occurs again so we can look deeper into that.
Submitted by azcunaga on Mon, 04/03/2017 - 09:15 Comment #9
Hi there,
I'm running Webmin version 1.830 (latest available update) and since last night I am receiving these emails for two domains every 5 minutes. I have received over 300 e-mails over the past 12 hours.
I checked out the "rate limit adjustment" form offered by Let's Encrypt, however I do not have that many subdomains as they require.
What is the suggested course of action?
Thanks
Submitted by JamieCameron on Mon, 04/03/2017 - 17:56 Comment #10
First off, try turning off automatic renewal for these domains on the Manage SSL Certificate page.
Submitted by azcunaga on Tue, 04/04/2017 - 10:10 Comment #11
Thanks Jamie, this manages to stop the renewal attempts and thus the e-mails.
However -since I do want these autorenewals to eventually succeed- what would be a longer term solution to setting up Let's Encrypt?
I have Webmin 1.830 and Virtualmin 5.07 on two separate Ubuntu 16s with the same behavior.
One detail for these servers is that they were originally spun up as Ubuntu 12, upgraded to 14 and recently to 16, however the kernels on these DigitalOcean droplets are not upgradable to a more recent version like 4.4, so instead they run with "Linux 3.13.0-52-generic on i686".
This issue already proved to be a limitation for the installation of some applications, I wonder if this might be causing issues with Let's Encrypt too.
Thanks, Francisco
Submitted by JamieCameron on Tue, 04/04/2017 - 21:47 Comment #12
Can you first check if a manual renewal / re-request of the cert works?
Submitted by ladhani on Thu, 04/20/2017 - 11:24 Comment #13
Hi,
I have a similar issue with Virtual Min on Centos 6.5. I am now getting mails every 5 minutes:
Let's Encrypt certificate renewal failed!
I tried to set renewal to manual via Manage SSL Certificates -> tab Let's Encrypt -> Only renew manually -> button Only Update Renewal.
However, the mails for this domain do not stop....
Submitted by ladhani on Thu, 04/20/2017 - 11:22 Comment #14
Hi,
I have a similar issue with Let's Encrypt certificate renewal failed on Virtual Min on Centos 6.5. I am now getting mails every 5 minutes:
Let's Encrypt certificate renewal failed!
I tried to set renewal to manual via Manage SSL Certificates -> tab Let's Encrypt -> Only renew manually -> button Only Update Renewal.
However, the mails for this domain do not stop....
1 - Where can I find the Let's Encrypt configuration files on VirtualMin Centos 6.5? They are not in /etc/letsencrypt (which would be what I expected).
2 - And what is the name of the cron job used by VirtualMin for Letsencrypt auto updates?
3 - Is there a way to reset / re-install clean the letsencrypt part in VirtualMin? It would not be an issue for me to start clean as I used this machine to test letsencrypt first on VirtualMin 5.07gpl on Centos 6.5.
Thanks!
Here is a copy of the non-stopping e-mails every 5 minutes.
=================================================
An error occurred requesting a new certificate for [hidden] from Let's Encrypt : Failed to request certificate :
========================================================
Submitted by risyasin on Fri, 05/19/2017 - 06:51 Comment #15
Hi, I have the same problem with letsencrypt. Keep getting automated task's error reports every 5 min.
root@ns1:/etc# virtualmin generate-letsencrypt-cert --domain ns1.mydomain.net --host mydomain.net --renew 3
Requesting SSL certificate for ns1.mydomain.net ..
.. failed : Failed to request certificate : Parsing account key...
Parsing CSR...
Registering account...
Traceback (most recent call last):
File "/usr/share/webmin/webmin/acme_tiny.py", line 235, in <module>
main(sys.argv[1:])
File "/usr/share/webmin/webmin/acme_tiny.py", line 231, in main
signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, args.dns_hook, args.cleanup_hook, log=LOGGER, CA=args.ca)
File "/usr/share/webmin/webmin/acme_tiny.py", line 99, in get_crt
"agreement": "https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf",
File "/usr/share/webmin/webmin/acme_tiny.py", line 56, in _send_signed_request
protected["nonce"] = urlopen(CA + "/directory").headers['Replay-Nonce']
File "/usr/lib/python2.7/urllib2.py", line 154, in urlopen
return opener.open(url, data, timeout)
File "/usr/lib/python2.7/urllib2.py", line 435, in open
response = meth(req, response)
File "/usr/lib/python2.7/urllib2.py", line 548, in http_response
'http', request, response, code, msg, hdrs)
File "/usr/lib/python2.7/urllib2.py", line 473, in error
return self._call_chain(*args)
File "/usr/lib/python2.7/urllib2.py", line 407, in _call_chain
result = func(*args)
File "/usr/lib/python2.7/urllib2.py", line 556, in http_error_default
raise HTTPError(req.get_full_url(), code, msg, hdrs, fp)
urllib2.HTTPError: HTTP Error 504: Gateway Time-out
I see this line, thinking that there is a problem with letsencrypt's api.
urllib2.HTTPError: HTTP Error 504: Gateway Time-out
Endpoint is most likely:
DEFAULT_CA = "https://acme-v01.api.letsencrypt.org"
Maybe this helps to figure out problem. Thank you for this awesome project.
Submitted by toli on Fri, 05/19/2017 - 07:54 Pro Licensee Comment #16
I have the same problem with letsencrypt.
Submitted by JamieCameron on Fri, 05/19/2017 - 10:00 Comment #17
Make sure there's no firewall on your system or network that is preventing outgoing HTTP connections to https://acme-v01.api.letsencrypt.org
Submitted by gnilebein on Fri, 05/19/2017 - 14:34 Comment #18
A short question to all users with this problem:
Are you using HSTS for your Domain? And is your cert still valid? And the Domain is included in your cert?
Submitted by gnilebein on Fri, 05/19/2017 - 16:57 Comment #19
Let's Encrypt is down at the moment.
See http://letsencrypt.status.io/
Submitted by gnilebein on Fri, 05/19/2017 - 18:15 Comment #20
They are up and running again...
Submitted by artcyb on Thu, 06/08/2017 - 11:31 Comment #21
I have the same problem with letsencrypt.
Submitted by gnilebein on Fri, 06/09/2017 - 01:55 Comment #22
Try it again. There was a planned maintenance....
https://letsencrypt.status.io/pages/history/55957a99e800baa4470002da
Submitted by ckwsp101 on Thu, 11/16/2017 - 00:19 Comment #23
Please update virtualmin GPL
Parsing account key...
Parsing CSR...
Registering account...
Traceback (most recent call last):
File "/usr/libexec/webmin/webmin/acme_tiny.py", line 235, in <module>
main(sys.argv[1:])
File "/usr/libexec/webmin/webmin/acme_tiny.py", line 231, in main
signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, args.dns_hook, args.cleanup_hook, log=LOGGER, CA=args.ca)
File "/usr/libexec/webmin/webmin/acme_tiny.py", line 106, in get_crt
raise ValueError("Error registering: {0} {1}".format(code, result))
ValueError: Error registering: 400 {
"type": "urn:acme:error:malformed",
"detail": "Provided agreement URL [https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf] does not match current agreement URL [https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf]",
"status": 400
}
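The thread shows three different failures behind the same "renewal failed" email: the invalid challenge in the original report, the HTTP 504 from the CA in comment #15, and the agreement mismatch in comment #23. The following added example, which is not part of the thread or of Webmin, sorts acme_tiny.py output into those cases and spaces out retries; the function names, categories, hint texts and backoff values are assumptions.

```python
import re

# Constructed samples, trimmed from the three tracebacks quoted in this thread.
SAMPLES = {
    "challenge": "ValueError: eu2-www.mysite.net challenge did not pass: "
                 "{u'status': u'invalid', u'validationRecord': [{u'url': ...",
    "outage": "urllib2.HTTPError: HTTP Error 504: Gateway Time-out",
    "agreement": "ValueError: Error registering: 400 {\n"
                 '"detail": "Provided agreement URL [https://letsencrypt.org/'
                 "documents/LE-SA-v1.1.1-August-1-2016.pdf] does not match "
                 "current agreement URL [https://letsencrypt.org/documents/"
                 'LE-SA-v1.2-November-15-2017.pdf]",',
}

# (category, pattern, safe to retry automatically?, operator hint).
# Categories, hints and the retry policy are assumptions of this example.
RULES = [
    ("challenge_failed",
     re.compile(r"ValueError: (?P<detail>\S+) challenge did not pass"),
     False, "fetch the challenge URL from outside; check redirects and vhosts"),
    ("agreement_mismatch",
     re.compile(r"does not match current agreement URL \[(?P<detail>[^\]]+)\]"),
     False, "client sends an old agreement URL; update Webmin/Virtualmin"),
    ("ca_unreachable",
     re.compile(r"HTTPError: HTTP Error (?P<detail>5\d\d)"),
     True, "CA-side or network error; check the CA status page and firewall"),
]

def triage(output):
    """Classify acme_tiny.py failure output: (category, detail, retry, hint)."""
    for category, pattern, retry, hint in RULES:
        match = pattern.search(output)
        if match:
            return category, match.group("detail"), retry, hint
    return "unknown", None, False, "read the full traceback"

def retry_delay(retry, failures, base=300, cap=86400):
    """Seconds until the next attempt, or None when an operator must act first.

    Starts at the 5-minute cadence seen in the thread and doubles per
    consecutive failure up to one day, instead of retrying every run.
    """
    if not retry:
        return None
    return min(cap, base * 2 ** (failures - 1))

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        category, detail, retry, hint = triage(text)
        print(name, category, detail, retry_delay(retry, 3), hint)
```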
Submitted by ckwsp101 on Thu, 11/16/2017 - 07:50 Comment #24
Here is a patch. Now it works.
*** acme_tiny.py 2017-11-16 13:44:57.093694672 +0000
--- acme_tiny.py.orig 2017-10-09 02:46:21.000000000 +0000
***************
*** 96,102 ****
log.info("Registering account...")
code, result = _send_signed_request(CA + "/acme/new-reg", {
"resource": "new-reg",
! "agreement": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
})
if code == 201:
log.info("Registered!")
--- 96,102 ----
log.info("Registering account...")
code, result = _send_signed_request(CA + "/acme/new-reg", {
"resource": "new-reg",
! "agreement": "https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf",
})
if code == 201:
log.info("Registered!")
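Review bot: The diff direction is reversed in the 96,102 hunk: the "***" (from) side carries the LE-SA-v1.2-November-15-2017.pdf agreement while the "---" (to) side carries LE-SA-v1.1.1-August-1-2016.pdf, matching the header where acme_tiny.py.orig is listed as the target. Applied as written to a stock file it would either be rejected or put back the URL the CA refuses, so please regenerate it with the .orig file as the first argument to diff. The agreement URL also stays a hard-coded literal in the new-reg payload, so the same 400 will come back at the next agreement revision; consider obtaining the current URL from the CA at run time instead.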