Let's Encrypt certificate renewal failure

When I try to renew a certificate for the domain I get this

It is very important that I fix this before tomorrow. Please help!!!

Thanks, Giovanni

Requesting a certificate for inspections.e3bldg.com from Let's Encrypt ..
.. request failed : Failed to request certificate :
Parsing account key...
Parsing CSR...
Registering account...
Already registered!
Signing certificate...
Traceback (most recent call last):
  File "/usr/share/webmin/webmin/acme_tiny.py", line 235, in <module>
    main(sys.argv[1:])
  File "/usr/share/webmin/webmin/acme_tiny.py", line 231, in main
    signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, args.dns_hook, args.cleanup_hook, log=LOGGER, CA=args.ca)
  File "/usr/share/webmin/webmin/acme_tiny.py", line 196, in get_crt
    raise ValueError("Error signing certificate: {0} {1}".format(code, result))
ValueError: Error signing certificate: 403 {
  "type": "urn:acme:error:unauthorized",
  "detail": "Error creating new cert :: authorizations for these names not found or expired: xxxxxxxx.xxxxxxx.com",
  "status": 403
}
Status: Closed (fixed)

Comments

Howdy -- hmm, I'm not seeing a challenge file in "http://inspections.e3bldg.com/.well-known/acme-challenge/".

That should be created during the SSL renewal process.

Are you able to add a file there as that particular user, and then access it from a web browser?

Also, are you able to create or renew Let's Encrypt SSL certificates on other domains on your server?
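The check suggested in the comment above (put a file under .well-known/acme-challenge/ and fetch it from a browser) as a script. This is an added example, not Webmin or Virtualmin code. selftest() serves a temporary directory on 127.0.0.1 as a stand-in for the real web server, and its deny handler imitates a rewrite or deny rule that hides /.well-known/, which is the kind of failure a CMS .htaccess can cause. To probe a live site, call preflight_http01() with the virtual server's document root and its http:// URL (both of those arguments are the caller's own values; the path in the comment at the end is only an assumption).

```python
"""Pre-flight check for an ACME http-01 challenge.

Added example, not Webmin/Virtualmin code. Drops a file into
<webroot>/.well-known/acme-challenge/ and confirms that
<base_url>/.well-known/acme-challenge/<token> returns it unchanged.
selftest() serves a temporary directory on 127.0.0.1 (an assumption that
stands in for the real web server) and also shows the failure mode where
a rewrite/deny rule hides /.well-known/.
"""
import os
import secrets
import tempfile
import threading
import urllib.error
import urllib.request
from functools import partial
from http.server import SimpleHTTPRequestHandler, ThreadingHTTPServer

CHALLENGE_PATH = ".well-known/acme-challenge"


def preflight_http01(webroot, base_url, timeout=10):
    """Write a random probe token under the challenge directory, fetch it back
    over plain HTTP and compare. Returns (ok, detail); the probe is removed."""
    token = secrets.token_urlsafe(32)
    body = "probe-" + token          # a real challenge serves token.thumbprint
    chal_dir = os.path.join(webroot, *CHALLENGE_PATH.split("/"))
    os.makedirs(chal_dir, exist_ok=True)
    path = os.path.join(chal_dir, token)
    with open(path, "w") as fh:
        fh.write(body)
    url = "%s/%s/%s" % (base_url.rstrip("/"), CHALLENGE_PATH, token)
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            status, got = resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as exc:
        return False, "GET %s -> HTTP %d: the web server refuses the path (rewrite rule, Deny, or missing directory)" % (url, exc.code)
    except (urllib.error.URLError, OSError) as exc:
        return False, "GET %s failed: %s (DNS, firewall or server not listening)" % (url, exc)
    finally:
        try:
            os.remove(path)
        except OSError:
            pass
    if got != body:
        return False, "GET %s -> HTTP %d but a different body came back (another handler answered, e.g. a CMS front controller)" % (url, status)
    return True, "GET %s -> HTTP %d, body matches" % (url, status)


class _QuietHandler(SimpleHTTPRequestHandler):
    def log_message(self, *args):       # keep the self-test silent
        pass


class _DenyWellKnownHandler(_QuietHandler):
    """Imitates a misconfigured rewrite/deny rule that hides /.well-known/."""
    def do_GET(self):
        if self.path.startswith("/.well-known/"):
            self.send_error(403)
        else:
            super().do_GET()


def serve_webroot(webroot, deny_well_known=False):
    """Serve webroot on 127.0.0.1 with an ephemeral port (self-test only)."""
    handler = _DenyWellKnownHandler if deny_well_known else _QuietHandler
    httpd = ThreadingHTTPServer(("127.0.0.1", 0), partial(handler, directory=webroot))
    threading.Thread(target=httpd.serve_forever, daemon=True).start()
    return httpd, "http://127.0.0.1:%d" % httpd.server_address[1]


def selftest():
    """Returns {'served': True, 'blocked': False} when the probe logic works."""
    results = {}
    with tempfile.TemporaryDirectory() as webroot:
        for name, deny in (("served", False), ("blocked", True)):
            httpd, base = serve_webroot(webroot, deny_well_known=deny)
            try:
                results[name] = preflight_http01(webroot, base)[0]
            finally:
                httpd.shutdown()
                httpd.server_close()
    return results


if __name__ == "__main__":
    print(selftest())
    # Against the live site (document root is an assumption; use the virtual server's own):
    # print(preflight_http01("/home/example/public_html", "http://inspections.e3bldg.com"))
```

A probe run from the server itself only proves that the web server and its .htaccess let the path through; the CA fetches from outside, so DNS and firewall problems still need a check from another network.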

I created a file info.php owned by root; you can launch it and see my PHP config.

Status: Active » Closed (fixed)

Thanks for letting us know!

Jamie, the issues ttyllc was seeing with obtaining a Let's Encrypt cert appear to have been a bug with acme_tiny. Applying a patch fixed it.

We may want to ensure that the latest version of acme_tiny is going into the next Virtualmin version.

Ok, that would explain it - I guess some openssl update changed the format of that CN line and broke acme_tiny. That patch will be included in the next Webmin release though.

Hello,

I have the same problem with Virtualmin 5.99. Today my Let's Encrypt certificate expired and I tried to renew it manually, but it doesn't work. The last time it worked was three months ago, and it was configured to update the certificate automatically every 2.8 months.

I upgraded Webmin to the 5.99 version, but it still does not work. I did not change anything in my DNS or firewall; I only upgraded Webmin.

I really need to get this bug fixed because my site is broken without SSL.

I get this error when I'm trying to renew the certificate from Virtualmin:

Parsing account key...
Parsing CSR...
Registering account...
Already registered!
Verifying www.xxxxxxxxxxxxx...
Traceback (most recent call last):
  File "/usr/share/webmin/webmin/acme_tiny.py", line 235, in <module>
    main(sys.argv[1:])
  File "/usr/share/webmin/webmin/acme_tiny.py", line 231, in main
    signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, args.dns_hook, args.cleanup_hook, log=LOGGER, CA=args.ca)
  File "/usr/share/webmin/webmin/acme_tiny.py", line 184, in get_crt
    domain, challenge_status))
ValueError: www.xxxxxxxxxxxxxxx challenge did not pass: {u'status': u'invalid', u'keyAuthorization': u'ixHf2KblIOQ3CYOnDkjPQSVIEo7naYtlEzpr0jNw8K0.lNXJCC5QfC9YOHAce9XBUu4PmgVHbJlBDHBl68hwIhQ', u'uri': u'https://acme-v01.api.letsencrypt.org/acme/challenge/w02v0XZ2fxMzKe9rmiwamOFIZW7aJ56O0JtfV4wdKbc/1590101689', u'token': u'ixHf2KblIOQ3CYOnDkjPQSVIEo7naYtlEzpr0jNw8K0', u'error': {u'status': 400, u'type': u'urn:acme:error:connection', u'detail': u'DNS problem: NXDOMAIN looking up TXT for _acme-challenge.www.xxxxxxxxxxxxx'}, u'type': u'dns-01'}

Thank you, Marius

It looks like it wasn't able to resolve the domain -- what is the domain name in question that you're trying to obtain this SSL cert for?

The domain name is aripisprecer.ro and I am able to resolve it directly or on www.

Yes, I can resolve it now - can you re-try the certificate request?

Yes, just a moment...

Let me try.

So, I've tried, but I got the same error:

Parsing account key...
Parsing CSR...
Registering account...
Already registered!
Verifying www.aripisprecer.ro...
Traceback (most recent call last):
  File "/usr/share/webmin/webmin/acme_tiny.py", line 235, in <module>
    main(sys.argv[1:])
  File "/usr/share/webmin/webmin/acme_tiny.py", line 231, in main
    signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, args.dns_hook, args.cleanup_hook, log=LOGGER, CA=args.ca)
  File "/usr/share/webmin/webmin/acme_tiny.py", line 184, in get_crt
    domain, challenge_status))
ValueError: www.aripisprecer.ro challenge did not pass: {u'status': u'invalid', u'keyAuthorization': u'G3oRNyHth7SUF6zuEJEvyvygoh91jdyqhzhemJ5An4g.lNXJCC5QfC9YOHAce9XBUu4PmgVHbJlBDHBl68hwIhQ', u'uri': u'https://acme-v01.api.letsencrypt.org/acme/challenge/s5AOQnHB2h5RbBa__vBc8f-IhTdnliBXCepRxMNlz7k/1592928644', u'token': u'G3oRNyHth7SUF6zuEJEvyvygoh91jdyqhzhemJ5An4g', u'error': {u'status': 400, u'type': u'urn:acme:error:connection', u'detail': u'DNS problem: NXDOMAIN looking up TXT for _acme-challenge.www.aripisprecer.ro'}, u'type': u'dns-01'}
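What the keyAuthorization value in the two tracebacks above is made of, and what each challenge type actually publishes. This is an added example, not acme_tiny's own code. SAMPLE_JWK is a constructed placeholder (its modulus is junk), while PAGE_KEYAUTHS are the two strings copied from the tracebacks; both end in the same 43-character thumbprint because the same account key signed both requests, and only the token half changes per authorization. The dns-01 record name is what the NXDOMAIN in the error refers to, and its value is a hash of the key authorization, not the key authorization itself.

```python
"""What the keyAuthorization in the traceback above is made of (RFC 8555 §8.1)
and what each challenge type publishes. Added example, not acme_tiny's code;
SAMPLE_JWK is a constructed placeholder, not a real key."""
import base64
import hashlib
import json

# Constructed placeholder account key (public part only; the modulus is junk).
SAMPLE_JWK = {
    "kty": "RSA",
    "e": "AQAB",
    "n": base64.urlsafe_b64encode(bytes(range(256))).rstrip(b"=").decode("ascii"),
}

# keyAuthorization strings copied from the two tracebacks in this thread.
PAGE_KEYAUTHS = [
    "ixHf2KblIOQ3CYOnDkjPQSVIEo7naYtlEzpr0jNw8K0.lNXJCC5QfC9YOHAce9XBUu4PmgVHbJlBDHBl68hwIhQ",
    "G3oRNyHth7SUF6zuEJEvyvygoh91jdyqhzhemJ5An4g.lNXJCC5QfC9YOHAce9XBUu4PmgVHbJlBDHBl68hwIhQ",
]


def b64url(data):
    """Unpadded base64url, as ACME uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk):
    """RFC 7638: SHA-256 of the required members only, keys sorted, no whitespace.
    Extra members such as kid or alg must not change the result."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token, jwk):
    """token '.' thumbprint: the second half is the same for every challenge
    made with one account key, which is why both tracebacks share a suffix."""
    return token + "." + jwk_thumbprint(jwk)


def http01_body(token, jwk):
    """Bytes the CA expects at http://<domain>/.well-known/acme-challenge/<token>."""
    return key_authorization(token, jwk)


def dns01_record(domain, token, jwk):
    """(name, value) of the TXT record for dns-01: the value is NOT the key
    authorization itself but base64url(SHA-256(keyauth))."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return "_acme-challenge." + domain, b64url(digest)


def check_http01_body(body, token, jwk):
    """The validator's side: exact match (a trailing newline is tolerated here)."""
    return body.rstrip("\r\n") == key_authorization(token, jwk)


def same_account(keyauths):
    """True if all key authorizations carry the same thumbprint."""
    return len({ka.split(".", 1)[1] for ka in keyauths}) == 1


if __name__ == "__main__":
    token = "ixHf2KblIOQ3CYOnDkjPQSVIEo7naYtlEzpr0jNw8K0"   # token from the first traceback
    print("thumbprint :", jwk_thumbprint(SAMPLE_JWK))
    print("http-01    :", http01_body(token, SAMPLE_JWK))
    print("dns-01     :", dns01_record("www.aripisprecer.ro", token, SAMPLE_JWK))
    print("same account in both tracebacks:", same_account(PAGE_KEYAUTHS))
```

For dns-01 the CA queries the TXT name returned by dns01_record() on the domain's authoritative servers; for http-01 it fetches the token URL and compares against http01_body(). Neither the thumbprint nor the token is secret, so nothing in a traceback like the ones above needs to be redacted beyond the hostname.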

You're in a different timezone than we are, and it's also the weekend, so responses may be a bit slower.

I'm not seeing a DNS issue, I tested all four of your nameservers. However, Let's Encrypt seems to be struggling to resolve your domain name for some reason.

Just to rule it out as a possible issue, could you verify that you're using the most recent Webmin version? It includes a newer version of the Let's Encrypt library, which fixed a few unusual bugs we saw while requesting certificates.

Hi,

Yes, I am using the latest version:

Operating system: Debian Linux 8
Webmin version: 1.851
Usermin version: 1.720
Virtualmin version: 5.99
Theme version: Authentic Theme 18.49-8
Time on system: Saturday, July 22, 2017 8:49 PM
Kernel and CPU: Linux 3.16.0-4-amd64 on x86_64
Processor information: AMD FX(tm)-8150 Eight-Core Processor, 4 cores
System uptime: 4 days, 6 hours, 57 minutes
Running processes: 156
CPU load averages: 1.30 (1 min) 0.95 (5 mins) 0.72 (15 mins)
Real memory: 2.88 GB total / 968.55 MB used
Virtual memory: 455.07 MB total / 257.47 MB used
Local disk space: 19.11 GB total / 7.66 GB free / 11.46 GB used
Package updates: All installed packages are up to date

I've just tried again, but I've got the same error.

@JamieCameron,

I have tried without www and I got the same error.

Is there a way to update the certificate manually, without Webmin/Virtualmin?

OK, I tried to renew the certificate manually, and it seems that letsencrypt-auto automatically installed/upgraded some packages on my system:

The following extra packages will be installed:
  dh-python libexpat1-dev libmpdec2 libpython-dev libpython2.7-dev libpython3-stdlib libpython3.4-minimal libpython3.4-stdlib python-chardet-whl python-colorama-whl python-distlib-whl
  python-html5lib-whl python-pip-whl python-pkg-resources python-requests-whl python-setuptools-whl python-six-whl python-urllib3-whl python2.7-dev python3 python3-minimal
  python3-pkg-resources python3-virtualenv python3.4 python3.4-minimal zlib1g-dev
Suggested packages:
  augeas-doc augeas-tools python-distribute python-distribute-doc python3-doc python3-tk python3-venv python3-setuptools python3.4-venv python3.4-doc binfmt-support
Recommended packages:
  libssl-doc
The following NEW packages will be installed:
  augeas-lenses dh-python dialog libaugeas0 libexpat1-dev libffi-dev libmpdec2 libpython-dev libpython2.7-dev libpython3-stdlib libpython3.4-minimal libpython3.4-stdlib libssl-dev
  python-chardet-whl python-colorama-whl python-dev python-distlib-whl python-html5lib-whl python-pip-whl python-pkg-resources python-requests-whl python-setuptools-whl python-six-whl
  python-urllib3-whl python-virtualenv python2.7-dev python3 python3-minimal python3-pkg-resources python3-virtualenv python3.4 python3.4-minimal virtualenv zlib1g-dev
0 upgraded, 34 newly installed, 0 to remove and 0 not upgraded.
Need to get 27.5 MB of archives.

After that, I tried to renew the certificate from Webmin, and this time I got another error:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for aripisprecer.ro
dns-01 challenge for www.aripisprecer.ro
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. aripisprecer.ro (dns-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: No TXT records found for DNS challenge, www.aripisprecer.ro (dns-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.www.aripisprecer.ro
IMPORTANT NOTES:
- The following errors were reported by the server:

   Domain: aripisprecer.ro
   Type:   unauthorized
   Detail: No TXT records found for DNS challenge

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.
- The following errors were reported by the server:

   Domain: www.aripisprecer.ro
   Type:   connection
   Detail: DNS problem: NXDOMAIN looking up TXT for
   _acme-challenge.www.aripisprecer.ro

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.

I verified, and I have the TXT records...

Could it be a problem with the firewall? The firewall uses a different IP for NAT-ing the VMs (only outbound traffic) than my domain's IP...?

But it is strange that it was working before with exactly the same setup...

It's me again...

Excuse me for all the comments above. I found the problem after I was trying to renew the cert from SSH without any success.

I am using WordPress, and it seems one of my plugins changed something in the .htaccess file and blocked the /public_html/.well-known/acme-challenge path.

After I renamed the .htaccess file and tried again from Virtualmin, I was able to renew the certificate manually.

Thank you all for your time,

Marius