Hi everyone, I've been facing a problem for hours. Yesterday I noticed the SSL certificate of my website (xxx.fr) had to be renewed (I thought it was automatic though...). To avoid the Firefox warning, I wrote a redirection in a .htaccess (from https to http).
So I logged in to Virtualmin (Debian 8, Virtualmin 6.00) and tried to renew the LE certificate, but I keep coming across these errors:
.. request failed : Web-based validation failed : Failed to request certificate :
Traceback (most recent call last):
  File "/usr/share/webmin/webmin/acme_tiny.py", line 235, in <module>
    main(sys.argv[1:])
  File "/usr/share/webmin/webmin/acme_tiny.py", line 231, in main
    signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, args.dns_hook, args.cleanup_hook, log=LOGGER, CA=args.ca)
  File "/usr/share/webmin/webmin/acme_tiny.py", line 171, in get_crt
    raise ValueError("Gave up waiting for validation")
ValueError: Gave up waiting for validation
and
DNS-based validation failed : Failed to request certificate : u'error': {u'status': 400, u'type': u'urn:acme:error:connection', u'detail': u'DNS problem: NXDOMAIN looking up TXT for _acme-challenge.www.xxx.fr'}, u'type': u'dns-01'}
Any help would be greatly welcome ;-)
The URL http://www.xxx.fr/.well-known/acme-challenge/aSF70Pkxdwr3BxrH1goBiRVobRD... is OK. And when I dig it, it's OK...
dig TXT _acme-challenge.www.xxx.fr
;; ANSWER SECTION:
_acme-challenge.www.xxx.fr. 1800 IN TXT "QcCTV3OIwil0Q6vj_L2fzq62YgTXy4yQK2ZbhbK2k1o"
What am I doing wrong?
How come I get this when reading the values in Virtualmin > Servers > Bind DNS Servers:
_acme-challenge.www.xxx.fr. 5 IN TXT 6tJCCY4oZNtFLQLzWHiORv2o011o8EGy4Rw1NjNC5e0
and I get a different value when I dig over SSH:
_acme-challenge.www.xxx.fr. 1043 IN TXT "QcCTV3OIwil0Q6vj_L2fzq62YgTXy4yQK2ZbhbK2k1o"
If someone could help me, that would be great... ;-)
Check your host name. The
hostname
and
hostname -f
commands should give you the same output. Also, do you do your own DNS or do you do it via the registrar?
Configuring/troubleshooting Debian servers is always great fun
Thanks for answering! Here is the output:
user@xxx:~$ hostname
zzz
user@xxx:~$ hostname -f
zzz.xxx.org
As for the DNS, I handle it directly via BIND...
Edit: By the way, xxx.xxx.org is the name known by Virtualmin (System hostname = xxx.xxx.org).
OK, I changed the hostname and now:
ValueError: Error checking challenge: 502 {u'type': u'urn:acme:error:serverInternal', u'detail': u'The service is down for maintenance or had an internal error. Check https://letsencrypt.status.io/ for more details.'}
Seems I have to wait until the end of the maintenance...
Thank you anyway for your help!
OK, as I said, I changed the hostname so that it gives xxx.xxx.org for both hostname and hostname -f,
but there's still a problem...
dig TXT _acme-challenge.www.xxx.fr
_acme-challenge.www.xxx.fr. 1800 IN TXT "QcCTV3OIwil0Q6vj_L2fzq62YgTXy4yQK2ZbhbK2k1o"
but BIND does not give the same value as dig over SSH...
_acme-challenge.www.xxx.fr. 5 IN TXT VifmnH57Yh_GEggfMikLlixnR-el68Vo9q3LN2cKJnI
hostname and hostname -f should be different, i.e. exactly the way you had them at the start.
You are wrong, and if you set it the way you are saying you would never ever be able to deal with these issues. Do you know how BIND DNS works? Also how domain verification and DKIM work? If so, you would know already.
If we'd like to query each other's credentials, well, why not at least read the man page for hostname, specifically the FQDN section:
https://manpages.debian.org/stretch/hostname/hostname.1.en.html
and then how resolution works:
https://manpages.debian.org/stretch/manpages/hostname.7.en.html
Why have a -f argument at all if it is going to return the same thing as the base command? :)
All my stuff works just fine, btw.
OK, but it didn't work anyway in both cases...
As HTTPS raises a warning, I added a URL rewrite in a .htaccess to force https to http. Could that be the reason why it does not pass the web-based validation?
I found a kind of workaround, let's say it's OK...
Would you mind sharing the workaround you found?
Forums are far more useful if the wisdom is shared. Please post how you fixed the problem.
The solution to Let's Encrypt not working is almost always DNS or some redirects getting in the way of validation. So, check your DNS, and make sure you can browse to the link for the validation file (the URL looks something like this:
http://domain.tld/.well-known/acme-challeng/XDGS6B-og9RrtEBFAAwGpgIQ3g8P0jZlhPv983nsgK4
).
Check out the forum guidelines!
Joe just said it right; that is what I meant in my own comment regarding BIND and DNS. Sorry if my answer was not very clear, however I did ask... Did you resolve the problem, noisemarine?
As the redirect from https to http could be causing the failure, the same as more redirects in .htaccess could, then probably a ...
I don't understand the http without s here?
http://domain.tld/.well-known/acme-challeng/XDGS6B-og9RrtEBFAAwGpgIQ3g8P0jZlhPv983nsgK4).
PORT?
Hello, I have the same problem. The solution: set all redirects in the Apache conf & .htaccess from "http" to "https" back to only "http", and you can request a new Let's Encrypt certificate and it works... but it is not a renewal, it is a new certificate! This is a bad solution because it is manual; I have 10+ hosts and I don't have time every 3 months to make these changes manually! Does anyone know a solution that works automatically? In theory an EXCEPTION in the Apache conf. and .htaccess for http://domain.tld/.well-known/acme-challeng/.
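The exception simon.b is asking about, as an added example that is not from any poster in this thread: an Apache rewrite that forces HTTPS for the whole site but leaves the ACME HTTP-01 challenge path on plain HTTP, so the redirect never sits in the validation path and renewals do not depend on the current certificate. The domain example.fr and the DocumentRoot are placeholders.

```apache
# Added example (not from any post above). Placeholders: example.fr, /var/www/example.fr/public_html.
# Port-80 virtual host: serve the challenge files as-is, redirect everything else to HTTPS.
<VirtualHost *:80>
    ServerName example.fr
    ServerAlias www.example.fr
    DocumentRoot /var/www/example.fr/public_html

    RewriteEngine On

    # Let the HTTP-01 challenge through untouched: "-" means no substitution,
    # [L] stops further rewrite processing for this request.
    # In vhost context the pattern is matched against the full URL path (leading "/").
    RewriteRule ^/\.well-known/acme-challenge/ - [L]

    # Everything else goes to HTTPS on the same host.
    RewriteCond %{HTTPS} !=on
    RewriteRule ^/(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]
</VirtualHost>

# Equivalent rules for a .htaccess file in the DocumentRoot. In per-directory
# context the directory prefix is stripped, so the patterns have no leading "/".
# (Place these lines in .htaccess instead of the vhost, not in addition to it.)
#
#     RewriteEngine On
#     RewriteRule ^\.well-known/acme-challenge/ - [L]
#     RewriteCond %{HTTPS} !=on
#     RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]
```

After reloading Apache, `curl -I http://example.fr/.well-known/acme-challenge/test` should return a 404 (or the file, if it exists) with no Location header, while any other path returns a 301 to https.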
@simon.b and others
...if you do request a new cert, make sure you do it every 2.5 or 2.0 months (automated option). HTTPS must be valid when the new request is done. If your old cert is not valid there would be an error of course, and you would have to do it via http or manually...