Unable to renew lets encrypt certificate

#1 Thu, 09/28/2017 - 02:21


Hi everyone, I've been facing a problem for hours. Yesterday I noticed the SSL certificate of my website (xxx.fr) had to be renewed (I thought it was automatic though...). To avoid the Firefox warning, I wrote a redirection in a .htaccess (from https to http).

So I logged into Virtualmin (Debian 8, Virtualmin 6.00) and tried to renew the LE certificate, but I keep coming across these errors:

.. request failed : Web-based validation failed : Failed to request certificate :
Traceback (most recent call last):
  File "/usr/share/webmin/webmin/acme_tiny.py", line 235, in <module>
    main(sys.argv[1:])
  File "/usr/share/webmin/webmin/acme_tiny.py", line 231, in main
    signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, args.dns_hook, args.cleanup_hook, log=LOGGER, CA=args.ca)
  File "/usr/share/webmin/webmin/acme_tiny.py", line 171, in get_crt
    raise ValueError("Gave up waiting for validation")
ValueError: Gave up waiting for validation


DNS-based validation failed : Failed to request certificate : u'error': {u'status': 400, u'type': u'urn:acme:error:connection', u'detail': u'DNS problem: NXDOMAIN looking up TXT for _acme-challenge.www.xxx.fr'}, u'type': u'dns-01'}

Any help would be greatly welcome ;-)

Thu, 09/28/2017 - 05:40

The URL http://www.xxx.fr/.well-known/acme-challenge/aSF70Pkxdwr3BxrH1goBiRVobRD... is OK. And when I dig it, it's OK:

dig TXT _acme-challenge.www.xxx.fr

_acme-challenge.www.xxx.fr. 1800 IN TXT "QcCTV3OIwil0Q6vj_L2fzq62YgTXy4yQK2ZbhbK2k1o"

What am I doing wrong?

Thu, 09/28/2017 - 06:29

How come I get this when reading the values in Virtualmin > Servers > Bind DNS Servers:

_acme-challenge.www.xxx.fr. 5 IN TXT 6tJCCY4oZNtFLQLzWHiORv2o011o8EGy4Rw1NjNC5e0

and I get a different value when I dig over SSH:

_acme-challenge.www.xxx.fr. 1043 IN TXT "QcCTV3OIwil0Q6vj_L2fzq62YgTXy4yQK2ZbhbK2k1o"

If someone could help me, that would be great.... ;-)
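
The two values above come from two different places: Virtualmin reads the zone file on disk, while dig asks a resolver, and the CA only ever sees what resolvers answer. The script below is an added example, not code from this thread, from Virtualmin or from acme_tiny; it assumes a POSIX shell with openssl, base64 and dig on the PATH, and the resolver address 8.8.8.8 and the sample record lines are placeholders constructed for the demo. It shows how the DNS-01 TXT value is derived from the challenge token and the account key thumbprint, and compares the value a resolver returns with the value the zone should hold, which is exactly the check that would have caught the mismatch in this post.

```shell
#!/bin/sh
# Added example (not from the thread, Virtualmin or acme_tiny).
# Assumes: POSIX sh, openssl, base64 and dig on the PATH.
#
# A DNS-01 challenge passes when _acme-challenge.<name> carries a TXT record
# whose value is base64url(SHA-256(<token>.<account-key-thumbprint>))
# (RFC 8555, section 8.4). The CA compares against what public resolvers
# return, not against the zone file on disk, so a stale cached answer or an
# unbumped serial produces exactly the disagreement seen above.

# base64url-encode the SHA-256 of stdin, without padding.
b64url_sha256() {
    openssl dgst -sha256 -binary | base64 | tr '+/' '-_' | tr -d '=\n'
}

# Expected TXT value. $1 = challenge token, $2 = account key thumbprint.
acme_expected_txt() {
    printf '%s.%s' "$1" "$2" | b64url_sha256
}

# Reduce one answer line (dig or Virtualmin style) to the bare TXT value.
# Quotes are optional, since Virtualmin shows the value without them:
#   _acme-challenge.www.xxx.fr. 1800 IN TXT "QcCT..."
#   _acme-challenge.www.xxx.fr. 5 IN TXT 6tJC...
acme_txt_value() {
    printf '%s\n' "$1" | awk '{ v = $NF; gsub(/"/, "", v); print v }'
}

# Compare what a resolver returned with what the zone holds.
# $1 = resolver answer line, $2 = zone/primary answer line.
# Returns 0 on match, 1 on mismatch, and prints a verdict.
acme_dns01_compare() {
    seen=$(acme_txt_value "$1")
    want=$(acme_txt_value "$2")
    if [ "$seen" = "$want" ]; then
        echo "OK: resolver and zone agree on $seen"
        return 0
    fi
    echo "MISMATCH: resolver returned '$seen' but the zone holds '$want'"
    echo "  -> bump the zone serial, reload BIND, then query the authoritative"
    echo "     server directly: dig @<your-ns> TXT _acme-challenge.<name>"
    return 1
}

# Live check (needs network). $1 = the name being validated, e.g. www.xxx.fr.
# 8.8.8.8 is a placeholder public resolver; 127.0.0.1 is the local BIND.
acme_dns01_live() {
    name="_acme-challenge.$1"
    public=$(dig +short @8.8.8.8 TXT "$name" | head -n 1)
    locally=$(dig +short @127.0.0.1 TXT "$name" | head -n 1)
    if [ -z "$public" ]; then
        echo "FAIL: the public resolver sees no TXT for $name (NXDOMAIN?)"
        return 1
    fi
    acme_dns01_compare "$name 0 IN TXT $public" "$name 0 IN TXT $locally"
}

# Demo on constructed lines shaped like the ones in this thread.
if [ "${1:-}" = "demo" ]; then
    acme_dns01_compare \
        '_acme-challenge.www.xxx.fr. 1800 IN TXT "QcCTV3OIwil0Q6vj_L2fzq62YgTXy4yQK2ZbhbK2k1o"' \
        '_acme-challenge.www.xxx.fr. 5 IN TXT 6tJCCY4oZNtFLQLzWHiORv2o011o8EGy4Rw1NjNC5e0'
fi
```

Run it as `sh check-dns01.sh demo` to see the mismatch verdict, or call `acme_dns01_live www.xxx.fr` from the server to compare the public view with the local BIND. A TTL of 1800 on the cached answer means a resolver can keep serving the old token for up to 30 minutes after the zone was rewritten, so a short TTL on the _acme-challenge record, and a serial bump on every change, are what make the CA see the current value.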

Thu, 09/28/2017 - 11:26

Check your hostname. The hostname and hostname -f commands should give you the same output. Also, do you do your own DNS or do you do it via the registrar?

Configuring/troubleshooting Debian servers is always great fun

Thu, 09/28/2017 - 11:55

Thanks for answering! Here is the output:

user@xxx:~$ hostname

user@xxx:~$ hostname -f

As for DNS, I handle it directly via BIND...

edit: By the way, xxx.xxx.org is the name known by Virtualmin (System hostname = xxx.xxx.org)

Fri, 09/29/2017 - 08:34 (Reply to #5)
As I mentioned, zzz and zzz.xxx.org are not the same, and I think that is your problem itself.


Thu, 09/28/2017 - 12:29

OK, I changed the hostname and now:

ValueError: Error checking challenge: 502 {u'type': u'urn:acme:error:serverInternal', u'detail': u'The service is down for maintenance or had an internal error. Check https://letsencrypt.status.io/ for more details.'}

Seems I have to wait until the end of the maintenance...

Thank you anyway for your help !

Thu, 09/28/2017 - 12:54

OK, as I said, I changed the hostname so that it gives xxx.xxx.org for both hostname and hostname -f,

but there's still a problem....

dig TXT _acme-challenge.www.xxx.fr

_acme-challenge.www.xxx.fr. 1800 IN TXT "QcCTV3OIwil0Q6vj_L2fzq62YgTXy4yQK2ZbhbK2k1o"

but BIND does not give the same value as dig over SSH:

_acme-challenge.www.xxx.fr. 5 IN TXT VifmnH57Yh_GEggfMikLlixnR-el68Vo9q3LN2cKJnI

Thu, 09/28/2017 - 15:56

hostname and hostname -f should be different, i.e. exactly the way you had them at the start.

Fri, 09/29/2017 - 08:35 (Reply to #9)

You are wrong, and if you set it as you are saying, you would never ever be able to deal with these issues. Do you know how BIND DNS works? Also how domain verification and DKIM work? If so, you would know already.


Fri, 09/29/2017 - 18:11 (Reply to #10)

If we'd like to query each other's credentials, well, why not at least read the man page for hostname, specifically the FQDN section,


and then how resolution works


Why have a -f argument at all if it is going to return the same thing as the base command? :)

All my stuff works just fine, btw.

Thu, 09/28/2017 - 16:16

OK, but it didn't work in either case anyway...

Thu, 09/28/2017 - 16:41

As https raises a warning, I added a URL rewrite in a .htaccess to force https to http. Could that be the reason why it does not pass the web-based validation?

Fri, 09/29/2017 - 02:15

I found a kind of workaround, let's say it's ok, ...

Sat, 09/30/2017 - 13:13

Would you mind sharing the workaround you found?

Thu, 10/05/2017 - 22:51

Forums are far more useful if the wisdom is shared. Please post how you fixed the problem.

Thu, 10/05/2017 - 23:32 (Reply to #16)

The solution to Let's Encrypt not working is almost always DNS or some redirects getting in the way of validation. So, check your DNS, and make sure you can browse to the link for the validation file (the URL looks something like this: http://domain.tld/.well-known/acme-challenge/XDGS6B-og9RrtEBFAAwGpgIQ3g8P0jZlhPv983nsgK4).



Thu, 10/12/2017 - 12:10

Joe just said it right; that is what I meant in my own comment regarding BIND and DNS. Sorry if my answer was not very clear; however, I did ask... Did you resolve the problem, noisemarine?


Thu, 10/12/2017 - 12:48

As the https-to-http redirect could be causing the failure, the same as more redirects of the .htaccess kind could, then probably a ,,,

I don't understand the http without the s here? http://domain.tld/.well-known/acme-challenge/XDGS6B-og9RrtEBFAAwGpgIQ3g8P0jZlhPv983nsgK4). Port?

Thu, 07/26/2018 - 09:55

Hello, I have the same problem. The solution: set all redirects in the Apache conf and .htaccess from "http" to "https" back to only "http", and you can request a new Let's Encrypt certificate and it works... but it is not a renewal, it is a new certificate! This is a bad solution because it is manual; I have 10+ hosts and I don't have time every 3 months to make these changes manually! Does anyone know a solution that works automatically? In theory, an EXCEPTION in the Apache conf and .htaccess for http://domain.tld/.well-known/acme-challenge/.
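
Joe's advice earlier (browse to the challenge URL yourself) and the redirect problem described in this post can be turned into a repeatable preflight. The script below is an added example, not code from this thread, from Virtualmin or from acme_tiny; it assumes curl on the PATH, write access to the site's document root, and a vhost that serves /.well-known/acme-challenge/ over plain http on port 80. The hostname www.xxx.fr and the document root used in the usage note are placeholders. It places a probe file, fetches it the way the CA does (over http, following redirects), and then judges the result on the two things the CA cares about: a final 200 status and a body that matches exactly. Any redirect is reported so the rule responsible can be given an exception before the real request is sent.

```shell
#!/bin/sh
# Added example (not from the thread, Virtualmin or acme_tiny).
# Assumes: curl on the PATH, a writable document root, and a vhost serving
# http://<host>/.well-known/acme-challenge/<file> as plain text on port 80.
#
# The CA fetches http://<host>/.well-known/acme-challenge/<token> and compares
# the body with the key authorization. It follows redirects, but a redirect
# that lands on a different host, a login page or a loop means the status or
# body no longer matches. Running the same fetch first shows which it is.

# Decide whether a fetch result would satisfy HTTP-01.
# $1 = requested URL, $2 = final HTTP status, $3 = final URL after redirects,
# $4 = body received, $5 = body expected. Returns 0 on pass, 1 on fail.
acme_http01_verdict() {
    if [ "$1" != "$3" ]; then
        echo "note: $1 was redirected to $3 (check the rewrite rule doing this)"
    fi
    if [ "$2" != "200" ]; then
        echo "FAIL: final status $2, expected 200"
        return 1
    fi
    if [ "$4" != "$5" ]; then
        echo "FAIL: body does not match the expected challenge content"
        return 1
    fi
    echo "OK: challenge reachable with the expected body"
    return 0
}

# Live preflight (needs network): drop a probe file and fetch it like the CA.
# $1 = hostname, $2 = document root of that vhost.
acme_http01_preflight() {
    token="preflight-$$"
    dir="$2/.well-known/acme-challenge"
    url="http://$1/.well-known/acme-challenge/$token"
    body_file="/tmp/acme-body.$$"
    mkdir -p "$dir" && printf '%s' "$token.probe" > "$dir/$token"
    # -L follows redirects as the CA would; -w reports where we ended up.
    out=$(curl -sS -L --max-redirs 10 -o "$body_file" \
               -w '%{http_code} %{url_effective}' "$url")
    body=$(cat "$body_file")
    rm -f "$body_file" "$dir/$token"
    acme_http01_verdict "$url" "${out%% *}" "${out#* }" "$body" "$token.probe"
}

if [ "${1:-}" = "run" ]; then
    acme_http01_preflight "$2" "$3"
fi
```

Usage on the server: `sh preflight.sh run www.xxx.fr /var/www/xxx.fr/public_html`. If the verdict reports a redirect, the fix this post asks for is an exception rather than removing the redirect: in Apache, a `RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/` line placed before the http-to-https RewriteRule, or an `Alias /.well-known/acme-challenge/ /var/lib/acme-challenges/` in the global config so every vhost serves challenges from one directory that no per-site .htaccess can redirect. With that in place the renewal no longer depends on anyone editing 10+ hosts by hand every three months.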

Thu, 08/09/2018 - 05:28

@simon.b and others

....if you do request a new cert, make sure you do it every 2.5 or 2.0 months (automated option). https must be valid when the new request is done. If your old cert is not valid there would be an error of course, and you would have to do it via http or manually...

