Hi, I'm trying to install a Let's Encrypt certificate for the admin panel of Virtualmin, but in "Let's Encrypt Certificate Request" in Webmin Configuration I'm receiving an error:
"Requesting a new certificate for server26.ultranetxxi.net, using the website directory /home/ultranetxxi.net/public_html ..
.. request failed : Failed to request certificate :
Parsing account key...
Parsing CSR...
Registering account...
Traceback (most recent call last):
File "/usr/share/webmin/webmin/acme_tiny.py", line 203, in <module>
main(sys.argv[1:])
File "/usr/share/webmin/webmin/acme_tiny.py", line 199, in main
signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca)
File "/usr/share/webmin/webmin/acme_tiny.py", line 97, in get_crt
raise ValueError("Error registering: {0} {1}".format(code, result))
ValueError: Error registering: 400 {
"type": "urn:acme:error:malformed",
"detail": "Provided agreement URL [https://letsencrypt.org/documents/LE-SA-v1.0.1-July-27-2015.pdf] does not match current agreement URL [https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf]",
"status": 400
}"
Any help is appreciated.
I'm experiencing the same issue, with exactly the same error message. This seems to be a general webmin / letsencrypt problem.
Howdy,
Yeah that is indeed a bug (due to the Let's Encrypt ToS changing)... there's a report for that here (including a temporary workaround):
https://www.virtualmin.com/node/41565
https://www.virtualmin.com/node/41644:
sed -i s#'https://letsencrypt.org/documents/LE-SA-v1.0.1-July-27-2015.pdf'#'https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf'# /usr/share/webmin/webmin/acme_tiny.py
@all: issue seems to be fixed in update 1.810
Hi Shiraz, that's right, it's working now. Thanks.
Provided agreement URL error fix
Go to Webmin -> Others -> File Manager
edit File -> /usr/share/webmin/webmin/acme_tiny.py
line 99 replace -> "agreement": "https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf",
with -> "agreement": json.loads(urlopen(CA + "/directory").read().decode('utf8'))['meta']['terms-of-service'],
Hope this is helpful.
Work hard in silence let success be your noise
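The two approaches in this thread (pinning the agreement URL versus reading it from the CA directory), as an added Python example that is not part of any post or of acme_tiny.py. The directory body and the `line_99` string are constructed samples, and the function names are hypothetical; the error body is the one quoted in the first post.

```python
import json
import re

OLD = "https://letsencrypt.org/documents/LE-SA-v1.0.1-July-27-2015.pdf"
NEW = "https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf"

# Constructed stand-in for the body served at CA + "/directory"; only the
# meta -> terms-of-service field read by the one-line fix above is filled in.
SAMPLE_DIRECTORY = json.dumps({"meta": {"terms-of-service": NEW}})

# The 400 response quoted in the first post of this thread.
SAMPLE_ERROR = json.dumps({
    "type": "urn:acme:error:malformed",
    "detail": "Provided agreement URL [%s] does not match "
              "current agreement URL [%s]" % (OLD, NEW),
    "status": 400,
})

MISMATCH = re.compile(r"Provided agreement URL \[([^\]]+)\] does not match "
                      r"current agreement URL \[([^\]]+)\]")
PINNED = re.compile(r"https://letsencrypt\.org/documents/LE-SA-[\w.-]+\.pdf")


def current_agreement(directory_body):
    """Agreement URL the CA currently advertises in its directory."""
    return json.loads(directory_body)["meta"]["terms-of-service"]


def parse_mismatch(error_body):
    """Return (provided, current) from an agreement-mismatch error, else None."""
    err = json.loads(error_body)
    if err.get("type") != "urn:acme:error:malformed":
        return None
    found = MISMATCH.search(err.get("detail", ""))
    return found.groups() if found else None


def stale_pins(script_source, directory_body):
    """Hard-coded LE-SA URLs in a script that differ from the advertised one."""
    live = current_agreement(directory_body)
    return [url for url in PINNED.findall(script_source) if url != live]


if __name__ == "__main__":
    line_99 = '"agreement": "%s",' % OLD  # constructed: a pinned line
    print(parse_mismatch(SAMPLE_ERROR))
    print(stale_pins(line_99, SAMPLE_DIRECTORY))
```

A pinned URL passes this check only until the CA publishes a new agreement, which is why the directory lookup survives later agreement changes and the hard-coded edit does not.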
I replaced the contents of acme_tiny.py from this https://github.com/diafygi/acme-tiny/blob/master/acme_tiny.py to make it work.
@jaldeguer .... I've just tried your bug fix and still ran into a problem, but not the original reported issue. It seems that it is expecting a "subscriber agreement".
Nigel.
Parsing account key...
Parsing CSR...
Registering account...
Already registered!
Verifying podcasts.soft-focus-imagining.com...
Traceback (most recent call last):
File "/usr/libexec/webmin/webmin/acme_tiny.py", line 196, in <module>
main(sys.argv[1:])
File "/usr/libexec/webmin/webmin/acme_tiny.py", line 192, in main
signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca)
File "/usr/libexec/webmin/webmin/acme_tiny.py", line 104, in get_crt
raise ValueError("Error requesting challenges: {0} {1}".format(code, result))
ValueError: Error requesting challenges: 403 {
"type": "urn:acme:error:unauthorized",
"detail": "Must agree to subscriber agreement before any further actions",
"status": 403
}
DNS-based validation failed : Failed to request certificate :
usage: acme_tiny.py [-h] --account-key ACCOUNT_KEY --csr CSR --acme-dir ACME_DIR [--quiet] [--ca CA]
acme_tiny.py: error: argument --acme-dir is required
@NigelAves Did you replace the entire contents of acme_tiny.py with this ? https://github.com/diafygi/acme-tiny/blob/master/acme_tiny.py
@jaldeguer - Yes I did, but I did run this before when it was broken, could it have left "files" behind that are now interfering?
@jaldeguer : I don't know if this will help or not, but here is the email that webmin sent me. This was from a few minutes ago. 8:14 PM 17th Nov.
reason: acme_tiny.py:106:get_crt:ValueError: Error registering: 400 {
cmdline: /bin/python2.7 /usr/libexec/webmin/webmin/acme_tiny.py --account-key /etc/webmin/webmin/letsencrypt.pem --csr /tmp/.webmin/16184_25847_3_letsencrypt.cgi --acme-dir /home/podcasts/public_html/.well-known/acme-challenge
executable: /usr/libexec/webmin/webmin/acme_tiny.py
package: webmin-1.860-1
component: webmin
pid: 25871
hostname: apache-web-server.twin-peaks-video.com
count: 6
abrt_version: 2.1.11
analyzer: Python
architecture: x86_64
duphash: eea2832f10a33b034751c429cc2e91f691fad601
event_log:
kernel: 3.10.0-693.5.2.el7.x86_64
last_occurrence: 1510974754
os_release: CentOS Linux release 7.4.1708 (Core)
pkg_arch: noarch
pkg_epoch: 0
pkg_fingerprint: D97A 3AE9 11F6 3C51
pkg_name: webmin
pkg_release: 1
pkg_vendor: Jamie Cameron
pkg_version: 1.860
runlevel: N 5
time: Wed 15 Nov 2017 05:50:51 AM MST
type: Python
uid: 0
ureports_counter: 6
username: root
uuid: eea2832f10a33b034751c429cc2e91f691fad601
Anyone have any ideas as to why I'm still running into an issue?
I'd really like to get this working across my web sites :)
It took some finding but I now have everything working all OK. It was a created file (from my first attempt) that caused the second issue.
/etc/webmin/webmin/letsencrypt.pem
This now led me to Let's Encrypt having issues writing the confirmation file in .well-known
This was being blocked by mod-security - once mod-security was "off" every site worked with no hiccups.
But hopefully someone can answer this. Will mod_security stop the "Update renewal" from working?
Many Thanks - Nigel
Hello Guys,
I ran into the same problem and here is my solution:
1) Go to Webmin ->Others->File Manager and browse to /usr/libexec/webmin/webmin/
2) Edit the acme_tiny.py file
3) Go to line: 99 and replace the current "https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf" with "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf" and save the file.
4) Go to Virtualmin ->Server Configuration->Manage SSL Certificate and select Let's Encrypt tab and click on Request Certificate.
5) The above steps worked for me. I think the acme_tiny.py needed to be updated with the new "LET’S ENCRYPT SUBSCRIBER AGREEMENT". Good luck and let me know if it worked for you.
You've saved my evening. Thank you very much! :)
Yup, that helped me out too, liveandlearn! Thanks for the tip :)
SOLUTION:
Issuing new Let's Encrypt certificates (or renewing ones past the reauthorization window) fails when running OpenSSL 1.1.0. You can get the error:
Parsing account key...
Parsing CSR...
Registering account...
Already registered!
Signing certificate...
Traceback (most recent call last):
File "acme_tiny.py", line 198, in <module>
main(sys.argv[1:])
File "acme_tiny.py", line 194, in main
signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca)
File "acme_tiny.py", line 161, in get_crt
raise ValueError("Error signing certificate: {0} {1}".format(code, result))
ValueError: Error signing certificate: 403 {
"type": "urn:acme:error:unauthorized",
"detail": "Error creating new cert :: Authorizations for these names not found or expired: temboz.com",
"status": 403
}
The problem is in line 72, where it extracts the CN from the certificate using the regex:
# nano /usr/share/webmin/webmin/acme_tiny.py and search "common_name" line
common_name = re.search(r"Subject:.*? CN=([^\s,;/]+)", out.decode('utf8'))
Unfortunately OpenSSL changed the format of openssl req -text -noout in 1.1.0 to add extraneous spaces around the = in CN=:
The fix is to change line 72 to:
# nano /usr/share/webmin/webmin/acme_tiny.py and search "common_name" line
common_name = re.search(r"Subject:.*? CN ?= ?([^\s,;/]+)", out.decode('utf8'))
Note: Please make sure to keep the line indent before common_name when you copy and paste the above fix.
This also applies to Virtualmin in
/usr/share/webmin/virtual-server/feature-ssl.pl
line 1345
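The effect of the two regexes from the post above on both Subject layouts, as an added Python example that is not part of the post or of acme_tiny.py. The request text is constructed and abbreviated, and the `SAN` pattern and function names are assumptions about how the alternative names are collected. With the old pattern and a spaced Subject the CN is never queued for validation, which is consistent with the log above going from "Already registered!" straight to "Signing certificate...".

```python
import re

OLD_CN = r"Subject:.*? CN=([^\s,;/]+)"        # line 72 before the fix
NEW_CN = r"Subject:.*? CN ?= ?([^\s,;/]+)"    # line 72 after the fix
# Assumption: alternative names are read from the same text with this pattern.
SAN = r"X509v3 Subject Alternative Name: \n +([^\n]+)\n"


def req_text(subject, san=None):
    """Build a constructed, abbreviated `openssl req -text -noout` excerpt."""
    text = "Certificate Request:\n    Data:\n        Subject: %s\n" % subject
    if san:
        text += ("        Requested Extensions:\n"
                 "            X509v3 Subject Alternative Name: \n"
                 "                %s\n" % san)
    return text


def domains_to_authorize(text, cn_pattern):
    """Names the client would ask the CA to validate before signing."""
    domains = set()
    cn = re.search(cn_pattern, text)
    if cn is not None:
        domains.add(cn.group(1))
    san = re.search(SAN, text)
    if san is not None:
        for entry in san.group(1).split(", "):
            if entry.startswith("DNS:"):
                domains.add(entry[4:])
    return domains


# Constructed samples: compact Subject (before 1.1.0), spaced Subject (1.1.0).
COMPACT = req_text("C=US, CN=temboz.com", "DNS:www.temboz.com")
SPACED = req_text("C = US, CN = temboz.com", "DNS:www.temboz.com")
SPACED_CN_ONLY = req_text("CN = temboz.com")

if __name__ == "__main__":
    for label, text in (("compact", COMPACT), ("spaced", SPACED),
                        ("spaced, CN only", SPACED_CN_ONLY)):
        print(label, sorted(domains_to_authorize(text, OLD_CN)),
              sorted(domains_to_authorize(text, NEW_CN)))
```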