Let's Encrypt certificate failure

When trying to generate a Let's Encrypt certificate for two domains -- one an alias of the other -- I get the following output:

Request Certificate
In domain main-domain.ca
Validating configuration for main-domain.ca alias-domain.ca ..
.. no problems found

Requesting a certificate for main-domain.ca, www.main-domain.ca, alias-domain.ca, www.alias-domain.ca from Let's Encrypt ..
.. request failed : Web-based validation failed : Failed to request certificate :

Traceback (most recent call last):
  File "/usr/libexec/webmin/webmin/acme_tiny.py", line 250, in <module>
    main(sys.argv[1:])
  File "/usr/libexec/webmin/webmin/acme_tiny.py", line 246, in main
    signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, args.dns_hook, args.cleanup_hook, log=LOGGER, CA=args.ca)
  File "/usr/libexec/webmin/webmin/acme_tiny.py", line 154, in get_crt
    resp = urlopen(wellknown_url)
  File "/usr/lib64/python2.7/urllib2.py", line 154, in urlopen
    return opener.open(url, data, timeout)
  File "/usr/lib64/python2.7/urllib2.py", line 437, in open
    response = meth(req, response)
  File "/usr/lib64/python2.7/urllib2.py", line 550, in http_response
    'http', request, response, code, msg, hdrs)
  File "/usr/lib64/python2.7/urllib2.py", line 469, in error
    result = self._call_chain(*args)
  File "/usr/lib64/python2.7/urllib2.py", line 409, in _call_chain
    result = func(*args)
  File "/usr/lib64/python2.7/urllib2.py", line 656, in http_error_302
    return self.parent.open(new, timeout=req.timeout)
  File "/usr/lib64/python2.7/urllib2.py", line 431, in open
    response = self._open(req, data)
  File "/usr/lib64/python2.7/urllib2.py", line 449, in _open
    '_open', req)
  File "/usr/lib64/python2.7/urllib2.py", line 409, in _call_chain
    result = func(*args)
  File "/usr/lib64/python2.7/urllib2.py", line 1258, in https_open
    context=self._context, check_hostname=self._check_hostname)
  File "/usr/lib64/python2.7/urllib2.py", line 1211, in do_open
    h.request(req.get_method(), req.get_selector(), req.data, headers)
  File "/usr/lib64/python2.7/httplib.py", line 1041, in request
    self._send_request(method, url, body, headers)
  File "/usr/lib64/python2.7/httplib.py", line 1075, in _send_request
    self.endheaders(body)
  File "/usr/lib64/python2.7/httplib.py", line 1037, in endheaders
    self._send_output(message_body)
  File "/usr/lib64/python2.7/httplib.py", line 881, in _send_output
    self.send(msg)
  File "/usr/lib64/python2.7/httplib.py", line 843, in send
    self.connect()
  File "/usr/lib64/python2.7/httplib.py", line 1260, in connect
    server_hostname=sni_hostname)
  File "/usr/lib64/python2.7/ssl.py", line 348, in wrap_socket
    _context=self)
  File "/usr/lib64/python2.7/ssl.py", line 609, in __init__
    self.do_handshake()
  File "/usr/lib64/python2.7/ssl.py", line 839, in do_handshake
    match_hostname(self.getpeercert(), self.server_hostname)
  File "/usr/lib64/python2.7/ssl.py", line 267, in match_hostname
    % (hostname, ', '.join(map(repr, dnsnames))))
ssl.CertificateError: hostname 'www.alias-domain.ca' doesn't match either of 'main-domain.ca', 'www.main-domain.ca'

Virtualmin gives me the option to generate a certificate with all four domains (two domains with and without the "www.").

Virtualmin 1.930.

Craig

Status: Active

Comments

Looks like you have a redirect set up from http to https, but the cert isn't valid. You should turn this off, at least for the /.well-known URL path.

Hi Jamie,

Thanks for your reply. If that's the case then this is a Virtualmin bug. This domain and its alias were suspended a while ago. In the meantime the certificate expired. When I reactivated the domain and tried to renew the certificate, this was the result.

Craig

Category: Support request » Bug report

Hmm, would it be possible to know the names of the domains in this case? That would help us better understand what's going on there.

That is, you mentioned the issue is with main-domain.ca and alias-domain.ca, what are those actual domain names though? Thanks!

Hi Eric. The main domain is we-need-a-fence.ca and the alias is weneedafence.ca.

Thanks for the info!

I'm re-reading the above, and wanted to be sure I understood properly -- you mentioned the domains were both disabled... do you actually wish to renew the SSL certificate?

Or are you just trying to address the notification that you're seeing that it's trying to renew, in spite of it being disabled?

We can help you renew it, if that's what you want -- but if this is an issue moreso with it trying to renew the certificate of a disabled domain, I can work with Jamie to sort out why it's attempting to do that. You're right, it certainly shouldn't be trying to renew an SSL certificate if the domains are disabled.

Yes, I do wish to renew the SSL certificate. The error in my original post is what I see when I try to renew the certificate. The domains are not currently disabled; they were disabled, and now they are not. There is no automated process trying to renew the certificate of a disabled domain.

Hope that's clear now.

If something went wrong with it, I almost always do a self-signed certificate first. After that the LE one, and it is most of the time working again.

(With some testing I can remember having problems too after deleting and then creating a new virtual server with the same domain name, but that was longer ago.)

All from the Virtualmin GUI. Don't know whether the old things (LE) are deleted / withdrawn doing it that way?

I haven't tried changing to a self-signed certificate and then back to a Let's Encrypt certificate. Either way it's still a bug, as far as I can see.

Okay, that makes perfect sense craigh, just trying to make sure my suggestions are going in the right direction :-)

So Jamie will need to review why you got that message in the first place, but that doesn't appear to be the immediate issue.

I tried going to these two URLs --

http://we-need-a-fence.ca/.well-known/

http://weneedafence.ca/.well-known/

What I saw in both of those cases is that it's redirecting from HTTP to HTTPS, which will cause the Let's Encrypt validation to not work.

How is that redirect taking place, is there a .htaccess file in place that's performing that redirect? If so, you may want to try temporarily disabling that .htaccess file to see if it's able to work properly at that point.

Hi Eric. I took a look and it turns out there is a substantial (~50 kb) .htaccess file. I examined it and found that part of it was doing the HTTP-to-HTTPS redirect. When I renamed the file and renewed the certificate (and then renamed the file back), there were no errors.

That's essentially what Jamie said in his initial response, but I misunderstood. My apologies.

Craig

Category: Bug report » Support request
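The .htaccess pattern Craig found is common enough to show side by side; this is an added illustration, not a file from the thread or from Virtualmin, and the domain name, the www canonical host and the `.well-known/acme-challenge/` directory are assumptions. The first block is the kind of blanket rewrite that makes acme_tiny's own self-check (the `urlopen(wellknown_url)` frame in the traceback) follow a 302 to HTTPS and die on the expired certificate; the second leaves the challenge path on plain HTTP and redirects everything else.

```apache
# BROKEN (assumed example): every HTTP request, including the ACME
# HTTP-01 challenge under /.well-known/acme-challenge/, is sent to HTTPS.
# The certificate is expired or for other names, so the client that
# follows the redirect fails before Let's Encrypt ever validates anything.
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^ https://www.example.ca%{REQUEST_URI} [R=301,L]

# FIXED (assumed example): pass the challenge directory through untouched
# ("-" keeps the URI, L stops further rules), then redirect the rest to
# the canonical HTTPS host. Domain names are placeholders.
RewriteEngine On
RewriteRule ^\.well-known/acme-challenge/ - [L]
RewriteCond %{HTTPS} off [OR]
RewriteCond %{HTTP_HOST} !^www\.example\.ca$ [NC]
RewriteRule ^ https://www.example.ca%{REQUEST_URI} [R=301,L]
```

To confirm the exemption before renewing, `curl -sI http://example.ca/.well-known/acme-challenge/test` should return a plain 404 from the HTTP vhost, not a 301/302 with a `Location: https://...` header.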

FYI.

We have a redirect to https too, but no problems. I don't understand why; redirects in htaccess or vhosts to https should be ok. CENTOS 7.6.1810 Webmin version 1.930 Usermin version 1.780 Virtualmin version 6.06

Did a renew to test for http://2shop.eu/.well-known/ all fine.

I think there must be a WIKI / DOC / HOWTO / HELP for webmin / virtualmin redirects to https without breaking the LE part?

@craigh you also have a redirect to www, so maybe the order is wrong somewhere; you first have to redirect to the same domain / subdomain, then after that the https part.

So to try explaining: do not redirect from http://yourdomain.tld in one step to https://www.yourdomain.tld, that is false. First do http://yourdomain.tld to https://yourdomain.tld and after that do the redirect to https://www.yourdomain.tld

It could of course also be a wrong redirect in parts of the htaccess code, but for that ask support here.

And I could be wrong too, then sorry. ;)

Look at this test I suggest > ;)

https://check-your-website.server-daten.de/?q=weneedafence.ca

For better ssl / tls / ciphers: https://www.virtualmin.com/node/67087

While:

https://discovery.cryptosense.com/analyze/weneedafence.ca/f54cee1

Only trying to help for the better, ok?

I'm glad to hear that worked craigh, thanks for letting us know!

It sounds like the immediate issue is fixed, but there may still be an underlying bug where it's trying to renew an SSL certificate of a disabled domain.

Did I understand that correctly in your original post, that this first came up when it was trying to renew the SSL certificate of a disabled domain?

Sorry, missed the email advising me that this had been updated.

No, there were no attempts by Virtualmin or anything else to automatically renew the certificate on a disabled domain. These were the steps I followed:

  1. Re-enable domain
  2. Renew SSL certificate
  3. Fail with errors in original post

It was my manual action that was failing.