Submitted by craigh on Sun, 09/01/2019 - 07:26 Pro Licensee
When trying to generate a Let's Encrypt certificate for two domains -- one an alias of the other -- I get the following output:
Request Certificate
In domain main-domain.ca
Validating configuration for main-domain.ca alias-domain.ca ..
.. no problems found
Requesting a certificate for main-domain.ca, www.main-domain.ca, alias-domain.ca, www.alias-domain.ca from Let's Encrypt ..
.. request failed : Web-based validation failed : Failed to request certificate :
Traceback (most recent call last):
File "/usr/libexec/webmin/webmin/acme_tiny.py", line 250, in <module>
main(sys.argv[1:])
File "/usr/libexec/webmin/webmin/acme_tiny.py", line 246, in main
signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, args.dns_hook, args.cleanup_hook, log=LOGGER, CA=args.ca)
File "/usr/libexec/webmin/webmin/acme_tiny.py", line 154, in get_crt
resp = urlopen(wellknown_url)
File "/usr/lib64/python2.7/urllib2.py", line 154, in urlopen
return opener.open(url, data, timeout)
File "/usr/lib64/python2.7/urllib2.py", line 437, in open
response = meth(req, response)
File "/usr/lib64/python2.7/urllib2.py", line 550, in http_response
'http', request, response, code, msg, hdrs)
File "/usr/lib64/python2.7/urllib2.py", line 469, in error
result = self._call_chain(*args)
File "/usr/lib64/python2.7/urllib2.py", line 409, in _call_chain
result = func(*args)
File "/usr/lib64/python2.7/urllib2.py", line 656, in http_error_302
return self.parent.open(new, timeout=req.timeout)
File "/usr/lib64/python2.7/urllib2.py", line 431, in open
response = self._open(req, data)
File "/usr/lib64/python2.7/urllib2.py", line 449, in _open
'_open', req)
File "/usr/lib64/python2.7/urllib2.py", line 409, in _call_chain
result = func(*args)
File "/usr/lib64/python2.7/urllib2.py", line 1258, in https_open
context=self._context, check_hostname=self._check_hostname)
File "/usr/lib64/python2.7/urllib2.py", line 1211, in do_open
h.request(req.get_method(), req.get_selector(), req.data, headers)
File "/usr/lib64/python2.7/httplib.py", line 1041, in request
self._send_request(method, url, body, headers)
File "/usr/lib64/python2.7/httplib.py", line 1075, in _send_request
self.endheaders(body)
File "/usr/lib64/python2.7/httplib.py", line 1037, in endheaders
self._send_output(message_body)
File "/usr/lib64/python2.7/httplib.py", line 881, in _send_output
self.send(msg)
File "/usr/lib64/python2.7/httplib.py", line 843, in send
self.connect()
File "/usr/lib64/python2.7/httplib.py", line 1260, in connect
server_hostname=sni_hostname)
File "/usr/lib64/python2.7/ssl.py", line 348, in wrap_socket
_context=self)
File "/usr/lib64/python2.7/ssl.py", line 609, in __init__
self.do_handshake()
File "/usr/lib64/python2.7/ssl.py", line 839, in do_handshake
match_hostname(self.getpeercert(), self.server_hostname)
File "/usr/lib64/python2.7/ssl.py", line 267, in match_hostname
% (hostname, ', '.join(map(repr, dnsnames))))
ssl.CertificateError: hostname 'www.alias-domain.ca' doesn't match either of 'main-domain.ca', 'www.main-domain.ca'
Virtualmin gives me the option to generate a certificate with all four domains (two domains with and without the "www.").
Virtualmin 1.930.
Craig
Status:
Active
Comments
Submitted by JamieCameron on Sun, 09/01/2019 - 12:14 Comment #1
Looks like you have a redirect set up from http to https, but the cert isn't valid. You should turn this off, at least for the /.well-known URL path.
Submitted by craigh on Sun, 09/01/2019 - 18:57 Pro Licensee Comment #2
Hi Jamie,
Thanks for your reply. If that's the case then this is a Virtualmin bug. This domain and its alias were suspended a while ago. In the meantime the certificate expired. When I reactivated the domain and tried to renew the certificate, this was the result.
Craig
Submitted by craigh on Sun, 09/01/2019 - 18:58 Pro Licensee Comment #3
Submitted by andreychek on Mon, 09/02/2019 - 19:39 Comment #4
Hmm, would it be possible to know the names of the domains in this case? That would help us better understand what's going on there.
That is, you mentioned the issue is with main-domain.ca and alias-domain.ca, what are those actual domain names though? Thanks!
Submitted by craigh on Mon, 09/02/2019 - 21:31 Pro Licensee Comment #5
Hi Eric. The main domain is we-need-a-fence.ca and the alias is weneedafence.ca.
Submitted by andreychek on Tue, 09/03/2019 - 13:43 Comment #6
Thanks for the info!
I'm re-reading the above, and wanted to be sure I understood properly -- you mentioned the domains were both disabled... do you actually wish to renew the SSL certificate?
Or are you just trying to address the notification that you're seeing that it's trying to renew, in spite of it being disabled?
We can help you renew it, if that's what you want -- but if this is an issue moreso with it trying to renew the certificate of a disabled domain, I can work with Jamie to sort out why it's attempting to do that. You're right, it certainly shouldn't be trying to renew an SSL certificate if the domains are disabled.
Submitted by craigh on Tue, 09/03/2019 - 17:01 Pro Licensee Comment #7
Yes, I do wish to renew the SSL certificate. The error in my original post is what I see when I try to renew the certificate. The domains are not currently disabled; they were disabled, and now they are not. There is no automated process trying to renew the certificate of a disabled domain.
Hope that's clear now.
Submitted by Jfro on Tue, 09/03/2019 - 17:22 Comment #8
If something went wrong, I almost always do a self-signed first. After that the LE, and it is most of the time working again.
(With some testing I can remember having problems too after deleting and then creating a new virtual server with the same domain name, but that was longer ago.)
All from the Virtualmin GUI. I don't know whether old things (LE) are deleted / withdrawn doing it that way?
Submitted by craigh on Tue, 09/03/2019 - 17:25 Pro Licensee Comment #9
I haven't tried changing to a self-signed certificate and then back to a Let's Encrypt certificate. Either way it's still a bug, as far as I can see.
Submitted by andreychek on Tue, 09/03/2019 - 18:30 Comment #10
Okay, that makes perfect sense craigh, just trying to make sure my suggestions are going in the right direction :-)
So Jamie will need to review why you got that message in the first place, but that doesn't appear to be the immediate issue.
I tried going to these two URLs --
http://we-need-a-fence.ca/.well-known/
http://weneedafence.ca/.well-known/
What I saw in both of those cases is that it's redirecting from HTTP to HTTPS, which will cause the Let's Encrypt validation to not work.
How is that redirect taking place, is there a .htaccess file in place that's performing that redirect? If so, you may want to try temporarily disabling that .htaccess file to see if it's able to work properly at that point.
Submitted by craigh on Wed, 09/04/2019 - 02:34 Pro Licensee Comment #11
Hi Eric. I took a look and it turns out there is a substantial (~50 kb) .htaccess file. I examined it and found that part of it was doing the HTTP-to-HTTPS redirect. When I renamed the file and renewed the certificate (and then renamed the file back), there were no errors.
That's essentially what Jamie said in his initial response, but I misunderstood. My apologies.
Craig
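Added example (not part of this ticket and not Virtualmin's own code): an .htaccess fragment that keeps the HTTP-to-HTTPS redirect Craig found in comment #11 but exempts the ACME challenge path, which is what Jamie suggested in comment #1. The traceback in the original post shows why the exemption matters: acme_tiny fetches the challenge URL itself before asking Let's Encrypt to validate it, urllib follows the 302 to https://www.alias-domain.ca, and hostname verification fails because the certificate still installed at that point covers only main-domain.ca and www.main-domain.ca. A blanket rule of the form "RewriteCond %{HTTPS} off" plus "RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]" sends the challenge request into that redirect; the fragment below stops rule processing for the challenge path first. Hostnames are the placeholders from the original post, and the file is assumed to sit in the document root that the main domain and its alias share.

```apacheconf
# Added example, not from the ticket: .htaccess in the document root shared by
# main-domain.ca and its alias alias-domain.ca (placeholder names from the post).
RewriteEngine On

# Rule 1: serve ACME HTTP-01 challenge files over plain HTTP as-is.
# "-" means no substitution; [L] stops processing, so the redirect below
# never sees requests for this path. The rule applies to every hostname on
# the vhost, so main-domain.ca, www.main-domain.ca, alias-domain.ca and
# www.alias-domain.ca can all be validated before a valid cert is installed.
RewriteRule ^\.well-known/acme-challenge/ - [L]

# Rule 2: everything else on plain HTTP goes to HTTPS on the same hostname.
# Keeping the hostname unchanged here (no jump to www.) means the client is
# only ever sent to a name the certificate has to cover anyway.
RewriteCond %{HTTPS} off
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

# Check after editing (any host; the token name is a constructed placeholder):
#   curl -sI http://alias-domain.ca/.well-known/acme-challenge/test | head -1
# Expected: 404 (or 200 if such a file exists) from the HTTP vhost, not 301/302.
```

Renaming the whole .htaccess, as Craig did, works once but has to be repeated at every renewal; with the exemption in place the automatic renewal runs unattended and the redirect stays in force for everything except the challenge path.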
Submitted by craigh on Wed, 09/04/2019 - 02:35 Pro Licensee Comment #12
Submitted by Jfro on Wed, 09/04/2019 - 05:04 Comment #13
FYI.
We have a redirect to https too, but no problems. I don't understand why; redirects in htaccess or vhosts to https should be OK. CentOS 7.6.1810, Webmin version 1.930, Usermin version 1.780, Virtualmin version 6.06.
Did a renewal to test for http://2shop.eu/.well-known/, all fine.
I think there must be a WIKI / DOC / HOWTO / HELP for webmin / virtualmin redirects to https without breaking the LE part?
@craigh you also have a redirect to www, so maybe the order is wrong somewhere: you first have to redirect to the same domain/subdomain, then after that the https part.
So, trying to explain: do not redirect from http://yourdomain.tld in one step to https://www.yourdomain.tld, that is false. First do http://yourdomain.tld to https://yourdomain.tld and after that do a redirect to https://www.yourdomain.tld.
It could of course also be a wrong redirect for parts of the htaccess in code, but therefore ask support here.
And I could be wrong too, then sorry. ;)
Look at this test I suggest > ;)
https://check-your-website.server-daten.de/?q=weneedafence.ca
For better ssl / tls / ciphers. https://www.virtualmin.com/node/67087
While:
https://discovery.cryptosense.com/analyze/weneedafence.ca/f54cee1
Only trying to help for the better. OK?
Submitted by andreychek on Wed, 09/04/2019 - 10:01 Comment #14
I'm glad to hear that worked craigh, thanks for letting us know!
It sounds like the immediate issue is fixed, but there may still be an underlying bug where it's trying to renew an SSL certificate of a disabled domain.
Did I understand that correctly in your original post, that this first came up when it was trying to renew the SSL certificate of a disabled domain?
Submitted by craigh on Fri, 09/06/2019 - 01:25 Pro Licensee Comment #15
Sorry, missed the email advising me that this had been updated.
No, there were no attempts by Virtualmin or anything else to automatically renew the certificate on a disabled domain. These were the steps I followed:
It was my manual action that was failing.