Hi,
Let's Encrypt has moved to API v2 in the meantime, deprecating API v1. Therefore I receive this error:
Error registering: Account creation on ACMEv1 is disabled. Please upgrade your ACME client to a version that supports ACMEv2 / RFC 8555. See https://community.letsencrypt.org/t/end-of-life-plan-for-acmev1/88430 for details.
This is for staging, if I want to test whether I can get a cert.
When I want to get a new cert I get this:
Requesting a new certificate for example.com, using the website directory /var/www ..
.. request failed : Chained certificate downloaded from https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem is empty
If I just renew, I am taken away from that page to the SSL Settings page (first tab).
Since I use the built-in Let's Encrypt feature, what can I do? Will there be any update? Even updating Webmin to 1.930 didn't fix that.
Thanks and best j_m
Comments
Submitted by just_me on Sat, 10/05/2019 - 01:56 Comment #1
Submitted by andreychek on Sat, 10/05/2019 - 09:01 Comment #2
Howdy -- thanks for your report!
I've asked Jamie for his thoughts on this, we'll see what he says.
Note that a workaround in the meantime may be to temporarily use the certbot client.
Submitted by just_me on Sat, 10/05/2019 - 09:29 Comment #3
Well,
I did it manually now by using sslforfree.com; but I'd appreciate it if it would work again in Webmin / Virtualmin as well (haven't checked on Virtualmin yet).
Thanks and best j_m
Submitted by Jfro on Sat, 10/05/2019 - 10:06 Comment #4
Sorry to ask or reply.
That V1 remark / announcement was known by 11-03-2019 and still not updated in virtualmin?
The original protocol used by Let’s Encrypt for certificate issuance and management is called ACMEv1. In March of 2018 we introduced support for ACMEv2, a newer version of the protocol that matches what was finalized today as RFC 8555. We have been encouraging subscribers to move to the ACMEv2 protocol.
Today we are announcing an end of life plan for ACMEv1.
In November of 2019 we will stop allowing new account registrations through our ACMEv1 API endpoint. Existing accounts will continue to function normally.
In June of 2020 we will stop allowing new domains to validate via ACMEv1.
We will be permanently disabling new ACME v1 registrations in the staging environment on October 1st.
And this one in August 2019. https://community.letsencrypt.org/t/important-notice-to-acme-client-deve...
Clients not compatible with ACME v2 will progressively disappear from https://letsencrypt.org/docs/client-options/ (They will be greyed out first, and then removed).
The objective is to point users only to ACME v2 clients as the ACME v1 API is deprecated and will be removed.
Submitted by seablaze on Fri, 10/11/2019 - 13:43 Comment #5
Due to the brownout today during the end of life plan, I am seeing this issue as well. Please address.
https://community.letsencrypt.org/t/end-of-life-plan-for-acmev1/88430/2
Submitted by Jfro on Fri, 10/11/2019 - 14:00 Comment #6
Yup, I don't understand why to wait longer with this part?
Submitted by andreychek on Fri, 10/11/2019 - 17:03 Comment #7
You may want to use the workaround mentioned in Comment #1 above, that will resolve any issues relating to the ACME protocol version until we're able to modify the built-in client to use the new protocol.
Submitted by seablaze on Sat, 10/12/2019 - 09:01 Comment #8
I was able to wait a day this time now that the brownout is complete and not have to use the workaround. Will use it next if needed. Thanks for planning this in, andreychek.
Submitted by Jfro on Mon, 10/14/2019 - 08:58 Comment #9
This could maybe help to get it done quicker? https://github.com/Neilpang/acme.sh . THIS ONE WORKS EVEN WITH CENTOS 8.
An ACME protocol client written purely in Shell (Unix shell) language.
Full ACME protocol implementation.
Support ACME v1 and ACME v2
Support ACME v2 wildcard certs
Simple, powerful and very easy to use. You only need 3 minutes to learn it.
Bash, dash and sh compatible.
Simplest shell script for Let's Encrypt free certificate client.
Purely written in Shell with no dependencies on python or the official Let's Encrypt client.
Just one script to issue, renew and install your certificates automatically.
DOES NOT require root/sudoer access.
Docker friendly
IPv6 support
Cron job notifications for renewal or error etc.
Submitted by geocrasher on Mon, 10/14/2019 - 08:14 Comment #10
Commenting only for the sake of following this. Hopefully it's resolved by 10/31/19 :)
Submitted by adamjedgar on Sat, 11/02/2019 - 03:57 Pro Licensee Comment #11
I have downloaded Virtualmin onto a new server and this still does not work...where are we at with this?
Submitted by SidedTech on Sat, 11/02/2019 - 04:48 Comment #12
Same here, worked all month for me up until now, I deploy a new Vmin install almost every other day, but first time seeing this.
Submitted by adamjedgar on Sat, 11/02/2019 - 06:00 Pro Licensee Comment #13
I wonder if this is actually the cause of all of my problems with email clients apps (particularly Microsoft Outlook mobile app) continuing to reject one of my client domain email SSL certs as being invalid?
Submitted by h2ojunkie on Mon, 11/11/2019 - 10:37 Comment #14
following
Submitted by pfregs on Sat, 11/09/2019 - 18:07 Comment #15
The bash script at
git clone https://github.com/Neilpang/acme.sh.git worked for me. I was using centos 6 but others have said it works from centos 6 to 8
In the example below, replace example.com with your domain etc....
First as root:
yum install git
yum install socat
then as the user of the website:
git clone https://github.com/Neilpang/acme.sh.git
cd ./acme.sh
./acme.sh --install --accountemail "youremailname@yourdomain.com"
The --accountemail "youremailname@yourdomain.com" is the email used to register account to Let's Encrypt, you will receive renewal notice email here.
Now get the cert (you don't have to try to update a broken cert, just get a new one)
The domain name comes first and then subdomains (-d example.com -d www.example.com)
./acme.sh --issue -d example.com -d www.example.com -w /home/username/public_html
Your cert is in /home/username/.acme.sh/example.com/example.com.cer
Your cert key is in /home/username/.acme.sh/example.com/example.com.key
The intermediate CA cert is in /home/username/.acme.sh/example.com/ca.cer
And the full chain cert is in /home/username/.acme.sh/example.com/fullchain.cer
Back in Virtualmin Edit the website
Edit Virtual Server
Server Configuration
SSL Certificate
CA Certificate
Choose "In file on server" and browse to /home/username/.acme.sh/example.com/ca.cer
Save
Update Certificate and Key
Signed SSL certificate
"In file on server" and browse to /home/username/.acme.sh/example.com/example.com.cer
Matching Private Key
"In file on server" and browse to /home/username/.acme.sh/example.com/example.com.key
Install Now
Now the cert is installed and pointing to the files in the user's directory.
The user's cronjob that was created when you installed acme.sh will check daily and renew every 60 days.
Check this with:
crontab -l
Look in this file below for renewal dates so you can check back to see it is still working properly in 60 days.
/home/username/.acme.sh/example.com/example.com.conf
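An added example (not part of the post above, nor of acme.sh itself) of the check-back step: it reads the next renewal time from each domain's .conf and reports certificates whose renewal is overdue, which is what a silently broken cron job looks like. It assumes acme.sh stores that time as epoch seconds in a `Le_NextRenewTime='...'` line; the function names and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag acme.sh certificates whose scheduled renewal is overdue.
# Assumption: the per-domain .conf holds a line like Le_NextRenewTime='1578420420'.

# Print the epoch value without sourcing the file: it lives in a user's home
# directory and must never be executed as shell code by a monitoring job.
next_renew_epoch() {
    sed -n "s/^Le_NextRenewTime=['\"]\{0,1\}\([0-9][0-9]*\)['\"]\{0,1\}[[:space:]]*\$/\1/p" "$1" | tail -n 1
}

# renewal_status CONF [NOW_EPOCH] [GRACE_DAYS]
# Prints ok / overdue / unknown and returns 0 / 1 / 2.
renewal_status() {
    conf=$1
    now=${2:-$(date +%s)}
    grace_days=${3:-3}
    [ -r "$conf" ] || { echo unknown; return 2; }
    next=$(next_renew_epoch "$conf")
    [ -n "$next" ] || { echo unknown; return 2; }
    if [ "$now" -gt $((next + grace_days * 86400)) ]; then
        echo overdue; return 1
    fi
    echo ok; return 0
}

# scan_acme_home DIR [NOW_EPOCH]
# Checks DIR/<domain>/<domain>.conf only (so <domain>.csr.conf is skipped),
# prints "<domain> <status>" per certificate, returns 1 if any is not ok.
scan_acme_home() {
    rc=0
    for dir in "$1"/*/; do
        name=$(basename "$dir")
        conf="${dir}${name}.conf"
        [ -f "$conf" ] || continue
        status=$(renewal_status "$conf" "${2:-}") || rc=1
        echo "$name $status"
    done
    return $rc
}

# Constructed sample data for trying the functions offline.
make_sample_home() {
    mkdir -p "$1/example.com" "$1/stale.test" "$1/broken.test"
    printf "Le_Domain='example.com'\nLe_NextRenewTime='1578420420'\n" > "$1/example.com/example.com.conf"
    : > "$1/example.com/example.com.csr.conf"
    printf "Le_NextRenewTime='1500000000'\n" > "$1/stale.test/stale.test.conf"
    printf "Le_Domain='broken.test'\n" > "$1/broken.test/broken.test.conf"
}

# Usage from cron or a monitoring check:
#   scan_acme_home /home/username/.acme.sh || echo "acme.sh renewal needs attention"
```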
Submitted by andreychek on Sat, 11/09/2019 - 19:05 Comment #16
The next Virtualmin release should install certbot whenever a Let's Encrypt certificate is requested... and in the future we'll likely even install certbot automatically when Virtualmin is installed. It'll use that in place of the built-in client.
In the meantime, you'd just need to manually install certbot -- on newer Debian and Ubuntu versions, that's included in their repos, you can just run: apt-get install certbot
With CentOS, that's in EPEL, you can run: yum install certbot
Certbot can also be installed from the eff.org website here: https://certbot.eff.org/
If certbot is installed, Virtualmin will use it automatically.
Submitted by Masplus on Sat, 11/09/2019 - 19:54 Comment #17
Solved with:
apt-get install socat certbot
certbot register
Complete with a valid e-mail.
Try to request new Let's Encrypt
Submitted by h2ojunkie on Mon, 11/11/2019 - 11:12 Comment #18
What do you do if after installing certbot, virtualmin still isn't using it? (or if it is using it, it's still failing for requesting v1 type certificates)
CentOS Linux 7.7.1908 Webmin version 1.932 Virtualmin version 6.08 certbot.noarch 0:0.39.0-1.el7
Submitted by pfregs on Mon, 11/11/2019 - 12:20 Comment #19
If you followed the directions I gave, you can see that the cert has updated via the virtualmin SSL Certificate "Current Certificate" interface, but Virtualmin is not doing the updating, the cronjob created by the acme.sh script is doing that. Choosing the key and cert that was created by the acme.sh script in Virtualmin's "Update Certificate and Key" tool will install those certs in Apache and point at the certs in the user's directory. The acme.sh cronjob will keep those certs up to date. This whole procedure is a hack or patch to make Let's Encrypt continue to work until Virtualmin fixes the problem on their end. You could probably just leave it be and forget the Let's Encrypt part of Virtualmin once you have installed this acme.sh script and used Virtualmin's SSL Cert tool to point at them. But, if this problem is fixed in a future release of Virtualmin, just use Virtualmin's Let's Encrypt tool to reinstall a cert.
I am not the author or maintainer of the acme.sh script. I just used it because I had run into this Let's Encrypt renewal bug and I needed to get an SSL cert working again. I found a link to the script, without docs, here in this forum, gave it a try and then tried to give back a little by documenting my experience and success with using it.
Script I used was found at: https://github.com/Neilpang/acme.sh.git
Submitted by h2ojunkie on Mon, 11/11/2019 - 12:29 Comment #20
That's my backup plan. I was responding to andreychek's comment, that if certbot is installed, virtualmin will just "use it" by default. So I installed it, and found it wasn't being used after all.
At the moment, I've worked around the issue by routing all domains through cloudflare, which allows me to use self-signed certificates in virtualmin. But, that leaves me tied to cloudflare for the time being (until virtualmin updates let's encrypt).
I was just curious as to why certbot wasn't being used by virtualmin, and if there was some other file/config that needed to be done after installing certbot to get virtualmin to see/use it.
Submitted by pfregs on Mon, 11/11/2019 - 13:46 Comment #21
Sorry, not sure what certbot is or if it is used by the acme.sh script. My info refers back to Comment #15 above, where I describe using the github script to add a Let's Encrypt cert to a broken virtualmin installation. The script and docs at https://github.com/Neilpang/acme.sh are quite extensive and it does work. The OS that I was using was Centos 06, but according to their docs, it should work with all the major linux releases.
Submitted by bluora on Wed, 11/13/2019 - 20:31 Pro Licensee Comment #22
Confirmed that installing certbot and registering works Ubuntu 18.04 LTS
Submitted by just_me on Thu, 11/14/2019 - 10:09 Comment #23
What about generating the cert within webmin, if i am not using Virtualmin?
Best j_m
Submitted by Jfro on Thu, 11/14/2019 - 17:06 Comment #24
Would be nice if there are howto's for such workarounds provided by virtualmin? For the meantime.
Submitted by ITNinja70 on Fri, 11/15/2019 - 13:22 Comment #25
Yeah confirmed running
apt-get install socat certbot
certbot register (enter an email)
Fixed the problem for me Ubuntu 18.04
Submitted by adamjedgar on Sun, 11/17/2019 - 19:38 Pro Licensee Comment #26
this is ridiculous, none of the above work on Debian 9 with a fresh install of Virtualmin 6.08.
Requesting a certificate for joomla.domain.com from Let's Encrypt ..
.. request failed : Web-based validation failed : Failed to request certificate :
Error registering: Account creation on ACMEv1 is disabled. Please upgrade your ACME client to a version that supports ACMEv2 / RFC 8555. See https://community.letsencrypt.org/t/end-of-life-plan-for-acmev1/88430 for details.
Edited to remove unnecessary language.
Submitted by JamieCameron on Sun, 11/17/2019 - 20:14 Comment #27
adamjedgar - does installing certbot not work?
Submitted by andreychek on Sun, 11/17/2019 - 20:15 Comment #28
adamjedgar, your post has been edited to remove the unnecessary language, let's keep things respectful here please :-)
Certbot should work on any system to get you a Let's Encrypt certificate. That's been the case for some time now. If you're having a problem, then we'll go over the issue and work on a way to get it fixed.
With the error you're seeing there, it looks like Virtualmin is still using the internal Let's Encrypt client. When certbot is installed though that shouldn't be the case... so we'd just need to look at why that's occurring.
This thread is long enough and has enough different folks participating that we may need to break out some questions into separate requests, but a simple thing to check -- what output do you receive if you run these commands:
dpkg -l certbot
certbot --version
Submitted by andreychek on Sun, 11/17/2019 - 20:17 Comment #29
And as Jamie mentioned, if you hadn't tried the steps of installing certbot as I mentioned in Comment #16 (and Masplus sums up even better in Comment #17), you would indeed see the issue you described there.
Submitted by h2ojunkie on Sun, 11/17/2019 - 21:04 Comment #30
I installed and registered certbot and Virtualmin won’t detect or use it. I’ve had to run certbot manually
Submitted by andreychek on Sun, 11/17/2019 - 22:38 Comment #31
h2ojunkie, what output do you see when running this command:
certbot --version
Also, what distro/version are you using?
Submitted by MTUser2012 on Mon, 11/18/2019 - 20:13 Pro Licensee Comment #32
I found this thread by searching the error I just got after trying to renew a cert after migrating to a new server. Reading it over, I installed certbot in Centos 7, and registered. I tried my request again and it worked perfectly. It looks like certbot is a great solution.
We had the same issue with a server running Ubuntu 18.04 today. There is a quick solution. You just have to update the ACME client manually.
You can find the current acme-tiny client here: https://github.com/diafygi/acme-tiny
Simply download the acme_tiny.py and overwrite the file /usr/share/webmin/webmin/acme_tiny.py on your server. You should then be able to get Let's Encrypt certificates just like before.
I hope the development team will fix that soon.
Submitted by irieyuusuke on Thu, 11/21/2019 - 07:59 Comment #34
CentOS Linux 7.7.1908
33 >> It is working correctly.
acme_tiny.py and overwrite the file /usr/libexec/webmin/webmin/acme_tiny.py
Submitted by Jfro on Thu, 11/21/2019 - 08:50 Comment #35
33 >> It is working correctly.
acme_tiny.py and overwrite the file /usr/libexec/webmin/webmin/acme_tiny.py
Will this stay after new upcoming update virtualmin/webmin?
So not changing then to certbot with update, because I don't know if changing / update/renew too much then the LIMITS of letsencrypt could be a problem if doing all sudden once?
I'm not aware of how Virtualmin is handling its own updates and if they overwrite. I would assume they don't. If they do, you have to redo this fix.
I have already created a patch and hopefully it will make it into the next release: https://github.com/webmin/webmin/pull/1143
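For the manual acme_tiny.py replacement from #33 and the point above that the fix must be redone if an update overwrites the file, an added example (not from any poster in this thread, nor from Webmin or acme-tiny): it installs the downloaded file only if its SHA-256 equals a value you pinned after reviewing that exact copy, keeps a backup, and lets you re-check the installed file later. The helper names `install_pinned` and `file_matches_pin` are hypothetical, and the pin is supplied by the operator.

```shell
#!/bin/sh
# Added example (hypothetical helper names). PIN is the SHA-256 of the exact
# acme_tiny.py you reviewed; it is supplied by you, not taken from this thread.

sha256_of() { sha256sum "$1" | cut -d' ' -f1; }

# file_matches_pin FILE PIN: succeeds only if FILE exists and hashes to PIN.
# Re-run it against the installed path after every Webmin update to see
# whether the update put a different acme_tiny.py back.
file_matches_pin() {
    [ -f "$1" ] && [ "$(sha256_of "$1")" = "$2" ]
}

# install_pinned SRC DEST PIN
# Returns 0 if DEST now matches PIN, 1 if SRC does not match PIN (DEST is
# left untouched), 2 on a usage or I/O error.
install_pinned() {
    src=$1 dest=$2 pin=$3
    [ -n "$pin" ] && [ -f "$src" ] || return 2
    file_matches_pin "$dest" "$pin" && return 0        # already current

    # Stage next to DEST so the final rename is atomic on the same filesystem.
    tmp=$(mktemp "$dest.XXXXXX") || return 2
    if [ -f "$dest" ]; then
        cp -p "$dest" "$tmp" || { rm -f "$tmp"; return 2; }   # inherit mode/owner
    else
        chmod 644 "$tmp" || { rm -f "$tmp"; return 2; }       # assumed default mode
    fi
    cat "$src" > "$tmp" || { rm -f "$tmp"; return 2; }

    # Hash the staged bytes: exactly what is about to be renamed into place.
    file_matches_pin "$tmp" "$pin" || { rm -f "$tmp"; return 1; }

    if [ -f "$dest" ]; then
        cp -p "$dest" "$dest.bak.$(date +%Y%m%d%H%M%S)" || { rm -f "$tmp"; return 2; }
    fi
    mv -f "$tmp" "$dest" || { rm -f "$tmp"; return 2; }
}

# Usage on the paths named in this thread (run as root):
#   install_pinned ./acme_tiny.py /usr/share/webmin/webmin/acme_tiny.py "$PIN"    # Ubuntu
#   install_pinned ./acme_tiny.py /usr/libexec/webmin/webmin/acme_tiny.py "$PIN"  # CentOS
```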
Submitted by JamieCameron on Sat, 11/23/2019 - 14:09 Comment #37
We're actually considering just not including acme_tiny.py at all, and relying on users to install the official certbot client. This would remove the risk of ACME protocol compatibility issues, but also means that users need to install certbot .... what do people think?
Submitted by geocrasher on Sat, 11/23/2019 - 14:27 Comment #38
Hey Jamie, I think a good compromise would be to give the option at installation time to include the official certbot installation. I think if a base install doesn't have it, it'll be a support issue, and Virtualmin will be missing a critical feature. For the next update of existing servers, the administrator should get a prompt at first login to install certbot and run them through the registration routine. Or, as soon as somebody clicks the "SSL" option in server setup, it prompts the install if the rpm isn't already installed. At the very least, a page detailing the supported installation will be helpful.
Submitted by Jfro on Sat, 11/23/2019 - 15:00 Comment #39
As script plugin? ( so a complete one or prepared original with up to date howto / manual)
I guess depends also on license..... ?
Then the handling in GUI the SSL options virtualmin / webmin.
For most it is ........ which script as long as it works and is supported in GUI from WEBPANELS
This one has https://github.com/Neilpang/acme.sh License is GPLv3 the certbot however have more people working on it i guess, which must not be a better solution only mention this and the tiny acme which in use now pff.
If it was that easy to choose and have GUI in virtualmin working for ssl options .....
Submitted by h2ojunkie on Sat, 11/23/2019 - 15:36 Comment #40
For those not comfortable on cli, this module works well to manage certbot configuration
https://github.com/AcuGIS/Certbot-Webmin-Module/blob/master/README.md
Submitted by JamieCameron on Sat, 11/23/2019 - 15:43 Comment #41
Yes, we will (or already have) added Certbot as a dependency during Virtualmin installs. I like the idea of prompting the admin to install it if missing though - we'll add that too.
Submitted by videorepair on Sun, 11/24/2019 - 18:56 Comment #42
Get Let's Encrypt free SSL working after 11/01/19 on Virtualmin.
Half a day to figure this out, hope it helps someone... my notes:
11/01/19 At this point Let's Encrypt has dropped Acme v1 on new certificate installs.
Let's Encrypt now uses Certbot ACME v2 protocol. You must install Certbot Acme v2, give out an email address and run one ssl request - all from the command line.
This assumes Centos 7 or Rhel 7 and Virtualmin install.sh . Let's Encrypt will error on any ssl request for new webmin or virtual servers. Log into your host server with ssh on putty on the self-signed certificate. Do not use the Webmin terminal, it will error also. Certbot Instructions are here: https://certbot.eff.org/lets-encrypt/centosrhel7-apache
Example:
Install Certbot: yum -y install certbot python2-certbot-apache
Get and install your certificates, just one time: certbot --apache
Here you are requested for an email address and several other easy questions. This will install a new certificate and activate certbot for use on the system. Now the Webmin and Virtualmin tools will work as before. No need to do command line again.
Submitted by Bunta on Tue, 11/26/2019 - 17:02 Comment #43
I tried this #33. It works great for me. Ubuntu 1804
Submitted by adamjedgar on Tue, 11/26/2019 - 17:02 Pro Licensee Comment #44
you are better off just going to the certbot website directly and following the tutorial on how to setup.
It is really simple and easy to follow. I followed these instructions and it worked perfectly first go.
https://certbot.eff.org/instructions
A lot of this stuff on Virtualmin forum is vague and often doesn't work properly.
Submitted by sinjab on Sat, 11/30/2019 - 08:55 Comment #45
#33 worked great for me. Ubuntu 1604
Submitted by paulocoghi on Fri, 12/06/2019 - 20:39 Comment #46
andreychek is right. Thanks, Andrey!
On Ubuntu 18.04, installing socat and certbot packages and registering with certbot register makes Virtualmin start using certbot, and certificates are now being generated normally.
To JamieCameron: I vote to set certbot as a dependency. In this way, Virtualmin will be always compliant/compatible.
Submitted by JamieCameron on Sat, 12/07/2019 - 08:00 Comment #47
Yes, that is the plan..
Submitted by jorgecardenas1 on Tue, 12/10/2019 - 07:53 Pro Licensee Comment #48
Replacing acme_tiny.py with github version worked for me.
Just download acme-tiny from https://github.com/diafygi/acme-tiny and replace it in /usr/libexec/webmin/webmin/acme_tiny.py for CentOS 7 as suggested by solution #33.
Submitted by MostHated on Fri, 12/20/2019 - 17:49 Comment #49
Comment #17 worked perfectly for me. I am now able to use LetsEncrypt as normal.
Submitted by Hans on Sat, 12/21/2019 - 11:04 Comment #50
#33 has it! That's definitely the best, easiest and safest solution! Many thanks @2ndkauboy! :D
Shouldn't be a problem for Jamie to simply include the new version of this "acme_tiny.py"-thingy in the next vmin update :)
Submitted by nativeit on Tue, 12/24/2019 - 01:55 Comment #51
Edit: this worked on 2 sites, but has since failed with script errors.
I tried using the latest acme_tiny.py from https://github.com/diafygi/acme-tiny as jorgecardenas1 suggested on a new install (Debian 10), as well as an existing Debian 9. In both cases it only worked sporadically, and I gave up.
THIS WORKED UNIVERSALLY, WITHOUT ANY KIND OF COMPROMISES IN TERMS OF VIRTUALMIN FUNCTIONALITY:
apt-get install certbot
certbot register
/etc/init.d/webmin restart
After completing this, I am able to make requests for new certs and renewals normally without issue from the Server Configuration > SSL Certificates > Let's Encrypt screen in Virtualmin.
Submitted by xorax on Mon, 12/30/2019 - 09:21 Comment #52
From my point of view, I think a transition phase would be appropriate.
I just see that the last webmin version does not provide Let's Encrypt anymore, unless you install certbot. It means thousands of servers will have their certificates not renewed soon, because certbot will not be installed automatically.
The certbot package as well as other supported packages (letsencrypt.sh I guess?) are not provided on old OS like Debian <= 8, so it will cause dependency issues, hard to resolve, hard to provide...
@JamieCameron I don't think packages are more reliable in time than libraries, and for sure they are less flexible. Upgrading acme_tiny.py in virtualmin seems to be easy, and I don't think Let's Encrypt will change their protocol in the next 5 years.
Choose advisedly :)
Submitted by andreychek on Mon, 12/30/2019 - 09:39 Comment #53
Virtualmin is making a move from using acme_tiny to using certbot instead.
Some older distros don't have a "certbot" package, such as CentOS 6 and Debian 8. In those cases, it's possible to download the "certbot" or "certbot-auto" binary and copy that into /usr/local/bin.
Instructions for handling that on Debian 8 are here:
https://certbot.eff.org/lets-encrypt/debianjessie-apache.html
It's just a matter of downloading a file, copying it out to your server, and possibly tweaking the permissions.
I appreciate that the above does involve having to perform some maintenance on your servers, though trying to maintain certbot and acme_tiny was bringing its own maintenance problems. The certbot program also supports all of the Let's Encrypt features, where acme_tiny does not.
Sorry for any inconvenience, but we felt the above was the best thing to do for both long-term maintenance and functionality.
Submitted by c_prompt on Mon, 12/30/2019 - 10:58 Comment #54
from https://groups.google.com/forum/#!topic/virtualmin-announce/TURKamut5d0:
Nope. At least for my environment (Debian 9.11), right after the Webmin 1.940 upgrade, Let's Encrypt wasn't there. Had to do:
sudo apt-get install certbot python-certbot-apache
Submitted by Michael666 on Mon, 12/30/2019 - 11:58 Comment #55
I have updated to the latest version of webmin 1.940 and now I can't create certificates, I get this error:
"The Let's Encrypt client command letsencrypt or certbot was not found on your system"
I have centos 7.5
Submitted by andreychek on Mon, 12/30/2019 - 12:42 Comment #56
If you receive an error that certbot isn't installed, you would just need to install certbot. On CentOS, you can do that with "yum install certbot".
There are enough different topics included in this thread that I think it's time to close this thread and start new ones for any additional questions folks have.
We've released a Webmin 1.940 release, addressing the initial issue above.
If anyone sees a bug with that, feel free to file a bug report.
If Virtualmin GPL users have any questions on it, let us know in the Forums.
And if Virtualmin Pro users have any questions, they can create a new support request here.
Thanks!