Submitted by hvillemoes on Mon, 03/01/2021 - 00:29 Pro Licensee
Sometime within the latest months the auto letsencrypt renewal has stoppen working. Manual renewal using the "Request Certificate"-button on the "Server Configuration" / "Let's Encrypt"-tab works fine.
"Re-Check Configuration" reports all ok"
Any ideas ? What to check ?
Status:
Active
Virtualmin version:
6.14
Webmin version:
6.14
Comments
Hello,
Thank you contacting us.
It would be interesting to have a look at relevant log entries from
/var/log/letsencrypton the day it failed - what does it say?Submitted by ewersk on Tue, 03/02/2021 - 02:15 Pro Licensee Comment #2
Hi,
It the same here on both virtualmin pro instances of mine (cent7-based and fully up to date) ... Just found out, in all /etc/webmin/virtualmin-server/domains/ there is an entry auto_letsencrypt=0 ... sounds like our problem?
Is it save to change this to 1 ? I can't find any documentation on this.
Stay healthy, -- Kai
Submitted by hvillemoes on Tue, 03/02/2021 - 03:03 Pro Licensee Comment #3
Hi Ilia It does not fail, it just does not run. So please reply Kai's question above. Thanks
Kai, no. I don't think it's the source of the problem as
auto_letsencryptis set upon domain creation time (or on initial post-install wizard for default domain) and either based on correspondent Virtualmin config option (if Let's Encrypt should be automatic up-on domain creation time) when domain is created with UI or when created using CLI, if it's manually set with additional--letsencryptparam. Laterauto_letsencryptis only tested when disabling/re-enabling SSL website feature for existing website.What is important here is that
apply_letsencrypt_cert_renewalsmust be called. Mentioned sub will not work ifletsencrypt_renewparam in domain config is not set or/and ifcollectinfo.plis not called.What is your case? What do you have set on Webmin ⇾ Webmin Configuration: Webmin Scheduled Functions for
collectinfo.pl? Doesletsencrypt_renewpresent on your domain config?Alright, I see what other issue and most likely the source of the problem is. Due to the recent change in Let's Encrypt it seems that they now have
issuer_cnset to R3 rather than what it was before, and thusapply_letsencrypt_cert_renewalsstops, thinking that it's not Let's Encrypt certificate. Currently Virtualmin 6.14 doesn't have this checked done right but upcoming Virtualmin 6.15 is have it fixed already!You could manually patch
feature-ssl.plfile and line 2437 from what it is now and replace it with:next if ($info->{'issuer_o'} !~ /Let's\s+Encrypt/i);I cannot say it's recommended way of doing it but it's better than not working automatic renewals.
Edit: After editing mentioned file you would have to restart Webmin with
/etc/webmin/restartcommand.Submitted by hvillemoes on Tue, 03/02/2021 - 10:16 Pro Licensee Comment #6
Well, I try changing it to: next if ($info->{'issuer_cn'} !~ /R3/i); The we'll see within the next month or so.
Yeah, sure. It'll work too!
I applied this fix 2 days ago ... it did not work .. webmin/virtualmin failed to update the ssl certs before expiry but manual update worked no problem
Submitted by ale.ab on Thu, 03/04/2021 - 10:34 Comment #9
i changed line like Ilia suggest
next if ($info->{'issuer_o'} !~ /Let's\s+Encrypt/i);
then restart webmin service (on few servers) or reboot (on other servers) and now works fine
thank you
Submitted by nodo50 on Thu, 03/04/2021 - 12:21 Pro Licensee Comment #10
I also confirm, the patch solve the issue in my servers, automatically cert renewals started a few minutes after aplly the patch on feature-ssl.pl
Submitted by hvillemoes on Thu, 03/04/2021 - 12:38 Pro Licensee Comment #11
My fix did'nt help, before I rebooted. Then it updated all certs older than 2 months.
Submitted by sinjab on Sat, 03/06/2021 - 08:00 Comment #12
LetsEncrypt auto-renewal has stopped for me too on many servers. It will simply let the certifications expire saying 0 days remaining. I had to press renew manually. Virtualmin version 6.14.
Yes, sorry about this.
We're about to announce Webmin 1.973 and a week later will try to do Virtualmin 6.15.
Meantime, you could apply the patch mentioned above in the comment #5 to address the problem.
Submitted by zulqarnainhabib on Tue, 03/09/2021 - 00:21 Comment #14
It worked for me too in Virtualmin 6.14.
I modified feature-ssl.pl file line 2437 and replaced it with (as asked by Ilia):
next if ($info->{'issuer_o'} !~ /Let's\s+Encrypt/i);
Submitted by JEMEDIACORP on Tue, 03/09/2021 - 08:56 Pro Licensee Comment #15
Chiming in here to say that we are experiencing the same issue on all of our Virtualmin servers (both GPL and Pro). The last Let's Encrypt auto-renewal e-mail I received from Virtualmin was on February 2nd. I will apply the patch mentioned in comment #5, hopefully that will resolve this issue for me as it has for others in this thread.
After editing mentioned file you would have to restart Webmin with
/etc/webmin/restartcommand.Submitted by JEMEDIACORP on Tue, 03/09/2021 - 20:49 Pro Licensee Comment #17
Just as it has for others, changing the line in feature-ssl.pl has resolved the auto-renew problem for me. I look forward to the official fix being included in the next Virtualmin release.
Maybe it will useful for someone else, I had to apply the fix at two different places in file /usr/share/webmin/virtual-server/feature-ssl.pl.
The first fix on line 2437 was not enough. There was another similar line on line 2626 that needed similar fix.
Must be the version that I am running?
Submitted by hvillemoes on Thu, 03/18/2021 - 06:44 Pro Licensee Comment #19
Solved in 6.15 - thank you
Yes, the patch above must not be applied for Virtualmin 6.15+.
Submitted by alstam on Fri, 04/23/2021 - 10:47 Pro Licensee Comment #21
Hi Ilia, my line 2437 is empty. Should i add the patch line there?
Thank you
Hi,
No, latest Virtualmin 6.16 and Webmin 1.973 have this issue fixed.
Submitted by alstam on Mon, 04/26/2021 - 13:42 Pro Licensee Comment #23
My ssl don't auto renew
Webmin version 1.942 Usermin version 1.791 Virtualmin version 6.09 Pro
Submitted by markfy on Mon, 05/03/2021 - 04:00 Comment #24
I've had this problem too, actually caused us quite an embarassment with one client a couple of weeks ago. I'm now checking and manually renewing as required.
On Virtualmin 6.14 and Webmin has just upgraded to 1.974. Not seeing a 6.15 or 6.16 upgrade coming through. By the looks of things 6.15 should have landed some time ago?
Mark
Submitted by xgarreau on Mon, 05/03/2021 - 04:31 Comment #25
Hi !
It looks like this bug is back with 6.16.
There is no more text input zone for renewal period and renewal is never triggered.
Xavier
Submitted by JamieCameron on Mon, 05/03/2021 - 23:17 Comment #26
In version 6.16, renewal is either on or off , and happens automatically when the cert is close to expiry.
You should check your repos or run
install.shscript with-sparam to setup repos and exit:Submitted by aarailfan on Tue, 05/04/2021 - 10:37 Comment #28
This was working in 6.15 but is not working for me on 6.16. Manual renewals are working fine, but no auto renewals seem to be taking place.
If you go to the domain for which auto-renewal doesn't work, how its virtual-server.name - Server Configuration ⇾ SSL Certificate / Let's Encrypt page look like? Could you make a screenshot?
Do you have Automatically renew certificate? set to Yes?
Submitted by aarailfan on Tue, 05/04/2021 - 15:09 Comment #30
So I had 6 domains that were at 21 days when my daily report ran at midnight this morning. All of these renewed today. Prior to this, they were renewing at 30 days or so. My next oldest ones are 37 days out currently, so I'll keep my eye on those and see what happens.
Submitted by aarailfan on Thu, 05/20/2021 - 13:10 Comment #31
Based on what I'm seeing, certificates are auto-renewing at 20 (or possibly 21) days now instead of the 30 days it was in the past. Is anyone else seeing the same thing?
This is expected and is recommended way of doing it.