Cannot download a new letsencrypt certificate and setup ssl on virtualmin GPL virtual server

#1 Tue, 10/03/2017 - 23:27
adamjedgar

Hi guys, I am trying to replace the self-signed SSL certificate on a Virtualmin GPL virtual server.

  1. Virtualmin>Edit Virtual Server>Enabled Features (Apache ssl website enabled = yes)
  2. Virtualmin>Server Configuration>Manage SSL Certificate>Lets Encrypt (request certificate)
Requesting a certificate for whmcs.<mydomain>.com.au, www.whmcs.<mydomain>.com.au, autoconfig.whmcs.<mydomain>.com.au, autodiscover.whmcs.<mydomain>.com.au from Let's Encrypt ..
.. request failed : Web-based validation failed : Failed to request certificate :
Parsing account key...
Parsing CSR...
Registering account...
Already registered!
Verifying autoconfig.whmcs.<mydomain>.com.au...
Traceback (most recent call last):
  File "/usr/share/webmin/webmin/acme_tiny.py", line 235, in <module>
    main(sys.argv[1:])
  File "/usr/share/webmin/webmin/acme_tiny.py", line 231, in main
    signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, args.dns_hook, args.cleanup_hook, log=LOGGER, CA=args.ca)
  File "/usr/share/webmin/webmin/acme_tiny.py", line 184, in get_crt
    domain, challenge_status))
ValueError: autoconfig.whmcs.<mydomain>.com.au challenge did not pass: {u'status': u'invalid', u'validationRecord': [{u'addressesResolved': [], u'url': u'http://autoconfig.whmcs.<mydomain>.com.au/.well-known/acme-challenge/kfU4vlfl9nNhuB3MoXFL5Fo-bPtJuNr7FyaLGDIzT-A', u'hostname': u'autoconfig.whmcs.<mydomain>.com.au', u'addressesTried': [], u'addressUsed': u'', u'port': u'80'}], u'keyAuthorization': u'kfU4vlfl9nNhuB3MoXFL5Fo-bPtJuNr7FyaLGDIzT-A.LPn7lnznx_Cy-uIyknNx29iceyVMD3DeRyWoC9ITcMM', u'uri': u'https://acme-v01.api.letsencrypt.org/acme/challenge/m4D0V1A-STsJ6Bwq98ts3ykHJ-s6njBAw7pAm9E2EOs/2125703813', u'token': u'kfU4vlfl9nNhuB3MoXFL5Fo-bPtJuNr7FyaLGDIzT-A', u'error': {u'status': 400, u'type': u'urn:acme:error:connection', u'detail': u'DNS problem: NXDOMAIN looking up A for autoconfig.whmcs.<mydomain>.com.au'}, u'type': u'http-01'}
DNS-based validation failed : Failed to request certificate :
Parsing account key...
Parsing CSR...
Registering account...
Already registered!
Verifying autoconfig.whmcs.<mydomain>.com.au...
Traceback (most recent call last):
  File "/usr/share/webmin/webmin/acme_tiny.py", line 235, in <module>
    main(sys.argv[1:])
  File "/usr/share/webmin/webmin/acme_tiny.py", line 231, in main
    signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, args.dns_hook, args.cleanup_hook, log=LOGGER, CA=args.ca)
  File "/usr/share/webmin/webmin/acme_tiny.py", line 122, in get_crt
    raise ValueError("Error requesting challenges: {0} {1}".format(code, result))
ValueError: Error requesting challenges: 429 {
  "type": "urn:acme:error:rateLimited",
  "detail": "Error creating new authz :: Too many invalid authorizations recently.",
  "status": 429
}

I have followed Jamie's advice that I found on another forum post about this kind of error:

If you're seeing that error about "couldn't download ..." , one way to debug what's happening is to create the directory /home/domain/www/.well-known/acme-challenge/ manually and create a small file named text.txt in it. Then run :

curl http://domain.net/.well-known/acme-challenge/test.txt

and see what output you get. If that doesn't download the file, it means that some .htaccess rule is blocking or redirecting access away from the directory, and so the Let's Encrypt client won't work.

Here is my output following Jamie's advice...

[root@server3 ~]# curl http://domain.net/.well-known/acme-challenge/test.txt
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed

  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
  0     0    0     0    0     0      0      0 --:--:--  0:00:01 --:--:--     0
  0     0    0     0    0     0      0      0 --:--:--  0:00:02 --:--:--     0
100   345  100   345    0     0    118      0  0:00:02  0:00:02 --:--:--   118
<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
         "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
  <title>404 - Not Found</title>
</head>
<body>
  <h1>404 - Not Found</h1>
</body>
</html>

Here is the .htaccess file that is found within the directory where I placed test.txt:

AuthType None
Require all granted
Satisfy any

And this is the .htaccess file that is inside the home/whmcs/public_html/whmcs directory:

RewriteEngine On

# Announcements
RewriteRule ^announcements/([0-9]+)/[a-z0-9_-]+\.html$ ./announcements.php?id=$1 [L,NC]
RewriteRule ^announcements$ ./announcements.php [L,NC]

# Downloads
RewriteRule ^downloads/([0-9]+)/([^/]*)$ ./downloads.php?action=displaycat&catid=$1 [L,NC]
RewriteRule ^downloads$ ./downloads.php [L,NC]

# Knowledgebase
RewriteRule ^knowledgebase/([0-9]+)/[a-z0-9_-]+\.html$ ./knowledgebase.php?action=displayarticle&id=$1 [L,NC]
RewriteRule ^knowledgebase/([0-9]+)/([^/]*)$ ./knowledgebase.php?action=displaycat&catid=$1 [L,NC]
RewriteRule ^knowledgebase$ ./knowledgebase.php [L,NC]

# OpenID Discovery Document (http://openid.net/specs/openid-connect-discovery-1_0.html)
RewriteRule ^.well-known/openid-configuration ./oauth/openid-configuration.php [L,NC]

Help!!!

(Could I simply navigate to /home/whmcs/ and replace the existing "ssl.cert" and "ssl.key" with new ones I download manually from Let's Encrypt?)

Tue, 10/03/2017 - 23:37
Joe

www is not the right path. It's gonna be /home/domain/public_html/.well-known/acme-challenge/

404 means you're either hitting the wrong directory (if you actually put it in www) or the wrong server (DNS) or the wrong domain (you have a default domain set up and it's getting in the way, or you've got some VirtualHosts using *:80 and some using 192.168.1.1:80).

Make sure when you browse to that domain, you get the one you expect. i.e. create an index.html unique to this site in the root of the public_html directory, and see.

--

Check out the forum guidelines!

Wed, 10/04/2017 - 03:01 (Reply to #2)
adamjedgar

Hi,

I have the WHMCS https:// website functioning on the Virtualmin virtual server, so can there really be a DNS issue? All I am trying to do is swap out the self-signed certificate for a Let's Encrypt one.

The directory and subdirectories are as follows:

/home/whmcs/public_html

/.well-known
/phpmyadmin
/roundcube
/whmcs

I don't have anything other than the default index.html file in the Webmin www directory. I am not using the Webmin www directory and intend to delete that default index.html file; this certificate is for the virtual server whmcs.mydomain.com.au.

Is this happening because of the way in which I have set up my parent domain as the Webmin server, and the Virtualmin virtual server is a subdomain, and I am asking for a certificate for the subdomain on a virtual server instead of the parent domain for Webmin?

I hope that makes sense... (I will try to simplify it below. My current certificate is a self-signed one... I want to change it to Let's Encrypt.)

Google Cloud Instance + Webmin/Virtualmin GPL = https://server3.foo.com.au

Virtualmin Virtual Server = https://whmcs.foo.com.au

I am also confused by this... in addition to the .htaccess and text.txt I added (which was meant to be test.txt, I have just realised), I have 4 files added to .well-known>acme-challenge:

.htaccess 46 bytes whmcs:whmcs 0755 2017/10/04 - 04:02:08
4tyxAsDrIrrXWHAwjNDNu53lEdWbEwJsJOGKNmAwK5g 87 bytes root:root 0777 2017/10/04 - 04:04:18
dFTWycVt2As_j-YY33HZLtFUDXQRDP_40MbLOWjidgc 87 bytes root:root 0777 2017/10/04 - 05:07:20
hWAYlCU5OosYAz6Erz23_XRq44tSyJWHJKFwCkIKxK4 87 bytes root:root 0777 2017/10/04 - 04:10:51
kfU4vlfl9nNhuB3MoXFL5Fo-bPtJuNr7FyaLGDIzT-A 87 bytes root:root 0777 2017/10/04 - 04:23:23
text.txt 0 bytes whmcs:whmcs 0644 2017/10/04 - 04:16:29

How did those files get there today? I didn't copy them into that directory. They appear to be ACME challenge files. Since this process didn't work, can I just delete them?

AJECreative is the home of $5 webhosting, $15/month VPS servers (1cpu,1gb RAM, 25GB storage)
Centos7, Debian9, or Ubuntu18LTS
Available Control Panels = Centos-Webpanel, Cyberpanel, or Virtualmin

https://ajecreative.com.au

Wed, 10/04/2017 - 03:35 (Reply to #3)
Joe

"Is this happening because of the way in which I have set up my parent domain as the Webmin server, and the Virtualmin virtual server is a subdomain, and I am asking for a certificate for the subdomain on a virtual server instead of the parent domain for Webmin?"

I don't think so, but I have no idea what you mean. Webmin doesn't run on the same port as Apache; it has no relation to anything Apache does.

All that matters is that the domain name for the VirtualHost you want to get a certificate for resolves correctly and that you can get files from its document root. It doesn't matter what that name is. Subdomains are just names; literally no difference in how a subdomain works and a domain works.

Does a DNS lookup for the name you want a certificate for resolve to the right IP address?

Can you browse by name to that virtual host and retrieve files from the public_html directory?


Wed, 10/04/2017 - 05:12 (Reply to #4)
adamjedgar

Webmin doesn't run on the same port as Apache; it has no relation to anything Apache

What I meant was, if you look at the server via the Webmin file manager, there is a website directory in /var/www and also web directories in /home/users/public_html. I was talking about the /var/www one. (I am not using /var/www.)

Does a DNS lookup for the name you want a certificate for resolve to the right IP address?
Can you browse by name to that virtual host and retrieve files from the public_html directory?

I am not understanding this line of query. DNS lookup returns the following:

A whmcs.foo.com.au 35.189.xx.xx
United States Mountain View, California US
Google Inc. (AS15169) 60 min

Doesn't the fact that I have a functioning website already in this directory prove both of these to be true? I have the WHMCS frontend website up and running in /home/whmcs/public_html/whmcs/ (I am looking at it).

The whmcs virtual server was installed using the Virtualmin/Webmin dashboard, and the WHMCS website was installed using the Virtualmin script installer.

If there is a problem with DNS and the IP address, surely both of the above would have failed? I am accessing the WHMCS website via its URL (not IP address): https://whmcs.foo.com.au/whmcs/


Wed, 10/04/2017 - 05:12
noisemarine

DNS problem: NXDOMAIN looking up A for autoconfig.whmcs.<mydomain>.com.au

Just to reinforce what Joe is saying, you are requesting certificates for all of these names. Is that what you really wanted? It seems you are only wanting a certificate for whmcs.mydomain.com.au. The request is failing on autoconfig, and will also possibly fail on autodiscover if it ever makes it that far.

whmcs.<mydomain>.com.au 
www.whmcs.<mydomain>.com.au 
autoconfig.whmcs.<mydomain>.com.au 
autodiscover.whmcs.<mydomain>.com.au

Also, you've made too many attempts in too short of a period and now Let's Encrypt are ignoring you for a while (see their site for how long).

  "type": "urn:acme:error:rateLimited",
  "detail": "Error creating new authz :: Too many invalid authorizations recently.",

All of this is in your log that you posted. With some time, you'll get to understand what it all means. :)
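The two checks Joe and noisemarine describe (does every requested name resolve, and does that name serve a test file from /.well-known/acme-challenge/ over plain HTTP before Let's Encrypt is asked to) can be run as one pre-flight, so a name such as autoconfig.* that has no A record is dropped from the request instead of burning another attempt against the rate limit. This is an added example, not Virtualmin's or acme_tiny's code; the `resolve` and `get` parameters exist so the logic can be exercised with stand-in lookups, and the `example.com.au` names in the usage are constructed.

```python
import socket
import urllib.error
import urllib.request

# Added example: pre-flight for an ACME http-01 request. One name in the SAN
# list that does not resolve, or that is served by the wrong VirtualHost,
# fails the whole request, and every failed request counts toward the limit.
CHALLENGE_PATH = "/.well-known/acme-challenge/"


def resolve_a(name):
    """Return the IPv4 addresses for name, or [] when the lookup fails (NXDOMAIN)."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


def fetch(url, timeout=10):
    """Return (HTTP status, body); status is None when no connection could be made."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.getcode(), resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, ""
    except (urllib.error.URLError, OSError):
        return None, ""


def preflight(names, test_file, expected_body, resolve=resolve_a, get=fetch):
    """Check each candidate name; return {name: "ok" or the reason it would fail}."""
    report = {}
    for name in names:
        if not resolve(name):
            report[name] = "NXDOMAIN: no A record; drop this name from the request"
            continue
        status, body = get("http://" + name + CHALLENGE_PATH + test_file)
        if status is None:
            report[name] = "connection failed on port 80"
        elif status != 200:
            report[name] = "HTTP %d: wrong docroot, VirtualHost or .htaccess" % status
        elif body.strip() != expected_body:
            report[name] = "unexpected content: another site answered for this name"
        else:
            report[name] = "ok"
    return report


def safe_to_request(report):
    """True only when every name passed, so no attempt is wasted on the rate limit."""
    return all(v == "ok" for v in report.values())
```

Before clicking "Request Certificate", put a file such as test.txt containing `ok` in the docroot's .well-known/acme-challenge/ directory and run `preflight(names, "test.txt", "ok")` over the names Virtualmin proposes; request only the names reported "ok".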

Wed, 10/04/2017 - 05:27
noisemarine

Adam, I replied but my post is caught up in the filter due to me using domain names. It will get released eventually, but the short version of my reply is, you are requesting a cert for four domain names. They are all listed in the first couple of lines of the initial log you posted. It is the last couple that are causing the request to fail. Read the log slowly and line by line, especially the part about being rate limited.

Wed, 10/04/2017 - 16:52 (Reply to #7)
adamjedgar

OK, I will check this out. I just accepted the defaults input by Virtualmin in relation to this. I wondered about the last two as I don't know what they are for, but I expected the Virtualmin control panel added them itself for an important reason.

Also, I have another question that might also be related... and it's the DNS line of inquiry that has me wondering about it.

I have been testing a number of Google Cloud instances and at least 3 different control panels. I have also been trialling VestaCP and ISPConfig on a Google Cloud Compute micro instance (600MB RAM)... I was almost certain that I would not be able to use Virtualmin on my server, as the full version was way too resource heavy when compared with VestaCP and ISPConfig. I realise that it is not actually the control panel that was the problem, but I needed a plug-and-play solution, as I am learning and don't really know what can be removed and what cannot to ensure a functioning system... I have enough problems to deal with without this complicating said learning curve as well. However, now that I have installed the "minimal" Virtualmin version, it has been fantastic and I am extremely impressed with it. Comparing my Google Cloud resource monitor, I have found the Virtualmin minimal install is actually an equally efficient setup alongside the other two panels I am testing. I think Virtualmin has a little more control in its GUI interface, which for Windows-educated users is easier to understand. (Although it is still way too complicated navigating the Virtualmin/Webmin administration dashboard layout... menus need refining to make more sense; they are too fragmented, and too many similar menu names are in different places doing different functions across the combined dashboard... way too confusing.)

Anyway, back on topic, my domain and subdomain have been used many times with different cpanels and different IP addresses. In addition to this, I may have had an SSL certificate when this domain was being hosted by my wholesale provider before I shut down that website and moved to Google Cloud (I am not sure).

I haven't looked, but I wonder if the parent domain already has a Let's Encrypt SSL certificate on a different server that is causing the problem?

Would this have any influence?

Finally, what do the following actually refer to?

autoconfig.whmcs.foo.com.au
autodiscover.whmcs.foo.com.au


Wed, 10/04/2017 - 17:59
adamjedgar

Thanks guys, I have now managed to successfully get through the "Request Certificate" process in virtualmin.

I now have 5 entries (in addition to .htaccess and my text.txt files) in home/public_html/acme-challenge/.well-known:

Do I really need all of these? Can I delete them? (I only asked for 2 domain certificates.)

.htaccess 46 bytes whmcs:whmcs 0755 2017/10/04 - 04:02:08
4tyxAsDrIrrXWHAwjNDNu53lEdWbEwJsJOGKNmAwK5g 87 bytes root:root 0777 2017/10/04 - 04:04:18
dFTWycVt2As_j-YY33HZLtFUDXQRDP_40MbLOWjidgc 87 bytes root:root 0777 2017/10/04 - 05:07:20
hWAYlCU5OosYAz6Erz23_XRq44tSyJWHJKFwCkIKxK4 87 bytes root:root 0777 2017/10/04 - 04:10:51
kfU4vlfl9nNhuB3MoXFL5Fo-bPtJuNr7FyaLGDIzT-A 87 bytes root:root 0777 2017/10/04 - 04:23:23
text.txt 0 bytes whmcs:whmcs 0644 2017/10/04 - 04:16:29
zYn150PEzZdozgLjuCjhvZTCLnwbNozSLqyY4m1EAZY 87 bytes root:root 0777 2017/10/04 - 22:34:16


Wed, 10/04/2017 - 20:22 (Reply to #9)
Joe

Yes, once the request has completed, they aren't needed anymore. They should have been automatically removed. I'm not sure if Virtualmin handles the removal or the ACME tiny client does. It might not if the request fails.


Fri, 11/10/2017 - 02:58
echrom

@adamjedgar can you please share how you fixed this issue? I have the same problem. This seems to be a bug after changing the domain name of a virtualhost in Virtualmin.
