Closed jstacklin closed 1 month ago
Do you have any apps installed on this domain or redirects set up that might be preventing the /.well-known URL path from being accessed? That's what Let's Encrypt uses to validate that you own the domain.
Nope.

On Saturday, 16 September 2017 at 11:41 am Jamie Cameron (notifications@github.com) wrote:
> Do you have any apps installed on this domain or redirects set up that might be preventing the /.well-known URL path from being accessed? That's what Let's Encrypt uses to validate that you own the domain.
Also, is there any caching proxy in front of this website, i.e. are you using Cloudflare for web caching as well?
No. The only caching is what was installed with the software.

On Sunday, 17 September 2017 at 1:49 pm Jamie Cameron (notifications@github.com) wrote:
> Also, is there any caching proxy in front of this website, i.e. are you using Cloudflare for web caching as well?
Hello everyone.
I'm experiencing the same problem. I searched which rules are causing the problem and I found it!
When enabling the "Redirect HTTP to HTTPS by default?" in the Virtualmin Config, it creates the following Website Redirect:
RedirectMatch /(?!.well-known)(.*)$ https://---website_domain_here---/$1
Which corresponds to the Website Redirect shown here (screenshot omitted).
However, when someone requests http://---website_domain_here---/.well-known/acme-challenge/foobar it redirects to https://---website_domain_here---/acme-challenge/foobar
As you can see, the .well-known part disappears, and that's why it cannot be found. So I suggest replacing the default rule with this one for the next patch of Virtualmin:
RedirectMatch /(.*)$ https://---website_domain_here---/$1
Which corresponds to this Website Redirect (screenshot omitted).
Yes, that could be the cause. The next Virtualmin release will change the regexp in these redirects to ^/(?!.well-known)(.*)$
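Added example (not code from the thread, Virtualmin or Apache): a small Python emulation of how Apache's RedirectMatch applies a regex to the request path. Apache searches the pattern anywhere in the path rather than anchoring it at the start, which is why the generated rule above fires at the second `/` of `/.well-known/acme-challenge/foobar` and why the anchored `^/(?!.well-known)(.*)$` announced for the next release leaves the challenge path alone. The host name and the sample request paths are constructed; the two patterns are copied from the comments above.

```python
import re

# Constructed placeholder standing in for ---website_domain_here---.
HOST = "example.com"

# The redirect Virtualmin generated (unanchored) and the anchored replacement
# announced for the next release; both regexes are copied from the thread.
BUGGY_PATTERN = r"/(?!.well-known)(.*)$"
FIXED_PATTERN = r"^/(?!.well-known)(.*)$"


def apply_redirect_match(pattern, path, host=HOST):
    """Emulate Apache's RedirectMatch for a rule of the form
    'RedirectMatch <pattern> https://<host>/$1'.

    Apache matches the regex against the URL path without implicit anchoring,
    so an unanchored pattern is retried at every later position until it
    matches.  Returns the redirect target, or None when the rule does not fire.
    """
    match = re.search(pattern, path)
    if match is None:
        return None
    # $1 in the redirect target is the first capture group.
    return f"https://{host}/{match.group(1)}"


def compare_patterns(paths):
    """Return {path: (target_with_buggy_rule, target_with_fixed_rule)}."""
    return {
        p: (apply_redirect_match(BUGGY_PATTERN, p),
            apply_redirect_match(FIXED_PATTERN, p))
        for p in paths
    }


if __name__ == "__main__":
    # Constructed sample requests: the ACME challenge URL and ordinary pages.
    samples = ["/.well-known/acme-challenge/foobar", "/index.html", "/"]
    for path, (buggy, fixed) in compare_patterns(samples).items():
        print(f"{path:40s} unanchored -> {buggy}   anchored -> {fixed}")
```

With the unanchored rule the lookahead fails at position 0 (the path starts with `.well-known`), so the engine retries at the next `/` and captures `acme-challenge/foobar`, producing exactly the truncated redirect reported above. With `^` in front, the only candidate position is 0, the lookahead rejects it, and the request is served by the plain-HTTP site as Let's Encrypt expects. Note that the dot in `.well-known` is unescaped in both patterns, so it matches any single character; `\.well-known` would be the stricter form.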
Okay thank you.
When will the next release be available?
Hopefully in a week.
Still getting this error, running latest version of Virtualmin 6.01-3. The error message text from the Let's Encrypt web service says LE is attempting to validate a DNS TXT record to prove ownership control of the domain. That TXT record is nonexistent/missing, so the LE cert request fails.
Parsing account key...
Parsing CSR...
Registering account...
Already registered!
Verifying server7.mydomain.com...
Undefined subroutine &main::get_bind_zone_for_domain called at /usr/share/webmin/webmin/letsencrypt-dns.pl line 21.
Traceback (most recent call last):
File "/usr/share/webmin/webmin/acme_tiny.py", line 235, in <module>
main(sys.argv[1:])
File "/usr/share/webmin/webmin/acme_tiny.py", line 231, in main
signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, args.dns_hook, args.cleanup_hook, log=LOGGER, CA=args.ca)
File "/usr/share/webmin/webmin/acme_tiny.py", line 184, in get_crt
domain, challenge_status))
ValueError: server7.mydomain.com challenge did not pass: {u'status': u'invalid', u'keyAuthorization': u'pexz4CF1HXTOsuRiDdjBsi0VUU0SrsrKjO7moGbdtr0.58YTdTg33UlkI_WaVnw11hw0SIHnWIY4-B3XhyCQWD8', u'uri': u'https://acme-v01.api.letsencrypt.org/acme/challenge/AVfhppgLsLlmyPc8pTznRZFSl721imqmd8197oyTmUU/2323506058', u'token': u'pexz4CF1HXTOsuRiDdjBsi0VUU0SrsrKjO7moGbdtr0', u'error': {u'status': 400, u'type': u'urn:acme:error:connection', u'detail': u'DNS problem: NXDOMAIN looking up TXT for _acme-challenge.server7.mydomain.com'}, u'type': u'dns-01'}
DNS problem: NXDOMAIN looking up TXT for _acme-challenge.server7.mydomain.com
LE fails because it cannot find a TXT record inside the domain _acme-challenge.server7.mydomain.com, because that domain does not exist.
Virtualmin needs to temporarily create that domain in DNS for this acme challenge to work.
Or use a different type of challenge-response supported by Let's Encrypt. LE supports many different types.
Or use the supported, maintained, free, official EFF certbot-auto python script to do the work of getting and renewing the LE certs: https://github.com/certbot/certbot
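Added example, not part of the thread and not Virtualmin's or acme_tiny's code: given a challenge like the dns-01 one logged above, compute what the CA's validator will look for and check an observed value against it. For http-01 the CA fetches `http://<domain>/.well-known/acme-challenge/<token>` and expects the key authorization as the body; for dns-01 it queries a TXT record at `_acme-challenge.<domain>` whose value is the unpadded base64url SHA-256 digest of the key authorization (RFC 8555 sections 8.3 and 8.4). The token and account thumbprint are copied from the log above (they are public values; the account private key is the secret). `observed=None` models the NXDOMAIN and HTTP-error cases seen in this thread.

```python
import base64
import hashlib
from typing import Optional, Tuple

# Values copied from the failing dns-01 challenge logged in the thread.
DOMAIN = "server7.mydomain.com"
TOKEN = "pexz4CF1HXTOsuRiDdjBsi0VUU0SrsrKjO7moGbdtr0"
ACCOUNT_THUMBPRINT = "58YTdTg33UlkI_WaVnw11hw0SIHnWIY4-B3XhyCQWD8"


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding ACME uses (RFC 8555 / RFC 7515)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def key_authorization(token: str, thumbprint: str) -> str:
    """Key authorization = token || '.' || base64url(JWK thumbprint of the account key)."""
    return f"{token}.{thumbprint}"


def expected_http01(domain: str, key_auth: str) -> Tuple[str, str]:
    """URL the CA fetches over plain HTTP (port 80) and the exact body it must get."""
    token = key_auth.split(".", 1)[0]
    return (f"http://{domain}/.well-known/acme-challenge/{token}", key_auth)


def expected_dns01(domain: str, key_auth: str) -> Tuple[str, str]:
    """TXT record name and value the CA resolves for a dns-01 challenge."""
    digest = hashlib.sha256(key_auth.encode("ascii")).digest()
    return (f"_acme-challenge.{domain}", b64url(digest))


def would_validate(expected: str, observed: Optional[str]) -> bool:
    """True only when the published value exists and equals the expectation.

    None models NXDOMAIN (the TXT name was never created) or a 4xx/5xx
    response (the challenge file was not served), both of which appear in
    the logs above; any other body, such as an error page, also fails.
    """
    if observed is None:
        return False
    return observed.strip() == expected


if __name__ == "__main__":
    ka = key_authorization(TOKEN, ACCOUNT_THUMBPRINT)
    url, body = expected_http01(DOMAIN, ka)
    name, txt = expected_dns01(DOMAIN, ka)
    print("http-01: serve", body, "at", url)
    print("dns-01 : publish TXT", name, "=", txt)
    # The thread's NXDOMAIN case: nothing was published, so validation fails.
    print("dns-01 with no record present:", would_validate(txt, None))
```

Run against the logged values, the script prints the TXT name `_acme-challenge.server7.mydomain.com` that the NXDOMAIN error complains about; a client that completes dns-01 has to create that record (and remove it afterwards), which is the temporary DNS change the comment above asks Virtualmin to make. The http-01 expectation is the same key-authorization string, which is why a 500 or 404 from the `.well-known/acme-challenge` path is reported as an invalid response.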
Fail also on the Web-based validation:
Web-based validation failed: Failed to request certificate:
Parsing account key...
Parsing CSR...
Registering account...
Already registered!
Verifying server7.mydomain.com...
Wrote file to /home/server7/public_html/.well-known/acme-challenge/k7e7oAoegaHVbgmgEmhahEwczwxn_AR75Hi7MWS5ODA, but couldn't download http://server7.mydomain.com/.well-known/acme-challenge/k7e7oAoegaHVbgmgEmhahEwczwxn_AR75Hi7MWS5ODA
Traceback (most recent call last):
File "/usr/share/webmin/webmin/acme_tiny.py", line 235, in <module>
main(sys.argv[1:])
File "/usr/share/webmin/webmin/acme_tiny.py", line 231, in main
signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, args.dns_hook, args.cleanup_hook, log=LOGGER, CA=args.ca)
File "/usr/share/webmin/webmin/acme_tiny.py", line 184, in get_crt
domain, challenge_status))
ValueError: server7.mydomain.com challenge did not pass: {u'status': u'invalid', u'validationRecord': [{u'addressesResolved': [u'aaa.bbb.ccc.ddd'], u'url': u'http://server7.mydomain.com/.well-known/acme-challenge/k7e7oAoegaHVbgmgEmhahEwczwxn_AR75Hi7MWS5ODA', u'hostname': u'server7.mydomain.com', u'addressesTried': [], u'addressUsed': u'aaa.bbb.ccc.ddd', u'port': u'80'}], u'keyAuthorization': u'k7e7oAoegaHVbgmgEmhahEwczwxn_AR75Hi7MWS5ODA.58YTdTg33UlkI_WaVnw11hw0SIHnWIY4-B3XhyCQWD8', u'uri': u'https://acme-v01.api.letsencrypt.org/acme/challenge/RNmzrrR75BbMrsrkMAGlBInj9lwiJ88uBLIyTh-2DfA/2323505887', u'token': u'k7e7oAoegaHVbgmgEmhahEwczwxn_AR75Hi7MWS5ODA', u'error': {u'status': 403, u'type': u'urn:acme:error:unauthorized', u'detail': u'Invalid response from http://server7.mydomain.com/.well-known/acme-challenge/k7e7oAoegaHVbgmgEmhahEwczwxn_AR75Hi7MWS5ODA: "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">\n<html><head>\n<title>500 Internal Server Error</title>\n</head><body>\n<h1>Inter"'}, u'type': u'http-01'}
http://server7.mydomain.com/.well-known/acme-challenge/k7e7oAoegaHVbgmgEmhahEwczwxn_AR75Hi7MWS5ODA directly gives:
Internal Server Error
The server encountered an internal error or misconfiguration and was unable to complete your request.
Please contact the server administrator at [no address given] to inform them of the time this error occurred, and the actions you performed just before this error.
More information about this error may be available in the server error log.
* Looking at the `Edit virtual server` page, `Enabled features` shows `DNS Domain enabled`, `Nginx website enabled`, and `Nginx SSL website enabled`.

Does Virtualmin's `Manage SSL certificates`, `Let's Encrypt` feature require `Apache website enabled` and `Apache SSL website enabled`? I'm not running Apache due to low memory (1 GB RAM server).
Let's Encrypt SSL cert requests should also work with Nginx. But from that error, it looks like either the webserver config or some app is blocking access to the /.well-known directory - you should check the webserver error log.
As soon as I disabled Nginx website and Nginx SSL website, and enabled Apache website and SSL website (too ambiguous, should be renamed to Apache SSL website), the Let's Encrypt SSL cert request worked.
this should be closed as it is really an old support issue and
> Yes, that could be the cause. The next Virtualmin release will change the regexp in these redirects to ^/(?!.well-known)(.*)$
Yes we've fixed several bugs in Nginx / Let's Encrypt support, so this should be good now.
I keep getting errors for any of my domains on my server. The error is below, along with some info about the server. Most all of my sites are DNS'ed through CloudFlare with all features (save DNS) disabled. I have disabled BIND on the server to reduce conflicts with CloudFlare and my other DNS services pointing to my server. Please help if you can.
Parsing account key...
Parsing CSR...
Registering account...
Already registered!
Verifying oipnetwork.ml...
Wrote file to /home/default/public_html/.well-known/acme-challenge/7Yl64SdWWOK32-xfQgv7r2uYRBv00Ra476FytYW0ocM, but couldn't download http://oipnetwork.ml/.well-known/acme-challenge/7Yl64SdWWOK32-xfQgv7r2uYRBv00Ra476FytYW0ocM
Traceback (most recent call last):
File "/usr/share/webmin/webmin/acme_tiny.py", line 235, in <module>
main(sys.argv[1:])
File "/usr/share/webmin/webmin/acme_tiny.py", line 231, in main
signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, args.dns_hook, args.cleanup_hook, log=LOGGER, CA=args.ca)
File "/usr/share/webmin/webmin/acme_tiny.py", line 184, in get_crt
domain, challenge_status))
ValueError: oipnetwork.ml challenge did not pass: {u'status': u'invalid', u'validationRecord': [{u'addressesResolved': [u'23.95.245.8'], u'url': u'http://oipnetwork.ml/.well-known/acme-challenge/7Yl64SdWWOK32-xfQgv7r2uYRBv00Ra476FytYW0ocM', u'hostname': u'oipnetwork.ml', u'addressesTried': [], u'addressUsed': u'23.95.245.8', u'port': u'80'}], u'keyAuthorization': u'7Yl64SdWWOK32-xfQgv7r2uYRBv00Ra476FytYW0ocM.XduOZq3W286NJp_4QYAeIvZwyZRBMRYhyzsXcvzwEVU', u'uri': u'https://acme-v01.api.letsencrypt.org/acme/challenge/3rd3W5x5h0zxSy0QdwC_CuGB9xvFSjA_xzgnwaIWr9U/1991276825', u'token': u'7Yl64SdWWOK32-xfQgv7r2uYRBv00Ra476FytYW0ocM', u'error': {u'status': 403, u'type': u'urn:acme:error:unauthorized', u'detail': u'Invalid response from http://oipnetwork.ml/.well-known/acme-challenge/7Yl64SdWWOK32-xfQgv7r2uYRBv00Ra476FytYW0ocM: "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">\n\n404 Not Found \n\n Not Found \n<p"'}, u'type': u'http-01'}

I have re-built the server over and over to test if it was a config error; I have also tested with the firewalld process disabled entirely. Both to no avail.