virtualmin / virtualmin-gpl

Virtualmin web hosting control panel for Webmin
https://www.virtualmin.com
GNU General Public License v3.0

`generate-letsencrypt-cert` uses wrong domain name to validate certs #532

Open willnode opened 1 year ago

willnode commented 1 year ago

Howdy,

One of my servers recently can't validate Let's Encrypt correctly in any virtual server because it keeps using the wrong domain name to validate... Here's one example of the log:

[root@fra ~]# virtualmin generate-letsencrypt-cert --domain test-plastic-profit-yuv.domcloud.io --web
Requesting SSL certificate for test-plastic-profit-yuv.domcloud.io ..
.. failed : Web-based validation failed : Failed to request certificate : Traceback (most recent call last):
  File "/usr/libexec/webmin/webmin/acme_tiny.py", line 198, in <module>
    main(sys.argv[1:])
  File "/usr/libexec/webmin/webmin/acme_tiny.py", line 194, in main
    signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca, disable_check=args.disable_check, directory_url=args.directory_url, contact=args.contact)
  File "/usr/libexec/webmin/webmin/acme_tiny.py", line 149, in get_crt
    raise ValueError("Challenge did not pass for {0}: {1}".format(domain, authorization))
ValueError: Challenge did not pass for uncomfortable-border-iui.domcloud.io: {'identifier': {'type': 'dns', 'value': 'uncomfortable-border-iui.domcloud.io'}, 'status': 'invalid', 'expires': '2023-03-20T00:03:32Z', 'challenges': [{'type': 'http-01', 'status': 'invalid', 'error': {'type': 'urn:ietf:params:acme:error:dns', 'detail': 'DNS problem: NXDOMAIN looking up A for uncomfortable-border-iui.domcloud.io - check that a DNS record exists for this domain; DNS problem: NXDOMAIN looking up AAAA for uncomfortable-border-iui.domcloud.io - check that a DNS record exists for this domain', 'status': 400}, 'url': 'https://acme-v02.api.letsencrypt.org/acme/chall-v3/210371143947/gLI1iw', 'token': 'IVE72gWXD5ntuslnM5CKRvj5bu8LPu9Ny5iQ1bYJdr0', 'validated': '2023-03-13T00:03:37Z'}]}

You can see it uses uncomfortable-border-iui.domcloud.io instead of test-plastic-profit-yuv.domcloud.io. This happens to both old and new virtual servers, and it always points to uncomfortable-border-iui.domcloud.io... Even old virtual servers which previously had SSL validated via Let's Encrypt don't work now.

The most recent change, which happened yesterday, is that we upgraded the OS from Rocky Linux 8 to 9... including everything else in the yum repos... But I doubt that it's the root cause because my other servers don't have this problem. Rebooting doesn't help.

Is there any misconfiguration that needs to be fixed?

chris001 commented 1 year ago

You might want to open a support ticket with your hosting, and paste in your above issue. Those domain names are generated by their system. It could be a problem on their end.

DNS problem: NXDOMAIN looking up A for uncomfortable-border-iui.domcloud.io - check that a DNS record exists for this domain; 
DNS problem: NXDOMAIN looking up AAAA for uncomfortable-border-iui.domcloud.io - check that a DNS record exists for this domain', 
'status': 400}
willnode commented 1 year ago

You might want to open a support ticket with your hosting, and paste in your above issue. Those domain names are generated by their system. It could be a problem on their end.

I manage that hosting service. That's why I'm asking here.

I've been looking in some server configs like /etc/webmin/virtual-server/domains/<domain_id> but nothing seems suspicious. No idea where else to look. I might try directly invoking certbot later.

That NXDOMAIN error is expected. Even if I create a virtual server on that uncomfortable-border-iui.domcloud.io, the validation results in an error.

chris001 commented 1 year ago

No idea where else to look.

What's the output of: `hostname` and `cat /etc/hosts`

I might try directly invoking certbot later.

Don't. If you invoke certbot, then Virtualmin will forever refuse to manage the Let's Encrypt certificate issuing and renewals.

swelljoe commented 1 year ago

Virtualmin won't refuse, it just isn't involved. Virtualmin is not responsible for stuff you do outside of Virtualmin.

willnode commented 1 year ago

It appears that the verification process uses whichever domain is listed last in /etc/pki/tls/openssl.cnf. For example

[ v3_ca ]
...............subjectAltName=DNS:xxxxxxx.domcloud.io.......... (so many domains here)
subjectAltName=DNS:uncomfortable-border-iui.domcloud.io

[ v3_req ]
...............subjectAltName=DNS::xxxxxxx.domcloud.io.......... (so many domains here)
subjectAltName=DNS:uncomfortable-border-iui.domcloud.io

It appears that if I comment out all the subjectAltName=... lines, domain verification works! Because subjectAltName= for that domain will always be appended at the end.

I rechecked Rocky Linux 9's changelog and they mention OpenSSL 3.0.

Could it be that webmin doesn't support OpenSSL 3.0 yet?

I checked the related stack trace and it mentions the acme_tiny.py file in webmin. From a quick reading it seems that the syntax the script uses is different from what I have in that file.
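The failure mode described in the comment above (several `subjectAltName=` lines accumulating in one section of openssl.cnf, with the last one determining which name the CSR carries) can be checked for before a certificate request is made. The following audit script is an added example written for this page; it is not Webmin's or Virtualmin's code. It parses an openssl.cnf-style file, reports sections with more than one `subjectAltName` line, and tells you whether the domain you intend to request is the one that would actually end up in the CSR. The config text and domain names in it are constructed, and the "last line wins" rule is modelled on what the issue reports, not on a reading of OpenSSL's internals.

```python
"""Audit an openssl.cnf for duplicated subjectAltName lines.

Added example, not Webmin/Virtualmin code. It models the failure mode
from the issue: when several `subjectAltName=` lines are appended to
the same section, the last one is the one reported as effective, so a
CSR built from this config carries the wrong SAN.
"""
import re
from collections import defaultdict

# Constructed sample config; the domain names are made up.
SAMPLE_CNF = """\
[ req ]
distinguished_name = req_distinguished_name
req_extensions = v3_req

[ req_distinguished_name ]

[ v3_req ]
basicConstraints = CA:FALSE
subjectAltName=DNS:xxxxxxx.example.test
subjectAltName=DNS:test-plastic-profit-yuv.example.test
subjectAltName=DNS:uncomfortable-border-iui.example.test
"""

SECTION_RE = re.compile(r"^\s*\[\s*([^\]]+?)\s*\]\s*$")
KV_RE = re.compile(r"^\s*([^#=\s][^=]*?)\s*=\s*(.*?)\s*$")


def parse_sections(text):
    """Return {section: [(key, value), ...]}, keeping order and duplicates."""
    sections = defaultdict(list)
    current = "default"
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = KV_RE.match(line)
        if m:
            sections[current].append((m.group(1), m.group(2)))
    return dict(sections)


def effective_value(sections, section, key):
    """Last assignment of a repeated key, as reported in the issue (assumption)."""
    values = [v for k, v in sections.get(section, []) if k == key]
    return values[-1] if values else None


def duplicate_sans(sections):
    """Map each section holding more than one subjectAltName line to its values."""
    result = {}
    for name, kvs in sections.items():
        sans = [v for k, v in kvs if k == "subjectAltName"]
        if len(sans) > 1:
            result[name] = sans
    return result


def san_names(value):
    """Split 'DNS:a,DNS:b' into ['a', 'b'] (DNS entries only)."""
    names = []
    for part in value.split(","):
        part = part.strip()
        if part.upper().startswith("DNS:"):
            names.append(part[4:].strip())
    return names


def csr_would_cover(text, section, domain):
    """True if the effective SAN line of `section` names `domain`."""
    sections = parse_sections(text)
    san = effective_value(sections, section, "subjectAltName")
    return san is not None and domain in san_names(san)


if __name__ == "__main__":
    secs = parse_sections(SAMPLE_CNF)
    for section, sans in duplicate_sans(secs).items():
        print(f"[{section}] has {len(sans)} subjectAltName lines; effective: {sans[-1]}")
    wanted = "test-plastic-profit-yuv.example.test"
    print(f"CSR would cover {wanted}: {csr_would_cover(SAMPLE_CNF, 'v3_req', wanted)}")
```

Run it against a real file with `parse_sections(open("/etc/pki/tls/openssl.cnf").read())`; a non-empty result from `duplicate_sans` is the condition the workaround in the comment above (commenting the stale lines out) removes, and `csr_would_cover` returning False for the domain being requested predicts exactly the "Challenge did not pass for <other domain>" error shown in the log.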

willnode commented 1 year ago

I confirmed that this affects all of my servers and downgrading OpenSSL seems not an option 🥲

I can live with that workaround currently. Just an additional script to do on my end.

iliajie commented 1 year ago

This is a bug and shall be fixed in upcoming Webmin 2.020 version.

willnode commented 1 year ago

Thank you!