Open willnode opened 1 year ago
DNS problem: NXDOMAIN looking up A for uncomfortable-border-iui.domcloud.io - check that a DNS record exists for this domain;
DNS problem: NXDOMAIN looking up AAAA for uncomfortable-border-iui.domcloud.io - check that a DNS record exists for this domain',
'status': 400}
You might want to open a support ticket with your hosting, and paste in your above issue. Those domain names are generated by their system. It could be a problem on their end.
I manage that hosting service. That's why I'm asking here.
I've been looking in some server configs like /etc/webmin/virtual-server/domains/<domain_id> but nothing seems suspicious. No idea where else to look. I might try directly invoking certbot later.
That NXDOMAIN error is expected. If I even create a virtual server on that uncomfortable-border-iui.domcloud.io, the validation results in an error.
No idea where else to look.
What's the output of:
hostname
cat /etc/hosts
I might try directly invoking certbot later.
Don't. If you invoke certbot, then Virtualmin will forever refuse to manage the Let's Encrypt certificate issuing and renewals.
Virtualmin won't refuse, it just isn't involved. Virtualmin is not responsible for stuff you do outside of Virtualmin.
It appears that the verification process uses any domain that's listed in the last domain listed in /etc/pki/tls/openssl.cnf. For example:
[ v3_ca ]
...............subjectAltName=DNS:xxxxxxx.domcloud.io.......... (so many domains here)
subjectAltName=DNS:uncomfortable-border-iui.domcloud.io
[ v3_req ]
...............subjectAltName=DNS::xxxxxxx.domcloud.io.......... (so many domains here)
subjectAltName=DNS:uncomfortable-border-iui.domcloud.io
It appears that if I commented out all the subjectAltName=... domain verification works! Because subjectAltName= for that domain will always be appended at the end.
I rechecked again Rocky Linux 9's changelog and they mentioned OpenSSL 3.0.
Could it be that webmin doesn't support OpenSSL 3.0 yet?
I checked the related stack trace and it mentions the acme_tiny.py file in Webmin. From a quick reading, it seems that the syntax the script uses is different from what I have in that file.
I confirmed that this affects all of my servers and downgrading OpenSSL seems not an option 🥲
I can live with that workaround currently. Just an additional script to do on my end.
This is a bug and shall be fixed in upcoming Webmin 2.020 version.
Thank you!
Howdy,
One of my servers recently can't validate Let's Encrypt correctly in any virtual servers because it keeps using the wrong domain name to validate... Here's one example of the log:
You can see it uses uncomfortable-border-iui.domcloud.io instead of test-plastic-profit-yuv.domcloud.io. This happens to both old and new virtual servers, and it always points to uncomfortable-border-iui.domcloud.io... Even old virtual servers which previously had SSL validated via Let's Encrypt don't work now.
The most recent change that happened yesterday is we upgraded the OS with Rocky Linux from 8 to 9... including everything else in yum repos... But I doubt that it's the root cause because my other servers don't have this problem. Rebooting doesn't work.
Is there any misconfiguration that needs to be fixed?
Rocky Linux 9.1
2.013
7.5
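The condition reported in this thread (subjectAltName= lines piling up in the [ v3_ca ] and [ v3_req ] sections of openssl.cnf, with the last one being the name that ends up validated) can be checked for with a short script. This is an added example, not part of the original thread and not Webmin's code or its fix; the sample text is constructed from the snippet quoted above, and the `.example` host names are placeholders.

```python
import re

# Constructed sample modelled on the snippet quoted in the thread.
# Host names ending in .example are placeholders, not values from the page.
SAMPLE = """\
[ v3_ca ]
basicConstraints = critical,CA:true
subjectAltName=DNS:placeholder-one.example
subjectAltName=DNS:uncomfortable-border-iui.domcloud.io

[ v3_req ]
keyUsage = nonRepudiation, digitalSignature
subjectAltName=DNS:placeholder-one.example
subjectAltName=DNS:uncomfortable-border-iui.domcloud.io
# subjectAltName=DNS:already-disabled.example
"""

SECTION = re.compile(r"^\s*\[\s*([^\]]+?)\s*\]")
# Matches only active (uncommented) subjectAltName assignments.
SAN = re.compile(r"^\s*subjectAltName\s*=\s*(.*?)\s*$")


def san_by_section(text):
    """Map section name -> active subjectAltName values, in file order."""
    found, section = {}, "default"
    for line in text.splitlines():
        m = SECTION.match(line)
        if m:
            section = m.group(1)
            continue
        m = SAN.match(line)
        if m:
            found.setdefault(section, []).append(m.group(1))
    return found


def comment_out_san(text):
    """Apply the thread's workaround: disable every active subjectAltName line."""
    return "".join(
        "# " + line if SAN.match(line) else line
        for line in text.splitlines(keepends=True)
    )


if __name__ == "__main__":
    for section, values in san_by_section(SAMPLE).items():
        if len(values) > 1:
            print(f"[{section}] {len(values)} subjectAltName lines; last: {values[-1]}")
    print(comment_out_san(SAMPLE))
```

To run it against a real file, read a copy of /etc/pki/tls/openssl.cnf into a string and pass that instead of `SAMPLE`; keep a backup before writing the commented-out version back.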