Skip to content
Sudonix

sudonix

Virtualmin Letsencrypt Renewal

Solved Hosting
  • undefined

    I have a main domain chadjessen.com. I have a subdomain publicapi.chadjessen.com. Letsencrypt renewed the certificate for chadjessen.com just fine but I have been trying and pulling my hair out to try and figure out why it won’t renew for publicapi.chadjessen.com. I can ping it, I can go to dns lookup and everything goes through just fine. Below is the message that comes up after requesting the certificates. This was working before, so not sure what happened.

    		Saving debug log to /var/log/letsencrypt/letsencrypt.log
    		Plugins selected: Authenticator webroot, Installer None
    		Renewing an existing certificate
    		Performing the following challenges:
    		http-01 challenge for publicapi.chadjessen.com
    		http-01 challenge for www.publicapi.chadjessen.com
    		Using the webroot path /home/chadjessen/domains/publicapi.chadjessen.com/public_html for all unmatched domains.
    		Waiting for verification...
    		Challenge failed for domain publicapi.chadjessen.com
    		Challenge failed for domain www.publicapi.chadjessen.com
    		http-01 challenge for publicapi.chadjessen.com
    		http-01 challenge for www.publicapi.chadjessen.com
    		Cleaning up challenges
    		Some challenges have failed.
    		IMPORTANT NOTES:
    		 - The following errors were reported by the server:
    		 
    		   Domain: publicapi.chadjessen.com
    		   Type:   unauthorized
    		   Detail: Invalid response from
    		   http://publicapi.chadjessen.com/.well-known/acme-challenge/SvIpe5TGPgHACfcYg_ezswBJJso7CAT4S2ZoW4EHLGE
    		   [143.244.152.107]: "<!DOCTYPE html>\n<html
    		   lang=\"en\">\n<head>\n<meta
    		   charset=\"utf-8\">\n<title>Error</title>\n</head>\n<body>\n<pre>Cannot
    		   GET /.well-known/"
    		 
    		   Domain: www.publicapi.chadjessen.com
    		   Type:   unauthorized
    		   Detail: Invalid response from
    		   http://www.publicapi.chadjessen.com/.well-known/acme-challenge/_zWHJoOZf3szsMh36hmhV5O-iqQtZp60jePqgL9KH94
    		   [143.244.152.107]: "<!DOCTYPE html>\n<html
    		   lang=\"en\">\n<head>\n<meta
    		   charset=\"utf-8\">\n<title>Error</title>\n</head>\n<body>\n<pre>Cannot
    		   GET /.well-known/"
    		 
    		   To fix these errors, please make sure that your domain name was
    		   entered correctly and the DNS A/AAAA record(s) for that domain
    		   contain(s) the right IP address.
    		  DNS-based validation failed :
    		Saving debug log to /var/log/letsencrypt/letsencrypt.log
    		Plugins selected: Authenticator manual, Installer None
    		Renewing an existing certificate
    		Performing the following challenges:
    		dns-01 challenge for publicapi.chadjessen.com
    		dns-01 challenge for www.publicapi.chadjessen.com
    		Running manual-auth-hook command: /etc/webmin/webmin/letsencrypt-dns.pl
    		Running manual-auth-hook command: /etc/webmin/webmin/letsencrypt-dns.pl
    		Waiting for verification...
    		Challenge failed for domain publicapi.chadjessen.com
    		Challenge failed for domain www.publicapi.chadjessen.com
    		dns-01 challenge for publicapi.chadjessen.com
    		dns-01 challenge for www.publicapi.chadjessen.com
    		Cleaning up challenges
    		Running manual-cleanup-hook command: /etc/webmin/webmin/letsencrypt-cleanup.pl
    		Running manual-cleanup-hook command: /etc/webmin/webmin/letsencrypt-cleanup.pl
    		Some challenges have failed.
    		IMPORTANT NOTES:
    		 - The following errors were reported by the server:
    		 
    		   Domain: publicapi.chadjessen.com
    		   Type:   dns
    		   Detail: DNS problem: NXDOMAIN looking up TXT for
    		   _acme-challenge.publicapi.chadjessen.com - check that a DNS record
    		   exists for this domain
    		 
    		   Domain: www.publicapi.chadjessen.com
    		   Type:   dns
    		   Detail: DNS problem: NXDOMAIN looking up TXT for
    		   _acme-challenge.www.publicapi.chadjessen.com - check that a DNS
    		   record exists for this domain
    0
  • undefined Madchatthew

    @phenomlab I do. It is in the domains folder under chadjessen.com. I set it up as a subdomain through virtualwin.

    undefined

    @madchatthew that’s odd. Let’s Encrypt is complaining about the lack of .well-known which is required for activation. Seeing as you created this as a sub domain it should work without issue.

    Do you have certbot installed at all ? If not, have a look at this and go from step 4

    Author of OGProxy, Swatch, Threaded, Card, and most of Sudonix's bugs…

    0
  • undefined Madchatthew

    I have a main domain chadjessen.com. I have a subdomain publicapi.chadjessen.com. Letsencrypt renewed the certificate for chadjessen.com just fine but I have been trying and pulling my hair out to try and figure out why it won’t renew for publicapi.chadjessen.com. I can ping it, I can go to dns lookup and everything goes through just fine. Below is the message that comes up after requesting the certificates. This was working before, so not sure what happened.

    Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for publicapi.chadjessen.com
http-01 challenge for www.publicapi.chadjessen.com
Using the webroot path /home/chadjessen/domains/publicapi.chadjessen.com/public_html for all unmatched domains.
Waiting for verification...
Challenge failed for domain publicapi.chadjessen.com
Challenge failed for domain www.publicapi.chadjessen.com
http-01 challenge for publicapi.chadjessen.com
http-01 challenge for www.publicapi.chadjessen.com
Cleaning up challenges
Some challenges have failed.
IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: publicapi.chadjessen.com
   Type:   unauthorized
   Detail: Invalid response from
   http://publicapi.chadjessen.com/.well-known/acme-challenge/SvIpe5TGPgHACfcYg_ezswBJJso7CAT4S2ZoW4EHLGE
   [143.244.152.107]: "<!DOCTYPE html>\n<html
   lang=\"en\">\n<head>\n<meta
   charset=\"utf-8\">\n<title>Error</title>\n</head>\n<body>\n<pre>Cannot
   GET /.well-known/"

   Domain: www.publicapi.chadjessen.com
   Type:   unauthorized
   Detail: Invalid response from
   http://www.publicapi.chadjessen.com/.well-known/acme-challenge/_zWHJoOZf3szsMh36hmhV5O-iqQtZp60jePqgL9KH94
   [143.244.152.107]: "<!DOCTYPE html>\n<html
   lang=\"en\">\n<head>\n<meta
   charset=\"utf-8\">\n<title>Error</title>\n</head>\n<body>\n<pre>Cannot
   GET /.well-known/"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

      DNS-based validation failed :
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Renewing an existing certificate
Performing the following challenges:
dns-01 challenge for publicapi.chadjessen.com
dns-01 challenge for www.publicapi.chadjessen.com
Running manual-auth-hook command: /etc/webmin/webmin/letsencrypt-dns.pl
Running manual-auth-hook command: /etc/webmin/webmin/letsencrypt-dns.pl
Waiting for verification...
Challenge failed for domain publicapi.chadjessen.com
Challenge failed for domain www.publicapi.chadjessen.com
dns-01 challenge for publicapi.chadjessen.com
dns-01 challenge for www.publicapi.chadjessen.com
Cleaning up challenges
Running manual-cleanup-hook command: /etc/webmin/webmin/letsencrypt-cleanup.pl
Running manual-cleanup-hook command: /etc/webmin/webmin/letsencrypt-cleanup.pl
Some challenges have failed.
IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: publicapi.chadjessen.com
   Type:   dns
   Detail: DNS problem: NXDOMAIN looking up TXT for
   _acme-challenge.publicapi.chadjessen.com - check that a DNS record
   exists for this domain

   Domain: www.publicapi.chadjessen.com
   Type:   dns
   Detail: DNS problem: NXDOMAIN looking up TXT for
   _acme-challenge.www.publicapi.chadjessen.com - check that a DNS
   record exists for this domain
    undefined

    @madchatthew do you have a sub domain setup for publicapi.chadjessen.com setup n VirtualMin ?

    Author of OGProxy, Swatch, Threaded, Card, and most of Sudonix's bugs…

    0
  • undefined phenomlab

    @madchatthew do you have a sub domain setup for publicapi.chadjessen.com setup n VirtualMin ?

    undefined

    @phenomlab I do. It is in the domains folder under chadjessen.com. I set it up as a subdomain through virtualwin.

    0
  • undefined Madchatthew

    @phenomlab I do. It is in the domains folder under chadjessen.com. I set it up as a subdomain through virtualwin.

    undefined

    @madchatthew that’s odd. Let’s Encrypt is complaining about the lack of .well-known which is required for activation. Seeing as you created this as a sub domain it should work without issue.

    Do you have certbot installed at all ? If not, have a look at this and go from step 4

    Author of OGProxy, Swatch, Threaded, Card, and most of Sudonix's bugs…

    0
  • undefined phenomlab

    @madchatthew that’s odd. Let’s Encrypt is complaining about the lack of .well-known which is required for activation. Seeing as you created this as a sub domain it should work without issue.

    Do you have certbot installed at all ? If not, have a look at this and go from step 4

    undefined

    @phenomlab I thought the same thing. I will try these steps a little later today and let you know the results. Thanks

    0
  • undefined

    So I installed certbot and went through the steps. It was successful. My publicapi.chadjessen.com is now secured again. I made sure that the auto renewal was set and did a dry run to make sure that everything would go through. I didn’t have to add the ppa like it said in the instructions. I am running Ubuntu 20.04. I just had to run the install part of the program.

    It is weird that Virtualmin wouldn’t renew it. I will make sure just to use certbot if I have any other issues with it.

    Thanks for your help Mark, I really appreciate it.

    1
  • undefined Madchatthew has marked this topic as solved on 2 Oct 2021, 13:26
  • undefined Madchatthew has marked this topic as unsolved on 2 Oct 2021, 13:26
  • undefined Madchatthew has marked this topic as solved on 2 Oct 2021, 13:26
  • undefined Madchatthew

    So I installed certbot and went through the steps. It was successful. My publicapi.chadjessen.com is now secured again. I made sure that the auto renewal was set and did a dry run to make sure that everything would go through. I didn’t have to add the ppa like it said in the instructions. I am running Ubuntu 20.04. I just had to run the install part of the program.

    It is weird that Virtualmin wouldn’t renew it. I will make sure just to use certbot if I have any other issues with it.

    Thanks for your help Mark, I really appreciate it.

    undefined

    @madchatthew no problems Chad. Always happy to help out. I’ve come across this before myself hence the suggestion as it worked for me previously as it did for you. The only gotcha here is that you won’t be able to manage that particular cert through WebMin or VirtualMin in terms of renewal etc - it needs to be done from CLI.

    Author of OGProxy, Swatch, Threaded, Card, and most of Sudonix's bugs…

    0
  • undefined phenomlab unlocked this topic on 6 Oct 2021, 17:24
  • undefined

    A quick update for anyone reading this thread, and attempting to follow the links. It seems that the PPA has been deprecated, meaning that

    sudo add-apt-repository ppa:certbot/certbot will NOT work.

    You’ll need to download the .deb files manually from here, then use sudoi dkpg -i <deb> to install

    Additionally, if you’re a Webmin user and are looking for a way to install Certbot there, details for that are here.

    Author of OGProxy, Swatch, Threaded, Card, and most of Sudonix's bugs…

    0
  • undefined phenomlab

    A quick update for anyone reading this thread, and attempting to follow the links. It seems that the PPA has been deprecated, meaning that

    sudo add-apt-repository ppa:certbot/certbot will NOT work.

    You’ll need to download the .deb files manually from here, then use sudoi dkpg -i <deb> to install

    Additionally, if you’re a Webmin user and are looking for a way to install Certbot there, details for that are here.

    undefined

    @phenomlab Else ye’ can also always opt for some Dehydrated Boulders and be done with it, eh? 👍

    Opinionated two bit opinions are my own. Caveat emptor, eh?

    0
  • undefined gotwf

    @phenomlab Else ye’ can also always opt for some Dehydrated Boulders and be done with it, eh? 👍

    undefined

    @gotwf Yes, you could… 🙂

    Author of OGProxy, Swatch, Threaded, Card, and most of Sudonix's bugs…

    0
  • undefined phenomlab

    @gotwf Yes, you could… 🙂

    undefined

    @phenomlab Indubitably. I have been using dehydrated since early days of Let’s Encrypt. I favor KISS engineering and Dehydrated is a “simple” shell script. And in so being, also easy to automate via cron jobs. No big mussin’ or fussin’ about with the evil systemd. 🤡

    Dehydrated has been under +/- continual incremental development since those early days (who’d of thunk it?) and scratches my itches.

    My $0.02. Caveat emptor.

    Opinionated two bit opinions are my own. Caveat emptor, eh?

    undefined 2 Replies
    0
  • undefined gotwf

    @phenomlab Indubitably. I have been using dehydrated since early days of Let’s Encrypt. I favor KISS engineering and Dehydrated is a “simple” shell script. And in so being, also easy to automate via cron jobs. No big mussin’ or fussin’ about with the evil systemd. 🤡

    Dehydrated has been under +/- continual incremental development since those early days (who’d of thunk it?) and scratches my itches.

    My $0.02. Caveat emptor.

    undefined

    @gotwf KISS - now there’s a phrase I’ve not heard for a while… I have a blog article about that I’ll out up soon.

    Author of OGProxy, Swatch, Threaded, Card, and most of Sudonix's bugs…

    0
  • undefined gotwf

    @phenomlab Indubitably. I have been using dehydrated since early days of Let’s Encrypt. I favor KISS engineering and Dehydrated is a “simple” shell script. And in so being, also easy to automate via cron jobs. No big mussin’ or fussin’ about with the evil systemd. 🤡

    Dehydrated has been under +/- continual incremental development since those early days (who’d of thunk it?) and scratches my itches.

    My $0.02. Caveat emptor.

    undefined

    @gotwf said in Virtualmin Letsencrypt Renewal:

    I favor KISS engineering

    Then I think you’ll be able to appreciate this
    https://content.sudonix.com/keep-it-simple-stupid/

    Author of OGProxy, Swatch, Threaded, Card, and most of Sudonix's bugs…

    0
  • undefined phenomlab referenced this topic on 2 Oct 2023, 21:38
Log in to reply

1/13

2 Oct 2021, 00:27

10 unread
Did this solution help you?
Did you find the suggested solution useful? Why not buy me a coffee? It's a nice gesture, and a great way to show your appreciation 💗

Related Topics
  • Pandaundefined

    Is no cpanel on host normal?

    Solved Hosting
    13 24 May 2024, 18:18
    24 May 2024, 18:18
    3 Votes
    8 Posts
    595 Views
    undefined
    @Panda if just seems bizarre practice to me. They clearly state that cPanel comes with the package, yet don’t seem to offer it unless you complain it’s missing!
  • DownPWundefined

    Nginx core developer quits project in security dispute, starts “freenginx” fork

    Hosting
    13 16 Feb 2024, 22:15
    16 Feb 2024, 22:15
    3 Votes
    6 Posts
    648 Views
    undefined
    @DownPW said in Nginx core developer quits project in security dispute, starts “freenginx” fork: Maybe virtualmin implement it in the future… I don’t think they will - my guess is that they will stick with the current branch of NGINX. I’ve not personally tested it, but the GIT page seems to be very active. This is equally impressive [image: 1714914575066-8ac0d197-68fa-4bd8-bfa3-87237bf8f1f4-image.png] I think the most impressive on here is the native support of HTTP 3
  • Pandaundefined

    Come back PhP, all is forgiven!

    Hosting
    13 18 Jul 2023, 13:07
    18 Jul 2023, 13:07
    4 Votes
    3 Posts
    280 Views
    DownPWundefined
    @phenomlab said in Come back PhP, all is forgiven!: I used IONOS for a while, and realised that Hetzner provide a much better deal for those experienced with Linux. I know @cagatay, @DownPW and myself all use Hetzner, and I think @Madchatthew (whom I haven’t seen for a while ) was also considering taking their services. There’s an affiliate link below if you’d like to go down that route Yep hetzner is very very cool and I haven’t seen before a panel magentment as complete as him : backup, snapshot, add cpu core, ram is easy. @phenomlab said in Come back PhP, all is forgiven!: Obtaining a VPS comes with the double-edged sword of being completely on your own with no support, although by using Virtualmin, you’ll find life so much simpler (something I know @DownPW can attest to, as I managed to convert him ) Yep Virtualmin is very cool And it makes life much easier for server management, domain, nginx and so on even if it is always better to know how to do all this in CLI. I would say that the 2 are really complementary
  • Pandaundefined

    Is nginx necessary to use?

    Moved Solved Hosting
    13 18 Jul 2023, 11:28
    18 Jul 2023, 11:28
    1 Votes
    2 Posts
    398 Views
    undefined
    @Panda said in Cloudflare bot fight mode and Google search: Basic question again, is nginx necessary to use? No, but you’d need something at least to handle the inbound requests, so you could use Apache, NGINX, Caddy… (there are plenty of them, but I tend to prefer NGINX) @Panda said in Cloudflare bot fight mode and Google search: Do these two sites need to be attached to different ports, and the ports put in the DNS record? No. They will both use ports 80 (HTTP) and 443 (HTTPS) by default. @Panda said in Cloudflare bot fight mode and Google search: Its not currently working, but how would the domain name know which of the two sites to resolve to without more info? Currently it only says the IP of the whole server. Yes, that’s correct. Domain routing is handled (for example) at the NGINX level, so whatever you have in DNS will be presented as the hostname, and NGINX will expect a match which once received, will then be forwarded onto the relevant destination. As an example, in your NGINX config, you could have (at a basic level used in reverse proxy mode - obviously, the IP addresses here are redacted and replaced with fakes). We assume you have created an A record in your DNS called “proxy” which resolves to 192.206.28.1, so fully qualified, will be proxy.sudonix.org in this case. The web browser requests this site, which is in turn received by NGINX and matches the below config server { server_name proxy.sudonix.org; listen 192.206.28.1; root /home/sudonix.org/domains/proxy.sudonix.org/ogproxy; index index.php index.htm index.html; access_log /var/log/virtualmin/proxy.sudonix.org_access_log; error_log /var/log/virtualmin/proxy.sudonix.org_error_log; location / { proxy_set_header Access-Control-Allow-Origin *; proxy_set_header Host $host; proxy_pass http://localhost:2000; proxy_redirect off; proxy_set_header Host $host; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Api-Key $http_x_api_key; } location /images { index index.php index.htm index.html; root /home/sudonix.org/domains/proxy.sudonix.org/ogproxy; } fastcgi_split_path_info "^(.+\.php)(/.+)$"; listen 192.206.28.1:443 ssl http2; ssl_certificate /home/sudonix.org/domains/proxy.sudonix.org/ssl.combined; ssl_certificate_key /home/sudonix.org/ssl.key; } The important part here is server_name proxy.sudonix.org; as this is used to “map” the request to the actual domain name, which you can see in the root section as root /home/sudonix.org/domains/proxy.sudonix.org/ogproxy; As the DNS record you specified matches this hostname, NGINX then knows what to do with the request when it receives it.
  • undefined

    VPS Provider

    Solved Hosting
    13 15 Feb 2023, 22:31
    15 Feb 2023, 22:31
    6 Votes
    7 Posts
    395 Views
    undefined
    @phenomlab thank you very much. I will use that link when I set up my new server. Thanks again!
  • JACundefined

    Domain name factors

    Hosting
    13 10 Jan 2022, 10:39
    10 Jan 2022, 10:39
    1 Votes
    16 Posts
    938 Views
    JACundefined
    @phenomlab said in Domain name factors: @jac Yes, but don’t forget that Matomo (and most browsers) alike will allow you to “opt out” or not be tracked, so you can’t really rely on these 100%. Absolutely, very true pal.
  • JACundefined

    Site down

    Solved Hosting
    13 24 Nov 2021, 06:49
    24 Nov 2021, 06:49
    1 Votes
    9 Posts
    569 Views
    undefined
    @jac thinking about it, this is probably related to the feature in Nord VPN. https://nordvpn.com/features/vpn-kill-switch/
  • undefined

    Hetzner - great for hosting. Terrible for support

    Hosting
    13 31 Aug 2021, 23:01
    31 Aug 2021, 23:01
    3 Votes
    4 Posts
    610 Views
    undefined
    @cagatay same here. Was previously an IONOS user, but moved to Hetzner to realise both savings and performance increase and have never looked back.