Well,
I told Virtualmin to renew the cert for a specific domain every 8 weeks. Since yesterday, letsencrypt tries to renew a certificate and gives the following error:
An error occurred requesting a new certificate for xyz.com from Let's Encrypt : <pre>Updating letsencrypt and virtual environment dependencies..../tmp/.webmin/226795_32507_7_collectinfo.pl/.local/share/letsencrypt/local/lib/python2.7/site-packages/pip/_vendor/requests/packages/urllib3/util/ssl_.py:318: SNIMissingWarning: An HTTPS request has been made, but the SNI (Subject Name Indication) extension to TLS is not available on this platform. This may cause the server to present an incorrect TLS certificate, which can cause validation failures. You can upgrade to a newer version of Python to solve this. For more information, see https://urllib3.readthedocs.io/en/latest/security.html#snimissingwarning.
SNIMissingWarning
/tmp/.webmin/226795_32507_7_collectinfo.pl/.local/share/letsencrypt/local/lib/python2.7/site-packages/pip/_vendor/requests/packages/urllib3/util/ssl_.py:122: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. You can upgrade to a newer version of Python to solve this. For more information, see https://urllib3.readthedocs.io/en/latest/security.html#insecureplatformwarning.
InsecurePlatformWarning
Checking the link on the platformwarning issue, I read this:
Certificate verification in Python 2
Older versions of Python 2 are built with an ssl module that lacks SNI support and can lag behind security updates. For these reasons it’s recommended to use pyOpenSSL.
If you install urllib3 with the secure extra, all required packages for certificate verification on Python 2 will be installed:
pip install urllib3[secure]
Which led me to do this, see below.
..
Requesting root privileges to run with virtualenv: /tmp/.webmin/226795_32507_7_collectinfo.pl/.local/share/letsencrypt/bin/letsencrypt certonly --manual -d xyz.com --preferred-challenges=dns --manual-auth-hook /etc/webmin/webmin/letsencrypt-dns.pl --manual-cleanup-hook /etc/webmin/webmin/letsencrypt-cleanup.pl --duplicate --manual-public-ip-logging-ok --config /tmp/.webmin/517618_32507_10_collectinfo.pl --rsa-key-size 2048
Too many flags setting configurators/installers/authenticators 'webroot' -> 'manual'
</pre>
Following the various links, I found out that I should run this:
pip install urllib3[secure]
I tried this, but I only got the error message that my urllib has version 1.7.1 and not the secure option, so I upgraded urllib3 to 1.21.1 and re-ran that command.
This worked this time, but the error is still there. According to the Ubuntu documentation, one shouldn't upgrade Python itself.
So I couldn't do much more on that side.
Webmin / Virtualmin keeps trying every 5 minutes to create a cert, which isn't how it should work. So I thought I should just end this by changing the setting to manual renewal, but when I open that page in Virtualmin, it won't let me save at all. By the way, just a Save button would be great at this point, just to switch forth and back, without creating a new cert or renewing an existing cert. Either button won't work, even after updating Webmin / Virtualmin.
I thought this 5min interval for retry would end with the update, but to no avail. I also did a
service webmin stop
service webmin start
Btw: No restart option available? So, how can I fix this?
Best j_m
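An added example (not part of the original post, and not Webmin/Virtualmin or certbot code): a small triage of output shaped like the report above. It parses each Python warning to show which environment's copy of urllib3 emitted it (here the copy vendored inside pip in the letsencrypt virtualenv, not a separately installed urllib3) and separates the warnings from the remaining output line. The sample text, shortened paths and the `triage` function are constructed for illustration.

```python
import re

# Constructed sample modelled on the output in the report (paths shortened).
ENV = "/tmp/le/.local/share/letsencrypt/local/lib/python2.7"
MOD = "/site-packages/pip/_vendor/requests/packages/urllib3/util/ssl_.py"
SAMPLE = "\n".join([
    "Updating letsencrypt and virtual environment dependencies...." + ENV + MOD
    + ":318: SNIMissingWarning: An HTTPS request has been made, but SNI is not available.",
    "  SNIMissingWarning",
    ENV + MOD + ":122: InsecurePlatformWarning: A true SSLContext object is not available.",
    "  InsecurePlatformWarning",
    "Too many flags setting configurators/installers/authenticators 'webroot' -> 'manual'",
])

# Python's default warning format: <file>:<lineno>: <Category>: <message>
WARNING_RE = re.compile(r"(?P<path>/\S+\.py):(?P<line>\d+): (?P<kind>\w+Warning): ")

def triage(output):
    """Return (warnings, other): parsed Python warnings and all remaining lines."""
    warnings, other = [], []
    for raw in output.splitlines():
        line = raw.strip()
        m = WARNING_RE.search(line)  # search: a warning may follow other text on the line
        if m:
            # Everything before /site-packages/ identifies the Python environment
            # whose copy of the module emitted the warning.
            env, sep, module = m.group("path").partition("/site-packages/")
            warnings.append({
                "kind": m.group("kind"),
                "env": env if sep else None,
                "pip_vendored": module.startswith("pip/_vendor/"),
            })
        elif line and not re.fullmatch(r"\w+Warning", line):
            # Skip the source-line echo Python prints under each warning;
            # whatever is left is the tool's own output, including its error.
            other.append(line)
    return warnings, other

if __name__ == "__main__":
    found, rest = triage(SAMPLE)
    for w in found:
        print("warning:", w["kind"], "| env:", w["env"], "| pip-vendored:", w["pip_vendored"])
    for line in rest:
        print("other:  ", line)
```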
Comments
Submitted by just_me on Wed, 05/17/2017 - 04:50 Comment #1
Submitted by JamieCameron on Wed, 05/17/2017 - 23:50 Comment #2
As a quick fix, you can turn off automatic renewal with
virtualmin modify-web --domain yourdomain.com --no-letsencrypt-renew
For your original problem - how did you install the Let's Encrypt client?