This morning I have a message from Let's Encrypt that the renewal for one of my web sites failed. This web site has been successfully updating for the last year.
The interesting (or strange) part of this is that "Webmin" reported errors, but from one of my web sites that was NOT being updated, and still has a month to go before it should renew. I've stopped and started Apache (with no issue) and checked the DNS records in GoDaddy, but they have been unchanged for ages.
I'm really stumped on this and the cert runs out in a few days.
Here are the two messages I received.
Error message from Let's Encrypt (Has successfully renewed 4 times in the past with no issues)
An error occurred requesting a new certificate for captnslounge.com, www.captnslounge.com, captnslounge.info, www.captnslounge.info from Let's Encrypt : Web-based validation failed : Failed to request certificate :
www.captnslounge.info challenge did not pass: Invalid response from http://www.captnslounge.info/.well-known/acme-challenge/bdzdt48iruYpYiF8... "\n\n\n \n \n <meta htt"
DNS-based validation failed : Failed to request certificate :
www.captnslounge.info challenge did not pass: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.www.captnslounge.info

First part of mail from Webmin - and the cert for this web site has 1 month to go and is not trying to renew. This was a new site (nigel-aves-photography.us) started one month ago. (My IP address is 8.44.146.52)
reason: acme_tiny.py:198:get_crt:ValueError: nigel-aves-photography.us challenge did not pass: {u'status': u'invalid', u'validationRecord': [{u'url': u'http://nigel-aves-photography.us/.well-known/acme-challenge/1dvGU3n8rA5tLDL54wrZ8wJ7y4LVU96dNM4XBxYgpug', u'hostname': u'nigel-aves-photography.us', u'addressUsed': u'184.168.131.241', u'port': u'80', u'addressesResolved': [u'184.168.131.241']}, {u'url': u'http://nigel-aves-photography.us/OKaNZ/.well-known/acme-challenge
Any thoughts?
Nigel Aves.
After a lot of hair pulling this one is resolved.
So, I had no idea that Virtualmin was writing the challenge into the local DNS records, BUT that is not where my active DNS records are; they are on GoDaddy.
I run BIND so that I have a "local" copy of what Virtualmin thinks the DNS records should be, which in many cases I have transferred over to GoDaddy.
But for Let's Encrypt a better message would have been helpful; it probably should have been mentioned on the Let's Encrypt page that the whole "challenge" procedure had changed, and what to do if your DNS is hosted outside your server.
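An added triage example, not code from this thread, Webmin or Virtualmin: it reads the validationRecord from a failed ACME http-01 challenge object (the structure Let's Encrypt returns and that the Webmin error above quotes) and checks whether the address the CA actually connected to is one of this server's own addresses. When it is not, the authoritative DNS, not the web server, is where the fix belongs, which is the situation described in the resolution above. It also pulls the record name out of a dns-01 "NXDOMAIN looking up TXT" detail so you know which name the provider's zone must contain. The hostnames, token and IPs are constructed placeholders (RFC 5737 documentation ranges); the challenge object shape follows RFC 8555 section 8.3.

```python
"""Triage a failed ACME challenge from the CA's own error object.

Hypothetical helper written for this thread; not Webmin/Virtualmin code.
All names and addresses below are constructed sample data.
"""
import ipaddress
import re
from urllib.parse import urlparse

# Constructed sample shaped like the challenge object a CA returns for a
# failed http-01 validation: the CA resolved the name to a foreign address,
# then followed a redirect to a different path.
SAMPLE_CHALLENGE = {
    "type": "http-01",
    "status": "invalid",
    "error": {
        "type": "urn:ietf:params:acme:error:unauthorized",
        "detail": "Invalid response from http://photos.example/.well-known/acme-challenge/tok3n",
    },
    "validationRecord": [
        {
            "url": "http://photos.example/.well-known/acme-challenge/tok3n",
            "hostname": "photos.example",
            "port": "80",
            "addressesResolved": ["203.0.113.241"],
            "addressUsed": "203.0.113.241",
        },
        {
            "url": "http://photos.example/parked/.well-known/acme-challenge/tok3n",
            "hostname": "photos.example",
            "port": "80",
            "addressesResolved": ["203.0.113.241"],
            "addressUsed": "203.0.113.241",
        },
    ],
}

# Addresses this web server actually answers on (constructed).
LOCAL_ADDRESSES = {"198.51.100.52"}


def triage_http01(challenge, local_addresses):
    """Return one finding per validation record.

    verdict is one of:
      "dns_elsewhere"  the CA connected to an address that is not ours, so
                       the authoritative zone (e.g. at the registrar) points
                       the name away from this host
      "redirected"     the CA reached us but was sent to a different path
      "ok"             the CA reached us at the path it asked for
    """
    if challenge.get("type") != "http-01":
        raise ValueError("expected an http-01 challenge object")
    local = {ipaddress.ip_address(a) for a in local_addresses}
    findings = []
    requested_path = None
    for i, rec in enumerate(challenge.get("validationRecord", [])):
        used = ipaddress.ip_address(rec["addressUsed"])
        path = urlparse(rec["url"]).path
        if i == 0:
            requested_path = path  # the URL the CA was told to fetch
        if used not in local:
            verdict = "dns_elsewhere"
        elif path != requested_path:
            verdict = "redirected"
        else:
            verdict = "ok"
        findings.append({
            "record": i,
            "hostname": rec["hostname"],
            "address_used": str(used),
            "path": path,
            "verdict": verdict,
        })
    return findings


def summarize(findings):
    """Pick the first place to look, DNS before web server."""
    verdicts = {f["verdict"] for f in findings}
    if "dns_elsewhere" in verdicts:
        return "authoritative DNS points the name away from this host; fix the zone at the DNS provider"
    if "redirected" in verdicts:
        return "web server redirects the challenge URL; serve /.well-known/acme-challenge/ directly"
    if verdicts == {"ok"}:
        return "CA reached this host; check the challenge file under the document root"
    return "no validation records; the CA never attempted the fetch"


def dns01_name(detail):
    """Extract the TXT name from a dns-01 'NXDOMAIN looking up TXT for ...' detail."""
    m = re.search(r"looking up TXT for (\S+)", detail)
    return m.group(1) if m else None


if __name__ == "__main__":
    for f in triage_http01(SAMPLE_CHALLENGE, LOCAL_ADDRESSES):
        print(f)
    print(summarize(triage_http01(SAMPLE_CHALLENGE, LOCAL_ADDRESSES)))
```

Run it with the server's real addresses in LOCAL_ADDRESSES; if every record comes back "dns_elsewhere", publishing the challenge into a local BIND zone that nobody queries cannot help, and the A record (or the _acme-challenge TXT for dns-01) has to be changed at the provider that actually serves the zone.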