Submitted by eldk on Wed, 12/05/2018 - 06:32
Hello,
On one server using Virtualmin and Let's Encrypt for one year:
- automatic update fails
- manual update fails
Virtualmin : 6.05 gpl (automatic certificate update fails with previous version)
Webmin : 1.900
Domains that need certificate :
domain.tld
mail.domain.tld
What has changed:
automatic update renewal fails
manual update fails:
-- first time: "ssl.CertificateError: hostname 'mail.domain.tld' doesn't match either of 'domain.tld', 'www.domain.tld'"
-- now: "ssl.CertificateError: hostname 'www.domain.tld' doesn't match 'domain.tld'"
I'm trying to solve it, as mail, server, ... give certificate security warnings to users.
Thanks,
Eric
Status:
Active
Comments
Submitted by eldk on Wed, 12/05/2018 - 06:47 Comment #1
All ubuntu packages are up to date.
Submitted by eldk on Wed, 12/05/2018 - 07:03 Comment #2
In "Domain names listed here", checked (this was the config for automatic update):
domain.tld
www.domain.tld
mail.domain.tld
Traceback (most recent call last):
  File "/usr/share/webmin/webmin/acme_tiny.py", line 250, in <module>
    main(sys.argv[1:])
  File "/usr/share/webmin/webmin/acme_tiny.py", line 246, in main
    signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, args.dns_hook, args.cleanup_hook, log=LOGGER, CA=args.ca)
  File "/usr/share/webmin/webmin/acme_tiny.py", line 154, in get_crt
    resp = urlopen(wellknown_url)
  File "/usr/lib/python2.7/urllib2.py", line 154, in urlopen
    return opener.open(url, data, timeout)
  File "/usr/lib/python2.7/urllib2.py", line 435, in open
    response = meth(req, response)
  File "/usr/lib/python2.7/urllib2.py", line 548, in http_response
    'http', request, response, code, msg, hdrs)
  File "/usr/lib/python2.7/urllib2.py", line 467, in error
    result = self._call_chain(*args)
  File "/usr/lib/python2.7/urllib2.py", line 407, in _call_chain
    result = func(*args)
  File "/usr/lib/python2.7/urllib2.py", line 654, in http_error_302
    return self.parent.open(new, timeout=req.timeout)
  File "/usr/lib/python2.7/urllib2.py", line 429, in open
    response = self._open(req, data)
  File "/usr/lib/python2.7/urllib2.py", line 447, in _open
    '_open', req)
  File "/usr/lib/python2.7/urllib2.py", line 407, in _call_chain
    result = func(*args)
  File "/usr/lib/python2.7/urllib2.py", line 1241, in https_open
    context=self._context)
  File "/usr/lib/python2.7/urllib2.py", line 1195, in do_open
    h.request(req.get_method(), req.get_selector(), req.data, headers)
  File "/usr/lib/python2.7/httplib.py", line 1057, in request
    self._send_request(method, url, body, headers)
  File "/usr/lib/python2.7/httplib.py", line 1097, in _send_request
    self.endheaders(body)
  File "/usr/lib/python2.7/httplib.py", line 1053, in endheaders
    self._send_output(message_body)
  File "/usr/lib/python2.7/httplib.py", line 897, in _send_output
    self.send(msg)
  File "/usr/lib/python2.7/httplib.py", line 859, in send
    self.connect()
  File "/usr/lib/python2.7/httplib.py", line 1278, in connect
    server_hostname=server_hostname)
  File "/usr/lib/python2.7/ssl.py", line 353, in wrap_socket
    _context=self)
  File "/usr/lib/python2.7/ssl.py", line 601, in __init__
    self.do_handshake()
  File "/usr/lib/python2.7/ssl.py", line 838, in do_handshake
    match_hostname(self.getpeercert(), self.server_hostname)
  File "/usr/lib/python2.7/ssl.py", line 276, in match_hostname
    % (hostname, dnsnames[0]))
ssl.CertificateError: hostname 'mail.domain.tld' doesn't match 'domain.tld'
DNS-based validation failed : Failed to request certificate :
Gave up waiting for validation
Submitted by eldk on Wed, 12/05/2018 - 06:58 Comment #3
Submitted by eldk on Wed, 12/05/2018 - 07:05 Comment #4
After the first renewal failed, updated "Domain names listed here" to:
domain.tld
www.domain.tld
Traceback (most recent call last):
  File "/usr/share/webmin/webmin/acme_tiny.py", line 250, in <module>
    main(sys.argv[1:])
  File "/usr/share/webmin/webmin/acme_tiny.py", line 246, in main
    signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, args.dns_hook, args.cleanup_hook, log=LOGGER, CA=args.ca)
  File "/usr/share/webmin/webmin/acme_tiny.py", line 154, in get_crt
    resp = urlopen(wellknown_url)
  File "/usr/lib/python2.7/urllib2.py", line 154, in urlopen
    return opener.open(url, data, timeout)
  File "/usr/lib/python2.7/urllib2.py", line 435, in open
    response = meth(req, response)
  File "/usr/lib/python2.7/urllib2.py", line 548, in http_response
    'http', request, response, code, msg, hdrs)
  File "/usr/lib/python2.7/urllib2.py", line 467, in error
    result = self._call_chain(*args)
  File "/usr/lib/python2.7/urllib2.py", line 407, in _call_chain
    result = func(*args)
  File "/usr/lib/python2.7/urllib2.py", line 654, in http_error_302
    return self.parent.open(new, timeout=req.timeout)
  File "/usr/lib/python2.7/urllib2.py", line 429, in open
    response = self._open(req, data)
  File "/usr/lib/python2.7/urllib2.py", line 447, in _open
    '_open', req)
  File "/usr/lib/python2.7/urllib2.py", line 407, in _call_chain
    result = func(*args)
  File "/usr/lib/python2.7/urllib2.py", line 1241, in https_open
    context=self._context)
  File "/usr/lib/python2.7/urllib2.py", line 1195, in do_open
    h.request(req.get_method(), req.get_selector(), req.data, headers)
  File "/usr/lib/python2.7/httplib.py", line 1057, in request
    self._send_request(method, url, body, headers)
  File "/usr/lib/python2.7/httplib.py", line 1097, in _send_request
    self.endheaders(body)
  File "/usr/lib/python2.7/httplib.py", line 1053, in endheaders
    self._send_output(message_body)
  File "/usr/lib/python2.7/httplib.py", line 897, in _send_output
    self.send(msg)
  File "/usr/lib/python2.7/httplib.py", line 859, in send
    self.connect()
  File "/usr/lib/python2.7/httplib.py", line 1278, in connect
    server_hostname=server_hostname)
  File "/usr/lib/python2.7/ssl.py", line 353, in wrap_socket
    _context=self)
  File "/usr/lib/python2.7/ssl.py", line 601, in __init__
    self.do_handshake()
  File "/usr/lib/python2.7/ssl.py", line 838, in do_handshake
    match_hostname(self.getpeercert(), self.server_hostname)
  File "/usr/lib/python2.7/ssl.py", line 276, in match_hostname
    % (hostname, dnsnames[0]))
ssl.CertificateError: hostname 'www.domain.tld' doesn't match 'domain.tld'
DNS-based validation failed : Failed to request certificate :
Gave up waiting for validation
Submitted by eldk on Wed, 12/05/2018 - 10:34 Comment #5
Web server: Apache 2.4
Without mail.domain.tld (only domain.tld and www.domain.tld in "Domain names listed here"): test OK
It seems to always fail when mail.domain.tld is added in "Domain names listed here", with or without any redirection.
mail.domain.tld is the DNS name of the mail server.
Submitted by eldk on Wed, 12/05/2018 - 10:20 Comment #6
Test with:
certbot --apache -d domain.tld -d www.domain.tld -d mail.domain.tld
= OK
A ServerAlias for mail.domain.tld was added in the vhost config.
Submitted by eldk on Wed, 12/05/2018 - 10:36 Comment #7
Rechecked with the Virtualmin Let's Encrypt renewal request for the 3 domains and the original config for redirections: OK.
Is the mail.domain.tld alias now needed in the virtual host?
It was OK without it until the last update.
Thanks,
Eric
PS: See here if the Ubuntu 16.04 updated package is needed. https://community.letsencrypt.org/t/how-to-install-certbot-at-ubuntu-16-...
PS2: I have tried to update certificates through Virtualmin with the latest certbot package installed. It was KO, before using certbot from the command line.
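Added illustration, not part of Eric's posts or of Virtualmin's code. Reading the traceback above: acme_tiny's own pre-check (`urlopen(wellknown_url)` in `get_crt`) is redirected (`http_error_302`) to HTTPS and then fails hostname verification against the certificate already installed on that vhost, which only covers the names listed in the error. The script below models the two conditions this suggests checking before a renewal: every requested name must be served by the Apache vhost that answers the challenge (the ServerAlias that was added in Comment #6), and every requested name must be covered by the currently installed certificate, since the self-check validates that certificate after the redirect. The vhost snippets, SAN lists and function names are constructed for the example.

```python
"""Pre-flight check for an HTTP-01 renewal (added example, constructed data)."""
import re

# Matches "ServerName x" / "ServerAlias x y" lines; commented-out lines do not match.
VHOST_NAME_RE = re.compile(r'^\s*Server(Name|Alias)\s+(.+?)\s*$',
                           re.IGNORECASE | re.MULTILINE)


def hostname_matches(name, san):
    """True if `name` is covered by `san`: exact match, or a leftmost-label
    wildcard (*.domain.tld) that covers exactly one label, as TLS clients do."""
    name = name.lower().rstrip('.')
    san = san.lower().rstrip('.')
    if '*' not in san:
        return name == san
    san_labels = san.split('.')
    name_labels = name.split('.')
    # Only a whole-label wildcard in the leftmost position is accepted,
    # and it never matches the bare parent name or more than one label.
    if san_labels[0] != '*' or len(san_labels) != len(name_labels):
        return False
    return san_labels[1:] == name_labels[1:]


def uncovered_names(requested, sans):
    """Names in `requested` that no SAN in `sans` covers."""
    return [n for n in requested if not any(hostname_matches(n, s) for s in sans)]


def vhost_names(config_text):
    """Set of hostnames an Apache vhost answers for (ServerName + ServerAlias),
    with any :port suffix stripped."""
    names = set()
    for _, value in VHOST_NAME_RE.findall(config_text):
        for token in value.split():
            names.add(token.split(':')[0].lower().rstrip('.'))
    return names


def preflight(requested, vhost_config, current_sans):
    """Report which requested names would not be served by the vhost and which
    would fail certificate verification if the self-check is redirected to HTTPS."""
    served = vhost_names(vhost_config)
    return {
        'not_served_by_vhost': [n for n in requested if n.lower() not in served],
        'not_in_current_cert': uncovered_names(requested, current_sans),
    }


# Constructed sample data mirroring the thread.
REQUESTED = ['domain.tld', 'www.domain.tld', 'mail.domain.tld']
CURRENT_SANS = ['domain.tld', 'www.domain.tld']   # names in the installed cert per the error
VHOST_BEFORE = """
<VirtualHost *:80>
    ServerName domain.tld:80
    ServerAlias www.domain.tld
    # ServerAlias mail.domain.tld   (not yet added)
</VirtualHost>
"""
VHOST_AFTER = VHOST_BEFORE.replace('# ServerAlias mail.domain.tld   (not yet added)',
                                   'ServerAlias mail.domain.tld')

if __name__ == '__main__':
    for label, cfg in (('before alias', VHOST_BEFORE), ('after alias', VHOST_AFTER)):
        print(label, preflight(REQUESTED, cfg, CURRENT_SANS))
```

Run it before a renewal with the real vhost text and the SANs of the installed certificate (e.g. from `openssl x509 -noout -ext subjectAltName`): an empty `not_served_by_vhost` means the challenge file is reachable for every name; a non-empty `not_in_current_cert` means an HTTP-to-HTTPS redirect on the challenge path will make a verifying client reject the connection for those names, exactly as the traceback shows.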
Submitted by eldk on Wed, 12/05/2018 - 11:58 Comment #8
Submitted by eldk on Wed, 12/05/2018 - 12:00 Comment #9
Submitted by andreychek on Thu, 12/06/2018 - 09:14 Comment #10
Howdy -- we're unfortunately not seeing this particular issue on our systems, though there are a variety of reasons a particular domain can fail.
Is it possible to share the actual domain in question? That would help with the troubleshooting.
Submitted by eldk on Fri, 12/07/2018 - 11:18 Comment #11
Hello,
Should I send the domain by private mail?
Thanks,
Eric