Wildcard Let's Encrypt - getting there

#1 Sat, 11/23/2019 - 07:46
simon1066


CentOS Linux 7.7.1908
Apache 2.4.6
Virtualmin GPL
DNS is managed by Vmin/Bind
Default Let's Encrypt module

My first attempt at requesting a (wildcard) SSL cert for
*.mydomain.com (just this in the request - no other subdomains included)

errored with "DNS-based validation failed" and a demand that certbot be installed. I installed it and on the next attempt got

... 
Undefined subroutine &main::restart_zone called at /usr/libexec/webmin/webmin/letsencrypt-dns.pl line 47. 
... 
Undefined subroutine &main::restart_zone called at /usr/libexec/webmin/webmin/letsencrypt-cleanup.pl line 38. 
... 

I corrected these two files with the github resolution at https://github.com/webmin/webmin/commit/771be1a754fafa02abb5d5670f3ba4a6...

rebooted the server and then get these errors:
request failed : Web-based validation failed : Wildcard hostname *.mydomain.com can only be validated in DNS mode DNS-based validation failed :

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for mydomain.com
Running manual-auth-hook command: /etc/webmin/webmin/letsencrypt-dns.pl
Waiting for verification...
Challenge failed for domain mydomain.com
dns-01 challenge for mydomain.com
Cleaning up challenges
Running manual-cleanup-hook command: /etc/webmin/webmin/letsencrypt-cleanup.pl
Some challenges have failed.
IMPORTANT NOTES:
- The following errors were reported by the server:

   Domain: mydomain.com
   Type:   dns
   Detail: DNS problem: NXDOMAIN looking up TXT for
   _acme-challenge.mydomain.com

I was able to create the cert without the wildcard entry.
I don't have an .htaccess file in public_html
I am not using ipv6 on this virtualserver.
The main domain has DNS & SSL enabled.
Below the main domain I have subdomains and alias servers; all have DNS enabled.

Any suggestions?

Sat, 11/23/2019 - 08:25
simon1066

Probably obvious, but there is no _acme-challenge TXT entry created in DNS Records.

Sat, 11/23/2019 - 10:13
simon1066

And here is the letsencrypt.log if it's of any help:

2019-11-23 14:20:00,952:DEBUG:certbot.main:certbot version: 0.39.0
2019-11-23 14:20:00,952:DEBUG:certbot.main:Arguments: ['--manual', '-d', '*.mydomain.com', '--preferred-challenges=dns', '--manual-auth-hook', '/etc/webmin/webmin/letsencrypt-dns.pl', '--manual-cleanup-hook', '/etc/webmin/webmin/letsencrypt-cleanup.pl', '--duplicate', '--force-renewal', '--manual-public-ip-logging-ok', '--config', '/tmp/.webmin/894685_10770_2_letsencrypt.cgi', '--rsa-key-size', '2048', '--cert-name', '*.mydomain.com']
2019-11-23 14:20:00,952:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2019-11-23 14:20:00,968:DEBUG:certbot.log:Root logging level set at 20
2019-11-23 14:20:00,968:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2019-11-23 14:20:00,969:DEBUG:certbot.plugins.selection:Requested authenticator manual and installer None
2019-11-23 14:20:00,970:DEBUG:certbot.plugins.selection:Single candidate plugin: * manual
Description: Manual configuration or run your own shell scripts
Interfaces: IAuthenticator, IPlugin
Entry point: manual = certbot.plugins.manual:Authenticator
Initialized: <certbot.plugins.manual.Authenticator object at 0x7f93d258b890>
Prep: True
2019-11-23 14:20:00,970:DEBUG:certbot.plugins.selection:Selected authenticator <certbot.plugins.manual.Authenticator object at 0x7f93d258b890> and installer None
2019-11-23 14:20:00,970:INFO:certbot.plugins.selection:Plugins selected: Authenticator manual, Installer None
2019-11-23 14:20:00,992:DEBUG:certbot.main:Picked account: <Account(RegistrationResource(body=Registration(status=None, terms_of_service_agreed=None, agreement=None, only_return_existing=None, contact=(), key=None, external_account_binding=None), uri=u'https://acme-v02.api.letsencrypt.org/acme/acct/72375123', new_authzr_uri=None, terms_of_service=None), 91f5d54f15cb24d7c5b2c0016c4ed042, Meta(creation_host=u'ns1.mynameserver.com', creation_dt=datetime.datetime(2019, 11, 23, 10, 18, 39, tzinfo=<UTC>)))>
2019-11-23 14:20:00,998:DEBUG:acme.client:Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
2019-11-23 14:20:01,003:INFO:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
2019-11-23 14:20:01,644:DEBUG:requests.packages.urllib3.connectionpool:"GET /directory HTTP/1.1" 200 658
2019-11-23 14:20:01,645:DEBUG:acme.client:Received response:
HTTP 200
content-length: 658
strict-transport-security: max-age=604800
server: nginx
connection: keep-alive
cache-control: public, max-age=0, no-cache
date: Sat, 23 Nov 2019 14:20:01 GMT
x-frame-options: DENY
content-type: application/json

{
  "2igNuAgelHk": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
  "keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
    "website": "https://letsencrypt.org"
  },
  "newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
  "newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
  "newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
  "revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"
}
2019-11-23 14:20:01,646:INFO:certbot.main:Obtaining a new certificate
2019-11-23 14:20:01,836:DEBUG:certbot.crypto_util:Generating key (2048 bits): /etc/letsencrypt/keys/0012_key-certbot.pem
2019-11-23 14:20:01,839:DEBUG:certbot.crypto_util:Creating CSR: /etc/letsencrypt/csr/0012_csr-certbot.pem
2019-11-23 14:20:01,840:DEBUG:acme.client:Requesting fresh nonce
2019-11-23 14:20:01,840:DEBUG:acme.client:Sending HEAD request to https://acme-v02.api.letsencrypt.org/acme/new-nonce.
2019-11-23 14:20:02,001:DEBUG:requests.packages.urllib3.connectionpool:"HEAD /acme/new-nonce HTTP/1.1" 200 0
2019-11-23 14:20:02,002:DEBUG:acme.client:Received response:
HTTP 200
strict-transport-security: max-age=604800
server: nginx
connection: keep-alive
link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
cache-control: public, max-age=0, no-cache
date: Sat, 23 Nov 2019 14:20:01 GMT
x-frame-options: DENY
replay-nonce: 0001R9eVJmc8MJ3AGfSxegbItnSm_3OcrwN_GV9GtSUz7r8


2019-11-23 14:20:02,002:DEBUG:acme.client:Storing nonce: 0001R9eVJmc8MJ3AGfSxegbItnSm_3OcrwN_GV9GtSUz7r8
2019-11-23 14:20:02,003:DEBUG:acme.client:JWS payload:
{
  "identifiers": [
    {
      "type": "dns",
      "value": "*.mydomain.com"
    }
  ]
}
2019-11-23 14:20:02,005:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/new-order:
{
  "protected": "eyJub25jZSI6ICIwMDAxUjllVkptYzhNSjNBR2ZTeGVnYkl0blNtXzNPY3J3Tl9HVjlHdFNVejdyOCIsICJ1cmwiOiAiaHR0cHM6Ly9hY21lLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvbmV3LW9yZGVyIiwgImtpZCI6ICJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hY2N0LzcyMzc1MTIzIiwgImFsZyI6ICJSUzI1NiJ9",
  "payload": "ewogICJpZGVudGlmaWVycyI6IFsKICAgIHsKICAgICAgInR5cGUiOiAiZG5zIiwgCiAgICAgICJ2YWx1ZSI6ICIqLnN0ZXZpYWRvbWFpbi5jb20iCiAgICB9CiAgXQp9",
  "signature": "ulIdSJ-fJqAaN9BUhMCVYYliGd3x5AMAm853kn0NOTeGT4YFrVlDILoyrCPfQs1rnCOjP1-bnfAHLydddhNWalYrgt5hmj_48jis6cx4KDF02PRhgNap2XYXagywMcdzuMnBIZhwsk57na33xf9omuK6hnZ2RBndx-Pa0jyiqb38mmmRwZIah837995vb4_d_KwGVkgxjvIzMIrRLKhRTs3W9dCr5aZKsxlXmaL7JEu8CQdYysCIEvMTnii5w0RG-XgdMdGo40Vv88ctg8ED38OuVG5Msu054WSkPm-K2j3iEXPIim0cekz9PfIjp6xCUnAJKllwQU3f-vemmwIKBw"
}
2019-11-23 14:20:02,392:DEBUG:requests.packages.urllib3.connectionpool:"POST /acme/new-order HTTP/1.1" 201 348
2019-11-23 14:20:02,392:DEBUG:acme.client:Received response:
HTTP 201
content-length: 348
cache-control: public, max-age=0, no-cache
strict-transport-security: max-age=604800
server: nginx
connection: keep-alive
link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
location: https://acme-v02.api.letsencrypt.org/acme/order/72375123/1581229425
boulder-requester: 72375123
date: Sat, 23 Nov 2019 14:20:02 GMT
x-frame-options: DENY
content-type: application/json
replay-nonce: 0002N6m0uTFYzhQuSGsEWR7Y5YLOn4IKQxpVPqrtS9KCJ4g

{
  "status": "pending",
  "expires": "2019-11-30T14:20:02.231114763Z",
  "identifiers": [
    {
      "type": "dns",
      "value": "*.mydomain.com"
    }
  ],
  "authorizations": [
    "https://acme-v02.api.letsencrypt.org/acme/authz-v3/1370765971"
  ],
  "finalize": "https://acme-v02.api.letsencrypt.org/acme/finalize/72375123/1581229425"
}
2019-11-23 14:20:02,393:DEBUG:acme.client:Storing nonce: 0002N6m0uTFYzhQuSGsEWR7Y5YLOn4IKQxpVPqrtS9KCJ4g
2019-11-23 14:20:02,393:DEBUG:acme.client:JWS payload:

2019-11-23 14:20:02,394:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/1370765971:
{
  "protected": "eyJub25jZSI6ICIwMDAyTjZtMHVURll6aFF1U0dzRVdSN1k1WUxPbjRJS1F4cFZQcXJ0UzlLQ0o0ZyIsICJ1cmwiOiAiaHR0cHM6Ly9hY21lLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYXV0aHotdjMvMTM3MDc2NTk3MSIsICJraWQiOiAiaHR0cHM6Ly9hY21lLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC83MjM3NTEyMyIsICJhbGciOiAiUlMyNTYifQ",
  "payload": "",
  "signature": "f9GYPHfVfpJxipBxeVmmy_PgHVS7xpFK48W3HURY8Fswo4y1gp8vZCYbIJ23BT5F88xQj3X2FVQxYaxV1dL74iXuIb_lWfWVyqgVbEc05990XPobNWJorLpIxhrRGW3CG_xXnq0aarlc31y7Iok1y1P-5PeAsmyLvwjxPy1bTauYmjQ_jA8dCMGNO27AtKUIY7lXuIMRRorD_Xft6j2WMgx7qmyM1Vs1MdXZasVtvBatvblWNtDeALIauJ0MOnOl3gmyyIkwfal7nLtqhrCTCXhB7-oFnm53L4CLdkSSR7d8OcHHCxRQ0mrfqwri9lIamCdODDsntAkq4IOYAuxJtw"
}
2019-11-23 14:20:02,717:DEBUG:requests.packages.urllib3.connectionpool:"POST /acme/authz-v3/1370765971 HTTP/1.1" 200 388
2019-11-23 14:20:02,718:DEBUG:acme.client:Received response:
HTTP 200
content-length: 388
cache-control: public, max-age=0, no-cache
strict-transport-security: max-age=604800
server: nginx
connection: keep-alive
link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
boulder-requester: 72375123
date: Sat, 23 Nov 2019 14:20:02 GMT
x-frame-options: DENY
content-type: application/json
replay-nonce: 0002gPFihLTnsJ2-Yprgpn1Fwfl6wGliWloRF-FICbzl6Rs

{
  "identifier": {
    "type": "dns",
    "value": "mydomain.com"
  },
  "status": "pending",
  "expires": "2019-11-30T14:20:02Z",
  "challenges": [
    {
      "type": "dns-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/1370765971/9cRC5g",
      "token": "TdqDZ4dH7KWGRGgQfj7sT-ixzD-fJkRGFtBK8g_Rhic"
    }
  ],
  "wildcard": true
}
2019-11-23 14:20:02,718:DEBUG:acme.client:Storing nonce: 0002gPFihLTnsJ2-Yprgpn1Fwfl6wGliWloRF-FICbzl6Rs
2019-11-23 14:20:02,719:INFO:certbot.auth_handler:Performing the following challenges:
2019-11-23 14:20:02,719:INFO:certbot.auth_handler:dns-01 challenge for mydomain.com
2019-11-23 14:20:02,723:INFO:certbot.hooks:Running manual-auth-hook command: /etc/webmin/webmin/letsencrypt-dns.pl
2019-11-23 14:20:15,986:INFO:certbot.auth_handler:Waiting for verification...
2019-11-23 14:20:15,987:DEBUG:acme.client:JWS payload:
{
  "type": "dns-01",
  "resource": "challenge"
}
2019-11-23 14:20:15,990:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/chall-v3/1370765971/9cRC5g:
{
  "protected": "eyJub25jZSI6ICIwMDAyZ1BGaWhMVG5zSjItWXByZ3BuMUZ3Zmw2d0dsaVdsb1JGLUZJQ2J6bDZScyIsICJ1cmwiOiAiaHR0cHM6Ly9hY21lLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvY2hhbGwtdjMvMTM3MDc2NTk3MS85Y1JDNWciLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvNzIzNzUxMjMiLCAiYWxnIjogIlJTMjU2In0",
  "payload": "ewogICJ0eXBlIjogImRucy0wMSIsIAogICJyZXNvdXJjZSI6ICJjaGFsbGVuZ2UiCn0",
  "signature": "nHR-QZZX4D9Q1WZ03uePLScm75IKISTrL48dqHYeInZo1GsXnDDipArGug7imBqWHyjS8l-u-TIhRy5KSqJgmiksB2836uO5AwEfUrbTuCugNHenlfjXzKOm4sQYCuWy1n3YPHLQSj8MtG9qt8gh5rlgsYQel8yLsxrQS0tXYHn4dSDFRGUerjvEWmhFrXN2U45yqeLUWQmxeRHcs-wN_ZDB5XN1vMVE555k0qVa3SRfMaiBd0gtHvKp6GbJO6f0C_RoOPFksZnSHWnjQISfKE5f2VNG1_2bSCP36o7Ts1bD0u_isGGYrkdAVkhQuQ2TVSVUDYBLjUvq4QRIIBlDug"
}
2019-11-23 14:20:16,285:DEBUG:requests.packages.urllib3.connectionpool:"POST /acme/chall-v3/1370765971/9cRC5g HTTP/1.1" 200 184
2019-11-23 14:20:16,287:DEBUG:acme.client:Received response:
HTTP 200
content-length: 184
cache-control: public, max-age=0, no-cache
strict-transport-security: max-age=604800
server: nginx
connection: keep-alive
link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index", <https://acme-v02.api.letsencrypt.org/acme/authz-v3/1370765971>;rel="up"
location: https://acme-v02.api.letsencrypt.org/acme/chall-v3/1370765971/9cRC5g
boulder-requester: 72375123
date: Sat, 23 Nov 2019 14:20:16 GMT
x-frame-options: DENY
content-type: application/json
replay-nonce: 0001F-Bh63pyygwrdV_MAzLAc6885CTGPPRRHb5IoUGrE64

{
  "type": "dns-01",
  "status": "pending",
  "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/1370765971/9cRC5g",
  "token": "TdqDZ4dH7KWGRGgQfj7sT-ixzD-fJkRGFtBK8g_Rhic"
}
2019-11-23 14:20:16,288:DEBUG:acme.client:Storing nonce: 0001F-Bh63pyygwrdV_MAzLAc6885CTGPPRRHb5IoUGrE64
2019-11-23 14:20:17,290:DEBUG:acme.client:JWS payload:

2019-11-23 14:20:17,294:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/1370765971:
{
  "protected": "eyJub25jZSI6ICIwMDAxRi1CaDYzcHl5Z3dyZFZfTUF6TEFjNjg4NUNUR1BQUlJIYjVJb1VHckU2NCIsICJ1cmwiOiAiaHR0cHM6Ly9hY21lLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYXV0aHotdjMvMTM3MDc2NTk3MSIsICJraWQiOiAiaHR0cHM6Ly9hY21lLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC83MjM3NTEyMyIsICJhbGciOiAiUlMyNTYifQ",
  "payload": "",
  "signature": "bHLdMGuUS2uz3SX3UXHXl02fOEmuGMDW4JswGUuRXm9lk3SPWI3JDQ5pitBRQg8jMP6P9fwzuPla-BNOjUvr8uNYKDLZR8codTOzJ0xmi44hP1_NLr3YgSRA9-AhCFlSZxpu4mMdhZkaNDCOjtVAgYmR9XZmg2SH7KG9Ih90FYDEIjxS6oj3ydrbvddGfn-C46_Br28F3_860M_l5ZpZAaBefJ-MPAAKCCSmynRY68ta-EOX7u9zw8rGm12KffZwioaj5dPqVLZpzNH1MCqoNbB0bM19ufWhe1nU8nUSN603JZQetfOR5h7ETVnUQnXOhyB1ZTNrRDYUyY1KgaYbTg"
}
2019-11-23 14:20:17,471:DEBUG:requests.packages.urllib3.connectionpool:"POST /acme/authz-v3/1370765971 HTTP/1.1" 200 581
2019-11-23 14:20:17,472:DEBUG:acme.client:Received response:
HTTP 200
content-length: 581
cache-control: public, max-age=0, no-cache
strict-transport-security: max-age=604800
server: nginx
connection: keep-alive
link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
boulder-requester: 72375123
date: Sat, 23 Nov 2019 14:20:17 GMT
x-frame-options: DENY
content-type: application/json
replay-nonce: 00010hOfdpBmwKBNB3rVFcSAf9IJuKNd0zCvoQ6beohL3og

{
  "identifier": {
    "type": "dns",
    "value": "mydomain.com"
  },
  "status": "invalid",
  "expires": "2019-11-30T14:20:02Z",
  "challenges": [
    {
      "type": "dns-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:dns",
        "detail": "DNS problem: NXDOMAIN looking up TXT for _acme-challenge.mydomain.com",
        "status": 400
      },
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/1370765971/9cRC5g",
      "token": "TdqDZ4dH7KWGRGgQfj7sT-ixzD-fJkRGFtBK8g_Rhic"
    }
  ],
  "wildcard": true
}
2019-11-23 14:20:17,473:DEBUG:acme.client:Storing nonce: 00010hOfdpBmwKBNB3rVFcSAf9IJuKNd0zCvoQ6beohL3og
2019-11-23 14:20:17,473:WARNING:certbot.auth_handler:Challenge failed for domain mydomain.com
2019-11-23 14:20:17,473:INFO:certbot.auth_handler:dns-01 challenge for mydomain.com
2019-11-23 14:20:17,474:DEBUG:certbot.reporter:Reporting to user: The following errors were reported by the server:

Domain: mydomain.com
Type:   dns
Detail: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.mydomain.com
2019-11-23 14:20:17,474:DEBUG:certbot.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/certbot/auth_handler.py", line 90, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, best_effort)
  File "/usr/lib/python2.7/site-packages/certbot/auth_handler.py", line 154, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
AuthorizationError: Some challenges have failed.

2019-11-23 14:20:17,474:DEBUG:certbot.error_handler:Calling registered functions
2019-11-23 14:20:17,474:INFO:certbot.auth_handler:Cleaning up challenges
2019-11-23 14:20:17,475:INFO:certbot.hooks:Running manual-cleanup-hook command: /etc/webmin/webmin/letsencrypt-cleanup.pl
2019-11-23 14:20:20,749:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
  File "/bin/letsencrypt", line 9, in <module>
    load_entry_point('certbot==0.39.0', 'console_scripts', 'certbot')()
  File "/usr/lib/python2.7/site-packages/certbot/main.py", line 1378, in main
    return config.func(config, plugins)
  File "/usr/lib/python2.7/site-packages/certbot/main.py", line 1265, in certonly
    lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
  File "/usr/lib/python2.7/site-packages/certbot/main.py", line 121, in _get_and_save_cert
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "/usr/lib/python2.7/site-packages/certbot/client.py", line 405, in obtain_and_enroll_certificate
    cert, chain, key, _ = self.obtain_certificate(domains)
  File "/usr/lib/python2.7/site-packages/certbot/client.py", line 348, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/usr/lib/python2.7/site-packages/certbot/client.py", line 384, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
  File "/usr/lib/python2.7/site-packages/certbot/auth_handler.py", line 90, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, best_effort)
  File "/usr/lib/python2.7/site-packages/certbot/auth_handler.py", line 154, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
AuthorizationError: Some challenges have failed.
Sat, 11/23/2019 - 10:43
Jfro

Yup, you didn't post some versions (Virtualmin / Webmin / certbot script). I can't help but start with https://blog.nodebb.org/generating-your-first-wildcard-ssl-certificate-v...

DNS part of provider or yours in Virtualmin, I guess.

Don't know if Virtualmin is ready to handle that part for now while they are busy with updating Let's Encrypt parts, as you can see in the forum.

Sat, 11/23/2019 - 10:55 (Reply to #4)
simon1066

Thanks for the link, I'll take a look.

I will post the versions I missed:

Webmin version v1.932
Virtualmin version v6.08
certbot v0.39.0
Running my own DNS server

Sat, 11/23/2019 - 12:16 (Reply to #5)
simon1066

That link was a big help.
I was able to manually create a wildcard certificate using certbot. This showed that I needed to wait a while between manually adding the _acme-challenge TXT record in DNS Records and Let's Encrypt being able to verify it. I'm not sure if that was due to my server or a peculiarity of wildcard creation.

I suspect that as the Virtualmin Lets Encrypt module tries to gain verification almost immediately, that was why I was getting the DNS "NXDOMAIN looking up TXT for _acme-challenge..." error.

Although I've successfully created a wildcard cert I just have to figure out how to use it and then remember to manually renew in a couple of months - hopefully I'll be able to use the built-in module by then.

Sun, 11/24/2019 - 05:14 (Reply to #6)
Dibs

IIRC - LetsEncrypt can either validate against DNS records or by checking a file in a specified location. I suspect Virtualmin goes down the 2nd road (in the case of offsite DNS).

Sun, 11/24/2019 - 05:49 (Reply to #7)
Jfro

@dibs is this also for wildcard?

So far as I know, the DNS part is important there.

Sun, 11/24/2019 - 06:04 (Reply to #8)
Dibs

@jfro - wildcard certs from LE can only be done with DNS validation - or so their documentation says & there are no plans otherwise.

Sun, 11/24/2019 - 06:29
Jfro

Yup, in case of wildcard! That means for a lot of control panels with external/offsite DNS, automatic is not possible, or only with extra API/scripts to those external DNS services.

Naming this while some don't know, I guess? As possible here https://www.virtualmin.com/node/65809

So far I did some reading.

You mentioned the 2nd road, therefore my reaction. ;)

Also the/some wait time somewhere in the forum should be set right for resolving / do it with internal DNS and scripts right after creating such virtual servers (with slave.....) and so on.
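
The wait between publishing the _acme-challenge TXT record and Let's Encrypt checking it, described in #6 and again in #10, can be made deterministic instead of a fixed sleep. The script below is an added example written for this thread; it is not code from Virtualmin, Webmin or certbot. It assumes `dig` is installed, that the zone apex is the same name certbot hands the hook in CERTBOT_DOMAIN (certbot exports CERTBOT_DOMAIN and CERTBOT_VALIDATION to manual hooks and strips the "*." from a wildcard name), and that it is run at the tail of a manual-auth-hook after the record has been written and the zone reloaded. All hostnames and tokens in the comments are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread or from Virtualmin/Webmin): block a
# manual-auth-hook until every authoritative nameserver for the zone serves
# the _acme-challenge TXT record, so certbot does not tell Let's Encrypt to
# verify before the record is visible (the NXDOMAIN seen in #1).

# lookup_txt NAME SERVER: print the TXT strings NAME has on SERVER, quotes removed.
lookup_txt() {
    dig +short +time=3 +tries=1 "@$2" "$1" TXT 2>/dev/null | tr -d '"'
}

# authoritative_servers ZONE: print the NS hostnames published for ZONE.
authoritative_servers() {
    dig +short "$1" NS 2>/dev/null
}

# wait_for_txt NAME EXPECTED ZONE [MAX_TRIES] [INTERVAL]
# Poll each authoritative server for ZONE until every one of them returns
# EXPECTED among the TXT strings for NAME. Returns 0 on success, 1 after
# MAX_TRIES polls (INTERVAL seconds apart) without agreement, or if the
# zone publishes no NS records at all.
wait_for_txt() {
    name=$1; expected=$2; zone=$3; max_tries=${4:-30}; interval=${5:-10}
    servers=$(authoritative_servers "$zone")
    if [ -z "$servers" ]; then
        echo "wait_for_txt: no NS records found for $zone" >&2
        return 1
    fi
    i=0
    while [ "$i" -lt "$max_tries" ]; do
        missing=0
        for ns in $servers; do
            # -x forces a whole-line match, so a stale token left over from an
            # earlier run (or a token that merely contains EXPECTED) is not
            # mistaken for the current one.
            if ! lookup_txt "$name" "$ns" | grep -qxF -- "$expected"; then
                missing=1
                break
            fi
        done
        if [ "$missing" -eq 0 ]; then
            return 0
        fi
        i=$((i + 1))
        if [ "$i" -lt "$max_tries" ]; then
            sleep "$interval"
        fi
    done
    echo "wait_for_txt: $name not serving expected TXT on all NS after $max_tries polls" >&2
    return 1
}

# When certbot runs this as (the tail of) a manual-auth-hook, wait for the
# record the hook just added. Assumption: the zone apex is CERTBOT_DOMAIN.
if [ -n "$CERTBOT_DOMAIN" ] && [ -n "$CERTBOT_VALIDATION" ]; then
    wait_for_txt "_acme-challenge.$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION" "$CERTBOT_DOMAIN" 30 10
fi
```

Querying the authoritative servers directly (rather than the local resolver) matters because Let's Encrypt resolves from its own vantage points and a cached negative answer in a local cache would give a false "ready". With a slave nameserver in the mix, as #10 mentions, the zone transfer is what usually adds the delay, so raise MAX_TRIES rather than INTERVAL; a failed wait returns non-zero, which makes certbot abort the order instead of burning a failed validation against the rate limit.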

Sun, 11/24/2019 - 06:35 (Reply to #10)
Dibs

Personally I don't have issues doing or having single (Virtual Server) LE SSL certs. The only "issue" is Postfix as it currently isn't SNI friendly. But from what I have read - SNI for Postfix is on the near horizon so maybe in 1st half of 2020 that might be a reality - so single certs might be 100% fine then.
