Letsencrypt broken after upgrade to 5.06

Updated webmin-virtual-server package this morning to 5.06. After that letsencrypt stopped working. (seen on several servers, also on Debian 8)

Requesting a certificate for * from Let's Encrypt .. .. request failed : Domain has no website, and DNS-based validation is not possible.

Comments

I have the same problem here. On 5.06 Let's Encrypt does not work. I tried with another server on 5.05 and it works. Then I upgraded to 5.06 and now I cannot request a certificate.

Fresh install using 5.06 deb from the Webmin site. OS is Ubuntu 14.04.

Webmin version 1.831.

Source code of file ./usr/share/webmin/virtual-server/feature-ssl.pl includes this:

if ($d->{'web'} && 0) {
         ($ok, $cert, $key, $chain) = &webmin::request_letsencrypt_cert(
                $dnames, $phd, $d->{'emailto'}, $size, "web", $staging);
        }
if (!$ok && &get_webmin_version() >= 1.832 && $d->{'dns'}) {
        ($ok, $cert, $key, $chain) = &webmin::request_letsencrypt_cert(
                $dnames, undef, $d->{'emailto'}, $size, "dns", $staging);
        }
elsif (!$ok) {
        $ok = 0;
        $cert = "Domain has no website, ".
                "and DNS-based validation is not possible";
        }

Webmin 1.831 is the latest version available at their repository. apt-get update && apt-get upgrade won't update to 1.832.

Broken here too. Same error. CentOS7

Requesting a certificate for * from Let's Encrypt .. .. request failed : Domain has no website, and DNS-based validation is not possible

The same problem, 2 of my websites' certificates expire tomorrow. Any temporary quick fix?

PANIC!!!

I experienced the same problem.

My temporary fix was to install letsencrypt on the server, use Webroot authentication and move the certificates manually.
Basically:

sudo apt-get install letsencrypt
sudo letsencrypt certonly --webroot --keep-until-expiring --agree-tos --rsa-key-size 2048 --email example@example.com -w /home/{USER}/public_html -d example.com

sudo mv /home/{USER}/ssl.cert /home/{USER}/ssl.cert-old
sudo mv /home/{USER}/ssl.key /home/{USER}/ssl.key-old
sudo cp /etc/letsencrypt/live/{example.com}/fullchain.pem /home/{USER}/ssl.cert
sudo cp /etc/letsencrypt/live/{example.com}/privkey.pem /home/{USER}/ssl.key

Hope it's fixed soon though...

Possible temporary solution, working for me on Ubuntu 16.04:

Go into the Source code of file ./usr/share/webmin/virtual-server/feature-ssl.pl

As mentioned by 'regodon' the code starting at line 2138 contains this function / subroutine (sorry I'm not familiar with Perl phraseology):

# request_domain_letsencrypt_cert(&domain, &dnames, [staging], [size])
# Attempts to request a Let's Encrypt cert for a domain, trying both web and
# DNS modes if possible
sub request_domain_letsencrypt_cert
{
my ($d, $dnames, $staging, $size) = @_;
$size ||= $config{'key_size'};
&foreign_require("webmin");
my $phd = &public_html_dir($d);
my ($ok, $cert, $key, $chain);
if ($d->{'web'} && 0) {
        ($ok, $cert, $key, $chain) = &webmin::request_letsencrypt_cert(
                $dnames, $phd, $d->{'emailto'}, $size, "web", $staging);
        }
if (!$ok && &get_webmin_version() >= 1.832 && $d->{'dns'}) {
        ($ok, $cert, $key, $chain) = &webmin::request_letsencrypt_cert(
                $dnames, undef, $d->{'emailto'}, $size, "dns", $staging);
        }
elsif (!$ok) {
        $ok = 0;
        $cert = "Domain has no website, ".
                "and DNS-based validation is not possible";
        }
return ($ok, $cert, $key, $chain);
}

You'll notice on line 2148 this 'if' statement:

if ($d->{'web'} && 0) {

As I mentioned I'm no Perl programmer, but assuming the && is a logical AND, then ANDing anything with 0 will always result in a 0 or false return value, causing this if statement block not to run.

Change the 0 to a 1 like so:

if ($d->{'web'} && 1) {

Save the file and then restart Webmin. I did so from the terminal with the command:

sudo service webmin restart

(I was scratching my head for a while at this, but I assume the Perl functions must be cached in memory. Might be related to me having it load Virtualmin / Webmin into memory on server start. As a result the webmin restart might not be required for everyone)

Same here on Debian 7 and 8.

I reinstalled Ubuntu and Let's Encrypt stopped working...

Submitted by tpnsolutions on Fri, 02/17/2017 - 17:01

Jamie/Joe,

This does seem to be a confirmed bug at the core of the functionality.

After it failed inside the Virtualmin web GUI, I attempted to issue the command via the command line API using: virtualmin generate-letsencrypt-cert --domain mydomain.com --renew 2 and got the error Requesting SSL certificate for mydomain.com www.mydomain.com .. failed : Domain has no website, and DNS-based validation is not possible as stated by others.

Test was completed using the latest version of Virtualmin 5.06 and CentOS 7.

-Peter

Maybe somebody has the file "virtualmin.5.05.sh"? I tried to find it, but failed.

Damn, this was due to test code left in place as part of work to get DNS-based validation working.

Editing line 2148 and changing it from :

if ($d->{'web'} && 0) {

to :

if ($d->{'web'}) {

and then running /etc/webmin/restart will fix the issue.

Submitted by tpnsolutions on Fri, 02/17/2017 - 19:37

Jamie,

I made the adjustment noted to /usr/libexec/webmin/virtual-server/feature-ssl.pl and it successfully resolved the bug after restarting webmin.

Cheers!

Just an FYI, we're going to be making a new release here shortly with the Let's Encrypt bugfix in it... sorry about that!

I changed it ("if ($d->{'web'} && 0) {"). Rebooted webmin.

Requesting a certificate for softowik.by, www.softowik.by from Let's Encrypt .. .. request was successful! Configuring webserver to use new certificate and key .. .. done

Applying web server configuration .. .. done

But... have no results. (Answer is OK. In browser "ERR_SSL_PROTOCOL_ERROR")

Can you help me?

P.S.: Domain is http://softowik.by/

Please, tell me, how can I install lower version of virtualmin. I need it!

For Ubuntu / Debian you can downgrade virtualmin to older version:
sudo apt-get install webmin-virtual-server=5.05.gpl 

and hold this virtualmin 5.05 version
sudo apt-mark hold webmin-virtual-server 

Once there is a corrected version, you can unlock the package for upgrade:
sudo apt-mark unhold webmin-virtual-server 

Thanks! Maybe somebody can help me? I did everything as described there: https://virtualmin.com/node/46850. But I have "ERR_SSL_PROTOCOL_ERROR". It is interesting that I get no message about a bad certificate, just an error. Before reinstalling Ubuntu all was great. Please, help me.

It was because of the IP (127.0.0.1), I changed it to external. It works now! Thanks! For developers: THANKS A LOT, GREAT JOB! WE DO INTERNET BETTER TOGETHER!!!

in CentOS6.8

on virtualmin5.06

I fixed the file in「/usr/libexec/webmin/virtual-server/feature-ssl.pl」

from:

if ($d->{'web'} && 0) {

to :

if ($d->{'web'}) {

And restart webmin.

But I get 「Requesting a certificate for * from Let's Encrypt .. .. request failed : Domain has no website, and DNS-based validation is not possible.」, when I did「Let's encrypt」

What should I do next ?

Upgrade NOW. New webmin-virtual-server (5.06.gpl-2) solves this issue.

The error still exists on version 5.06:

.. request failed : Domain has no website, and DNS-based validation is not possible

Submitted by Mostafa on Mon, 02/20/2017 - 06:53

indeed the issue still exists, tested on centos 7

same issue still exists on the version 5.06-2

Sorry about that, and thanks for the heads up!

For those of you still seeing that issue in 5.0.6-2 -- If you look at the file "/usr/libexec/webmin/virtual-server/feature-ssl.pl", what are you seeing on line 2148?

In my case same issue still exists. At the file "/usr/libexec/webmin/virtual-server/feature-ssl.pl", on line 2147 I've this: if ($d->{'web'}) {. And on line 2148 I've this: ($ok, $cert, $key, $chain) = &webmin::request_letsencrypt_cert(

Operating system: Ubuntu Linux 14.04.3

Webmin version: 1.831

Virtualmin version: 5.06 (5.06.gpl-2 update installed)

Theme version: Authentic Theme 18.32

Kernel and CPU: Linux 3.13.0-109-generic on x86_64

There were some other updates pending including a reboot for a kernel update, just to be sure I've updated everything and rebooted, still the same:

Let's Encrypt .. .. request failed : Domain has no website, and DNS-based validation is not possible

Line 2148 of /usr/share/webmin/virtual-server/feature-ssl.pl:

if ($d->{'web'}) {

Jamie, some users indicated it's been resolved with the 5.06-2 update.

Others are saying they still see the issue in 5.06-2, even after rebooting.

Is there anything you need to further troubleshoot that issue?

Maybe the problem is that the version of webmin is 1.831 and not 1.832? (see row 2152)

Debian 8

sudo apt-show-versions webmin-virtual-server

webmin-virtual-server:all/virtualmin-universal 5.06.gpl-2 uptodate

File /usr/share/webmin/virtual-server/feature-ssl.pl from line 2138:

# request_domain_letsencrypt_cert(&domain, &dnames, [staging], [size])
# Attempts to request a Let's Encrypt cert for a domain, trying both web and
# DNS modes if possible
sub request_domain_letsencrypt_cert
{
my ($d, $dnames, $staging, $size) = @_;
$size ||= $config{'key_size'};
&foreign_require("webmin");
my $phd = &public_html_dir($d);
my ($ok, $cert, $key, $chain);
if ($d->{'web'}) {
         ($ok, $cert, $key, $chain) = &webmin::request_letsencrypt_cert(
                $dnames, $phd, $d->{'emailto'}, $size, "web", $staging);
        }
if (!$ok && &get_webmin_version() >= 1.832 && $d->{'dns'}) {
        ($ok, $cert, $key, $chain) = &webmin::request_letsencrypt_cert(
                $dnames, undef, $d->{'emailto'}, $size, "dns", $staging);
        }
elsif (!$ok) {
        $ok = 0;
        $cert = "Domain has no website, ".
                "and DNS-based validation is not possible";
        }
return ($ok, $cert, $key, $chain);
}

$done_feature_script{'ssl'} = 1;

1;

confirmed! changing row 2152 from

1.832 to 1.831

fixed my problem

changing row 2152 from

1.832 to 1.831

fixed my problem, Me too! CentOS6.8

To fix the issue, rollback webmin-virtual-server then reboot webmin. Version 5.05 will override 5.06.

NOTE: This will remove your apache or nginx packages. Make note of what version is currently installed by running dpkg -l. Then reinstall the necessary packages after you rollback webmin-virtual-server.

apt-get install webmin-virtual-server=5.05.gpl

/etc/webmin/restart

I'm running Nginx so I had to reinstall the following two packages:

apt-get install webmin-virtualmin-nginx=2.0
apt-get install webmin-virtualmin-nginx-ssl=1.4

/etc/webmin/restart

For those who upgraded to 5.06-2 and are still having problems, what is the exact error message that you're getting?

@JamieCameron

Boss, this is the exact error message, even though we have a website:

.. request failed : Domain has no website, and DNS-based validation is not possible

Changing row 2152 from 1.832 to 1.831 doesn't fix the problem. But when I try to renew a certificate, I receive a mail with this error message:

An error occurred requesting a new certificate for mysub.domain.com, www.mysub.domain.com from Let's Encrypt :

Upgrading certbot-auto 0.10.1 to 0.11.1... Couldn't download https://raw.githubusercontent.com/certbot/certbot/v0.11.1/letsencrypt-auto-source/letsencrypt-auto.

@mans have you restarted webmin service?

@JamieCameron what's the last version of webmin in the repository?

@JamieCameron: With version 5.06.gpl-2 the error message is:

Requesting a certificate for server02.gnilebein.de from Let's Encrypt ..
.. request failed : Domain has no website, and DNS-based validation is not possible

My System: Ubuntu 16.04, nginx 1.10.3

...so I think that many virtualmin 1.831 didn't get updated to 1.832 (mine included).

@gnilebein what version of virtualmin do you have on your system?

just waiting Webmin 1.832 official available for update

Server: Ubuntu Linux 14.04.5, Authentic Theme 18.32, Linux 4.4.0-64-generic on x86_64, All installed packages are up to date,

Virtualmin version 5.06,

Webmin version 1.831 <------- This never changed to 1.832,

apt-show-versions webmin-virtual-server,

webmin-virtual-server:all/virtualmin-universal 5.06.gpl-2 uptodate,

Negative fix when changing /usr/share/webmin/virtual-server/feature-ssl.pl, line 2151 from 1.832 to 1.831 and restarting webmin and rebooting server. I changed line 2151 back to 1.832 and restarted/rebooted, still no change to the error of "request failed : Domain has no website, and DNS-based validation is not possible."

I'm sure you'll get this fixed soon, what about resupplying the 5.06.gpl-2 update with the fixes making it 5.06.gpl-3? <---not that I know anything at all about the problem or the fix :)

Wow, so I logged back in to Webmin, then went to my Virtualmin tab, then to the dropdown and selected the site I was trying to install the certificate on. I went to Services and removed the redirect website, i.e., from "/" to "https://xyz.org", then went to Manage SSL Certificates and tried it again - it worked. Settings in /usr/share/webmin/virtual-server/feature-ssl.pl, line 2151 (for me) remained at my previous change to 1.831.

Requesting a certificate for xyz.org, www.xyz.org from Let's Encrypt .. .. request was successful!

Configuring webserver to use new certificate and key .. .. done

Applying web server configuration .. .. done

Then I put the redirect back in.

That worked for me, and I have an "A" from Qualys SSL Test

@Kintaro: my webmin Version is 1.831.

If you have Webmin 1.831 and the latest 5.06-2 Virtualmin package, the problem should be fixed.

Be sure you have the 5.06-2 release though - you can check with rpm -q wbm-virtual-server or dpkg --list webmin-virtual-server

@JamieCameron: It does not seem so:

ii  webmin                                                1.831                           all                             web-based administration interface for Unix systems
ii  webmin-virtual-server                                 5.06.gpl-2                      all                             Webmin module for 'Virtualmin Virtual Servers (GPL)'

I tried this on two different servers with different domains. But it does not work :-(

I found out that you need to enable "DNS domain enabled?" on "Edit Virtual Server" to make it work. I don't have BIND Server active so I didn't enable that option on virtualhosts. In this way the issue disappears.

In the previous test I tried in a virtual host where I forgot to disable it; this is why changing row 2152 to 1.831 was working, and maybe doesn't for some of you.

Now the questions are:

1) Is it really mandatory to have "DNS domain enabled?" enabled?
2) @Jamie do you confirm that row 2152 needs to be changed from 1.832 to 1.831?

Editing line 2148 and changing it from :

if ($d->{'web'} && 0) {

to :

if ($d->{'web'}) {

This also resolved my issue on Cent 7.2. Thanks to everyone.

@JamieCameron: if you want you can connect to my server with your ssh key for debugging...

The 5.06-2 package should already have line 2148 changed to just if ($d->{'web'}) {

Enabling DNS is generally necessary, or else the Let's Encrypt service won't be able to resolve your domain.

Hi, I'm getting the error "Domain has no website, and DNS-based validation is not possible". I have latest webmin and virtualmin, updated from your repository: Webmin version 1.831 Virtualmin version 5.06

line 2152 is

if (!$ok && &get_webmin_version() >= 1.832 && $d->{'dns'}) {

why does it require webmin 1.832 for dns validation if latest webmin available is 1.831?

Even with DNS enabled I'm also getting the error.

I'm using certbot to make the certificate and there is no DNS problem.

The DNS validation support is a new feature that is under development - the Virtualmin part is done and released, but the Webmin component isn't out yet.

For those who are still seeing this problem AND have upgraded to Virtualmin 5.06-2, what does line 2148 of /usr/{share,libexec}/webmin/virtual-server/feature-ssl.pl contain?

I got the expected code as well. Thought because DNS feature was disabled it was causing this, but enabling DNS for the domains does not help.

if ($d->{'web'}) {
Submitted by Mostafa on Fri, 02/24/2017 - 09:20

line 2148 of /usr/libexec/webmin/virtual-server/feature-ssl.pl contains:

if ($d->{'web'}) {

I'm using CentOS 7 and the following virtualmin / webmin packages are installed on my server:

wbm-virtual-server-5.06.gpl-2.noarch
webmin-1.831-1.noarch

Ok, I missed that this was Nginx-specific.

The work-around is to edit /usr/libexec/webmin/virtual-server/feature-ssl.pl and change line 2148 to :

if (&domain_has_website($d)) {

Then run /etc/webmin/restart
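
The three forms of the line-2148 condition quoted in this thread, and the Webmin version gate on the DNS branch, can be checked mechanically instead of by line number. The script below is an added example, not part of the original comments and not Virtualmin code; its function names and the sample file are constructed, and it assumes the function layout shown in the listings above.

```shell
#!/bin/sh
# Added example (not Virtualmin code): report which variant of the
# web-validation check a feature-ssl.pl contains. The patterns are the
# lines quoted in this thread; all function names here are hypothetical.

# Print only the body of request_domain_letsencrypt_cert from FILE, so
# unrelated "if" statements elsewhere in the file are ignored.
le_sub_body() {
    awk '/^sub request_domain_letsencrypt_cert/ { in_sub = 1 }
         in_sub { print }
         in_sub && /^[}]/ { exit }' "$1"
}

# web_branch_state FILE -> disabled | web-flag | has-website | unknown
web_branch_state() {
    body=$(le_sub_body "$1")
    if printf '%s\n' "$body" | grep -Fq "if (\$d->{'web'} && 0)"; then
        echo disabled      # 5.06: test code left in, web validation never runs
    elif printf '%s\n' "$body" | grep -Fq "if (&domain_has_website(\$d))"; then
        echo has-website   # work-around posted for Nginx
    elif printf '%s\n' "$body" | grep -Fq "if (\$d->{'web'})"; then
        echo web-flag      # 5.06-2: reported in the thread to still fail on Nginx
    else
        echo unknown
    fi
}

# dns_gate_version FILE -> Webmin version the DNS branch requires
dns_gate_version() {
    le_sub_body "$1" |
        sed -n 's/.*get_webmin_version() >= \([0-9.]*\).*/\1/p' | head -n 1
}

# diagnose FILE INSTALLED_WEBMIN_VERSION -> one summary line
diagnose() {
    gate=$(dns_gate_version "$1")
    if [ -n "$gate" ] && awk -v have="$2" -v need="$gate" \
            'BEGIN { exit !(have + 0 >= need + 0) }'; then
        dns=reachable
    else
        dns=unreachable
    fi
    echo "web_branch=$(web_branch_state "$1") dns_gate=${gate:-none} dns_branch=$dns"
}

# Constructed sample: the function as posted in the thread (shortened),
# with the condition line under test passed in as the second argument.
write_sample() {
    {
        printf '%s\n' 'sub request_domain_letsencrypt_cert' '{' \
            'my ($ok, $cert, $key, $chain);' "$2"
        cat <<'EOF'
        ($ok, $cert, $key, $chain) = &webmin::request_letsencrypt_cert(
                $dnames, $phd, $d->{'emailto'}, $size, "web", $staging);
        }
if (!$ok && &get_webmin_version() >= 1.832 && $d->{'dns'}) {
        ($ok, $cert, $key, $chain) = &webmin::request_letsencrypt_cert(
                $dnames, undef, $d->{'emailto'}, $size, "dns", $staging);
        }
return ($ok, $cert, $key, $chain);
}
EOF
    } > "$1"
}

demo_dir=$(mktemp -d)
write_sample "$demo_dir/v506.pl"   "if (\$d->{'web'} && 0) {"
write_sample "$demo_dir/v506-2.pl" "if (\$d->{'web'}) {"
write_sample "$demo_dir/nginx.pl"  "if (&domain_has_website(\$d)) {"
for f in v506 v506-2 nginx; do
    echo "$f: $(diagnose "$demo_dir/$f.pl" 1.831)"
done
rm -rf "$demo_dir"
```

On a real system the call would be `diagnose /usr/share/webmin/virtual-server/feature-ssl.pl 1.831` (or the `/usr/libexec` path on CentOS), with the second argument being the installed Webmin version.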

Great :-) Now it is working :-)

Submitted by Mostafa on Mon, 02/27/2017 - 02:33

this is working now! hope we see a virtualmin update containing this and all other php-fpm fixes soon

How about the not auto renewing bug - has this been resolved? Nothing in the changelog...

Thanks

@mikt I think it's better to talk about it on its specific issue page.

Submitted by Mostafa on Mon, 02/27/2017 - 12:05

@Lucian @ThomGO are you using virtualmin-nginx on your server?

Hello, after I made the above changes to my Ubuntu 14.04, the encrypt certificate was issued only when I removed the redirect from the virtual server. Basically I have a redirect from http to https: can we also not include this in the next log to already consider a redirect situation? Or else automatic renewal for my where I have redirect would fail? Or am I doing this incorrectly? Thanks

Operating system Debian Linux 8 Webmin version 1.831 Virtualmin version 5.06

Server version: Apache/2.4.10 (Debian)

The redirect problem is out of Virtualmin's control - the Let's Encrypt service that checks your webserver can't handle it.

Same problem here ... centos 6.8; Apache; Virtualmin 5.06

Submitted by Mostafa on Tue, 02/28/2017 - 14:27

to all folks that still are getting this error:

comment #36 fixes this bug for those who are running httpd (or httpd + reverse nginx)

and

comment #64 fixes this bug for those who are running nginx

although #64 fixes renewal from virtualmin interface, certificates are still not renewed automatically in nginx setup

Need some help over here too, I've got Virtualmin running with apache, everything is updated to the latest thing the panel lets me update (Webmin 1.831 & Virtualmin version: 5.06).

Yesterday I set up two new virtual domains with Let's Encrypt no problem, then this morning I saw it had some updates that I could do and I did, today I went to create a third virtual domain and the error "request failed : Domain has no website, and DNS-based validation is not possible" seems to be striking again. Anyone got some clues?

Thanks

There is a separate bug that can cause that message to appear even if the Let's Encrypt request failed for another reason (like the domain not being resolvable). We're going to release a 5.07 version soon with a fix for this.

Submitted by unborn on Sat, 03/04/2017 - 07:53 Pro Licensee

@ JacopoBassan

Well, this can happen if your bind (DNS) is not set up correctly, or your hostname is not set up correctly, or if you use external DNS management (possibly your domain provider). Could you be more specific about how you manage your DNS? Also, just to check, can you issue two commands?

hostname and hostname -f ... do those two give you the same output?

Submitted by PBIS-Inc on Sun, 03/05/2017 - 15:13 Pro Licensee

Centos 7, Apache, fully updated. Letsencrypt originally installed using GIT. Renewed successfully in December, now failing. Changing row 2152 from 1.832 to 1.831 did not help me (reset webmin, and restarted server). Still receive the "Domain has no website" error. Result the same from hostname and hostname -f. Also confirmed acme-challenge content is accessible. What else can I do?

Update - Resolved: the problem was outdated letsencrypt. I installed Certbot, restarted webmin, and then successfully renewed my cert from VirtualMin.

@unborn

Both hostname / hostname -f give the same output, my DNSes are managed on namecheap (I have just the domain name and DNS there).

I have three virtual servers on virtualmin on my vps, all these have the domain and dns over at namecheap, I installed the letsencrypt cert without problems on the first two, then the last gives me the "Domain has no website" error.

Just did a fresh install of Ubuntu 14.04 + latest Virtualmin, then tried letsencrypt through the Virtualmin panel and it gives me request failed : Domain has no website, and DNS-based validation is not possible

Still not fixed?

how to fix it with apache

There are no lines mentioned above in that file, I did search and did not find them.

Submitted by unborn on Wed, 03/08/2017 - 10:01 Pro Licensee

@ JacopoBassan - I manage my DNSes on my own right on the server. However, you should be fine to use external ones if set up correctly. I am going to say something that may sound dummy, but I have seen it in the past. Can you just delete the .well-known folder from your /public_html and then try to re-request again?

Perhaps it will help. A friend of mine had this issue on Ubuntu with external DNS management (I think it was 123reg); then he eventually started using bind on his server and since then he had no issues, so I did not quite follow that issue any more, but that was how he always got it working.

@unborn tried, not worked :( thanks anyway. Also, trying to manually get the domain instead of the automatic "www.domain.tld domain.tld" I got this error:

Requesting a certificate from Let's Encrypt .. .. request was successful! Configuring webserver to use new certificate and key .. Failed to request certificate : Failed to lock file /etc/apache2/mods-available/ssl.conf after 5 minutes. Last error was :

Could be this that fails the other way without properly saying it? What can I do?

That message is due to some process holding a lock on /etc/apache2/mods-available/ssl.conf

The fix is to find out what process has the PID stored in /etc/apache2/mods-available/ssl.conf.lock and kill it.

Thanks Jamie, now that error is gone, but there's another one...

Failed to request certificate : Failed to query Postfix config command to get the current value of parameter smtpd_tls_CAfile:

Submitted by unborn on Thu, 03/09/2017 - 03:02 Pro Licensee

@ JacopoBassan

What happens when you disable the SSL option for that website? You could try to disable and then re-enable SSL for that domain and then try to re-request. Have you tried that?

@unborn

When I disable the SSL option nothing changes on the website; disabling and re-enabling and trying to request fails with the automatic domain list, but if I manually enter those it says it's done and successful, but the website doesn't load anymore because of "too many redirects".

I'm using virtualmin-universal uptodate 5.06.gpl-2 Debian 7 Nginx / Virtualmin-Nginx line 2148 changed to: if (&domain_has_website($d)) {

restarted webmin, and I still get error: .. request failed : Domain has no website, and DNS-based validation is not possible

Submitted by unborn on Fri, 03/10/2017 - 04:32 Pro Licensee

@JacopoBassan

Ah, too many redirects? Maybe that's why it is failing to renew. Let's Encrypt, when renewing, is accessing .well-known on your site and that could be your case.

I would perhaps check what is redirecting it that many times. A good bet would be to temporarily rename .htaccess to temp.htaccess and try to load the site in https. Perhaps you will get some error related to your web app, but you should be able to see if the redirects continue or not; if not, and you are able to load the site, then I would defo check .htaccess for something causing that. Also check your web app settings for any setting like force https. If that is specified in the app and then forced somewhere else as well, the server will or may do too many redirects. This also means whenever Let's Encrypt tries to access that folder it will fail to do so, so renewal of the cert would fail. Let me know.

Edit: this ticket now has too many replies and it's mixed up with Apache and Nginx. Perhaps if you would like to troubleshoot it on IRC chat, in the freenode #virtualmin room, then just jump in.

@unborn

Okay finally got it working! Deleting for the 10th time the virtual server and re-creating it worked. ¯_(ツ)_/¯

Thanks to everyone!

Submitted by unborn on Fri, 03/10/2017 - 15:13 Pro Licensee

@JacopoBassan

somehow my comment is held for moderation.. I replied earlier, however I am glad you made that working for you!