tlg/prompts
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: tlg:1fcec1a954ebc57cda5267c1d90d8dac6b508f0f
Branches Tags
tlg:main
..
compare: tlg:46c6c124d1ee266443e55a8553a0bf4868b38754
Branches Tags
tlg:main

2 Commits
1fcec1a954 ... 46c6c124d1

Author SHA1 Message Date
tlg
46c6c124d1 Cleaned up Linux-Servers.md 2026-03-15 13:42:47 +01:00
tlg
f616337e38 New: Linux-Servers.md 2026-03-14 12:56:40 +01:00
1 changed files with 423 additions and 0 deletions
Expand all files Collapse all files

423
Linux-Servers.md Normal file
View File

@@ -0,0 +1,423 @@
# Troubleshoot datacenter server https error
## Setup
The datacenter server is maintained with Virtualmin.
The domain causing the problem is "kipurchat.creature-go.com".
The SSL certificate provider is Let's Encrypt.
## Problem
When trying to open "kipurchat.creature-go.com" the web browser shows this
error (first section and certificates cut out):
```
net::ERR_CERT_DATE_INVALID
Subject: kipurchat.creature-go.com
Issuer: R13
Expires on: 28.01.2026
Current date: 14.03.2026
Certificate Transparency:
SCT Google 'Argon2026h1' log (Embedded in certificate, Verified)
SCT Let's Encrypt 'Oak2026h1' (Embedded in certificate, Verified)
```
## First own troubleshooting
The Virtualmin webpage SSL Certificate
In domain kipurchat.creature-go.com
shows that renewal of the certificate failed:
"
SSL certificate providers like Let's Encrypt can be used to automatically request a valid cert for use by Virtualmin.
This page can be used to request a new certificate, which will overwrite any other you currently have configured for this domain. However, SSL certificate providers require that your ownership of the certificate domain be validated by checking that this system hosts the website for the domain. This is done by placing a small temporary file under the website's document directory /home/admincg/domains/kipurchat.creature-go.com/public_html.
Request certificate for
Domains associated with this server
kipurchat.creature-go.com
Domain names listed here
Also request wildcard certificate?
SSL certificate provider
Let's Encrypt
Automatically renew certificate
Yes
No
Send email on renewal
Yes
Only on failure
No
Hostname verification
Attempt to request all hostnames, and fail if any cannot be validated
Skip unresolvable hostnames, but fail if any remaining cannot be validated
Exclude hostnames that cannot be validated from the certifcate
Certificate hash type
RSA
Time since last renewal
0.00 months
Last failed renewal
03/14/2026 11:39 AM
Renewal failed due to
Web-based validation failed :
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Renewing an existing certificate for kipurchat.creature-go.com
An unexpected error occurred:
AttributeError: can't set attribute
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
DNS-based validation failed :
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Renewing an existing certificate for kipurchat.creature-go.com
An unexpected error occurred:
AttributeError: can't set attribute
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
"
## Your tasks
Please help me by running these tasks:
### Understand the root cause
Why did the certificate renewal fail?
### Repair the SSL certificate setup
Change the SSL certificate setup so that future renewals will work.
### Repair SSL connection
If not already done by completing the task before, repair the SSL connection so that "kipurchat.creature-go.com" can be used again.
## Updates
Okay, updates were done long ago because this is just an experimental server.
Good idea to run updates first.
I am running Terminal commands as root and I prefer "apt" instead of "apt-get".
Snap is not acceptable and will not be installed on the server.
Both Debian linux and Virtualmin are outdated. Which one to update first?
Please provide the Terminal commands again taking into account these preferences.
## What I did to update and certificate renewal attempt
I did to these steps to update:
### Update Debian packages
In a terminal I did run
```
apt update
apt upgrade
```
I do not want to upgrade the full distribution because it is Debian 12
which is really good enough. Any distro upgrade is a risk so when unnecessary
I won't do it. Therefore, I did not run the other Terminal commands you proposed.
I did see that webmin was upgraded during apt upgrade, too.
After rebooting the server, a previously warning in Virtualmin that the
Virtualmin version is outdated was not showing up anymore.
Therefore, I skipped Phase 2: Update Virtualmin.
### Certificate repair attempt
First I tried the renewal via the Virtualmin page but it failed:
"
Web-based validation failed :
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Renewing an existing certificate for kipurchat.creature-go.com
An unexpected error occurred:
AttributeError: can't set attribute
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
DNS-based validation failed :
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Renewing an existing certificate for kipurchat.creature-go.com
An unexpected error occurred:
AttributeError: can't set attribute
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
"
Then I tried in a terminal, I did run this without success (likely because not waiting a moment after the previous attempt):
```
root@sv005 ~ # certbot renew --force-renewal --cert-name kipurchat.creature-go.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/kipurchat.creature-go.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Renewing an existing certificate for kipurchat.creature-go.com
Failed to renew certificate kipurchat.creature-go.com with error: urn:ietf:params:acme:error:rateLimited :: There were too many requests of a given type :: Your account is temporarily prevented from requesting certificates for kipurchat.creature-go.com and possibly others. Please visit: https://portal.letsencrypt.org/sfe/v1/unpause?jwt=eyJhbGciOiJIUzI1NiJ9.eyJhdWQiOiJTRkUgVW5wYXVzZSIsImV4cCI6MTc3NDcwMTE1OCwiaWF0IjoxNzczNDkxNTU4LCJpZGVudGlmaWVycyI6ImtpcHVyY2hhdC5jcmVhdHVyZS1nby5jb20iLCJpc3MiOiJXRkUiLCJzdWIiOiIyMjc5MDc3MTg2IiwidmVyc2lvbiI6InYxIn0.0bSnk4-HuXVnUWJb-ck7aVJCPo9UaZf1xCMsQ9791ZU
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All renewals failed. The following certificates could not be renewed:
/etc/letsencrypt/live/kipurchat.creature-go.com/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
root@sv005 ~ #
```
So looks like we still have the "AttributeError: can't set attribute" problem.
## Certbot version
My certbot version is too old, I have bookworm-backports enabled but the apt install did not work:
```
root@sv005 ~ # certbot --version
certbot 2.1.0
root@sv005 ~ # grep -r "backports" /etc/apt/sources.list /etc/apt/sources.list.d/
/etc/apt/sources.list:# deb http://deb.debian.org/debian bookworm-backports main contrib non-free-firmware
/etc/apt/sources.list:# deb-src http://deb.debian.org/debian bookworm-backports main contrib non-free-firmware
root@sv005 ~ # apt install -t bookworm-backports certbot python3-certbot python3-acme
Reading package lists... Done
E: The value 'bookworm-backports' is invalid for APT::Default-Release as such a release is not available in the sources
```
What should I do now?
Enabled backports but certbot version cannot be updated:
```
root@sv005 ~ # apt install -t bookworm-backports certbot python3-certbot python3-acme
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
certbot is already the newest version (2.1.0-4).
certbot set to manually installed.
python3-certbot is already the newest version (2.1.0-4).
python3-certbot set to manually installed.
python3-acme is already the newest version (2.1.0-1).
python3-acme set to manually installed.
The following packages were automatically installed and are no longer required:
libclamav11 linux-image-6.1.0-35-amd64
Use 'apt autoremove' to remove them.
0 upgraded, 0 newly installed, 0 to remove and 54 not upgraded.
```
Enough - I will update to Trixie.
While performing "apt full-upgrade" the connection was lost.
After a while I rebooted the server and tried to run
"apt full-upgrade" again. I had to fix an issue but now there are errors:
```
root@sv005 ~ # apt full-upgrade
E: dpkg was interrupted, you must manually run 'dpkg --configure -a' to correct the problem.
root@sv005 ~ # dpkg --configure -a
Setting up libc-l10n (2.41-12+deb13u2) ...
dpkg: dependency problems prevent configuration of locales:
locales depends on libc-bin (>> 2.41); however:
Version of libc-bin on system is 2.36-9+deb12u13.
dpkg: error processing package locales (--configure):
dependency problems - leaving unconfigured
Setting up libc6:amd64 (2.41-12+deb13u2) ...
Checking for services that may need to be restarted...
Checking init scripts...
Restarting services possibly affected by the upgrade:
webmin: restarting...done.
saslauthd: restarting...done.
postfix: restarting...done.
ssh: restarting...done.
cron: restarting...done.
atd: restarting...done.
Services restarted successfully.
Setting up libc-dev-bin (2.41-12+deb13u2) ...
Setting up libc-devtools (2.41-12+deb13u2) ...
Processing triggers for man-db (2.11.2-2) ...
dpkg: dependency problems prevent processing triggers for libc-bin:
libc-bin depends on libc6 (<< 2.37); however:
Version of libc6:amd64 on system is 2.41-12+deb13u2.
dpkg: error processing package libc-bin (--configure):
dependency problems - leaving triggers unprocessed
Errors were encountered while processing:
locales
libc-bin
root@sv005 ~ #
```
How to proceed?
1. did not trigger an error but asks me this:
```
root@sv005 ~ # certbot certonly --webroot -w /home/admincg/domains/kipurchat.creature-go.com/public_html -d kipurchat.creature-go.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
An RSA certificate named kipurchat.creature-go.com already exists. Do you want
to update its key type to ECDSA?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(U)pdate key type/(K)eep existing key type:
```
I unpaused on Let's Encrypt page and retried but got an error:
```
root@sv005 ~ # certbot certonly --webroot -w /home/admincg/domains/kipurchat.creature-go.com/public_html -d kipurchat.creature-go.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
An RSA certificate named kipurchat.creature-go.com already exists. Do you want
to update its key type to ECDSA?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(U)pdate key type/(K)eep existing key type: U
Renewing an existing certificate for kipurchat.creature-go.com
Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
Domain: kipurchat.creature-go.com
Type: unauthorized
Detail: 65.108.193.31: Invalid response from https://kipurchat.creature-go.com/.well-known/acme-challenge/51dsdhWws4UEpTuZGIyeFXbYU8J2DpeKFQuACHvcTzA: 503
Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
```
On the Virtualmin page it failed, too. But certificate type still was RSA.
I changed to ECC and requested a new certificate but it failed:
"
Request Certificate
In domain kipurchat.creature-go.com
Requesting a certificate for kipurchat.creature-go.com from Let's Encrypt ..
.. request failed : Web-based validation failed :
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Renewing an existing certificate for kipurchat.creature-go.com
Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
Domain: kipurchat.creature-go.com
Type: unauthorized
Detail: 65.108.193.31: Invalid response from https://kipurchat.creature-go.com/.well-known/acme-challenge/-c7GdKxe8NtwulzVb8gYjF0WoMc9TVomdqJi_RA8ILU: 503
Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
DNS-based validation failed :
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Renewing an existing certificate for kipurchat.creature-go.com
Certbot failed to authenticate some domains (authenticator: manual). The Certificate Authority reported these problems:
Domain: kipurchat.creature-go.com
Type: dns
Detail: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.kipurchat.creature-go.com - check that a DNS record exists for this domain
Hint: The Certificate Authority failed to verify the DNS TXT records created by the --manual-auth-hook. Ensure that this hook is functioning correctly and that it waits a sufficient duration of time for DNS propagation. Refer to "certbot --help manual" and the Certbot User Guide.
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
"
The Step 1 test does not work:
```
root@sv005 ~ # mkdir -p /home/admincg/domains/kipurchat.creature-go.com/public_html/.well-known/acme-challenge/
root@sv005 ~ # echo "Success" > /home/admincg/domains/kipurchat.creature-go.com/public_html/.well-known/acme-challenge/test
root@sv005 ~ # ls
Maildir backups virtualmin-install.log virtualmin-install.log.1 work
root@sv005 ~ # cd work
root@sv005 ~/work # ls -alhrt
total 12K
drwxr-xr-x 3 root root 4.0K Oct 24 16:05 .
drwxr-xr-x 2 root root 4.0K Oct 24 19:21 wireguard-setup
drwx------ 11 root root 4.0K Jan 9 14:49 ..
root@sv005 ~/work # curl -IL http://kipurchat.creature-go.com/.well-known/acme-challenge/test
HTTP/1.1 301 Moved Permanently
Date: Sat, 14 Mar 2026 20:58:36 GMT
Server: Apache
Location: https://kipurchat.creature-go.com/.well-known/acme-challenge/test
Content-Type: text/html; charset=iso-8859-1
curl: (60) SSL certificate problem: certificate has expired
More details here: https://curl.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the webpage mentioned above.
```
Okay, after modifying
/etc/apache2/sites-available/kipurchat.creature-go.com.conf
according your instructions and restarting Apache
the certbot repair was successful:
```
root@sv005 ~/work # certbot certonly --webroot -w /home/admincg/domains/kipurchat.creature-go.com/public_html -d kipurchat.creature-go.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
An RSA certificate named kipurchat.creature-go.com already exists. Do you want
to update its key type to ECDSA?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(U)pdate key type/(K)eep existing key type: U
Renewing an existing certificate for kipurchat.creature-go.com
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/kipurchat.creature-go.com/fullchain.pem
Key is saved at: /etc/letsencrypt/live/kipurchat.creature-go.com/privkey.pem
This certificate expires on 2026-06-12.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
* Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
* Donating to EFF: https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
```
But the webpage at kipurchat.creature-go.com still shows the same error and
Virtualmin still shows a not-working SSL Certificate. How to fix this?
Step 1 fails, I get the Error "Failed to install certificate : Certificate file /etc/letsencrypt/live/kipurchat.creature-go.com/fullchain.pem must be under the virtual server's home directory".
Instead of running terminal commands and pointing Virtualmin to uncommon directories, wouldn't it be better to go the standard Virtualmin way: On tab "SSL Providers" Request Certificate ?
If this way would be better, which Certificate hash type should I select,
RSA or ECC?
Okay, after requesting a new certificate with ECC hash type the
kipurchat.creature-go.com has a valid certificate for https:// now.