Best practices for setting up server's subdomain (server.example.com) and Virtual Server for base domain (example.com)

(I apologize for some odd domain formatting, as a new user I’m only allowed to include 2 URLs in my post, so I had to make some modifications. Correction, all domain references are now modified as someone is reporting the non-working, example domains that I’m using as spam, lol. Thanks for the warm welcome to the forum whoever you are!)

Hello all!

I’m new to Virtualmin and I’m in the process of trying to setup a fresh server with it, but I’ve run into some issues with getting the server’s subdomain and base domain both setup and running, so I wanted to see if there are some best practices for setting this up. I’ve tried quite a few searches on the subject but so far I haven’t had any luck.

For example, I want to have server-DOT-example-DOT-com as the FQDN for my new server, and I’ve been able to get that setup just fine and generate an LE cert for it, but I also want to have example-DOT-com setup as a Virtual Server, but as soon as I do that the server-DOT-example-DOT-com setup seems to break. The server-DOT-example-DOT-com setup seems to get overwritten with the example-DOT-com setup, and then I lose access to my Virtualmin UI because the server’s FQDN is now messed up and pointed at the hosting for example-DOT-com (I can still access the UI via the IP address though).

So I guess my questions are, should I even be doing this? Do best practices tell me that if I use server-DOT-example-DOT-com as the FQDN for my server, that I shouldn’t use example-DOT-com for anything? And if it’s perfectly fine to have both of these setup at the same time, how would someone go about doing it without things breaking?

In my opinion, the best practice for users new to Virtualmin is CentOS 7 with a full installation and a real domain name, but it is possible to do it with a local.
If using a domain, point your CNAME to your VPS IP address and it will work.

I confirm I can use vps01.indiax.com as my FQDN hostname and indiax.com as a separate virtual server.

@makleinx, sorry, I probably should’ve been more clear. I am indeed trying this with a real domain, I just used example-DOT-com so I didn’t expose the actual domain.

Do you have any further information that explains the CNAME setup? The issue I’m having is more with the actual Virtualmin setup for the subdomain and domain, and I’m having a hard time figuring out why using a CNAME record over an A record would resolve this.

@calport, do you by chance have any information about how you set this up?

It wouldn’t. CNAME is just an alias. No difference in terms of what appears in the host header from the browser.

Virtualmin/Webmin will answer no matter what name you give it, as long as it resolves to the right IP. So, make sure DNS for both names resolves to the IP of your server. The only difference between the two names, in terms of how Webmin responds, would be if the virtual server has an SSL certificate, in which case it’d use that cert to secure the connection. Otherwise, it’ll use the Webmin default cert (self-signed cert created automatically during installation, or whatever cert from a virtual server you told it to use as the default).

Also, please keep in mind that these are all just names. A name that is a “subdomain” of something else is still just a name. If it resolves correctly to the right IP, Webmin will answer. It does not care about names (again, except for the SSL cert to use).

Also, I feel like you’re maybe making this too complicated? There isn’t really anything to it. Give your server a fully qualified domain name that resolves, and is not one that you’ll be using as a virtual server in Virtualmin. That’s literally all there is to it. It can be anything, but if you have a lot of servers, naming it something somewhat meaningful and systematic is helpful. i.e. I use srv1.virtualmin.com srv2.virtualmin.com, etc.

Sorry, I switched them. Your A alias of your domain should point to the IP address of your VPS server; just add a new virtual server with the domain name and delete the old one. Add a CNAME to your domain for the subdomain you want and then add a sub-server in Virtualmin. If you want the domain configured on your server you have to add the NS domain address of your real domain… don’t ask me that, maybe under DNS records in Virtualmin.

I’m not sure how I’m making this more complicated. As I mentioned in my first post I’m literally trying to do exactly what you’re recommending and it’s breaking my setup, which is why I’m on the forum asking for help.

Sorry, I’m not meaning to dissuade you from asking for help, I just can’t figure out how you’d get the behavior you’re seeing. It’s how we’ve always recommended folks set things up and how I’ve done it forever.

Oh…I might know what’s going on…did you, perhaps, use a name like admin.example.com? There are a few default domains that get set up in Virtualmin when you create a new virtual server, and admin is one of them. I don’t recall all of them, but you can look in the newly created DNS zone to see them all (they’ll be aliases of the domain itself).

Do you happen to have an updated location with the documentation on this? The only related information I could find was on the Webmin wiki about how to setup an SSL cert for your server’s FQDN, but it was last updated a few years ago and it had some inconsistencies.

@Joe, so after doing some more investigating, it seems as though the issue is with the SSL certs. There doesn’t seem to be a way to setup one LE SSL cert for my server’s FQDN (server-DOT-example-DOT-com), and one LE SSL cert for the base domain virtual server (example-DOT-com). When I try to use multiple certs they just conflict and one of them tries to function for both the subdomain/server and base domain/virtual server.

For anyone else that runs into this issue, what I did to fix this was when I generated the SSL cert for my virtual server (example-DOT-com), I included my server’s FQDN in the cert request (server-DOT-example-DOT-com), and then that newly requested cert was used for both my server at server-DOT-example-DOT-com, as well as my virtual server at example-DOT-com.

I’m not sure if this is the “right” way to solve this issue, but at least it’s up-and-running while I try to solve the issue on a more permanent basis.

The way you solved it is fine. But, you could also solve it by using Webmin’s Let’s Encrypt support to issue a cert for the FQDN…but, normally I never use that name to reach the server. I use one of my virtual servers as my “main” domain on the server, and use it for mail (which historically couldn’t use SNI), Webmin, Usermin, etc. There’s no reason to need a cert for a name you never use, and it’s automatic for the virtual servers that have certs.

I would prefer it the way you suggest, so I tried it that way first (and a few times since), but it just wouldn’t work, that’s why I ended up trying the reverse method, which worked on the first try.

So is there no way to have one LE cert for server-DOT-example-DOT-com via Webmin, and one LE cert for example-DOT-com via Virtualmin? This is ideally how I would like it setup, so the certs/FQDNs are completely separate, but no matter what I try that just doesn’t want to work, only one of the certs seems to remain in-place.

What errors do you get? In what way doesn’t it work?

At one point it gave an error stating that it couldn’t generate an SSL cert with the server-DOT-example-DOT-com FQDN because there was no virtual server associated with the domain, and other times it failed to retrieve the SSL cert because Webmin was in SSL mode so port 80 wasn’t working for the verification, so I disabled SSL in /etc/webmin/miniserv.conf, restarted, and then after logging into Webmin via http instead of https I got an error that I couldn’t login because I didn’t have cookies enabled, which I did. I eventually gave up and did the SSL certs the reverse way and it worked on the first try.

If there’s no way to issue separate LE certs for server-DOT-example-DOT-com via Webmin and example-DOT-com via Virtualmin (is this possible?), I may just have to rethink my plan of using the same domain for the server’s FQDN as well as a virtual server.

I confirm I can use vps01.indiax.com as my FQDN hostname and indiax.com as a separate virtual server.

If you want to have a quick look at how I have set up mine, we could do a screen share session.


That sounds buggy. Webmin can validate via DNS, if the zone is locally hosted, or it can validate via a webserver (Apache or nginx)…I didn’t think it tried to validate via Webmin’s web server. I think I need to see the exact and full error to know what’s going on and what code path you’re hitting.

Don’t do that. If your system FQDN matches that of one of your virtual servers, you’ll have a confusing and difficult to resolve situation with mail delivery, among other things.

Why not just connect to Webmin on the name of the virtual server and forget about the server name? i.e. If I had a server named srv1.virtualmin.com and a virtual server on that server named virtualmin.com, I would just use https://virtualmin.com:10000 to connect to Webmin. Why use the other name at all?

But, this is why I think you’re making it too complicated. I never even issue a cert for Webmin on the FQDN on any system that has Virtualmin. It can (given the right set of circumstances and available services and DNS entries), but it doesn’t need to, because you have every single domain in Virtualmin that can be used to connect to Webmin, and they can easily get a cert. You’re doing all this work and fighting with it…but, for what? The FQDN is to make Postfix happy (among other services), it’s not needed to connect to Webmin.


@calport, I appreciate the offer, but I’ve decided to change my setup a bit so this is no longer an issue.

I mean that I’m not going to use example-DOT-com for a virtual server anymore, just server-DOT-example-DOT-com for the server’s FQDN, and I’m not going to use example-DOT-com for anything at all. The issues I’m running into aren’t worth the time, so I’ve changed my plan and am going to use a completely different domain for the virtual server.

Hmmm, I guess that’s true, as long as I use the port I should be ok. Maybe this is the way to go. I don’t know why but it feels kind of dirty to me, lol, like it’s a workaround for something that shouldn’t be so difficult to get setup, but I guess this solution would at least get things up-and-running.

Thanks a lot for your help on this @Joe!

Does it help to know that Virtualmin had Let’s Encrypt support long before Webmin had, and this is how we’ve been recommending it be done literally for years? It’s literally how you’re supposed to do it. Once you’ve got Virtualmin domains, that’s how you’re supposed to connect to Webmin.

If you want no port in the URL, use admin.domain.tld, it will redirect you to port 10000 on domain.tld.
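
The two checks this thread keeps coming back to, as an added example that is not part of the original posts or of Virtualmin/Webmin: whether one certificate's SAN list covers every name you connect with, and whether the system FQDN collides with a virtual server or one of its default aliases. All hostnames and SAN lists are constructed sample values, and `default_prefixes` is an assumption (only `admin` is named in the thread).

```python
# Added example: sanity checks for the naming advice in this thread.
# All hostnames and the SAN lists below are constructed sample values.

def san_matches(hostname, pattern):
    """RFC 6125-style match: '*' may only stand for the whole left-most label."""
    host = hostname.lower().rstrip(".").split(".")
    pat = pattern.lower().rstrip(".").split(".")
    if len(host) != len(pat):
        return False
    if pat[0] == "*":
        # Refuse over-broad wildcards such as "*.com".
        return len(pat) > 2 and host[1:] == pat[1:]
    return host == pat


def uncovered_names(names, cert_sans):
    """Return the names a client would get a certificate mismatch for."""
    return [n for n in names if not any(san_matches(n, s) for s in cert_sans)]


def fqdn_conflicts(system_fqdn, virtual_servers, default_prefixes=("admin",)):
    """List reasons the system FQDN clashes with a virtual server.

    default_prefixes: records auto-created in each new zone. Only 'admin'
    is named in the thread; check your own zone for the rest (assumption).
    """
    fqdn = system_fqdn.lower().rstrip(".")
    problems = []
    for domain in (d.lower().rstrip(".") for d in virtual_servers):
        if fqdn == domain:
            problems.append(f"{fqdn} is itself a virtual server")
        for prefix in default_prefixes:
            if fqdn == f"{prefix}.{domain}":
                problems.append(f"{fqdn} is a default alias in zone {domain}")
    return problems


if __name__ == "__main__":
    # The virtual server's cert before and after adding the server's FQDN
    # to the request, which is the fix the original poster describes.
    before = ["example.com", "www.example.com"]
    after = before + ["server.example.com"]
    wanted = ["example.com", "server.example.com"]
    print("before:", uncovered_names(wanted, before))
    print("after: ", uncovered_names(wanted, after))
    print(fqdn_conflicts("admin.example.com", ["example.com"]))
    print(fqdn_conflicts("server.example.com", ["example.com"]))
```

To run it against a live server, feed `uncovered_names` the `subjectAltName` DNS entries from the certificate actually served on the port you use for Webmin.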