Cloudflare and Let’s encrypt

@staff

Alma Linux 8.5
Virtualmin 7

Hi. I’m afraid I’m here to ask for help again. I’ve read through the questions on here about using Virtualmin and having my DNS at Cloudflare. If you think I would be better off raising this with Cloudflare again please just tell me, but I’ve already raised it with them and they directed me back here when I asked them. I can get the domain to work and go to the default holding page if I use flexible rather than full strict or full. I have tried all those options and only the domain works and gives m

I cannot add Let’s Encrypt SSLs to my domain and subdomain. I get the error messages that are shown below for my domain:

And the following message for my subdomain:

I think from reading on here that one of the first problems is that going through Cloudflare means the IP address pointing to my server changes to one of Cloudflare’s IPs, which Let’s Encrypt doesn’t like, so it fails to go through. Is that correct? What fix is there for that? There is also the problem Cloudflare told me about: their IP addresses will not stay the same as the ones they are using just now.

Name server mismatch is another problem, as on Let’s Encrypt it is showing the domain name servers as the Cloudflare ones. I added these to the Virtualmin DNS but that didn’t work. Could this be because there is then a perpetual loop? Do you know how I fix that?

In the second pic, it says nameservers for my subdomain.com could not be found. Yet I have the nameservers set using the Cloudflare NS too.

The next problem is that

I pressed send before finishing hence this second question.

@staff.

The next problem is that the Let’s Encrypt request failed showing a 403 error, so the website request fails.

I also have a problem that both IPv4 and IPv6 cannot be pinged by the Let’s Encrypt attempt.

I know these posts are ridiculously long, so sorry for that, but I thought that someone might possibly need all the info so they would be able to respond.

Thanks

Grant

That is exactly what you’re supposed to do. It will never work using Full or Full Strict.

Flexible is what it’s supposed to be on. I’ve used it for years that way and never had an issue. Don’t let the terms “full” and “full strict” make you think that unless it’s set there it’s not really working.

Ok thanks for that. That helps.


If Cloudflare is your authoritative DNS server, obviously nothing you do in Virtualmin DNS matters.

Are you requesting wildcard certs? I’m trying to figure out why DNS would be involved in Let’s Encrypt at all. A web request can validate a certificate for a single domain. (Wildcards should be considered a last resort, as they have security implications and are more complicated to validate and manage.)

Oh, also, I think Virtualmin Pro 7.0 has support for Cloudflare-hosted DNS, but it doesn’t sound like that’s what you’re doing.
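To make the point in this reply concrete, here is an added example (it is not Virtualmin, Let’s Encrypt or Cloudflare code) that simulates the ACME HTTP-01 challenge from RFC 8555 offline: the origin serves one key authorization per token under /.well-known/acme-challenge/, and the "CA" side validates each hostname with a plain HTTP GET to the address the name resolves to (here 127.0.0.1). Nothing in the exchange consults the zone’s nameservers, which is why it does not matter who hosts DNS as long as the name resolves to something that forwards the request to the origin. The account key, tokens and hostnames are constructed sample values.

```python
"""Offline simulation of ACME HTTP-01 (RFC 8555 section 8.3). Added example,
not code from Virtualmin or Let's Encrypt; every key, token and hostname
below is a constructed sample value."""
import base64
import hashlib
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

CHALLENGE_PATH = "/.well-known/acme-challenge/"


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME and JOSE require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the canonical JSON (sorted members,
    no whitespace) of the key's required members only."""
    required = {"oct": ("k", "kty"), "EC": ("crv", "kty", "x", "y"),
                "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({m: jwk[m] for m in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode()).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """What the origin must serve for a token: token '.' thumbprint(account key)."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def start_origin(responses: dict):
    """Start a throwaway HTTP origin on a free localhost port that answers
    /.well-known/acme-challenge/<token> from `responses` and 404s anything else.
    Returns (server, port); call server.shutdown() when done."""

    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            token = (self.path[len(CHALLENGE_PATH):]
                     if self.path.startswith(CHALLENGE_PATH) else None)
            body = responses.get(token)
            if body is None:
                self.send_error(404)
                return
            data = body.encode()
            self.send_response(200)
            self.send_header("Content-Type", "application/octet-stream")
            self.send_header("Content-Length", str(len(data)))
            self.end_headers()
            self.wfile.write(data)

        def log_message(self, *args):  # keep the example quiet
            pass

    server = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def validate_http01(host: str, port: int, token: str, account_jwk: dict) -> dict:
    """The CA side: plain HTTP GET to the name's address, compare the body to
    the expected key authorization. No DNS provider API is involved."""
    url = f"http://{host}:{port}{CHALLENGE_PATH}{token}"
    expected = key_authorization(token, account_jwk)
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # ignore env proxies
    try:
        with opener.open(url, timeout=5) as resp:
            body = resp.read().decode().strip()
    except urllib.error.HTTPError as e:
        return {"ok": False, "reason": f"origin answered HTTP {e.code}"}
    except urllib.error.URLError as e:
        return {"ok": False, "reason": f"could not reach origin: {e.reason}"}
    if body != expected:
        return {"ok": False, "reason": "key authorization mismatch"}
    return {"ok": True, "reason": "validated"}


if __name__ == "__main__":
    account = {"kty": "oct", "k": b64url(b"constructed-account-key")}  # constructed
    # One token per hostname in the order; both names point at the same origin.
    tokens = {"domain.example": "tokA1", "server3.domain.example": "tokB2"}  # constructed
    served = {t: key_authorization(t, account) for t in tokens.values()}
    server, port = start_origin(served)
    try:
        for name, token in tokens.items():
            print(name, validate_http01("127.0.0.1", port, token, account))
        print("unknown token", validate_http01("127.0.0.1", port, "nope", account))
    finally:
        server.shutdown()
        server.server_close()
```

Each hostname in an order gets its own token and its own GET, so the origin only has to answer the right body for each path; a 403 or 404 on that path, or a name whose address does not lead to the origin, is what shows up as a failed challenge.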

Hi and thanks for responding at the weekend. I really didn’t expect that. I have taken a break from it for the rest of the day as it was making me so frustrated.

I haven’t been trying for wildcards as I agree with you that they should be a last resort.

What I’m going to do is come back to it tomorrow delete the domain and sub domain and start from scratch again with proper notes of what I’m doing and in what order so that I can be more sure about the effect of each change. I’ll take it more slowly too. I have time to get this right.

I’ll follow this up tomorrow with what worked and what didn’t so that if I need some help I can share and do the same with works in case it is helpful for someone else.

Thanks

Then this error is a bug in Virtualmin. I’ve asked Jamie to take a look. We shouldn’t be failing based on validating something that isn’t even relevant to the action being taken. (Ugly messy Let’s Encrypt errors made people panic so much they wouldn’t even read them, so I guess this was intended to prevent that, but this makes the problem insurmountable, not just scary looking.)

what a fail man…

Sorry. Didn’t mean to cause you a problem!

When I start again in the morning I’ll be sure to keep pics of any error messages and what I’ve done to cause them and hopefully that will be helpful to you. As I said I am in no rush.

Cheers

Grant.

lol, we caused our own problems, in this case. If you didn’t hit it somebody would hit it.

You may be contributing to the problem, though, since you are not hosting DNS in Virtualmin, but Virtualmin believes you are. If you do not want to manage DNS in Virtualmin (either locally with BIND or in a cloud DNS provider…I know Route 53 and Google Cloud DNS are supported, I think Cloudflare is, too), you should disable the DNS feature in Features and Plugins (and for all domains currently using it).

Virtualmin assumes it can trust you to tell it what your situation looks like. You’ve misled it about who is responsible for DNS, so it is validating things that it should not be validating. So…the error still shouldn’t happen, but it is also indicative of a problem in your specific configuration that I’m pretty sure you can fix.

basically - what a fail… man, not a fail of OP or anyone here using software…

I’ve just checked in a code change that will stop Virtualmin from validating domain features that don’t matter when requesting a Let’s Encrypt cert.

Also, on the cert request form, you can turn off validation entirely if it’s generating false negatives like this.


Thanks. I’ll find the option that pertains to the use of Cloudflare and the others you mentioned and start from that point and I can then make a decision about which DNS service I use.

Sorry I didn’t see this post until I had sent my first response. I’ll try this and see how it goes. Is there any downside to not using validation?

DNS validation can’t do anything useful if Virtualmin isn’t managing DNS.

I am starting from scratch with a clean install of Alma Linux, Virtualmin and everything updated.

My domain and subdomain both have an A record pointing to my server.

Domain and subdomain both access the site, and both show that the html folder is empty as they have not yet been added to Virtualmin. Both are proxied through Cloudflare and the setting on SSL/TLS is flexible.

I try sub-domain:10000. This ends up timing out, which is now no longer a surprise as I found out Cloudflare doesn’t open port 10000. I have access to the login page by a link provided to me by my VPS provider.


Adding DNS management to the server turned off


I now add my domain to Virtualmin. SSL for domain on creating server fails with error message: connectivity check failed.

Add subdomain: server3.domain.com. No errors.

Domain and subdomain now successfully load the Virtualmin default page. Both have a padlock in the address bar due to using Flexible on Cloudflare.

Adding an SSL cert. Currently both domain and subdomain are sharing a self-signed cert and thus are able to work on Full on Cloudflare. Full is successful. As expected, Full (strict) fails on both. Back to Flexible now, where as expected both show the Virtualmin default page.

I now try to create a Let’s Encrypt cert for both. I accepted the default domains of domain.com and www.domain.com and added server3.domain.com and, using the check connectivity option, was given the following errors:

I will stop here to ask for further support and I hope this information, despite being long winded, is helpful.

I don’t know why that post didn’t include the pictures so here they are:

Pic 1

Pic 2

Hi
How do I get access to the code change and are there any implications to not having validation?

@staff

Good news! I managed to get Let’s Encrypt to work today. My mistake was trying to get a cert for both domain.com (+ www) and the sub domain, server.domain.com, at the same time. I thought I could request for a sub domain in the same request as the domain. That’s what was causing the error messages. I did the request for the domain and after that completed I requested for the sub domain. Both were successful. They both now work with Cloudflare Full (strict). I’m aware that it was suggested that I shouldn’t use Full or Full (strict) and just use Flexible. Does anyone have clear thoughts on why I should choose one option over the others?

Thanks.