"DNS-based validation failed : Only the offical Let's Encrypt client supports DNS-based validation" on cPanel imported domain

I imported a domain from a cPanel backup and I tried requesting a Let’s Encrypt SSL certificate for just “lejendz com” and the www version, and I get the following error.

Request Certificate
Requesting a certificate for lejendz com, www from Let’s Encrypt …
… request failed : Web-based validation failed : Failed to request certificate :

Traceback (most recent call last):
  File "/usr/share/webmin/webmin/acme_tiny.py", line 198, in <module>
    main(sys.argv[1:])
  File "/usr/share/webmin/webmin/acme_tiny.py", line 194, in main
    signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca, disable_check=args.disable_check, directory_url=args.directory_url, contact=args.contact)
  File "/usr/share/webmin/webmin/acme_tiny.py", line 149, in get_crt
    raise ValueError("Challenge did not pass for {0}: {1}".format(domain, authorization))
ValueError: Challenge did not pass for lejendz com: {'identifier': {'type': 'dns', 'value': 'lejendz com'}, 'status': 'invalid', 'expires': '2020-09-01T00:14:52Z', 'challenges': [{'type': 'http-01', 'status': 'invalid', 'error': {'type': 'urn:ietf:params:acme:error:dns', 'detail': 'DNS problem: query timed out looking up CAA for lejendz com', 'status': 400}, 'url': '', 'token': '', 'validationRecord': [{'url': 'lejendz com/.well-known/acme-challenge/', 'hostname': 'lejendz com', 'port': '80', 'addressesResolved': ['IPADDRESS'], 'addressUsed': 'IPADDRESS'}]}]}

, DNS-based validation failed : Only the offical Let’s Encrypt client supports DNS-based validation
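As an added illustration (not from this thread or from Webmin's own code), the authorization object that acme_tiny embeds in its ValueError can be parsed to surface the failing challenge and its ACME error type, which here points at a DNS lookup the CA could not complete rather than at the web server. The hint strings and the sample log line with a placeholder domain are this example's own.

```python
"""Summarise a failed ACME authorization like the one in the traceback above, so the root cause is visible at a glance."""
import ast
import re

# Validation-related error types from RFC 8555 section 6.7, mapped to the first
# thing to check. The hint wording is this example's own.
HINTS = {
    "urn:ietf:params:acme:error:dns":
        "CA could not resolve the name (A/AAAA or CAA lookup failed or timed out): "
        "check the nameservers delegated at the registrar and wait for propagation.",
    "urn:ietf:params:acme:error:connection":
        "CA resolved the name but could not connect: check the A record, "
        "port 80 reachability and any firewall in front of the host.",
    "urn:ietf:params:acme:error:unauthorized":
        "CA reached a web server but got the wrong challenge content: "
        "the name probably still points at the old server.",
}

# acme_tiny prints the Python repr of the authorization object, so this is not JSON.
_AUTHZ_RE = re.compile(r"Challenge did not pass for [^:]+: (\{.*\})", re.S)

def parse_acme_tiny_error(log_text):
    """Extract the authorization dict from acme_tiny's ValueError text."""
    m = _AUTHZ_RE.search(log_text)
    if not m:
        raise ValueError("no ACME authorization found in log text")
    return ast.literal_eval(m.group(1))

def summarize_authorization(authz):
    """Return the failing challenge's type, error type, detail and a remediation hint."""
    domain = authz["identifier"]["value"]
    failed = [c for c in authz.get("challenges", []) if c.get("status") == "invalid"]
    if not failed:
        return {"domain": domain, "challenge": None, "error_type": None,
                "detail": None, "hint": "no failed challenge in this authorization"}
    err = failed[0].get("error", {})
    return {"domain": domain, "challenge": failed[0].get("type"),
            "error_type": err.get("type"), "detail": err.get("detail"),
            "hint": HINTS.get(err.get("type"), "unrecognised error type; read the detail field")}

# Constructed sample log line in the shape of the traceback above (placeholder domain).
SAMPLE_LOG = ("ValueError: Challenge did not pass for example.test: "
    "{'identifier': {'type': 'dns', 'value': 'example.test'}, 'status': 'invalid', "
    "'challenges': [{'type': 'http-01', 'status': 'invalid', 'error': "
    "{'type': 'urn:ietf:params:acme:error:dns', "
    "'detail': 'DNS problem: query timed out looking up CAA for example.test', 'status': 400}}]}")

if __name__ == "__main__":
    print(summarize_authorization(parse_acme_tiny_error(SAMPLE_LOG)))
```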

Looks to me like the dot is missing from “lejendz com”.

Richard

I removed it because new users are limited to “two links per post”

Ah, okay. My apologies.

I think it may just be a propagation issue.

Only a handful of DNS servers were able to find you when I just checked.

Richard

Thanks, how do I fix this though? I didn’t update my DNS, all I did was import the cPanel backup and kept the old DNS records.

If the new (Virtualmin) server is providing DNS service, you need to re-point the nameserver IP address entries to the new nameservers’ IP addresses. You would do this in your registrar’s control panel.

If you’re using third-party DNS, you’d have to make the changes there.

If you’re still using cPanel for DNS, and you have other sites using those nameservers, then you’ll have to create new nameservers for the new server and assign their IP addresses in your registrar’s control panel. You’ll also have to re-point the nameservers for the one migrated domain to the new nameservers.

There are other possibilities depending on your specific situation (for example, if you have other domains on the losing server that you’ll be migrating).

Richard

If you have other domains on the losing server that you’ll be moving, setting the TTLs on the DNS for the moved domains to something ridiculously low (like 300) on the losing server, and pointing the already-moved domains to the new server’s IP with “A” entries in the old server’s DNS records, might solve your problem while DNS is propagating.

I say “might” because I’ve never tried it with LE DNS-based validation. I can’t think of a reason why it wouldn’t because it’s not at all uncommon for a domain’s DNS to be provided by a different server than the one upon which it resides, but I’ve never actually tried it with LE.

Richard

Hi,

Aside from making sure that DNS is configured and working correctly, make sure to install the certbot package:

apt-get install certbot

That may have fixed it? Requesting a certificate worked this time, but it looks like more servers are seeing my DNS now too, so who knows. Either way, let’s just mark this solved for now, I guess.

Yes, unless a domain is resolvable, there is no way to request a new certificate, because verification fails.
