Error with SSL certificate renew

OS type and version Ubuntu Linux 20.04.4
Webmin version 1.994
Virtualmin version 7.1-1
Related packages Lets Encrypt

A few days ago I got this warning:

SSL Certificate Warning

The following virtual servers' SSL certificates have expired : 

So I go to Server Configuration>SSL Certificate>Let’s Encrypt and request certificate but I’m getting the same error like here: I just try the fix found in that thread but the error is still there.

This fix: don’t work too.

I can’t renew the certificate yet, I’m attaching the logs files, can someone help with this?

e3.log (3.3 KB)
e2.log (3.3 KB)
e1.log (3.4 MB)

I didn’t do any changes in the domain or server config, in the same VPS (from Contabo) I have others websites and I was able to renew the others certificates with no problems.



The issue is related to the subdomains:


These don’t appear to have an A record pointing to the domain where the “.well-known” folder is located.

Because they cannot find the acme-challenge file, the whole request is failing.

During SSL certificate generation, try selecting the second option and entering just:

If you require more assistance, please feel free to reach out for a paid consultation.

Thanks but I already try it, but just in case I did it again, the error now:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for
Using the webroot path /home/rcorta/public_html for all unmatched domains.
Waiting for verification...
Challenge failed for domain
http-01 challenge for
Cleaning up challenges
Some challenges have failed.
 - The following errors were reported by the server:

   Type:   unauthorized
   Detail: Invalid response from

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.


Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for
Running manual-auth-hook command: /etc/webmin/webmin/
Waiting for verification...
Challenge failed for domain
dns-01 challenge for
Cleaning up challenges
Running manual-cleanup-hook command: /etc/webmin/webmin/
Some challenges have failed.
 - The following errors were reported by the server:

   Type:   dns
   Detail: DNS problem: NXDOMAIN looking up TXT for - check that a DNS record exists for
   this domain

That domain is running with zero issues almost 2 years, I don’t know why that error is showed because I dont touch anything in the DNS records.


The acme-challenge file doesn’t appear to exist, so it cannot validate against it. Also you are using for your DNS so that won’t work either.

At this point, I can only speculate that something is misconfigured somewhere, however I’d need to take a look to be sure what’s going on.

I have the same setup for 2 years with no errors…

DNS challenge, is this new? Sound like you missing a TXT record in the DNS.


I too am having issues with certificate renewal
I have multiple servers with hundreds of domains.

I have noticed that the acme-challenge file is now being generated owned root:root with perms 660. This file cannot be served by the Apache server and so web based validation fails. The process then tries DNS based validation however this is not the issue.

I coerce the process to work by the following command at the command line
chmod 644 .well-known/acme-challenge/*

…this allows the file to be served by Apache and read by the LE servers and the process continues successfully. Check your Apache logs, you will see errors like:

[Tue Jun 07 11:20:31.197061 2022] [core:error] [pid 12884] (13)Permission denied: [client] AH00132: file permissions deny server access: /home/

…this has just started happening on my servers… not sure if it is recent Ubuntu updates or the recent Virtualmin update.

Odd, I don’t see files being own by root. It must be owned by virtual server user:group.

@treken no, I can´t see that kind of errors, check my first post with the logs thanks

@Ilia I just check it again, permissions are fine.

This is my DNS setup, all is created by default by Virtualmin

is it something wrong with it?


Your domain is being managed by from what I could see, so any DNS records in Virtualmin are ignored.

That’s not the problem, all my domains on the same VPS are using the contabo setup with no issues


I was merely pointing out that DNS records in Virtualmin are NOT being used since you host your DNS records with them.

You need to add any missing DNS records to

@tpnsolutions In the registrar I point the domain to the Contabo DNS , after that in Contabo Admin panel I need to create the DNS to point it to the VPS IP, all of this is in auto. After that I just create the package in the virtualmin.

is there another way to do that?

this is from my Contabo setup:


If you want to host your own DNS records, you need to create something like:

Set those up with your registrar (a glue record) then point your domain to your own nameservers.

Once you do so, Virtualmin can manage all aspects of DNS for you.

Otherwise you can use that page above (Virtualmin’s DNS records) as a reference for populating’s DNS server.

I was analyzing @tpnsolutions suggestion when I saw that the certificate was renewed without problems, the only change I made was to disable the htaccess script used on that website which contains the following:

<IfModule mod_rewrite.c>
     RewriteEngine On
     RewriteRule ^(.*)$ public/$1 [L]

could this be the reason for the previous errors?


Ah, yes that will cause problems.

I’ll provide you a fix for that which you can implement to deal with this

RewriteCond %{REQUEST_URI} !/.well-known/?.*

Add this before the RewriteRule

*** I’m on the road so there may be a typo in above snippet – will verify when I get back to the office ***

Ugh, forum removed some escaping in above snippet. If you are familiar with regex you should be able to correct.

1 Like

For sure! thanks @tpnsolutions