Lets Encrypt certificate with a Virtualmin subserver results in Security error/Deceptive site ahead

OS type and version MacOS Venture 13.0.1/Android 13
Webmin version 2.011
Virtualmin version 7.5
Related packages n/a

I have Virtualmin installed and working fine on a VPS serving up a few wordpress sites, but am having issues setting up a subserver and using a Let’s Encrypt cert. I can request the cert just fine, using the Virtualmin interface. When I request the cert I get the expected success response that looks like this:

Requesting a certificate for sub.mydomain.com, www.sub.mydomain.com, mydomain.com, www.mydomain.com from Let's Encrypt ..
.. request was successful!

Configuring webserver to use new certificate and key ..
.. done

Applying Nginx configuration ..
.. done

Re-loading Webmin ..
.. done

Re-starting Usermin ..
.. done

Restarting mail server ..
.. done

However, my issue is that most browsers display a “Security error/Deceptive site ahead” warning. Why does this happen and how can I resolve it?

Additional notes:

  • the subserver is using a subdomain (i.e. sub.mydomain.com)
  • the subserver is setup as it’s on virtual server in Virtualmin, that is, it’s not a “subdomain” as Virtualmin defines it - i want this because I want each subserver to have it’s own home/public_html directory
  • the DNS A records are set for both the subdomain and www (i.e. sub.mydomain.com, www.sub.mydomain.com)
  • I have also tried including the main domain in the cert request - it “succeeds” on getting the cert, but same problem exists
  • I have setup non-sub-domain sites using the Let’s Encrypt tool and they seem to work just fine.


When doing a sub.domain.ltd only do the certificate for that level. Leave out the top level and see what happens.
You will have to manually enter them in the box before submitting.

This shows only in the Chrome browser.

Google displays this when it finds a page on your website which is impersonating another brand and attempting to fool visitors into divulging sensitive information.

You should check your logs for traffic to URLs and scripts that should not exist on your server.

1 Like

I’m not sure what you mean by “leave out the top level”? I have to include the top level domain (.com). I did try using this:

But still get the same warning

Actually it shows in firefox and safari as well. I think that’s a good idea to check logs, and I’ll check them but should i expect such scripts on a vanilla install of Virtualmin and creating a new basic virtual server?

If you created a sub-server under a Top-level-server in Virtualmin than technically you only need to create an SSL Certificate for the sub-server under Virtualmin > subserver.mydomain.com > Server Configuration > SSL Certificate:
In Let’s Encrypt you will see “Domains associated with this server” subserver.mydomain.com

As to what @calport is trying to tell you, make sure you are not using a trademark brandname in your subserver.mydomain.com such as microsoft.mydomain.com will trigger browsers to give users the warning page before entering your website.

Yes, I was under the impression that this warning is generated by Google only. One lives and learns.

1 Like

Doesn’t this mean you site has been hacked? All google search on that term says the site has been hacked.

I mean it could mean you’ve been hacked, but not in this case…

Actually, I just realized I did NOT create a sub-server. Rather I created a stand alone virtual server, and used a subdomain for a server that I already have (i.e. i already own mydomain.com and I created sub.mydomain.com). I don’t think I want or need to create a sub-server for each new virtual server - really I just need the subdomain. I’m using this for staging/test versions of new websites for my clients. So I can have website1.mydomain.com, website2.mydomain.com, etc. Ultimately they’ll have their own virtual server - and stand alone domain. Sorry for the confusion!

Ah, makes sense re branding! I’m not using any sort of well known domain as my subdomain, although the subdomain is registered as a .com domain. I don’t know how this would have any affect though as I’m only using the first part of the registered domain.

I am veering off-topic so I will be brief:

  1. Your search engine rankings could be impacted @ferd-z if you have random subdomains under the domain of your primary brand.

  2. If you must use subdomains for staging customer websites, then do this: create virtual server for your client domain even if it not yet registered or configured to work with your server and then create an alias for that virtual server and use your subdomain as an alias.

Use the alias for staging the website and when the customer has pointed his domain to your server, delete the alias.

https://sheherwali.indiax.com was the staging domain (alias)
https://sheherwali.co.in is the customer domain

If you wish to discuss this further, please start a new topic.

I seen some search that you go into google search console (if you have set it up in there) and request it be removed.
see here

Yes! I think this has resolved my issue. I just submitted a request and it seems to not be showing. I noticed that Firefox was also displaying the issue, but I read that Firefox subscribes to the Google API and displays this same warning.

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.