Let's Encrypt SSL issue: ACME challenge

SYSTEM INFORMATION
OS type and version: Ubuntu 22.04
Webmin version: 2.105
Virtualmin version: 7.9.0
Related packages: SSL

I am trying to use Let's Encrypt to get SSL for my domain. I have used it before and set the TXT record for the ACME challenge on a different server.

But this time I'm setting up using Webmin/Virtualmin and I am having an issue.

When I click Let's Encrypt and wait for it to get the SSL cert, it fails as the ACME challenge fails.

But at no point was I even given the string of characters I need to enter into the TXT record to prove I own the domain, so of course it fails. What am I missing here?

Thanks

You don’t give it a string. Virtualmin does everything automatically. The whole process is automatic, but only if one of the following is true:

  1. Let’s Encrypt servers can make a web request to retrieve a file from the .well-known directory on the name(s) you’re trying to request a certificate for on your server. This means DNS has to be correctly configured for all names you are requesting a cert for, and you don’t have proxy or redirect rules or htaccess rules preventing retrieving files from .well-known.
  2. Or, Virtualmin is managing DNS and can create records that Let’s Encrypt can retrieve to prove you own the domain. This is only attempted if Virtualmin believes it is managing DNS (and you shouldn’t let Virtualmin believe it is managing DNS if it is not).

It’s always one of maybe three misconfigurations. Search the forum for what those are and how to troubleshoot it. It’s been discussed many times.
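A pre-flight check for the first condition above, written as an added example (it is not Webmin or Virtualmin code). It places a random token under `<docroot>/.well-known/acme-challenge/`, then, for every name the certificate should cover, asks whether the name resolves and whether the token comes back over plain HTTP, which is what the Let's Encrypt validation servers will do. The `resolve` and `fetch` helpers are injectable so the check can run offline against fakes (see `self_test`); the defaults use the standard library. All names and paths are hypothetical.

```python
"""Pre-flight check for HTTP-01: does each name resolve, and can a token
placed under .well-known/acme-challenge/ be fetched back over HTTP?

Added example, not Webmin/Virtualmin code.  `resolve` and `fetch` are
injectable so the logic can be exercised offline (see self_test); the
defaults use the standard library.  Names and paths are hypothetical.
"""
import os
import secrets
import socket
import sys
import tempfile
import urllib.error
import urllib.request

CHALLENGE_PATH = ".well-known/acme-challenge"


def default_resolve(name):
    """IPv4 addresses `name` resolves to, or [] when it does not resolve."""
    try:
        infos = socket.getaddrinfo(name, 80, socket.AF_INET)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def default_fetch(url, timeout=10):
    """GET `url` (redirects are followed, as the CA does) -> (status, body)."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, ""
    except (urllib.error.URLError, OSError):
        return None, ""


def check_http01(names, docroot, resolve=default_resolve, fetch=default_fetch):
    """Return {name: [problems]}; an empty list means HTTP-01 should succeed."""
    token = secrets.token_urlsafe(32)
    token_file = os.path.join(docroot, *CHALLENGE_PATH.split("/"), token)
    os.makedirs(os.path.dirname(token_file), exist_ok=True)
    with open(token_file, "w") as fh:
        fh.write(token)
    results = {}
    try:
        for name in names:
            problems = []
            if name.startswith("*."):
                # A wildcard can never be proved over HTTP; the CA insists on DNS-01.
                problems.append("wildcard name: HTTP-01 impossible, DNS-01 required")
            elif not resolve(name):
                problems.append("name does not resolve (NXDOMAIN / no A record)")
            else:
                status, body = fetch(f"http://{name}/{CHALLENGE_PATH}/{token}")
                if status is None:
                    problems.append("no HTTP answer (firewall, wrong IP, web server down)")
                elif status != 200:
                    problems.append(f"HTTP {status} for the challenge file "
                                    "(redirect, proxy or .htaccess rule?)")
                elif body.strip() != token:
                    problems.append("challenge URL served different content "
                                    "(another vhost or server answers for this name)")
            results[name] = problems
    finally:
        os.remove(token_file)  # never leave the probe file behind
    return results


def self_test():
    """Run the checker offline against constructed fakes; returns the results."""
    root = tempfile.mkdtemp()
    known = {"good.example", "redirected.example", "wrong-box.example"}

    def fake_resolve(name):  # constructed: only these names "exist"
        return ["203.0.113.10"] if name in known else []

    def fake_fetch(url):  # constructed: mimics three web-server behaviours
        host, token = url.split("/")[2], url.rsplit("/", 1)[1]
        if host == "redirected.example":
            return 301, ""
        if host == "wrong-box.example":
            return 200, "<html>default vhost</html>"
        with open(os.path.join(root, ".well-known", "acme-challenge", token)) as fh:
            return 200, fh.read()

    return check_http01(
        ["good.example", "nx.example", "redirected.example",
         "wrong-box.example", "*.good.example"],
        root, resolve=fake_resolve, fetch=fake_fetch)


if __name__ == "__main__":
    # Real use: python3 precheck.py /home/user/public_html example.com www.example.com
    if len(sys.argv) < 3:
        sys.exit("usage: precheck.py <docroot> <name> [<name> ...]")
    for name, problems in check_http01(sys.argv[1], sys.argv[2:]).items() if False else \
            check_http01(sys.argv[2:], sys.argv[1]).items():
        print(name, "OK" if not problems else "; ".join(problems))
```

Run it on the server itself against the virtual server's document root before clicking the Let's Encrypt button: a name that fails here will fail at the CA for the same reason, and the message tells you which of the two conditions (DNS or .well-known serving) to fix.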

OK, so the files are appearing in public_html/.well-known/acme-challenge/

But this is what I get:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for … and *…

Certbot failed to authenticate some domains (authenticator: manual). The Certificate Authority reported these problems:
Domain: mydomain.uk
Type: dns
Detail: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.nagatek.uk - check that a DNS record exists for this domain

Hint: The Certificate Authority failed to verify the DNS TXT records created by the --manual-auth-hook. Ensure that this hook is functioning correctly and that it waits a sufficient duration of time for DNS propagation. Refer to “certbot --help manual” and the Certbot User Guide.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

Are you asking for a wildcard certificate?

I am indeed.

That’s the DNS validation step. Which means web validation failed. So you’re either requesting a cert that includes names that don’t exist in DNS or files can’t be served from .well-known. Web validation is simpler to get right than DNS validation, so I would recommend you ignore the DNS validation error and look at the earlier errors related to web validation.

The only kind of cert that must use DNS validation is a wildcard cert. I advise against wildcard certs in most cases.
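The reasoning in the two replies above (which validation type failed, and whether a wildcard forces DNS-01) can be applied mechanically to certbot's own failure report. The following is an added example, not certbot or Virtualmin code: it parses the "The Certificate Authority reported these problems" block and derives the next thing to check. `SAMPLE` is constructed after the output posted in this thread, with example.test standing in for the real domain.

```python
"""Triage a certbot failure report: which validation type failed, and why.

Added example, not certbot or Virtualmin code.  SAMPLE is constructed
after the certbot output posted in the thread; example.test is a placeholder.
"""
import re

SAMPLE = """\
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for example.test and *.example.test

Certbot failed to authenticate some domains (authenticator: manual). The Certificate Authority reported these problems:
  Domain: example.test
  Type:   dns
  Detail: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.example.test - check that a DNS record exists for this domain

Some challenges have failed.
"""

REQUEST_RE = re.compile(r"Requesting a certificate for (.+)")
AUTH_RE = re.compile(r"\(authenticator:\s*([^)]+)\)")
PROBLEM_RE = re.compile(
    r"Domain:\s*(?P<domain>\S+)\s*\n\s*Type:\s*(?P<type>\S+)\s*\n\s*Detail:\s*(?P<detail>.+)")


def requested_names(report):
    """Names certbot said it was requesting, e.g. ['example.test', '*.example.test']."""
    m = REQUEST_RE.search(report)
    if not m:
        return []
    return [n.strip() for n in re.split(r",|\band\b", m.group(1)) if n.strip()]


def problems(report):
    """One dict per failed identifier: {'domain', 'type', 'detail'}."""
    return [m.groupdict() for m in PROBLEM_RE.finditer(report)]


def triage(report):
    """Summarise the report and say, per failure, what to check next."""
    names = requested_names(report)
    wildcard = any(n.startswith("*.") for n in names)
    auth = AUTH_RE.search(report)
    notes = []
    for p in problems(report):
        if p["type"] == "dns":
            if "NXDOMAIN" in p["detail"]:
                msg = f"{p['domain']}: DNS-01 failed, no _acme-challenge TXT record was published"
            else:
                msg = f"{p['domain']}: DNS-01 failed ({p['detail']})"
            if wildcard:
                # A wildcard can only be validated by DNS-01, so the client must be
                # able to write the zone; otherwise request it manually with certbot.
                msg += ("; a wildcard was requested, so DNS-01 is mandatory and the "
                        "ACME client must be able to write the zone")
            else:
                msg += "; no wildcard requested, so HTTP-01 would do: check .well-known serving instead"
        elif p["type"] == "http":
            msg = (f"{p['domain']}: HTTP-01 failed ({p['detail']}); check the name points at "
                   "this server and nothing blocks /.well-known/acme-challenge/")
        else:
            msg = f"{p['domain']}: {p['type']} validation failed: {p['detail']}"
        notes.append(msg)
    return {"names": names, "wildcard": wildcard,
            "authenticator": auth.group(1) if auth else None, "notes": notes}


if __name__ == "__main__":
    for line in triage(SAMPLE)["notes"]:
        print(line)
```

For the output in this thread the summary comes out as a DNS-01 failure on a request that includes a wildcard, which is exactly the situation described: the TXT record was never published because nothing on the server was in a position to publish it.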

Then Virtualmin must be managing DNS for your zone. Since it isn’t, Virtualmin can’t get a wildcard cert for you.

The fact that it let you try means you have led Virtualmin to believe it is managing DNS, but it clearly isn’t. So, you should fix that (disable DNS in Features and Plugins). You’ll need to request wildcard certs manually using certbot if Virtualmin isn’t managing your DNS, as it requires a multistep process that isn’t reasonable to put into a web form.

But, again, I advise against wildcard certs.
