Let's Encrypt web-based validation, but log shows DNS-based

System hostname: my.domain.id
Operating system: AlmaLinux Linux 8.5
Webmin version: 1.994
Usermin version: 1.840
Virtualmin version: 7.1 Pro
Authentic theme version: 19.93.1

Hi, I failed to get a Let's Encrypt cert and am getting this response when it fails. My concern is that it might be a bug where Virtualmin displays the wrong thing:

Requesting a certificate for domain.id, www.domain.id from Let’s Encrypt …
… request failed : Web-based validation failed :
Requesting a certificate for domain.id and www.domain.id

  Domain: domain.id
  Type:   dns
  Detail: DNS problem: SERVFAIL looking up CAA for domain.id - the domain's nameservers may be malfunctioning

  Domain: www.domain.id
  Type:   dns
  Detail: DNS problem: SERVFAIL looking up CAA for domain.id - the domain's nameservers may be malfunctioning

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

This is the access log:

- - [19/Jul/2022:14:37:20 +0700] "GET /.well-known/acme-challenge/Jx8zaoLGcBuM4kbmYtES8LL62-fuLpRnN89sUyGb8HA HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
- - [19/Jul/2022:14:37:20 +0700] "GET /.well-known/acme-challenge/rW2wZ47GYXucLJ71voQ3Yt6H8IxVQHXhB1qYmFrOhMw HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
- - [19/Jul/2022:14:37:22 +0700] "GET /.well-known/acme-challenge/Jx8zaoLGcBuM4kbmYtES8LL62-fuLpRnN89sUyGb8HA HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
- - [19/Jul/2022:14:37:23 +0700] "GET /.well-known/acme-challenge/Jx8zaoLGcBuM4kbmYtES8LL62-fuLpRnN89sUyGb8HA HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"

Then, how can I get a Let's Encrypt cert for this virtual server with these errors?
Also, is it possible to request a test-server or dry-run cert in virtual servers? This virtual server has exhausted its attempts to request from Let's Encrypt. I know I can request a test cert in Webmin > Webmin Configuration > SSL > Let's Encrypt, but not in virtual servers.

Have you used mxtools to make sure all is correct for the domain?

It was feedback from the web-based validation section, but it shows type: dns.
The DNS-based validation shows the same feedback, with type: dns.

Is that a bug @Ilia?

I just discovered adding CAA records in the server template to help DNS-based validation because of this problem, and an explanation of CAA records here.

I am now able to get a Let's Encrypt cert after adding CAA to the DNS records.

I don’t see a bug here. We do add CAA records to DNS. Perhaps the DNS domain enabled feature is disabled or misconfigured for the domain …


…check the FQDN of your hostname…and IP. That would fix your issue.

I hope I can explain what I mean better. In this image, it is a nonexistent domain, but when I got the error that led to posting here, it was a valid domain, tested using dnschecker and dnsmap.io for propagation before requesting the Let's Encrypt certificate.

After I checked again, it is true that CAA is created in the default settings. I’m sorry for not double-checking it before raising it with you.

The issue was solved after creating a CAA record for that domain.

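An added example (not from the original thread, certbot or Virtualmin) that models why a web-based request can still fail with Type: dns: before honouring any challenge, the CA resolves CAA, climbing from the requested name toward the TLD, and a SERVFAIL anywhere on that path blocks issuance. The resolver is a constructed dict stand-in for DNS; the domain.id names and the letsencrypt.org identity are taken from the thread.

```python
"""Offline model of the CAA lookup a CA performs before honouring any ACME
challenge (RFC 8659 section 3). Added example, not certbot or Virtualmin
code; the resolver is a dict stand-in for real DNS."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Union

# Stub answer: CAA RRset in presentation format ([] = NOERROR/NODATA) or "SERVFAIL".
Answer = Union[List[str], str]
Resolver = Callable[[str], Answer]

@dataclass
class CaaResult:
    permitted: bool
    origin: Optional[str] = None      # name whose answer decided the outcome
    issuers: List[str] = field(default_factory=list)
    error: Optional[str] = None

def ancestors(name: str):
    """Yield name, its parent, ... up to the TLD (the root publishes no CAA)."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])

def caa_check(name: str, ca_identity: str, resolve: Resolver) -> CaaResult:
    """Climb the tree until a CAA RRset or a lookup failure is found."""
    for candidate in ancestors(name):
        answer = resolve(candidate)
        if answer == "SERVFAIL":
            # A CA must treat lookup failure as 'do not issue', whether the
            # challenge was http-01 or dns-01: hence "Type: dns" in the thread.
            return CaaResult(False, candidate,
                             error=f"SERVFAIL looking up CAA for {candidate}")
        if not answer:
            continue                                  # NODATA: climb one label
        issuers = []
        for rr in answer:                             # e.g. '0 issue "letsencrypt.org"'
            _flags, tag, value = rr.split(None, 2)
            if tag.lower() == "issue":                # value: domain[; params]; ";" forbids all
                issuers.append(value.strip('"').split(";")[0].strip().lower())
        if not issuers:                               # only iodef records: unrestricted
            return CaaResult(True, candidate)
        return CaaResult(ca_identity.lower() in issuers, candidate, issuers)
    return CaaResult(True)                            # no CAA anywhere: any CA may issue

def dict_resolver(zone: Dict[str, Answer]) -> Resolver:
    return lambda qname: zone.get(qname, [])

# Constructed zones mirroring the thread; letsencrypt.org is Let's Encrypt's published CAA identity.
BROKEN = dict_resolver({"domain.id": "SERVFAIL"})
FIXED = dict_resolver({"domain.id": ['0 issue "letsencrypt.org"']})
```

Because www.domain.id has no CAA of its own, the check climbs to domain.id and fails there, which is why the thread's error for www names the parent. Querying a real resolver the same way before requesting a certificate surfaces a CAA failure without spending a Let's Encrypt validation attempt.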

What does the full log file look like with that error from the screenshot? It must be saved to /var/log/letsencrypt/letsencrypt.log.x – you need to check exactly when it was requested to get the right log.

It is in 2 log files. I hope this helps.

I see no DNS record. Have you set up any DNS at the registry? mxtool reports DNS Record not found.

Are you trying to examine asdfjekhek.id DNS records? It is an unregistered domain, only for showing the error message screenshot.

The reason I keep continuing the discussion in this thread is that Let's Encrypt is validating using web-based validation, but Virtualmin shows DNS (pointed to by the arrow in the screenshot I provided) instead of web.

Also, to ask whether it is possible to request a test-server or dry-run cert in virtual servers.

OK, so asdfjekhek.id is not in the log.

It is there, starting from line 3. I quoted lines 3 to 60:

2022-07-21 09:56:17,069:DEBUG:certbot._internal.main:Arguments: ['-a', 'webroot', '-d', 'asdfjefkhek.id', '-d', 'www.asdfjefkhek.id', '--webroot-path', '/home/asdfjefkhek/public_html', '--duplicate', '--force-renewal', '--non-interactive', '--agree-tos', '--config', '/tmp/.webmin/674940_2138998_2_letsencrypt.cgi', '--rsa-key-size', '2048', '--cert-name', 'asdfjefkhek.id']
2022-07-21 09:56:17,070:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2022-07-21 09:56:17,096:DEBUG:certbot._internal.log:Root logging level set at 30
2022-07-21 09:56:17,098:DEBUG:certbot._internal.plugins.selection:Requested authenticator webroot and installer None
2022-07-21 09:56:17,100:DEBUG:certbot._internal.plugins.selection:Single candidate plugin: * webroot
Description: Place files in webroot directory
Interfaces: Authenticator, Plugin
Entry point: webroot = certbot._internal.plugins.webroot:Authenticator
Initialized: <certbot._internal.plugins.webroot.Authenticator object at 0x7f3f58245fd0>
Prep: True
2022-07-21 09:56:17,101:DEBUG:certbot._internal.plugins.selection:Selected authenticator <certbot._internal.plugins.webroot.Authenticator object at 0x7f3f58245fd0> and installer None
2022-07-21 09:56:17,101:INFO:certbot._internal.plugins.selection:Plugins selected: Authenticator webroot, Installer None
2022-07-21 09:56:17,109:DEBUG:certbot._internal.main:Picked account: <Account(RegistrationResource(body=Registration(key=None, contact=(), agreement=None, status=None, terms_of_service_agreed=None, only_return_existing=None, external_account_binding=None), uri='https://acme-v02.api.letsencrypt.org/acme/acct/259596310', new_authzr_uri=None, terms_of_service=None), 80535b702c66b07a1273fb82694d390f, Meta(creation_dt=datetime.datetime(2021, 10, 29, 8, 6, 3, tzinfo=<UTC>), creation_host='to2.nectarwebsite.id', register_to_eff=None))>
2022-07-21 09:56:17,110:DEBUG:acme.client:Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
2022-07-21 09:56:17,112:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org:443
2022-07-21 09:56:18,261:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "GET /directory HTTP/1.1" 200 658
2022-07-21 09:56:18,262:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Thu, 21 Jul 2022 02:56:18 GMT
Content-Type: application/json
Content-Length: 658
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
  "keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
  "meta": {
    "caaIdentities": [
    "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
    "website": "https://letsencrypt.org"
  "newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
  "newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
  "newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
  "revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert",
  "yuF4y9zs6C8": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417"
2022-07-21 09:56:18,262:DEBUG:certbot._internal.display.obj:Notifying user: Requesting a certificate for asdfjefkhek.id and www.asdfjefkhek.id
2022-07-21 09:56:18,497:DEBUG:certbot.crypto_util:Generating RSA key (2048 bits): /etc/letsencrypt/keys/5274_key-certbot.pem
2022-07-21 09:56:18,585:DEBUG:certbot.crypto_util:Creating CSR: /etc/letsencrypt/csr/5274_csr-certbot.pem
2022-07-21 09:56:18,586:DEBUG:acme.client:Requesting fresh nonce
2022-07-21 09:56:18,586:DEBUG:acme.client:Sending HEAD request to https://acme-v02.api.letsencrypt.org/acme/new-nonce.
2022-07-21 09:56:18,795:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "HEAD /acme/new-nonce HTTP/1.1" 200 0
2022-07-21 09:56:18,796:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Thu, 21 Jul 2022 02:56:18 GMT
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 0002qsleDBRXThJmJpB36sAFzdxBBTCkDHLQreqtQVjePh0
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
