It’s new in 6.10 that Virtualmin even tries to get a cert for the admin alias. It’s not strictly necessary, but the lack of it leads to a weird situation where you have to start on http and then the redirect takes you to https. That’s a hard habit to break.
It may be that the feature is half-baked in some cases. I haven’t spent much time looking at it. This thread is way too long and convoluted for me to try to follow it, but from the initial question, i think you’re just seeing an oversight in this new feature…or maybe a bug in the feature trying to work for existing domains, I’m not sure. What needs to happen is the redirect has to be bypassed for the .well-known URL. The redirect shouldn’t be involved at all.
I’ll try to test this and raise any problems to Jamie’s attention ASAP. If it’s reproducible with simple steps, feel free to open a ticket in https://github.com/virtualmin/virtualmin-gpl/issues