Letsencrypt alternate means of authentication

OS type and version: CentOS Linux 7.9.2009
Webmin version: 1.981
Virtualmin version: 6.17 Pro

Hi all, hope your seasonal celebrations went well.

This issue has been a little low on my to-do list but the time has come to get on with it.

Letsencrypt is running great on my server, thanks for your sterling efforts. However, I have a couple of clients who use us for their domain and email etc. whilst their actual website is hosted elsewhere, for example, Shopify.

I would like to implement a certificate for their email but because the “A” record points to another server not under our control the ACME challenge to our server is not accessed by Letsencrypt and the challenge fails. Not surprising.

I have tried a number of suggestions that I found on the web including putting a TXT record in bind (something like “_acme-challenge.mail.domain.co.uk”) but none of them worked.

So, please can anyone advise what the method is to achieve this.

To avoid any confusion in case my description is not clear, I want to set up a cert for email but not for the website. DNS is running on this server and the slave on a separate server both under our control.

Many thanks for reading.

You are allowed to request and receive an SSL certificate for a domain only after you prove that you have control (implying ownership) of the domain. In your case, @Dim_Git , you are unable to use the simplest, most robust method of proving that you have control, since the web hosting for that domain is being done elsewhere, on Shopify.

That leaves you only one remaining option offered by Virtualmin: DNS based validation, which will work only if the DNS of the domain is being managed by Virtualmin’s DNS.

If not, you will have to use an external service to manually request and then manually install the Let’s Encrypt certificate in Virtualmin. For example:

https://www.sslforfree.com/

Many thanks for that Calport, I appreciate your reply.

The DNS is being managed by Virtualmin but how can I do that? I can’t see any options available to request a certificate using that method. Perhaps I’m just not seeing it.

Does that mean I could set DNS “A” record to resolve to this server for the duration of applying the certificate and then once the certificate is obtained set the “A” record back to Shopify? And if so, will it automatically renew in future?

Sorry to be so thick!

Thanks,
Tim

Afaik, the DNS validation method will be used as fallback if the default method fails when Virtualmin requests SSL certificates. You do not need to configure any settings in Virtualmin to use the DNS validation method.

Since the DNS of your domain is being managed by Virtualmin, all you need to do is trigger a request for an SSL certificate (via Virtualmin → Server Configuration → SSL Certificate) and then Virtualmin will first attempt the default validation, which will fail since the website is being hosted by Shopify, and thereafter the DNS based validation which should succeed and you will get your certificates. The only caveat is that the virtual server in Virtualmin should be configured to not request certificates for those domains that it is not serving.

Yes and no.

1 Like
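The DNS validation discussed in this thread is the ACME DNS-01 challenge (RFC 8555 section 8.4). The CA looks up a TXT record at `_acme-challenge.<name>` and expects a specific value: the base64url-encoded SHA-256 of the key authorization, which is the challenge token joined with a `.` to the RFC 7638 thumbprint of the ACME account key. A TXT record placed by hand with some other value therefore cannot satisfy the challenge, and the client (Virtualmin's Let's Encrypt integration here) must publish the computed value itself. The script below is an added example, not Virtualmin's or Let's Encrypt's code: it derives the record value and checks whether it is visible in DNS. The account key and token are constructed dummy values, and the DNS lookup assumes `dig` (bind-utils) is installed.

```python
"""ACME DNS-01 record value: compute it and check that it is visible in DNS.

Added example; not Virtualmin's or Let's Encrypt's code. The account key and
the token below are constructed dummy values, not real ACME material.
"""
import base64
import hashlib
import json
import subprocess
from typing import List, Optional


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding ACME uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members only, keys in
    lexicographic order, compact JSON. Optional members such as 'kid' or
    'alg' are ignored, so their presence must not change the result."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           separators=(",", ":"), sort_keys=True)
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def dns01_record_value(token: str, jwk: dict) -> str:
    """RFC 8555 section 8.4: TXT value = base64url(SHA-256(keyAuthorization)),
    where keyAuthorization = token '.' thumbprint(accountKey)."""
    key_authorization = f"{token}.{jwk_thumbprint(jwk)}"
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())


def challenge_name(hostname: str) -> str:
    """Owner name the CA queries: _acme-challenge prepended to the identifier."""
    return f"_acme-challenge.{hostname.strip('.')}."


def query_txt(name: str, server: Optional[str] = None) -> List[str]:
    """Fetch TXT records with dig and return the unquoted strings.
    Pass a public resolver as server (e.g. '8.8.8.8') to see what the CA will
    see, rather than what the local authoritative server answers."""
    cmd = ["dig", "+short", "TXT", name]
    if server:
        cmd.append(f"@{server}")
    out = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    return [line.strip().strip('"') for line in out.splitlines() if line.strip()]


def record_is_published(observed: List[str], expected: str) -> bool:
    """True when the expected value is among the TXT strings actually served.
    Several values may coexist (one per pending order); only one must match."""
    return expected in observed


# Constructed dummy account key: a P-256 JWK with fixed byte patterns as the
# coordinates. It is not a valid curve point and is only here so the code runs.
SAMPLE_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": b64url(bytes(range(32))),
    "y": b64url(bytes(range(32, 64))),
    "kid": "ignored-by-the-thumbprint",
}
SAMPLE_TOKEN = "constructed-sample-token"

if __name__ == "__main__":
    name = challenge_name("mail.domain.co.uk")
    value = dns01_record_value(SAMPLE_TOKEN, SAMPLE_JWK)
    print(f'{name} IN TXT "{value}"')
    try:
        print("published:", record_is_published(query_txt(name), value))
    except (FileNotFoundError, subprocess.CalledProcessError) as exc:
        print("dig unavailable or query failed:", exc)
```

When a DNS-01 order stalls, the useful check is `query_txt(name, "8.8.8.8")` against the value the client logged: if the public resolver does not return it, the authoritative server (or the slave, which also has to be in sync before the CA's query arrives) is not serving the record the CA is waiting for.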

Hi Calport,

My apologies for not having replied earlier, life and its major issues have distracted me but I really do appreciate you having taken time to reply.

I have tried many permutations of settings in the request cert page and I have arrived at the following :

Requesting a cert for mail.domain.com ONLY does obtain a certificate without any apparent failures until testing on one of the numerous online cert checking tools like this

DNS resolves mail.domain.com to 111.222.333.444

Certificate does not match name mail.domain.com

The IP number in the first line is correct
The domain given in the second line is the name of the hosting server.

I am wondering if this is an issue caused by older versions of Postfix being limited to one SSL certificate for a given IP address even though all the VS sites that have DNS set up to host their site on the server locally (as opposed to eg Shopify) work flawlessly.

Again, apologies for the rude, exceedingly late reply.

Tim
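The "Certificate does not match name" result above means the certificate the mail server presented does not list the name the client connected to (here `mail.domain.com`) in its subjectAltName entries. Postfix 3.4 and later can select a certificate per requested name via `tls_server_sni_maps`; earlier releases present the single certificate configured on a listener whatever name the client asks for. The script below is an added example, not Virtualmin's, Postfix's or Let's Encrypt's code: it performs the same check an online checker does, STARTTLS on the submission port, then compares the hostname against the names in the presented certificate, and reports which names the server actually offered. The certificate dictionary used for the offline run is a constructed sample in the shape `ssl.SSLSocket.getpeercert()` returns; the assumed hostnames are placeholders.

```python
"""Check which names a mail server's TLS certificate actually covers.

Added example; not Virtualmin's, Postfix's or Let's Encrypt's code. The
certificate dictionary used offline is a constructed sample in the shape
returned by ssl.SSLSocket.getpeercert().
"""
import smtplib
import ssl
from typing import List, Tuple


def cert_dns_names(cert: dict) -> List[str]:
    """DNS names the certificate is valid for: subjectAltName entries of type
    DNS, falling back to the subject CN only when no SAN entry is present."""
    names = [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]
    if names:
        return names
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                return [value]
    return []


def hostname_matches(names: List[str], hostname: str) -> bool:
    """RFC 6125-style match: exact (case-insensitive), or a leading '*.' that
    stands for exactly one label, so *.example.com covers mail.example.com
    but neither example.com nor a.b.example.com."""
    host = hostname.lower().rstrip(".")
    for name in names:
        pattern = name.lower().rstrip(".")
        if pattern == host:
            return True
        if pattern.startswith("*.") and "*" not in pattern[2:]:
            suffix = pattern[1:]  # ".example.com"
            prefix = host[: -len(suffix)] if host.endswith(suffix) else ""
            if prefix and "." not in prefix:
                return True
    return False


def check_cert(cert: dict, hostname: str) -> Tuple[bool, List[str]]:
    """Return (matches, names_presented) so a mismatch report can say which
    names the server actually offered instead of just 'mismatch'."""
    names = cert_dns_names(cert)
    return hostname_matches(names, hostname), names


def fetch_submission_cert(host: str, port: int = 587, timeout: float = 10.0) -> dict:
    """STARTTLS on the submission port and return the peer certificate.
    The chain is still verified against the system CA store; only the
    hostname check is disabled so a mismatch is reported rather than raised."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        smtp.starttls(context=ctx)
        return smtp.sock.getpeercert()


# Constructed sample reproducing the situation in the post: the client connects
# to mail.domain.com, but the certificate presented was issued for the hosting
# server's own name (placeholder: srv1.hosting.example).
SAMPLE_SERVER_CERT = {
    "subject": ((("commonName", "srv1.hosting.example"),),),
    "subjectAltName": (("DNS", "srv1.hosting.example"),),
}

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        target = sys.argv[1]                  # live check: python check.py mail.domain.com
        cert = fetch_submission_cert(target)
    else:
        target = "mail.domain.com"            # offline run against the sample
        cert = SAMPLE_SERVER_CERT
    ok, names = check_cert(cert, target)
    print(f"{target}: {'OK' if ok else 'MISMATCH'}; certificate covers {names}")
```

Run with no arguments to see the sample mismatch, or with a hostname to test a live submission listener (port 587; pass `port=465` with an implicit-TLS wrapper instead if that is what the client uses). The names printed on a mismatch tell you which virtual server's certificate the listener is actually serving.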

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.