Letsencrypt alternate means of authentication

OS type and version: CentOS Linux 7.9.2009
Webmin version: 1.981
Virtualmin version: 6.17 Pro

Hi all, hope your seasonal celebrations went well.

This issue has been a little low on my to-do list but the time has come to get on with it.

Letsencrypt is runnung great on my server, thanks for your stirling efforts. However, I have a couple of clients who use us for ther domain and email etc. whilst their actual website is hosted elsewhere, for example, Shopify.

I would like to impliment a certificate for their email but because the “A” record points to another server not under our control the ACME challenge to our server is not accessed by Letsencrypt and the challenge fails. Not surprising.

I have tried a number of suggestions that I found on the web including putting a TXT record in bind (something like “_acme-challenge.mail.domain.co.uk”) but none of them worked.

So, please can anyone advise what the method is to achieve this.

To avoid any confusion in case my description is not clear, I want to set up a cert for email but not for the website. DNS is running on this server and the slave on a separate server both under our control.

Many thanks for reading.

You are allowed to request and receive a SSL certificate for a domain only after you prove that you have control (implying ownership) of the domain. In your case, @Dim_Git , you are unable to use the simplest, most robust method of proving that you have control, since the web hosting for that domain is being done elsewhere, on Shopify.

That leaves you only one remaining option offered by Virtualmin: DNS based validation, which will work only if the DNS of the domain is being managed by Virtualmin’s DNS.

If not, you will have to use an external service to manually request and then manualy install the Let’s Encrypt certificate in Virtualmin. For example:

https://www.sslforfree.com/

Many thanks for that Calport, I appreciate your reply.

The DNS is being managed by Virtualmin but how can I do that? I can’t see any options available to request a certificate using that method. Perhaps I’m just not seeing it.

Does that mean I could set DNS “A” record to resolve to this server for the duration of applying the certificate and then once the certificate is obtained set the “A” record back to Shopify? And if so, will it automatically renew in future?

Sorry to be so thick!

Thanks,
Tim

Afaik, the DNS validation method will be used as fallback if the default method fails when Virtualmin requests SSL certificates. You do not need to configure any settings in Virtualmin to use the DNS validation method.

Since the DNS of your domain is being managed by Virtualmin, all you need to do is trigger a request for a SSL certificate (via Virtualmin → Server Configuration → SSL Certificate) and then Virtualmin will first attempt the default validation, which will fail since the website is being hosted by Shopify, and thereafter the DNS based validation which should succeed and you will get your certificates. The only caveat is that the virtual server in Virtualmin should be configured to not request certificates for those domains that it is not serving.

Yes and no.

1 Like