Letsencrypt and DNS validation (NON Wildcard)

OS type and version Ubuntu Linux 20.04.6
Webmin version 2.021
Usermin version 1.861
Virtualmin version 7.7
Theme version 20.21
Package updates All installed packages are up to date

I wonder how to get DNS validation for Let's Encrypt to work.
Virtualmin manages my primary DNS, and I have two secondary DNS on an external provider.

Until now, only web validation works for Let's Encrypt. But for some domains it needs additional manual settings in nginx.conf to make it work.

To solve this in an easier way, I would prefer that Virtualmin try to use the NS record _acme-challenge by default.

Currently, if web validation fails, I see in the logs that Virtualmin tries to check for DNS entries, but I think Virtualmin never sets this NS record at any time… so it always fails.

  "identifier": {
    "type": "dns",
    "value": "xyz.domain.com"
  "status": "invalid",
  "expires": "2023-07-24T13:43:27Z",
  "challenges": [
      "type": "dns-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:dns",
        "detail": "DNS problem: NXDOMAIN looking up TXT for _acme-challenge.xyz.domain.com - check that a DNS record exists for this domain",
        "status": 400
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/241231644557/QPTIqA",
      "token": "jfbx2GHKTVKSdDESgvAGp123HUr_A1ogubM5ar7ksGo",
      "validated": "2023-07-17T13:43:39Z"

So is there a way to make DNS-Validation work for Virtualmin in an easy way?

If Virtualmin is managing your DNS, DNS validation should Just Work. But, I assume your secondary servers are not connected to your Virtualmin server as slaves, so DNS validation cannot work. If you control the secondary servers, you need to set them up as documented: DNS Slave Auto-configuration – Virtualmin

If you do not control those other servers (i.e. you’re manually creating records rather than them being created automatically across all of your servers by Virtualmin), you cannot use DNS validation.

You’ll need to fix web validation. Web validation is easier to get right and does not require you to have full control over all of your DNS servers and have them all managed by Virtualmin.

Thanks for your answer @Joe.
I have my secondary NS at Hetzner. I’m able to create those secondary zones via the web UI (and I currently do), but there is also a way to use their API to do this.

Would it be possible to use those with automated creation of NS entries in Virtualmin, or isn’t there a chance to get this to work?

It is not NS records that are missing. It is a TXT record that contains the secret Let’s Encrypt sent to validate you own your domain.

And, no, if Virtualmin is not managing your DNS, there is no way for DNS validation to work. It cannot be automated.

You either need to fix web validation (which is nearly always easy) or use the command line certbot client to get your certs (certbot has a workflow that allows for non-automated cert creation and renewal…Virtualmin insists it be automatable). I am not recommending you do the latter. I think you should fix web validation and forget about DNS validation.
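
An added illustration, not part of any post in this thread and not Virtualmin's own code: it derives the TXT value an ACME server expects at `_acme-challenge.<name>` for a dns-01 challenge (RFC 8555 section 8.4, with the account key thumbprint from RFC 7638) and reports which authoritative name servers do not serve it, which is the situation when secondaries are not kept in sync with the primary. The token, account key, name server names and per-server answers are all constructed sample data.

```python
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: hash only the required members, sorted, without whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """TXT value = base64url(SHA-256(token "." thumbprint))."""
    key_authorization = f"{token}.{jwk_thumbprint(account_jwk)}"
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())


def record_name(identifier: str) -> str:
    return "_acme-challenge." + identifier.rstrip(".")


def servers_missing_record(expected: str, answers: dict) -> list:
    """answers maps name server -> list of TXT strings, or None for NXDOMAIN."""
    return sorted(ns for ns, txts in answers.items()
                  if not txts or expected not in txts)


# Constructed sample data: placeholder key material, not a real account key.
SAMPLE_JWK = {"kty": "EC", "crv": "P-256",
              "x": "constructed-x-coordinate", "y": "constructed-y-coordinate"}
SAMPLE_TOKEN = "constructed-token-value"
EXPECTED = dns01_txt_value(SAMPLE_TOKEN, SAMPLE_JWK)

# Constructed answers: the primary has the record, the secondaries do not.
SAMPLE_ANSWERS = {
    "ns1.primary.example": [EXPECTED],
    "ns2.secondary.example": None,               # NXDOMAIN, as in the log above
    "ns3.secondary.example": ["stale-old-value"],
}

if __name__ == "__main__":
    print(record_name("xyz.domain.com"), "TXT", EXPECTED)
    print("not serving it:", servers_missing_record(EXPECTED, SAMPLE_ANSWERS))
```
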

