LetsEncrypt says "request failed : Web-based validation failed"


I started having email issues this morning and investigating, I find the LetsEncrypt validation is failing. Is this a known issue?

Requesting a certificate for andrews.com, www.andrews.com, mail.andrews.com from Let's Encrypt ..
.. request failed : Web-based validation failed :

Saving debug log to /var/log/letsencrypt/letsencrypt.log Requesting a certificate for andrews.com and 2 more domains Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems: Domain: andrews.com Type: unauthorized 
(edited to remove ips)
OS type and version Ubuntu Linux 22.04.2
Webmin version 2.105
Virtualmin version 7.10.0
Related packages SUGGESTED

The Unauthorised log entry intimates that letsencrypt doesn’t have access to the correct directory

Am I the only one on the forum that gets emails on cert renewal or failure? I’d say once you get this solved maybe look into that.

Is the andrews (dot) com real? It works for me. I show ‘the lock’ in the url bar.

Yes. Make sure .well-known is accessible for acme-challenge. Also, if you control your DNS, use the wildcard option.

Why do you need to do that … surely that is not the correct thing to do. It is a possible security risk

Yep, that’s real, but I have two servers, that’s on the web one, on my email server it’s expired and throwing that error.

How do I make sure .well-known… I wonder if it’s checking the web server for that… I don’t know, it’s worked okay in the past…


Make sure you are only asking for the correct certs on each server?
Requesting a certificate for andrews.com, www.andrews.com, mail.andrews.com from Let's Encrypt ..

DNSSEC if you are that paranoid about security.

Why are you hosting a separate email server? Waste of resources and money. Your email server should use the same certificate as your domain. Of course, it will throw an error since your other server manages your domain

It really isn’t helpful to question this kind of decision as we know nothing of the infrastructure and reasoning behind it. It is also off topic. Our goal is to help resolve the problem.

Remove mail.domain.tld from your web server. Add A record with your email server’s IP address. Request a certificate for mail.domain.tld on your email server. Make sure it is propagated around the world first. https://dnschecker.org/ @christophera

Hi all,

Thank you, I’ve never asked a question on this forum and gotten such a lively response!

Yes, I mistakenly had the multiple domains listed on the cert, that caused the problem.

I’ve corrected that and all is well!

Thanks again!


1 Like

Thank you for letting us all know the problem was resolved.

This topic was automatically closed 8 days after the last reply. New replies are no longer allowed.