SSL certificate isn't made on new domain creation

Made a new domain that I just registered and checked the SSL something-something tickbox.
Got this error.

Requesting a certificate for virusstop.org, www.virusstop.org, mail.virusstop.org, admin.virusstop.org, webmail.virusstop.org from Let’s Encrypt …
… request failed : Web-based validation failed :
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for admin.virusstop.org
http-01 challenge for mail.virusstop.org
http-01 challenge for virusstop.org
http-01 challenge for webmail.virusstop.org
http-01 challenge for www.virusstop.org
Using the webroot path /home/virusstop/public_html for all unmatched domains.
Waiting for verification…
Challenge failed for domain admin.virusstop.org
Challenge failed for domain mail.virusstop.org
Challenge failed for domain webmail.virusstop.org
http-01 challenge for admin.virusstop.org
http-01 challenge for mail.virusstop.org
http-01 challenge for webmail.virusstop.org
Cleaning up challenges
Some challenges have failed.
IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: admin.virusstop.org
    Type: dns
    Detail: DNS problem: NXDOMAIN looking up A for admin.virusstop.org

    • check that a DNS record exists for this domain

    Domain: mail.virusstop.org
    Type: dns
    Detail: DNS problem: NXDOMAIN looking up A for mail.virusstop.org -
    check that a DNS record exists for this domain

    Domain: webmail.virusstop.org
    Type: dns
    Detail: DNS problem: NXDOMAIN looking up A for
    webmail.virusstop.org - check that a DNS record exists for this
    domain
    DNS-based validation failed :
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    Plugins selected: Authenticator manual, Installer None
    Obtaining a new certificate
    Performing the following challenges:
    dns-01 challenge for admin.virusstop.org
    dns-01 challenge for mail.virusstop.org
    dns-01 challenge for webmail.virusstop.org
    Running manual-auth-hook command: /etc/webmin/webmin/letsencrypt-dns.pl
    Running manual-auth-hook command: /etc/webmin/webmin/letsencrypt-dns.pl
    Running manual-auth-hook command: /etc/webmin/webmin/letsencrypt-dns.pl
    Waiting for verification…
    Challenge failed for domain admin.virusstop.org
    Challenge failed for domain mail.virusstop.org
    Challenge failed for domain webmail.virusstop.org
    dns-01 challenge for admin.virusstop.org
    dns-01 challenge for mail.virusstop.org
    dns-01 challenge for webmail.virusstop.org
    Cleaning up challenges
    Running manual-cleanup-hook command: /etc/webmin/webmin/letsencrypt-cleanup.pl
    Running manual-cleanup-hook command: /etc/webmin/webmin/letsencrypt-cleanup.pl
    Running manual-cleanup-hook command: /etc/webmin/webmin/letsencrypt-cleanup.pl
    Some challenges have failed.
    IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: admin.virusstop.org
    Type: dns
    Detail: DNS problem: NXDOMAIN looking up TXT for
    _acme-challenge.admin.virusstop.org - check that a DNS record
    exists for this domain

    Domain: mail.virusstop.org
    Type: dns
    Detail: DNS problem: NXDOMAIN looking up TXT for
    _acme-challenge.mail.virusstop.org - check that a DNS record exists
    for this domain

    Domain: webmail.virusstop.org
    Type: dns
    Detail: DNS problem: NXDOMAIN looking up TXT for
    _acme-challenge.webmail.virusstop.org - check that a DNS record
    exists for this domain

Now, trying to make the SSL certificate manually, I get an error that Let's Encrypt is down.

Requesting a certificate for virusstop.org, www.virusstop.org, mail.virusstop.org, admin.virusstop.org, webmail.virusstop.org from Let’s Encrypt …
… request failed : Web-based validation failed :
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
An unexpected error occurred:
The server experienced an internal error :: The service is down for maintenance or had an internal error. Check https://letsencrypt.status.io/ for more details.
Please see the logfiles in /var/log/letsencrypt for more details.
DNS-based validation failed :
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
An unexpected error occurred:
The server experienced an internal error :: The service is down for maintenance or had an internal error. Check https://letsencrypt.status.io/ for more details.
Please see the logfiles in /var/log/letsencrypt for more details.

If you've just registered the domain, it hasn't propagated yet or you haven't set up NS records…


Some of your subdomains don't exist on the nameservers.
Either change to handle DNS yourself, add the missing ones in DO's panel (admin, mail and webmail), or remove them from the Let's Encrypt request.

Previously I never had this problem. Why doesn't it check which subdomains are there?

Requesting a certificate for virusstop.org, www.virusstop.org, mail.virusstop.org, admin.virusstop.org, webmail.virusstop.org from Let’s Encrypt …
… request failed : Web-based validation failed :
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for admin.virusstop.org
http-01 challenge for mail.virusstop.org
http-01 challenge for webmail.virusstop.org
Using the webroot path /home/virusstop/public_html for all unmatched domains.
Waiting for verification…
Challenge failed for domain admin.virusstop.org
Challenge failed for domain mail.virusstop.org
Challenge failed for domain webmail.virusstop.org
http-01 challenge for admin.virusstop.org
http-01 challenge for mail.virusstop.org
http-01 challenge for webmail.virusstop.org
Cleaning up challenges
Some challenges have failed.
IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: admin.virusstop.org
    Type: dns
    Detail: DNS problem: NXDOMAIN looking up A for admin.virusstop.org

    • check that a DNS record exists for this domain

    Domain: mail.virusstop.org
    Type: dns
    Detail: DNS problem: NXDOMAIN looking up A for mail.virusstop.org -
    check that a DNS record exists for this domain

    Domain: webmail.virusstop.org
    Type: dns
    Detail: DNS problem: NXDOMAIN looking up A for
    webmail.virusstop.org - check that a DNS record exists for this
    domain
    DNS-based validation failed :
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    Plugins selected: Authenticator manual, Installer None
    Obtaining a new certificate
    Performing the following challenges:
    dns-01 challenge for admin.virusstop.org
    dns-01 challenge for mail.virusstop.org
    dns-01 challenge for webmail.virusstop.org
    Running manual-auth-hook command: /etc/webmin/webmin/letsencrypt-dns.pl
    Running manual-auth-hook command: /etc/webmin/webmin/letsencrypt-dns.pl
    Running manual-auth-hook command: /etc/webmin/webmin/letsencrypt-dns.pl
    Waiting for verification…
    Challenge failed for domain admin.virusstop.org
    Challenge failed for domain mail.virusstop.org
    Challenge failed for domain webmail.virusstop.org
    dns-01 challenge for admin.virusstop.org
    dns-01 challenge for mail.virusstop.org
    dns-01 challenge for webmail.virusstop.org
    Cleaning up challenges
    Running manual-cleanup-hook command: /etc/webmin/webmin/letsencrypt-cleanup.pl
    Running manual-cleanup-hook command: /etc/webmin/webmin/letsencrypt-cleanup.pl
    Running manual-cleanup-hook command: /etc/webmin/webmin/letsencrypt-cleanup.pl
    Some challenges have failed.
    IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: admin.virusstop.org
    Type: dns
    Detail: DNS problem: NXDOMAIN looking up TXT for
    _acme-challenge.admin.virusstop.org - check that a DNS record
    exists for this domain

    Domain: mail.virusstop.org
    Type: dns
    Detail: DNS problem: NXDOMAIN looking up TXT for
    _acme-challenge.mail.virusstop.org - check that a DNS record exists
    for this domain

    Domain: webmail.virusstop.org
    Type: dns
    Detail: DNS problem: NXDOMAIN looking up TXT for
    _acme-challenge.webmail.virusstop.org - check that a DNS record
    exists for this domain

Now tried without www, since it usually redirects to the main domain by default, and added a wildcard.
OMG, this should be the default and it doesn't work.
Requesting a certificate for virusstop.org, *.virusstop.org from Let’s Encrypt …
… request failed : Web-based validation failed : Wildcard hostname *.virusstop.org can only be validated in DNS mode DNS-based validation failed :
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for virusstop.org
Running manual-auth-hook command: /etc/webmin/webmin/letsencrypt-dns.pl
Waiting for verification…
Challenge failed for domain virusstop.org
dns-01 challenge for virusstop.org
Cleaning up challenges
Running manual-cleanup-hook command: /etc/webmin/webmin/letsencrypt-cleanup.pl
Some challenges have failed.
IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: virusstop.org
    Type: dns
    Detail: DNS problem: NXDOMAIN looking up TXT for
    _acme-challenge.virusstop.org - check that a DNS record exists for
    this domain

I did the Let's Encrypt 2nd option, selected domains only:
virusstop.org
www.virusstop.org
I did WordPress in a folder and moved the site settings to the main site URL.
Maybe that's why the certificate again didn't work.
Did it again, and now with the site moved it works with the domain and www.
Works on the main site.
Oh oh, problem.
Not working in the logged-in /subfolder admin panel.
Jetpack cookies not working: can't connect to Jetpack settings, recommendations.
https://virusstop.org/subfolder/wp-admin/admin.php?page=jetpack#/recommendations

Next thing:
How to make it better not to use www.? So maybe a certificate without www., and maybe www. is not fully redirected? Is it OK just to have a CNAME that redirects and not need a www. certificate?

Please open new topics for new questions.

But what about the problem?
I wrote that all was fine, but I found a new problem. It's not solved.
Now it again shows that there's no certificate, but in settings it shows there is.

I did a new custom certificate with only www. and the usual domain, without wildcard. Didn't work: the website still doesn't have a certificate, even though Virtualmin shows that it got a certificate.

If you try to request a Let’s Encrypt certificate and get a failure during the ACME request process more than a certain number of times (five), the API will refuse further requests for a certain period of time. “There is a Failed Validation limit of 5 failures per account, per hostname, per hour.” Rate Limits - Let's Encrypt

Your DNS is set to DigitalOcean but the default Let’s Encrypt request also includes the subdomains you can see in the request log (admin, mail, webmail and www). You either need to remove those from your LE certificate request by providing just the custom domain of “virusstop.org”, or you need to create DNS entries for all those subdomains and set up subdomains on the Virtualmin account for that domain so the verification file can be created by Virtualmin during the request challenge/verification process.

I noticed the other week that the DNS verification method also seemed broken when I tried to request a certificate with a wildcard entry, where the same server was also hosting DNS. However your issue is simpler - your third-party DNS doesn’t have records matching the subdomains you are requesting the certificate for.

The simplest thing to do is run your server as the authoritative nameserver, which Virtualmin will do by default if you left the option enabled for the site, then adjust your nameserver records accordingly on DigitalOcean. It’s not ideal as you will only have one DNS server, but you can go on to investigate failover / secondary DNS hosting to add resilience (I use services from afraid.org, various other commercial services also offer this service).

If DigitalOcean offer sufficient access to amend DNS records, I would set up an A record for both virusstop.org and (for example) ns1.virusstop.org and ns2.virusstop.org pointing to your static IP on the DigitalOcean DNS settings. These are what’s referred to as “glue” records, which allow things to figure out how to actually reach your self-hosted DNS server.

How To Create Vanity or Branded Nameservers with DigitalOcean Cloud Servers | DigitalOcean & Step 3 — Create Glue Records | DigitalOcean have further reading on this.

Then, alter your nameservers to “ns1.virusstop.org” and “ns2.virusstop.org”. From there, your BIND server will serve further requests (and will be able to create subdomains automatically as needed). domain name system - What is a glue record? - Server Fault & What Are Glue Records and How Do I Use Them with Gandi Domains | Domain Names - Advanced Users | Gandi Documentation have more info.

It’s generally recommended to have two DNS servers which are not on the same machine, hence my comment about secondary DNS being important (where all changes are automatically replicated to the secondary server). You can get going with one DNS server, but any interruptions to that leave you effectively unreachable.

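A pre-flight check that covers the two failure modes discussed in the replies above, the NXDOMAIN on the unconfigured subdomains and the wildcard whose dns-01 TXT record never becomes visible because the zone is delegated elsewhere, and that also keeps a doomed request from spending the failed-validation rate limit. This is an added example, not Virtualmin's or certbot's code; it assumes `dig` is installed for the default resolver, and the `FAKE_ZONE` data and `dns-provider.example` nameserver names are constructed for an offline run.

```python
import subprocess

# Added example, not Virtualmin's or certbot's code. Pre-flight the hostname list
# before the ACME request: http-01 needs an A/AAAA record at each plain name, and
# a wildcard can only use dns-01, where the TXT record the auth hook writes into
# the local BIND zone is visible only if the zone is delegated to this server.
# Names that would fail are dropped instead of spending the failed-validation
# limit (5 per account, per hostname, per hour) on a request that cannot succeed.
# `resolve(name, rrtype)` is injectable; the default runs `dig` (assumed installed).


def dig_resolver(name, rrtype):
    """Return the `dig +short` answers for name/rrtype as a list of strings."""
    out = subprocess.run(["dig", "+short", rrtype, name],
                         capture_output=True, text=True, check=False).stdout
    return [line.strip() for line in out.splitlines() if line.strip()]


def plan_request(hostnames, local_ns, resolve=dig_resolver):
    """Split the request into (ready, blocked); blocked maps hostname -> reason.
    local_ns: nameserver names that point at the server running the dns-01 hook."""
    ready, blocked = [], {}
    local = {n.rstrip(".").lower() for n in local_ns}
    for host in hostnames:
        if host.startswith("*."):
            base = host[2:]
            ns = {n.rstrip(".").lower() for n in resolve(base, "NS")}
            if ns & local:
                ready.append(host)
            else:
                blocked[host] = ("dns-01 only: %s is delegated to %s, not this server, "
                                 "so _acme-challenge TXT would be NXDOMAIN"
                                 % (base, sorted(ns) or "no nameserver"))
        elif resolve(host, "A") or resolve(host, "AAAA"):
            ready.append(host)
        else:
            blocked[host] = "http-01: no A/AAAA record, the CA reports NXDOMAIN"
    return ready, blocked


# Constructed zone standing in for the thread's DNS: only the apex and www exist,
# and the zone is delegated to a third-party provider rather than to this server.
FAKE_ZONE = {
    ("virusstop.org", "A"): ["203.0.113.10"],
    ("www.virusstop.org", "A"): ["203.0.113.10"],
    ("virusstop.org", "NS"): ["ns1.dns-provider.example.", "ns2.dns-provider.example."],
}


def fake_resolver(name, rrtype):
    return FAKE_ZONE.get((name, rrtype), [])
```

Run `plan_request([...], {"ns1.virusstop.org", "ns2.virusstop.org"})` against the live resolver and feed only the `ready` list to the certificate request; once the glue records and nameserver change described above are in place, the NS check passes and the wildcard becomes requestable too.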