TLS issue, domain not verified?

Hi,

After restoring a backup, I’m getting this error message in Gmail when using the ‘send as’ (our domain name) option:

“TLS Negotiation failed, the certificate doesn’t match the host., code: 0”

The email/site were working fine when the backup was taken.

I ran a test on checktls.com and I’m getting this error (error in bold):

STARTTLS command works on this server
[000.339] Connection converted to SSL
SSLVersion in use: TLSv1_2
Cipher in use: ECDHE-RSA-AES256-GCM-SHA384
Perfect Forward Secrecy: yes
Certificate #1 of 1 (sent by MX):
Cert VALIDATION ERROR(S): unable to get local issuer certificate
This may help: What Is An Intermediate Certificate
So email is encrypted but the recipient domain is not verified
Cert Hostname VERIFIED (mail.tainoconsultants.com = tainoconsultants.com DNS:mail.tainoconsultants.com DNS:tainoconsultants.com DNS:www.tainoconsultants.com)
Not Valid Before: Dec 14 15:35:50 2020 GMT
Not Valid After: Mar 14 15:35:50 2021 GMT
subject= /CN=tainoconsultants.com
issuer= /C=US/O=Let's Encrypt/CN=R3

I used Virtualmin to get a new Let's Encrypt cert, but still get the same error. I’m not sure what it means or what I need to do about it.

Suggestions?

Thanks,

Chris

Okay, as a potential solution, I edited the virtual server, removed the checkmark from ‘Apache SSL website enabled’, saved, then went back and checked it again, so that it would rebuild the SSL setup.

When I tried to enable it, I got an “Adding new SSL virtual website …
… certificate file is not valid : Line 31 does not look like PEM format”

I deleted the current SSL files under that domain and tried again. This time it enabled SSL for the domain OK. Then I redid the Let's Encrypt cert, hoping that would fix things… but nope, still the same error…

ugh! help!

Hi,

Thanks for the heads up.

Recently, Let’s Encrypt started to sign newly issued certificates with the R3 root certificate, whereas it used to use X3.

Webmin 1.962 still uses the old X3 intermediate certificate when a certificate is requested using the acme_tiny.py script. This, however, was recently patched on our side and is prepared for inclusion in the next release.

Meanwhile, the workaround is to apply the patch and re-request the certificate for the domain, or to install the certbot package (if it is already installed, make sure it is updated) and re-request the certificate using Virtualmin, which writes the new R3 certificate to the .ca, .combined and .everything SSL files.

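The mismatch described in the reply above (leaf issued by the new intermediate, server still bundling the old one), reproduced offline with the openssl command line as an added example that is not part of the original thread and not Virtualmin's own code. A made-up root issues two intermediates, "X3" and "R3"; the leaf is signed by R3, but the server's .combined bundle still carries X3, which is exactly the situation in which a verifier reports "unable to get local issuer certificate". All names (Toy Root, mail.example.test, the file names) are assumptions made for the example; the check_chain function verifies a bundle the same way a mail client or checktls.com does after STARTTLS.

```shell
#!/bin/sh
# Added example: reproduce and check the "wrong intermediate in the bundle" failure.
# Needs only the openssl CLI; everything is generated in a scratch directory (no network).
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Minimal config for openssl req / x509: a CA profile and a server-leaf profile.
cat > pki.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[leaf_ext]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = serverAuth
subjectAltName = DNS:mail.example.test, DNS:example.test
EOF

# issue NAME SUBJECT EXTENSION_SECTION ISSUER: make a P-256 key + CSR, sign it with ISSUER.
issue() {
  name=$1 subj=$2 ext=$3 issuer=$4
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes -config pki.cnf \
    -keyout "$name.key" -out "$name.csr" -subj "$subj" 2>/dev/null
  openssl x509 -req -in "$name.csr" -CA "$issuer.pem" -CAkey "$issuer.key" -CAcreateserial \
    -days 30 -extfile pki.cnf -extensions "$ext" -out "$name.pem" 2>/dev/null
}

# Toy trust anchor (stands in for the root the verifying side already trusts).
openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes -config pki.cnf \
  -keyout root.key -out root.pem -subj "/CN=Toy Root" -days 30 -extensions ca_ext 2>/dev/null

issue int_x3 "/CN=Toy Intermediate X3" ca_ext root    # the intermediate an outdated tool still bundles
issue int_r3 "/CN=Toy Intermediate R3" ca_ext root    # the intermediate that actually signed the new leaf
issue leaf   "/CN=mail.example.test"   leaf_ext int_r3

# What a server with a stale .ca file sends, versus what it should send (leaf first, then intermediate).
cat leaf.pem int_x3.pem > wrong.combined
cat leaf.pem int_r3.pem > right.combined

# check_chain BUNDLE ROOT: verify the first cert in BUNDLE, using the remaining certs as the
# untrusted intermediates, exactly as a client would with what the MX sends after STARTTLS.
# Prints "ok", or openssl's own reason when the chain cannot be built.
check_chain() {
  bundle=$1 root=$2
  dir=$(mktemp -d)
  awk -v d="$dir" 'BEGIN{n=0} /-----BEGIN CERTIFICATE-----/{n++} {print > (d "/cert" n ".pem")}' "$bundle"
  if [ -s "$dir/cert2.pem" ]; then
    cat "$dir"/cert[2-9].pem > "$dir/untrusted.pem"
    set -- -untrusted "$dir/untrusted.pem"
  else
    set --
  fi
  if openssl verify -CAfile "$root" "$@" "$dir/cert1.pem" > "$dir/out" 2>&1; then
    echo ok
  else
    grep -o 'unable to get local issuer certificate' "$dir/out" || echo fail
  fi
}

echo "stale bundle : $(check_chain wrong.combined root.pem)"
echo "fixed bundle : $(check_chain right.combined root.pem)"

# Against a live server the same check is:
#   openssl s_client -connect mail.example.test:25 -starttls smtp -showcerts </dev/null
# and the intermediate the server sends must be the one named in the leaf's "issuer=" line.
```

The stale bundle fails with the same reason checktls.com printed in the first post, while the fixed bundle verifies; swapping the intermediate in the .ca/.combined files is all that changes between the two. Note that the leaf's own hostname check passing (as it did in the thread) says nothing about the chain: the hostname is compared against the leaf, the chain is built from the intermediates.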

Worked!

Thank you!
