Why Not Delay SSL Cert Acquisition when Creating a New Virtual Server?

I love how easy it is to create new sites on Virtualmin, but there’s one very minor annoyance: SSL always fails validation on initial setup because the site does not, in fact, exist yet.

Wouldn’t it make sense to wait until everything else is done and Apache is serving the site before requesting the SSL cert?

Richard

It only doesn’t exist if DNS isn’t working. By the time Virtualmin makes the LE request, everything it can set up is set up.

That said, I don’t really like this new default behavior either (it used to not do it automatically; I also don’t like the new default domain, for the same reason), because it makes an assumption that simply isn’t true for most of our users. We assume our users either are managing DNS with Virtualmin (either locally or via one of the cloud DNS providers we support), or that users have correctly set up DNS for the domains they’re creating. But both of those are wildly optimistic. Most users host their DNS at their registrar, and most users don’t know what records to create until Virtualmin tells them on the Suggested DNS Records page. We’re optimizing for a workflow that is rare, which is bad UI.

There is an option (IIRC during the post-install wizard) to untick getting the SSL so that it doesn’t fail.

My default is set to that because of the way I migrated my domains.

I must be the only guy around who thinks DNS is the easiest part of hosting. I always host my own DNS.

I’ve never had SSL validate when setting up a brand-new VS, however. It does a few seconds later when I do it manually in Server Configuration > SSL Certificate > Let's Encrypt, but never during initial setup of the VS.

It’s not a big deal, mind you. But it seems to me that perhaps a five-second delay after the site is being served by Apache before requesting the cert might make the manual step unnecessary.

Richard


Hmm…that’s a different issue, actually. I assumed it wasn’t working because you didn’t have DNS (that’s the most common), but that sounds like a bug. Apache should already be serving your site by the time LE gets requested.

Do you have postinstall scripts that could be causing delays, or restarting Apache?

No, no post-install scripts, at least none that I added. It’s just a standard new Virtual Server setup with all features enabled except Git repos.

OK, what’s the full error from Let’s Encrypt?

Is that in a log somewhere? It kind of flies by, and I don’t have a new domain to set up. I think it’s “domain validation failed” or something along those lines.

Here we go (redacted domain):

Requesting a certificate for domain.tld, www.domain.tld, mail.domain.tld, admin.domain.tld, webmail.domain.tld, autoconfig.domain.tld, autodiscover.domain.tld from Let’s Encrypt …
… connectivity check failed

But immediately requesting it manually succeeds, every time, even if only a few seconds afterwards.

The SSL cert request comes right before Creating initial website index page ..

Maybe if the page were created before requesting the cert? I don’t know if Let’s Encrypt will issue a cert if the index page is 404, which would seem to be the case if it hasn’t been created yet.

Richard

LE doesn’t care about the index page.

I believe the “… connectivity check failed” message comes from Virtualmin, not Let’s Encrypt. I think we make a request of our connectivity checker app, which then makes a request of your web server. If we’re expecting an index page, that’d be silly. But, that might be an explanation for what’s going wrong in your case.

We could test that theory if you wanted to put a default page back into your skeleton (I guess you’ve disabled the Virtualmin provided default page).

No, it’s still there. All I’ve done is change the hosting plan and added an email address. The Web side is exactly as it was at creation save for the manually-acquired SSL cert.

https://mydiyjobs.com

EDIT: I also enabled DMARC.

OK, so that rules that out. Why did you think the index page would be a 404, though? If there’s a default page, it would be a 200.

I’m stumped why the connectivity check would fail there. Do you have a firewall that would prevent Virtualmin from making requests of our servers? (I think that’d break updates, so I can’t imagine that’d be the case. I wonder if we log those requests somewhere…I don’t think we store the results, but maybe the access log has an entry with clues…)

I see the request, but we don’t store the result. So, that didn’t help.

But, I have confirmed our server is able to make a web request of your server. So, connectivity check shouldn’t fail. I dunno what to make of it.

Well, it wouldn’t be an actual 404 with headers, but it wouldn’t be a 200, which is what I’d think LE would want.

But, if the connectivity check is coming from Virtualmin and there’s no index page, then what exactly is it querying from Apache, and why does it succeed five seconds later?

It’s just a minor thing, something less than an annoyance even. It would be nice if it weren’t there, though.

Richard
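The thread above boils down to a connectivity check that runs a moment too early: it asks Apache for the domain before the new vhost is fully serving, so it fails, while a request a few seconds later succeeds. As an added illustration (not Virtualmin’s code; `check_host`, `preflight`, the hostnames and the delay values are all assumptions), this is the shape of a pre-flight check an admin could run before an ACME HTTP-01 order: it confirms each hostname resolves, then polls the challenge path with a short delay between attempts, so a site that is still coming up is retried rather than reported as unreachable.

```python
"""Pre-flight check for an ACME HTTP-01 order (hypothetical helper, not
Virtualmin code): for every hostname that will go on the certificate, confirm
DNS resolves and the challenge URL answers, retrying with a short delay so a
web server that is still reloading is not reported as a failure."""
import socket
import time
import urllib.error
import urllib.request

CHALLENGE_PATH = "/.well-known/acme-challenge/"


def default_fetch(url, timeout=5):
    """Plain HTTP GET returning (status, body); no answer at all becomes status 0."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:        # server answered, e.g. 404 from the wrong vhost
        return e.code, ""
    except (urllib.error.URLError, OSError):   # refused, timeout, no route
        return 0, ""


def default_resolve(host):
    """Addresses the public resolver returns for the host; [] when there is no record."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(host, 80)})
    except socket.gaierror:
        return []


def check_host(host, token, expected_body, fetch=default_fetch,
               resolve=default_resolve, attempts=3, delay=5.0, sleep=time.sleep):
    """Return (ok, reason). A missing DNS record fails at once; an HTTP answer
    that is not yet the challenge body is retried `attempts` times, `delay`
    seconds apart, since that is exactly what a vhost still reloading looks like."""
    if not resolve(host):
        return False, "dns: no A/AAAA record"
    url = f"http://{host}{CHALLENGE_PATH}{token}"
    last = "no answer"
    for n in range(1, attempts + 1):
        status, body = fetch(url)
        if status == 200 and body.strip() == expected_body:
            return True, f"ok after {n} attempt(s)"
        last = f"http {status}" if status else "no answer"
        if n < attempts:
            sleep(delay)
    return False, f"{last} after {attempts} attempts"


def preflight(hosts, token, expected_body, **kw):
    """Run check_host over every SAN that will go on the certificate."""
    return {h: check_host(h, token, expected_body, **kw) for h in hosts}
```

`preflight(["domain.tld", "www.domain.tld", "mail.domain.tld"], token, body)` reports, per hostname, whether to proceed or which name is the one still missing a record or a vhost.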

Just my 2 cents, but I’m an id10t (not THE ID10T) so don’t be offended or angry.

This is how we have our Virtualmin server set up for self-hosted DNS with our registrar being GoDaddy:

One-time setting at our registrar, GoDaddy:
Set up Hostnames for my Virtualmin server’s primary domain. At GoDaddy you configure Hostnames via DNS then Hostnames. We have 2 DNS (Virtualmin) servers in different datacenters in different cities.

Now for any newly registered domains we only set their DNS Nameservers to our two previously mentioned registered Hostnames.

We can usually add the domain to Virtualmin in less than a minute after setting the DNS Nameservers at GoDaddy and not get any Let’s Encrypt errors.
