Wildcard Let's Encrypt - getting there

CentOS Linux 7.7.1908
Apache 2.4.6
Virtualmin GPL
DNS is managed by Vmin/Bind
Default Let’s Encrypt module

My first attempt at requesting a (wildcard) SSL cert for
*.mydomain.com (just this in the request - no other subdomains included)

errored with … DNS-based validation failed… and a demand that certbot be installed. I installed it and on the next attempt got


Undefined subroutine &main::restart_zone called at /usr/libexec/webmin/webmin/letsencrypt-dns.pl line 47.

Undefined subroutine &main::restart_zone called at /usr/libexec/webmin/webmin/letsencrypt-cleanup.pl line 38.


I corrected these two files with the GitHub resolution at https://github.com/webmin/webmin/commit/771be1a754fafa02abb5d5670f3ba4a6

rebooted the server, and then got these errors:
request failed : Web-based validation failed : Wildcard hostname *.mydomain.com can only be validated in DNS mode DNS-based validation failed :

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for mydomain.com
Running manual-auth-hook command: /etc/webmin/webmin/letsencrypt-dns.pl
Waiting for verification…
Challenge failed for domain mydomain.com
dns-01 challenge for mydomain.com
Cleaning up challenges
Running manual-cleanup-hook command: /etc/webmin/webmin/letsencrypt-cleanup.pl
Some challenges have failed.
IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: mydomain.com
    Type: dns
    Detail: DNS problem: NXDOMAIN looking up TXT for
    _acme-challenge.mydomain.com

I was able to create the cert without the wildcard entry.
I don’t have a .htaccess file in public_html.
I am not using IPv6 on this virtual server.
The main domain has DNS & SSL enabled.
Below the main domain I have subdomains and alias servers, which all have DNS enabled.

Any suggestions?

Probably obvious, but there is no _acme-challenge TXT entry created in DNS Records.

And here is the letsencrypt.log if it’s of any help:

2019-11-23 14:20:00,952:DEBUG:certbot.main:certbot version: 0.39.0
2019-11-23 14:20:00,952:DEBUG:certbot.main:Arguments: ['--manual', '-d', '*.mydomain.com', '--preferred-challenges=dns', '--manual-auth-hook', '/etc/webmin/webmin/letsencrypt-dns.pl', '--manual-cleanup-hook', '/etc/webmin/webmin/letsencrypt-cleanup.pl', '--duplicate', '--force-renewal', '--manual-public-ip-logging-ok', '--config', '/tmp/.webmin/894685_10770_2_letsencrypt.cgi', '--rsa-key-size', '2048', '--cert-name', '*.mydomain.com']
2019-11-23 14:20:00,952:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2019-11-23 14:20:00,968:DEBUG:certbot.log:Root logging level set at 20
2019-11-23 14:20:00,968:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2019-11-23 14:20:00,969:DEBUG:certbot.plugins.selection:Requested authenticator manual and installer None
2019-11-23 14:20:00,970:DEBUG:certbot.plugins.selection:Single candidate plugin: * manual
Description: Manual configuration or run your own shell scripts
Interfaces: IAuthenticator, IPlugin
Entry point: manual = certbot.plugins.manual:Authenticator
Initialized: <certbot.plugins.manual.Authenticator object at 0x7f93d258b890>
Prep: True
2019-11-23 14:20:00,970:DEBUG:certbot.plugins.selection:Selected authenticator <certbot.plugins.manual.Authenticator object at 0x7f93d258b890> and installer None
2019-11-23 14:20:00,970:INFO:certbot.plugins.selection:Plugins selected: Authenticator manual, Installer None
2019-11-23 14:20:00,992:DEBUG:certbot.main:Picked account: <Account(RegistrationResource(body=Registration(status=None, terms_of_service_agreed=None, agreement=None, only_return_existing=None, contact=(), key=None, external_account_binding=None), uri=u'https://acme-v02.api.letsencrypt.org/acme/acct/72375123', new_authzr_uri=None, terms_of_service=None), 91f5d54f15cb24d7c5b2c0016c4ed042, Meta(creation_host=u'ns1.mynameserver.com', creation_dt=datetime.datetime(2019, 11, 23, 10, 18, 39, tzinfo=)))>
2019-11-23 14:20:00,998:DEBUG:acme.client:Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
2019-11-23 14:20:01,003:INFO:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
2019-11-23 14:20:01,644:DEBUG:requests.packages.urllib3.connectionpool:"GET /directory HTTP/1.1" 200 658
2019-11-23 14:20:01,645:DEBUG:acme.client:Received response:
HTTP 200
content-length: 658
strict-transport-security: max-age=604800
server: nginx
connection: keep-alive
cache-control: public, max-age=0, no-cache
date: Sat, 23 Nov 2019 14:20:01 GMT
x-frame-options: DENY
content-type: application/json

{
  "2igNuAgelHk": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
  "keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
    "website": "https://letsencrypt.org"
  },
  "newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
  "newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
  "newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
  "revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"
}
2019-11-23 14:20:01,646:INFO:certbot.main:Obtaining a new certificate
2019-11-23 14:20:01,836:DEBUG:certbot.crypto_util:Generating key (2048 bits): /etc/letsencrypt/keys/0012_key-certbot.pem
2019-11-23 14:20:01,839:DEBUG:certbot.crypto_util:Creating CSR: /etc/letsencrypt/csr/0012_csr-certbot.pem
2019-11-23 14:20:01,840:DEBUG:acme.client:Requesting fresh nonce
2019-11-23 14:20:01,840:DEBUG:acme.client:Sending HEAD request to https://acme-v02.api.letsencrypt.org/acme/new-nonce.
2019-11-23 14:20:02,001:DEBUG:requests.packages.urllib3.connectionpool:"HEAD /acme/new-nonce HTTP/1.1" 200 0
2019-11-23 14:20:02,002:DEBUG:acme.client:Received response:
HTTP 200
strict-transport-security: max-age=604800
server: nginx
connection: keep-alive
link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
cache-control: public, max-age=0, no-cache
date: Sat, 23 Nov 2019 14:20:01 GMT
x-frame-options: DENY
replay-nonce: 0001R9eVJmc8MJ3AGfSxegbItnSm_3OcrwN_GV9GtSUz7r8

2019-11-23 14:20:02,002:DEBUG:acme.client:Storing nonce: 0001R9eVJmc8MJ3AGfSxegbItnSm_3OcrwN_GV9GtSUz7r8
2019-11-23 14:20:02,003:DEBUG:acme.client:JWS payload:
{
  "identifiers": [
    {
      "type": "dns",
      "value": "*.mydomain.com"
    }
  ]
}
2019-11-23 14:20:02,005:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/new-order:
2019-11-23 14:20:02,392:DEBUG:requests.packages.urllib3.connectionpool:"POST /acme/new-order HTTP/1.1" 201 348
2019-11-23 14:20:02,392:DEBUG:acme.client:Received response:
HTTP 201
content-length: 348
cache-control: public, max-age=0, no-cache
strict-transport-security: max-age=604800
server: nginx
connection: keep-alive
link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
location: https://acme-v02.api.letsencrypt.org/acme/order/72375123/1581229425
boulder-requester: 72375123
date: Sat, 23 Nov 2019 14:20:02 GMT
x-frame-options: DENY
content-type: application/json
replay-nonce: 0002N6m0uTFYzhQuSGsEWR7Y5YLOn4IKQxpVPqrtS9KCJ4g

{
  "status": "pending",
  "expires": "2019-11-30T14:20:02.231114763Z",
  "identifiers": [
    {
      "type": "dns",
      "value": "*.mydomain.com"
    }
  ],
  "authorizations": [
    "https://acme-v02.api.letsencrypt.org/acme/authz-v3/1370765971"
  ],
  "finalize": "https://acme-v02.api.letsencrypt.org/acme/finalize/72375123/1581229425"
}
2019-11-23 14:20:02,393:DEBUG:acme.client:Storing nonce: 0002N6m0uTFYzhQuSGsEWR7Y5YLOn4IKQxpVPqrtS9KCJ4g
2019-11-23 14:20:02,393:DEBUG:acme.client:JWS payload:

2019-11-23 14:20:02,394:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/1370765971:
2019-11-23 14:20:02,717:DEBUG:requests.packages.urllib3.connectionpool:"POST /acme/authz-v3/1370765971 HTTP/1.1" 200 388
2019-11-23 14:20:02,718:DEBUG:acme.client:Received response:
HTTP 200
content-length: 388
cache-control: public, max-age=0, no-cache
strict-transport-security: max-age=604800
server: nginx
connection: keep-alive
link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
boulder-requester: 72375123
date: Sat, 23 Nov 2019 14:20:02 GMT
x-frame-options: DENY
content-type: application/json
replay-nonce: 0002gPFihLTnsJ2-Yprgpn1Fwfl6wGliWloRF-FICbzl6Rs

{
  "identifier": {
    "type": "dns",
    "value": "mydomain.com"
  },
  "status": "pending",
  "expires": "2019-11-30T14:20:02Z",
  "challenges": [
    {
      "type": "dns-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/1370765971/9cRC5g",
      "token": "TdqDZ4dH7KWGRGgQfj7sT-ixzD-fJkRGFtBK8g_Rhic"
    }
  ],
  "wildcard": true
}
2019-11-23 14:20:02,718:DEBUG:acme.client:Storing nonce: 0002gPFihLTnsJ2-Yprgpn1Fwfl6wGliWloRF-FICbzl6Rs
2019-11-23 14:20:02,719:INFO:certbot.auth_handler:Performing the following challenges:
2019-11-23 14:20:02,719:INFO:certbot.auth_handler:dns-01 challenge for mydomain.com
2019-11-23 14:20:02,723:INFO:certbot.hooks:Running manual-auth-hook command: /etc/webmin/webmin/letsencrypt-dns.pl
2019-11-23 14:20:15,986:INFO:certbot.auth_handler:Waiting for verification…
2019-11-23 14:20:15,987:DEBUG:acme.client:JWS payload:
{
  "type": "dns-01",
  "resource": "challenge"
}
2019-11-23 14:20:15,990:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/chall-v3/1370765971/9cRC5g:
2019-11-23 14:20:16,285:DEBUG:requests.packages.urllib3.connectionpool:"POST /acme/chall-v3/1370765971/9cRC5g HTTP/1.1" 200 184
2019-11-23 14:20:16,287:DEBUG:acme.client:Received response:
HTTP 200
content-length: 184
cache-control: public, max-age=0, no-cache
strict-transport-security: max-age=604800
server: nginx
connection: keep-alive
link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index", <https://acme-v02.api.letsencrypt.org/acme/authz-v3/1370765971>;rel="up"
location: https://acme-v02.api.letsencrypt.org/acme/chall-v3/1370765971/9cRC5g
boulder-requester: 72375123
date: Sat, 23 Nov 2019 14:20:16 GMT
x-frame-options: DENY
content-type: application/json
replay-nonce: 0001F-Bh63pyygwrdV_MAzLAc6885CTGPPRRHb5IoUGrE64

{
  "type": "dns-01",
  "status": "pending",
  "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/1370765971/9cRC5g",
  "token": "TdqDZ4dH7KWGRGgQfj7sT-ixzD-fJkRGFtBK8g_Rhic"
}
2019-11-23 14:20:16,288:DEBUG:acme.client:Storing nonce: 0001F-Bh63pyygwrdV_MAzLAc6885CTGPPRRHb5IoUGrE64
2019-11-23 14:20:17,290:DEBUG:acme.client:JWS payload:

2019-11-23 14:20:17,294:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/1370765971:
2019-11-23 14:20:17,471:DEBUG:requests.packages.urllib3.connectionpool:"POST /acme/authz-v3/1370765971 HTTP/1.1" 200 581
2019-11-23 14:20:17,472:DEBUG:acme.client:Received response:
HTTP 200
content-length: 581
cache-control: public, max-age=0, no-cache
strict-transport-security: max-age=604800
server: nginx
connection: keep-alive
link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
boulder-requester: 72375123
date: Sat, 23 Nov 2019 14:20:17 GMT
x-frame-options: DENY
content-type: application/json
replay-nonce: 00010hOfdpBmwKBNB3rVFcSAf9IJuKNd0zCvoQ6beohL3og

{
  "identifier": {
    "type": "dns",
    "value": "mydomain.com"
  },
  "status": "invalid",
  "expires": "2019-11-30T14:20:02Z",
  "challenges": [
    {
      "type": "dns-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:dns",
        "detail": "DNS problem: NXDOMAIN looking up TXT for _acme-challenge.mydomain.com",
        "status": 400
      },
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/1370765971/9cRC5g",
      "token": "TdqDZ4dH7KWGRGgQfj7sT-ixzD-fJkRGFtBK8g_Rhic"
    }
  ],
  "wildcard": true
}
2019-11-23 14:20:17,473:DEBUG:acme.client:Storing nonce: 00010hOfdpBmwKBNB3rVFcSAf9IJuKNd0zCvoQ6beohL3og
2019-11-23 14:20:17,473:WARNING:certbot.auth_handler:Challenge failed for domain mydomain.com
2019-11-23 14:20:17,473:INFO:certbot.auth_handler:dns-01 challenge for mydomain.com
2019-11-23 14:20:17,474:DEBUG:certbot.reporter:Reporting to user: The following errors were reported by the server:

Domain: mydomain.com
Type: dns
Detail: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.mydomain.com
2019-11-23 14:20:17,474:DEBUG:certbot.error_handler:Encountered exception:
Traceback (most recent call last):
File "/usr/lib/python2.7/site-packages/certbot/auth_handler.py", line 90, in handle_authorizations
self._poll_authorizations(authzrs, max_retries, best_effort)
File "/usr/lib/python2.7/site-packages/certbot/auth_handler.py", line 154, in _poll_authorizations
raise errors.AuthorizationError('Some challenges have failed.')
AuthorizationError: Some challenges have failed.

2019-11-23 14:20:17,474:DEBUG:certbot.error_handler:Calling registered functions
2019-11-23 14:20:17,474:INFO:certbot.auth_handler:Cleaning up challenges
2019-11-23 14:20:17,475:INFO:certbot.hooks:Running manual-cleanup-hook command: /etc/webmin/webmin/letsencrypt-cleanup.pl
2019-11-23 14:20:20,749:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
File "/bin/letsencrypt", line 9, in
load_entry_point('certbot==0.39.0', 'console_scripts', 'certbot')()
File "/usr/lib/python2.7/site-packages/certbot/main.py", line 1378, in main
return config.func(config, plugins)
File "/usr/lib/python2.7/site-packages/certbot/main.py", line 1265, in certonly
lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
File "/usr/lib/python2.7/site-packages/certbot/main.py", line 121, in _get_and_save_cert
lineage = le_client.obtain_and_enroll_certificate(domains, certname)
File "/usr/lib/python2.7/site-packages/certbot/client.py", line 405, in obtain_and_enroll_certificate
cert, chain, key, _ = self.obtain_certificate(domains)
File "/usr/lib/python2.7/site-packages/certbot/client.py", line 348, in obtain_certificate
orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
File "/usr/lib/python2.7/site-packages/certbot/client.py", line 384, in _get_order_and_authorizations
authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
File "/usr/lib/python2.7/site-packages/certbot/auth_handler.py", line 90, in handle_authorizations
self._poll_authorizations(authzrs, max_retries, best_effort)
File "/usr/lib/python2.7/site-packages/certbot/auth_handler.py", line 154, in _poll_authorizations
raise errors.AuthorizationError('Some challenges have failed.')
AuthorizationError: Some challenges have failed.

Yup, you didn’t post some versions: Virtualmin / Webmin / certbot script.
I can’t help, but start with https://blog.nodebb.org/generating-your-first-wildcard-ssl-certificate-via-lets-encrypt/

DNS part of provider, or yours in Virtualmin, I guess.

Don’t know if Virtualmin is ready to handle that part for now, while they are busy with updating Let’s Encrypt parts, as you can see in the forum.

Thanks for the link, I’ll take a look.

I will post the versions I missed:

Webmin version v1.932
Virtualmin version v6.08
certbot v0.39.0
Running my own DNS server

That link was a big help.
I was able to manually create a wildcard certificate using certbot. This showed that I needed to wait a while between manually adding the _acme-challenge TXT record in DNS Records and Let’s Encrypt being able to verify it. I’m not sure if that was due to my server or a peculiarity of wildcard creation.

I suspect that as the Virtualmin Lets Encrypt module tries to gain verification almost immediately, that was why I was getting the DNS “NXDOMAIN looking up TXT for _acme-challenge…” error.

Although I’ve successfully created a wildcard cert, I just have to figure out how to use it and then remember to manually renew in a couple of months. Hopefully I’ll be able to use the built-in module by then.
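The propagation wait described in the post above can be enforced inside the auth hook instead of being left to luck. This is an added example, not Virtualmin's letsencrypt-dns.pl or any code from the thread: it assumes dig (bind-utils on CentOS) is installed, that the TXT record has already been written to the zone by the preceding step, and it relies on the CERTBOT_DOMAIN and CERTBOT_VALIDATION variables certbot exports to manual hooks.

```shell
#!/bin/sh
# Added example, not Virtualmin's letsencrypt-dns.pl: a certbot manual-auth-hook
# step that waits until the dns-01 TXT record is visible on every authoritative
# nameserver before handing control back to certbot. Assumes 'dig' (bind-utils
# on CentOS) and that the record was already written by the preceding step.

# Name the CA queries. A wildcard identifier "*.mydomain.com" is validated at
# _acme-challenge.mydomain.com: the leading "*." is dropped, which is why the
# thread's log reports NXDOMAIN for _acme-challenge.mydomain.com.
acme_challenge_name() {
    printf '_acme-challenge.%s\n' "${1#\*.}"
}

# Print the NS set of the closest enclosing zone, walking up one label at a
# time so sub.mydomain.com falls back to mydomain.com's servers.
authoritative_ns() {
    zone=$1
    while [ -n "$zone" ]; do
        ns=$(dig +short NS "$zone" 2>/dev/null || true)
        if [ -n "$ns" ]; then
            printf '%s\n' "$ns"
            return 0
        fi
        case "$zone" in
            *.*) zone=${zone#*.} ;;
            *)   zone= ;;
        esac
    done
    return 1
}

# Return 0 only when every authoritative server answers the expected TXT value.
txt_published_everywhere() {
    name=$1 expected=$2
    nslist=$(authoritative_ns "$3") || return 1
    for ns in $nslist; do
        # dig prints TXT data in double quotes; strip them before comparing
        if ! dig +short @"$ns" TXT "$name" 2>/dev/null | tr -d '"' | grep -qxF "$expected"; then
            return 1
        fi
    done
    return 0
}

# Poll every 5 s until the record is visible or the deadline (seconds) passes.
wait_for_txt() {
    deadline=${4:-120} elapsed=0
    while [ "$elapsed" -lt "$deadline" ]; do
        txt_published_everywhere "$1" "$2" "$3" && return 0
        sleep 5
        elapsed=$((elapsed + 5))
    done
    return 1
}

# Entry point when certbot invokes this file as the auth hook.
if [ -n "${CERTBOT_DOMAIN:-}" ] && [ -n "${CERTBOT_VALIDATION:-}" ]; then
    wait_for_txt "$(acme_challenge_name "$CERTBOT_DOMAIN")" "$CERTBOT_VALIDATION" "${CERTBOT_DOMAIN#\*.}" || exit 1
fi
```

Exiting non-zero from the hook makes certbot abort before it asks the CA to validate, so a record that never propagated fails locally instead of burning a failed-validation attempt at Let's Encrypt.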

IIRC - LetsEncrypt can either validate against DNS records or by checking a file in a specified location. I suspect Virtualmin goes down the 2nd road (in the case of offsite DNS).

@dibs is this also for wildcard?

So far as I know, the DNS part is important there.

@jfro - wildcard certs from LE can only be done with DNS validation - or so their documentation says & there are no plans otherwise.

Yup, in case of wildcard! That means for a lot of control panels with external/offsite DNS, automatic is not possible, or only with extra API/scripts to those external DNS services.

Naming this while some don’t know, I guess? As possible here https://www.virtualmin.com/node/65809

So far I did some reading.

You mentioned 2nd road therefore my reaction. :wink:

Also, the/some wait time somewhere in the forum should be set right for resolving / do it with internal DNS and scripts right after creating such virtual servers (with slave…) and so on.

Personally I don’t have issues doing or having single (Virtual Server) LE SSL certs. The only “issue” is Postfix as it currently isn’t SNI friendly. But from what I have read - SNI for Postfix is on the near horizon so maybe in 1st half of 2020 that might be a reality - so single certs might be 100% fine then.