CentOS Linux 7.7.1908
Apache 2.4.6
Virtualmin GPL
DNS is managed by Vmin/Bind
Default Let's Encrypt module
My first attempt at requesting a (wildcard) SSL cert for
*.mydomain.com (just this in the request - no other subdomains included)
errored with .. DNS-based validation failed.. and a demand that certbot be installed. I installed it and on the next attempt got
...
Undefined subroutine &main::restart_zone called at /usr/libexec/webmin/webmin/letsencrypt-dns.pl line 47.
...
Undefined subroutine &main::restart_zone called at /usr/libexec/webmin/webmin/letsencrypt-cleanup.pl line 38.
...
I corrected these two files with the GitHub resolution at https://github.com/webmin/webmin/commit/771be1a754fafa02abb5d5670f3ba4a6...
rebooted the server, and then got these errors:
request failed : Web-based validation failed : Wildcard hostname *.mydomain.com can only be validated in DNS mode DNS-based validation failed :
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for mydomain.com
Running manual-auth-hook command: /etc/webmin/webmin/letsencrypt-dns.pl
Waiting for verification...
Challenge failed for domain mydomain.com
dns-01 challenge for mydomain.com
Cleaning up challenges
Running manual-cleanup-hook command: /etc/webmin/webmin/letsencrypt-cleanup.pl
Some challenges have failed.
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: mydomain.com
Type: dns
Detail: DNS problem: NXDOMAIN looking up TXT for
_acme-challenge.mydomain.com
I was able to create the cert without the wildcard entry.
I don't have an .htaccess file in public_html
I am not using ipv6 on this virtualserver.
The main domain has DNS & SSL enabled.
Below the main domain I have subdomains and alias servers; all have DNS enabled.
Any suggestions?
Probably obvious but there is no _acme-challenge TXT entry created in DNS records
And here is the letsencrypt.log if it's of any help:
2019-11-23 14:20:00,952:DEBUG:certbot.main:certbot version: 0.39.0
2019-11-23 14:20:00,952:DEBUG:certbot.main:Arguments: ['--manual', '-d', '*.mydomain.com', '--preferred-challenges=dns', '--manual-auth-hook', '/etc/webmin/webmin/letsencrypt-dns.pl', '--manual-cleanup-hook', '/etc/webmin/webmin/letsencrypt-cleanup.pl', '--duplicate', '--force-renewal', '--manual-public-ip-logging-ok', '--config', '/tmp/.webmin/894685_10770_2_letsencrypt.cgi', '--rsa-key-size', '2048', '--cert-name', '*.mydomain.com']
2019-11-23 14:20:00,952:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2019-11-23 14:20:00,968:DEBUG:certbot.log:Root logging level set at 20
2019-11-23 14:20:00,968:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2019-11-23 14:20:00,969:DEBUG:certbot.plugins.selection:Requested authenticator manual and installer None
2019-11-23 14:20:00,970:DEBUG:certbot.plugins.selection:Single candidate plugin: * manual
Description: Manual configuration or run your own shell scripts
Interfaces: IAuthenticator, IPlugin
Entry point: manual = certbot.plugins.manual:Authenticator
Initialized: <certbot.plugins.manual.Authenticator object at 0x7f93d258b890>
Prep: True
2019-11-23 14:20:00,970:DEBUG:certbot.plugins.selection:Selected authenticator <certbot.plugins.manual.Authenticator object at 0x7f93d258b890> and installer None
2019-11-23 14:20:00,970:INFO:certbot.plugins.selection:Plugins selected: Authenticator manual, Installer None
2019-11-23 14:20:00,992:DEBUG:certbot.main:Picked account: <Account(RegistrationResource(body=Registration(status=None, terms_of_service_agreed=None, agreement=None, only_return_existing=None, contact=(), key=None, external_account_binding=None), uri=u'https://acme-v02.api.letsencrypt.org/acme/acct/72375123', new_authzr_uri=None, terms_of_service=None), 91f5d54f15cb24d7c5b2c0016c4ed042, Meta(creation_host=u'ns1.mynameserver.com', creation_dt=datetime.datetime(2019, 11, 23, 10, 18, 39, tzinfo=<UTC>)))>
2019-11-23 14:20:00,998:DEBUG:acme.client:Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
2019-11-23 14:20:01,003:INFO:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
2019-11-23 14:20:01,644:DEBUG:requests.packages.urllib3.connectionpool:"GET /directory HTTP/1.1" 200 658
2019-11-23 14:20:01,645:DEBUG:acme.client:Received response:
HTTP 200
content-length: 658
strict-transport-security: max-age=604800
server: nginx
connection: keep-alive
cache-control: public, max-age=0, no-cache
date: Sat, 23 Nov 2019 14:20:01 GMT
x-frame-options: DENY
content-type: application/json
{
"2igNuAgelHk": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
"keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
"meta": {
"caaIdentities": [
"letsencrypt.org"
],
"termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
"website": "https://letsencrypt.org"
},
"newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
"newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
"newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
"revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"
}
2019-11-23 14:20:01,646:INFO:certbot.main:Obtaining a new certificate
2019-11-23 14:20:01,836:DEBUG:certbot.crypto_util:Generating key (2048 bits): /etc/letsencrypt/keys/0012_key-certbot.pem
2019-11-23 14:20:01,839:DEBUG:certbot.crypto_util:Creating CSR: /etc/letsencrypt/csr/0012_csr-certbot.pem
2019-11-23 14:20:01,840:DEBUG:acme.client:Requesting fresh nonce
2019-11-23 14:20:01,840:DEBUG:acme.client:Sending HEAD request to https://acme-v02.api.letsencrypt.org/acme/new-nonce.
2019-11-23 14:20:02,001:DEBUG:requests.packages.urllib3.connectionpool:"HEAD /acme/new-nonce HTTP/1.1" 200 0
2019-11-23 14:20:02,002:DEBUG:acme.client:Received response:
HTTP 200
strict-transport-security: max-age=604800
server: nginx
connection: keep-alive
link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
cache-control: public, max-age=0, no-cache
date: Sat, 23 Nov 2019 14:20:01 GMT
x-frame-options: DENY
replay-nonce: 0001R9eVJmc8MJ3AGfSxegbItnSm_3OcrwN_GV9GtSUz7r8
2019-11-23 14:20:02,002:DEBUG:acme.client:Storing nonce: 0001R9eVJmc8MJ3AGfSxegbItnSm_3OcrwN_GV9GtSUz7r8
2019-11-23 14:20:02,003:DEBUG:acme.client:JWS payload:
{
"identifiers": [
{
"type": "dns",
"value": "*.mydomain.com"
}
]
}
2019-11-23 14:20:02,005:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/new-order:
2019-11-23 14:20:02,392:DEBUG:requests.packages.urllib3.connectionpool:"POST /acme/new-order HTTP/1.1" 201 348
2019-11-23 14:20:02,392:DEBUG:acme.client:Received response:
HTTP 201
content-length: 348
cache-control: public, max-age=0, no-cache
strict-transport-security: max-age=604800
server: nginx
connection: keep-alive
link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
location: https://acme-v02.api.letsencrypt.org/acme/order/72375123/1581229425
boulder-requester: 72375123
date: Sat, 23 Nov 2019 14:20:02 GMT
x-frame-options: DENY
content-type: application/json
replay-nonce: 0002N6m0uTFYzhQuSGsEWR7Y5YLOn4IKQxpVPqrtS9KCJ4g
{
"status": "pending",
"expires": "2019-11-30T14:20:02.231114763Z",
"identifiers": [
{
"type": "dns",
"value": "*.mydomain.com"
}
],
"authorizations": [
"https://acme-v02.api.letsencrypt.org/acme/authz-v3/1370765971"
],
"finalize": "https://acme-v02.api.letsencrypt.org/acme/finalize/72375123/1581229425"
}
2019-11-23 14:20:02,393:DEBUG:acme.client:Storing nonce: 0002N6m0uTFYzhQuSGsEWR7Y5YLOn4IKQxpVPqrtS9KCJ4g
2019-11-23 14:20:02,393:DEBUG:acme.client:JWS payload:
2019-11-23 14:20:02,394:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/1370765971:
2019-11-23 14:20:02,717:DEBUG:requests.packages.urllib3.connectionpool:"POST /acme/authz-v3/1370765971 HTTP/1.1" 200 388
2019-11-23 14:20:02,718:DEBUG:acme.client:Received response:
HTTP 200
content-length: 388
cache-control: public, max-age=0, no-cache
strict-transport-security: max-age=604800
server: nginx
connection: keep-alive
link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
boulder-requester: 72375123
date: Sat, 23 Nov 2019 14:20:02 GMT
x-frame-options: DENY
content-type: application/json
replay-nonce: 0002gPFihLTnsJ2-Yprgpn1Fwfl6wGliWloRF-FICbzl6Rs
{
"identifier": {
"type": "dns",
"value": "mydomain.com"
},
"status": "pending",
"expires": "2019-11-30T14:20:02Z",
"challenges": [
{
"type": "dns-01",
"status": "pending",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/1370765971/9cRC5g",
"token": "TdqDZ4dH7KWGRGgQfj7sT-ixzD-fJkRGFtBK8g_Rhic"
}
],
"wildcard": true
}
2019-11-23 14:20:02,718:DEBUG:acme.client:Storing nonce: 0002gPFihLTnsJ2-Yprgpn1Fwfl6wGliWloRF-FICbzl6Rs
2019-11-23 14:20:02,719:INFO:certbot.auth_handler:Performing the following challenges:
2019-11-23 14:20:02,719:INFO:certbot.auth_handler:dns-01 challenge for mydomain.com
2019-11-23 14:20:02,723:INFO:certbot.hooks:Running manual-auth-hook command: /etc/webmin/webmin/letsencrypt-dns.pl
2019-11-23 14:20:15,986:INFO:certbot.auth_handler:Waiting for verification...
2019-11-23 14:20:15,987:DEBUG:acme.client:JWS payload:
{
"type": "dns-01",
"resource": "challenge"
}
2019-11-23 14:20:15,990:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/chall-v3/1370765971/9cRC5g:
2019-11-23 14:20:16,285:DEBUG:requests.packages.urllib3.connectionpool:"POST /acme/chall-v3/1370765971/9cRC5g HTTP/1.1" 200 184
2019-11-23 14:20:16,287:DEBUG:acme.client:Received response:
HTTP 200
content-length: 184
cache-control: public, max-age=0, no-cache
strict-transport-security: max-age=604800
server: nginx
connection: keep-alive
link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index", <https://acme-v02.api.letsencrypt.org/acme/authz-v3/1370765971>;rel="up"
location: https://acme-v02.api.letsencrypt.org/acme/chall-v3/1370765971/9cRC5g
boulder-requester: 72375123
date: Sat, 23 Nov 2019 14:20:16 GMT
x-frame-options: DENY
content-type: application/json
replay-nonce: 0001F-Bh63pyygwrdV_MAzLAc6885CTGPPRRHb5IoUGrE64
{
"type": "dns-01",
"status": "pending",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/1370765971/9cRC5g",
"token": "TdqDZ4dH7KWGRGgQfj7sT-ixzD-fJkRGFtBK8g_Rhic"
}
2019-11-23 14:20:16,288:DEBUG:acme.client:Storing nonce: 0001F-Bh63pyygwrdV_MAzLAc6885CTGPPRRHb5IoUGrE64
2019-11-23 14:20:17,290:DEBUG:acme.client:JWS payload:
2019-11-23 14:20:17,294:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/1370765971:
2019-11-23 14:20:17,471:DEBUG:requests.packages.urllib3.connectionpool:"POST /acme/authz-v3/1370765971 HTTP/1.1" 200 581
2019-11-23 14:20:17,472:DEBUG:acme.client:Received response:
HTTP 200
content-length: 581
cache-control: public, max-age=0, no-cache
strict-transport-security: max-age=604800
server: nginx
connection: keep-alive
link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
boulder-requester: 72375123
date: Sat, 23 Nov 2019 14:20:17 GMT
x-frame-options: DENY
content-type: application/json
replay-nonce: 00010hOfdpBmwKBNB3rVFcSAf9IJuKNd0zCvoQ6beohL3og
{
"identifier": {
"type": "dns",
"value": "mydomain.com"
},
"status": "invalid",
"expires": "2019-11-30T14:20:02Z",
"challenges": [
{
"type": "dns-01",
"status": "invalid",
"error": {
"type": "urn:ietf:params:acme:error:dns",
"detail": "DNS problem: NXDOMAIN looking up TXT for _acme-challenge.mydomain.com",
"status": 400
},
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/1370765971/9cRC5g",
"token": "TdqDZ4dH7KWGRGgQfj7sT-ixzD-fJkRGFtBK8g_Rhic"
}
],
"wildcard": true
}
2019-11-23 14:20:17,473:DEBUG:acme.client:Storing nonce: 00010hOfdpBmwKBNB3rVFcSAf9IJuKNd0zCvoQ6beohL3og
2019-11-23 14:20:17,473:WARNING:certbot.auth_handler:Challenge failed for domain mydomain.com
2019-11-23 14:20:17,473:INFO:certbot.auth_handler:dns-01 challenge for mydomain.com
2019-11-23 14:20:17,474:DEBUG:certbot.reporter:Reporting to user: The following errors were reported by the server:
Domain: mydomain.com
Type: dns
Detail: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.mydomain.com
2019-11-23 14:20:17,474:DEBUG:certbot.error_handler:Encountered exception:
Traceback (most recent call last):
File "/usr/lib/python2.7/site-packages/certbot/auth_handler.py", line 90, in handle_authorizations
self._poll_authorizations(authzrs, max_retries, best_effort)
File "/usr/lib/python2.7/site-packages/certbot/auth_handler.py", line 154, in _poll_authorizations
raise errors.AuthorizationError('Some challenges have failed.')
AuthorizationError: Some challenges have failed.
2019-11-23 14:20:17,474:DEBUG:certbot.error_handler:Calling registered functions
2019-11-23 14:20:17,474:INFO:certbot.auth_handler:Cleaning up challenges
2019-11-23 14:20:17,475:INFO:certbot.hooks:Running manual-cleanup-hook command: /etc/webmin/webmin/letsencrypt-cleanup.pl
2019-11-23 14:20:20,749:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
File "/bin/letsencrypt", line 9, in <module>
load_entry_point('certbot==0.39.0', 'console_scripts', 'certbot')()
File "/usr/lib/python2.7/site-packages/certbot/main.py", line 1378, in main
return config.func(config, plugins)
File "/usr/lib/python2.7/site-packages/certbot/main.py", line 1265, in certonly
lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
File "/usr/lib/python2.7/site-packages/certbot/main.py", line 121, in _get_and_save_cert
lineage = le_client.obtain_and_enroll_certificate(domains, certname)
File "/usr/lib/python2.7/site-packages/certbot/client.py", line 405, in obtain_and_enroll_certificate
cert, chain, key, _ = self.obtain_certificate(domains)
File "/usr/lib/python2.7/site-packages/certbot/client.py", line 348, in obtain_certificate
orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
File "/usr/lib/python2.7/site-packages/certbot/client.py", line 384, in _get_order_and_authorizations
authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
File "/usr/lib/python2.7/site-packages/certbot/auth_handler.py", line 90, in handle_authorizations
self._poll_authorizations(authzrs, max_retries, best_effort)
File "/usr/lib/python2.7/site-packages/certbot/auth_handler.py", line 154, in _poll_authorizations
raise errors.AuthorizationError('Some challenges have failed.')
AuthorizationError: Some challenges have failed.
Yup, you didn't post some versions (virtualmin / webmin / certbot script). I can't help, but start with https://blog.nodebb.org/generating-your-first-wildcard-ssl-certificate-v...
DNS part of the provider or yours in Virtualmin, I guess.
Don't know if Virtualmin is ready to handle that part for now, while they are busy updating the Let's Encrypt parts, as you can see in the forum.
Thanks for the link, I'll take a look.
I will post the versions I missed:
Webmin version v1.932
Virtualmin version v6.08
certbot v0.39.0
Running my own DNS server
That link was a big help.
I was able to manually create a wildcard certificate using certbot. This showed that I needed to wait a while between manually adding the _acme-challenge TXT record in DNS Records and Let's Encrypt being able to verify it. I'm not sure if that was due to my server or a peculiarity of wildcard creation.
I suspect that as the Virtualmin Let's Encrypt module tries to gain verification almost immediately, that was why I was getting the DNS "NXDOMAIN looking up TXT for _acme-challenge..." error.
Although I've successfully created a wildcard cert I just have to figure out how to use it and then remember to manually renew in a couple of months - hopefully I'll be able to use the built-in module by then.
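The wait described in the post above can be built into the auth hook itself. This is an added example, not part of the original thread and not Webmin's or certbot's own code: a wrapper for certbot's `--manual-auth-hook` that creates the record and then blocks until every authoritative nameserver serves the expected `_acme-challenge` TXT value. It assumes `dig` is installed and that the record-creating command (`CREATE_HOOK`, a hypothetical variable defaulting to the hook path shown in the log) can be called from a wrapper; `CERTBOT_DOMAIN` and `CERTBOT_VALIDATION` are the variables certbot exports to manual hooks.

```shell
#!/bin/sh
# Added example: block until the dns-01 TXT record is actually served,
# so the CA does not get NXDOMAIN for _acme-challenge.<domain>.

# Default lookup: ask one nameserver directly, bypassing resolver caches.
# $1 = record name, $2 = nameserver. Override with LOOKUP for offline tests.
dig_txt() {
    dig +short TXT "$1" "@$2" 2>/dev/null
}

# wait_for_txt NAME VALUE NAMESERVER [ATTEMPTS] [DELAY_SECONDS]
# Returns 0 once VALUE appears (quoted, as dig prints TXT data), 1 on timeout.
wait_for_txt() {
    name=$1; value=$2; ns=$3; attempts=${4:-30}; delay=${5:-10}
    lookup=${LOOKUP:-dig_txt}
    i=1
    while [ "$i" -le "$attempts" ]; do
        answer=$("$lookup" "$name" "$ns") || answer=""
        case "$answer" in
            *"\"$value\""*) return 0 ;;
        esac
        i=$((i + 1))
        if [ "$i" -le "$attempts" ]; then sleep "$delay"; fi
    done
    return 1
}

# Hook body: runs only when certbot has exported its variables, so the
# file can also be sourced to reuse wait_for_txt.
if [ -n "${CERTBOT_DOMAIN:-}" ] && [ -n "${CERTBOT_VALIDATION:-}" ]; then
    # Assumption: this command publishes the TXT record (path taken from the log).
    CREATE_HOOK=${CREATE_HOOK:-/etc/webmin/webmin/letsencrypt-dns.pl}
    "$CREATE_HOOK" || exit 1

    domain=${CERTBOT_DOMAIN#\*.}          # strip a leading "*." if present
    record="_acme-challenge.$domain"
    checked=0
    # Every authoritative server must answer: the CA may query any of them,
    # including slaves that have not yet received the zone transfer.
    for ns in $(dig +short NS "$domain"); do
        wait_for_txt "$record" "$CERTBOT_VALIDATION" "$ns" || {
            echo "timeout: $ns does not serve $record" >&2
            exit 1
        }
        checked=$((checked + 1))
    done
    # No NS records found means nothing was verified; fail rather than guess.
    [ "$checked" -gt 0 ] || { echo "no NS records for $domain" >&2; exit 1; }
fi
```

A non-zero exit from the hook makes the failure visible on the local side instead of surfacing later as a server-side NXDOMAIN.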
IIRC - LetsEncrypt can either validate against DNS records or by checking a file in a specified location. I suspect Virtualmin goes down the 2nd road (in the case of offsite DNS).
@dibs is this also for wildcard?
So far as I know, the DNS part is important there.
@jfro - wildcard certs from LE can only be done with DNS validation - or so their documentation says & there are no plans otherwise.
Yup, in the case of wildcard! That means for a lot of control panels with external/offsite DNS, automatic is not possible, or only with extra API/scripts for those external DNS services.
Naming this as some don't know, I guess? As is possible here: https://www.virtualmin.com/node/65809
So far I did some reading.
You mentioned the 2nd road, therefore my reaction. ;)
Also, the/some wait time (somewhere in the forum) should be set right for resolving / doing it with internal DNS and scripts right after creating such virtual servers (with slave.....) and so on.
Personally I don't have issues doing or having single (Virtual Server) LE SSL certs. The only "issue" is Postfix as it currently isn't SNI friendly. But from what I have read - SNI for Postfix is on the near horizon so maybe in 1st half of 2020 that might be a reality - so single certs might be 100% fine then.