Support certbot-dns-linode ?

UPDATE3_BEGIN

After all is said and done, this support request boiled down to a feature request:

Support certbot-dns-linode within Virtualmin's LetsEncrypt implementation.

Also, since some of us are forced to use certbot directly from time to time, provide a graceful way to integrate the files generated under /etc/letsencrypt/ into Virtualmin via the GUI, as per this comment made to a prior request for support:

Typically, even when you install your own SSL certificate, you should be doing it through the GUI to ensure all the appropriate settings and such are changed correctly.

UPDATE3_END

Former Subject Line: "Wildcard LetsEncrypt Certificate Fails with ERR_SSL_PROTOCOL_ERROR Possibly Due To [ssl:warn] [pid 29244] AH01909: mydomain.com:443:0 server certificate does NOT include an ID which matches the server name"

I successfully requested a LetsEncrypt wildcard certificate for all my domains. However, I can't access https://mydomain.com because the browser reports ERR_SSL_PROTOCOL_ERROR.

UPDATE2_BEGIN

OK, the problem appears to be that Linode's DNS doesn't play nice with Virtualmin.

Once I hacked virtualmin into running again, hopefully without damaging my system -- the only way I could get a successful certificate was to invoke certbot manually as per the Linode directions for certbot-dns-linode:

certbot certonly --dns-linode --dns-linode-credentials .linode_api/certbot -d *.mydomain1.com -d *.mydomain2.com ...etc... -d mydomain1.com -d mydomain2.com ...etc...

Of course, now I face the challenge of ensuring that this certificate -- and the associated files -- located in /etc/letsencrypt/archive/somedomain.com/ is going to work with Virtualmin (be referenced properly in all the VirtualHost configurations, renew on schedule, etc.

UPDATE2_END

UPDATE1_BEGIN

I think I've narrowed down the problem to LetsEncrypt's failure to find TXT entries for the non-wildcard domains when attempting to do both wildcard and non-wildcard domains.

I'm getting a bunch of these errors:

This may have to do with a weakness in the certbot-dns-linode authenticator plugin.

Using the certificate that contained only wildcards (which LetsEncrypt successfully issues) I was able to get one domain's subdomains to match the wildcard, but only the one named in the Certificate->Signature Algorithm:->Subject->commonName = *.somedomain.com field. None of the X509v3 Subject Alternative Name->DNS:*.anyothername.com,... fields would match.

Unfortunately, I can no longer access even Virtualmin as it is returning the same ERR_SSL_PROTOCOL_ERROR. Setting ssl=0 in miniserv.conf and restarting doesn't help.

UPDATE1_END

This happens on all my VirtualHosts.

I suspect that this is due to my explicit IP in the VirtualHost directive in all my 443 hosts:

rather than:

However, changing it to *:443 (and *:80) for one of my domains doesn't fix it for that domain.

Is this likely and if so, what is the best way of changing all of my domains to use the *:443 spec?

Another possibility is that the only domains permitted are _sub_domains as listed in:

ie: they all begin with *. and none of them are, say, DNS:mydomain.com.

Could that be the problem? If so, I did try to request a LetsEncrypt certificate with both the *.mydomain.com and mydomain.com domains listed but I got an error on that LetsEncrypt request so I thought it must mean one can't mix them.

Moreover, during systemctl reload apache2 I get the warning:

[ssl:warn] [pid 29244] AH01909: mydomain.com:443:0 server certificate does NOT include an ID which matches the server name