VirtualMin: Failed DNS Validation when request CERT attempted from Let's Encrypt Servers

Wed, 11/06/2019 - 15:29

I've learnt from some wonderful people (IRL & the internet) but the ethos is on helping people to help themselves. DNS entries are very straight-forward (99% of the time) and you should read up the docs on papaki's website\support section. Do an online chat with them or log a support ticket if you don't fully understand how to do an A record or other records.

They'll explain it to you and assuming you've engaged - you'll understand.

Wed, 11/06/2019 - 15:35

I will follow your advice, Dibs. I already opened a ticket and asked them to move me from the server's BIND DNS system to the papaki DNS service.

After I do that and retry requesting a LE cert, do you think it will work this time without that DNS error?!

Intel Inside, Idiot Outside!

Wed, 11/06/2019 - 16:01

Basically you need them to walk you through how to add A, CNAME, TXT (SPF) and MX records to all point to 1 IP (in your case) in their DNS control panel.

Once you understand how to do that for 1 domain - it's simply repeat for the others.

Then you can turn BIND off. That's the process for moving from BIND to them. Papaki won't move you from BIND to them any other way. If that makes sense?

Wed, 11/06/2019 - 16:05

LE Cert - I don't use BIND and host the DNS all externally and have zero issues requesting certs for any of the domains.

Having said that - you have already requested too many in the last 7 days, so might need to wait a few days before requesting more. Also with the V2 thing and V1 and Nov 2019 might mean something - I'm not sure exactly. You may need to check the other threads - it could mean you might not be able to request brand new certs using Virtualmin and can only do renewals - or the Nov 2019 reference may have been to LE's staging environment and there is no issue with requesting live certs.

You'll need to check this yourself.

Wed, 11/06/2019 - 16:07

Yes it does. And if I move to papaki DNS but also leave BIND active, then from which DNS service would domain requests be resolved?

Intel Inside, Idiot Outside!

Wed, 11/06/2019 - 16:56

Resolution will be by\from whatever papaki's DNS says - which will be giving the resolution as opposed to your local BIND. Your BIND DNS will become redundant.

It's an oversimplification, as papaki's DNS servers will replicate\propagate their info globally round the world to other DNS servers.

Wed, 11/06/2019 - 17:21 (Reply to #57)

YUP. So far I did write some on the forum about this: when using DKIM and mail on the Virtualmin box, in the DKIM GUI you have to use, as far as I know, the DNS/BIND part for the main mailserver/host/domain.

Am I wrong here, DIBS?

If not, you can use DNS/BIND, even if duplicate/redundant, for the DKIM part, the DKIM keys sent with mail.

That generated DKIM you have to copy to the DNS services of your hoster.

Don't do that for now, NIKOS, only after you have read enough about it, understand it, and all other things are OK, otherwise you make things more complicated. So it is OK to forget about DKIM and DMARC for the start; SPF you should take care of in the DNS services, I suppose.

For the moment, as I see this, it is more a tryout/learning phase, and that is OK; if production, then hmm, it is somewhat hard and bumpy, but good luck with all.

(I guess generating DKIM with some online services and pasting that one into configs and DNS should do too. I'm too lazy for that, using the one DNS for the mailserver part only with Virtualmin to have DKIM right myself; BIND doesn't use much memory/CPU, so redundant....)

OYEA, some advice DIBS gave you: please read papaki's, try to understand, and take some time and a cup of coffee/tea. Don't bother them too much too early if you didn't spend enough time yourself to understand stuff with their help pages. (If the info is on their help pages they could get annoyed if you're asking the same stuff they have already written out there....) ;)

Wed, 11/06/2019 - 18:36


On the key part - you are not wrong.

I think the (Public) key in the GUI would be redundant. I haven't implemented DKIM - so I am assuming the GUI holds (at least) the Public Key. You would need to add it on the DNS at the registrar. But that's the public key. The server (VPS) would still need to hold the private key. If the GUI holds the private key too - then that might still work.

It might be the case that the GUI doesn't like to hold just the Private Key and wants the Public Key too - in which case having it there and the registrar - shouldn't hurt to my mind. The local Public is redundant and has only been entered to keep Virtualmin happy as the developers may not have envisaged using DKIM with an external DNS. But that's a maybe. ;)

If anyone specifically requires DKIM (not using it personally) then that's the time to look at the few ways that might exist for your distro and read up. My thought is that DKIM isn't for newbies - so reading is going to be required. As with all things - DKIM and other things - if you aren't being told you actually need it and if asked why you need it, you have no answer (and no one else speaks up) - I'd say there is a good chance you don't actually need it. ;)

Thu, 11/07/2019 - 02:41 (Reply to #59)

@Dibs you could do some tests with this link

And for DKIM maybe this part could .. depending on for what you need mail

Thu, 11/07/2019 - 02:09

Hello, so you are saying that it's better for me to have things as they are now, using BIND. OK, I'll stick to BIND.

I noticed that and both point to and that is wrong. How am I supposed to fix this?

Intel Inside, Idiot Outside!

Thu, 11/07/2019 - 02:45 (Reply to #61)

No we aren't.

IF you have DNS services at your hoster for the domains, THEN YOUR OWN DNS / BIND is only redundant. But it should not hurt.

For DKIM and such you may need it, but do you want DKIM, do you need DKIM? That is what you have to find out yourself with all the info on the WEB; it depends on what you and others on the server want to do with mail...

Thu, 11/07/2019 - 03:29 (Reply to #62)


You beat me to it. LOL

The DNS - don't you mean the other way round? If he's got A and other records setup at his domain registrar then those details will propagate and his own DNS will be redundant?

Thu, 11/07/2019 - 03:35 (Reply to #63)

YUP, I changed the text.

Thu, 11/07/2019 - 03:16

Guys, I uploaded my httpd.conf for you on pastebin in case you can see it and understand WHY and http://ip load

Intel Inside, Idiot Outside!

Thu, 11/07/2019 - 03:46

Nikos, just wondering, without any intent to insult or anything: how do you expect to sustain your hosting business if you're clueless about it? If I were "", I'd get a sysadmin aboard or a papaki support plan... (not really fond of papaki for different reasons..)

Just 2c,

Thu, 11/07/2019 - 03:50 (Reply to #66)

I think that's a total of (at least) 6c. Your 2c, mine & Jfro's. LOL

Thu, 11/07/2019 - 03:55 (Reply to #67)

I think I'll hire one. Where can I find one and how much will it cost?

Intel Inside, Idiot Outside!

Thu, 11/07/2019 - 04:28 (Reply to #68)

SOME TIME, invest TIME to do readings of how-tos on the web.

Then you probably understand more and only then after that you can hire or do

Otherwise you have to hire every time you need changes and then it blows budgets!

Thu, 11/07/2019 - 06:40

Very True.

Intel Inside, Idiot Outside!


Topic locked