Let's Encrypt failure

I haven't had issues obtaining Let's Encrypt certificates before, but now I apparently do:

Parsing account key...
Parsing CSR...
Registering account...
Already registered!
Verifying www.example.com...
Traceback (most recent call last):
  File "/usr/libexec/webmin/webmin/acme_tiny.py", line 235, in <module>
  File "/usr/libexec/webmin/webmin/acme_tiny.py", line 231, in main
    signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, args.dns_hook, args.cleanup_hook, log=LOGGER, CA=args.ca)
  File "/usr/libexec/webmin/webmin/acme_tiny.py", line 184, in get_crt
    domain, challenge_status))
ValueError: www.example.com challenge did not pass: {u'status': u'invalid', u'keyAuthorization': u'vkijxCxdMLfaOUXgw0WtwI93j7NP1Y67SoUwEIrssYY.YRZJxXvGiNMgKEYOAf2lwSk5POtn7_S_jQEpsfKaPzU', u'uri': u'https://acme-v01.api.letsencrypt.org/acme/challenge/ZEjOsqo7qekxxBj3jGO0ZpZ8OJlwiE6VT_pYUZNUfzY/1526485853', u'token': u'vkijxCxdMLfaOUXgw0WtwI93j7NP1Y67SoUwEIrssYY', u'error': {u'status': 400, u'type': u'urn:acme:error:connection', u'detail': u'DNS problem: NXDOMAIN looking up TXT for _acme-challenge.www.example.com'}, u'type': u'dns-01'}

I realise that the apparent error is clear -- I need a TXT record for _acme-challenge.www.example.com -- but this wasn't an issue before. Didn't the process use something in the file system -- i.e., .well-known/acme-challenge?

Is this a change in the way LE works, or a bug?

Did I not give enough information?

Virtualmin will try to use web-based validation first for Let's Encrypt, and then fall back to DNS.

You don't need to create the TXT record manually - it should be done automatically.

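As an added example (it is not code from this thread, from Virtualmin, or from acme_tiny), the script below reproduces the two checks in the order just described: it first confirms that an http-01 token placed under .well-known/acme-challenge is actually served back for the domain, and only then looks for the dns-01 TXT record at _acme-challenge.<domain>. The token and key authorization are copied from the traceback in the first post; the challenge URL, TXT owner name and TXT value follow RFC 8555 sections 8.3 and 8.4. The dig-based resolver, the fetch helper and the reason strings are assumptions of this example, not Virtualmin's logic.

```python
import base64
import hashlib
import re
import subprocess
import urllib.request
from typing import Callable, List, Optional, Tuple

# Token and key authorization copied from the traceback in the first post.
DOMAIN = "www.example.com"
TOKEN = "vkijxCxdMLfaOUXgw0WtwI93j7NP1Y67SoUwEIrssYY"
KEY_AUTHORIZATION = TOKEN + ".YRZJxXvGiNMgKEYOAf2lwSk5POtn7_S_jQEpsfKaPzU"


def http01_url(domain: str, token: str) -> str:
    """URL the CA fetches for an http-01 challenge (RFC 8555 section 8.3)."""
    return "http://%s/.well-known/acme-challenge/%s" % (domain, token)


def dns01_name(domain: str) -> str:
    """Owner name of the TXT record the CA queries for dns-01 (RFC 8555 section 8.4)."""
    return "_acme-challenge." + domain


def dns01_txt_value(key_authorization: str) -> str:
    """dns-01 TXT value: base64url(SHA-256(keyAuthorization)) without '=' padding."""
    digest = hashlib.sha256(key_authorization.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def fetch_http(url: str, timeout: float = 10.0) -> Optional[str]:
    """Fetch over plain HTTP as the CA would; None on any network or HTTP error."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.read().decode("utf-8", "replace").strip()
    except Exception:
        return None


def parse_dig_txt(output: str) -> Optional[List[str]]:
    """Parse `dig TXT <name>` output. None for NXDOMAIN or a failed query,
    otherwise the list of TXT strings found in the answer section."""
    if "status: NXDOMAIN" in output or "status:" not in output:
        return None
    values = []
    for line in output.splitlines():
        if line.startswith(";"):          # comment/header lines
            continue
        fields = line.split(None, 4)
        if len(fields) == 5 and fields[2] == "IN" and fields[3] == "TXT":
            # A TXT rdata may be split into several quoted chunks; join them.
            values.append("".join(re.findall(r'"((?:[^"\\]|\\.)*)"', fields[4])))
    return values


def resolve_txt(name: str) -> Optional[List[str]]:
    """Assumption: dig is installed. Queries the system resolver for TXT records."""
    try:
        proc = subprocess.run(["dig", "TXT", name], capture_output=True,
                              text=True, timeout=10, check=False)
    except (OSError, subprocess.TimeoutExpired):
        return None
    return parse_dig_txt(proc.stdout)


def preflight(domain: str, token: str, key_authorization: str,
              fetch: Callable[[str], Optional[str]] = fetch_http,
              txt: Callable[[str], Optional[List[str]]] = resolve_txt,
              ) -> Tuple[Optional[str], List[str]]:
    """Try http-01 first, then dns-01, as the post above describes.
    Returns (usable method or None, reasons why the others failed)."""
    reasons: List[str] = []
    url = http01_url(domain, token)
    body = fetch(url)
    if body == key_authorization:
        return "http-01", reasons
    if body is None:
        reasons.append("http-01: could not fetch %s (no webserver here, firewall, or wrong host)" % url)
    else:
        reasons.append("http-01: %s answered with %r instead of this host's key authorization; "
                       "another server is still live for %s" % (url, body[:40], domain))
    name = dns01_name(domain)
    expected = dns01_txt_value(key_authorization)
    records = txt(name)
    if records is None:
        reasons.append("dns-01: NXDOMAIN for %s; the zone is not served where this host published its record" % name)
    elif expected in records:
        return "dns-01", reasons
    else:
        reasons.append("dns-01: %s exists but does not carry the expected value (stale zone or propagation)" % name)
    return None, reasons


if __name__ == "__main__":
    method, why = preflight(DOMAIN, TOKEN, KEY_AUTHORIZATION)
    print("usable method:", method)
    for line in why:
        print(" -", line)
```

Run it on the Virtualmin host after placing the token file and (if the zone is local) the TXT record; with both the old webserver still live and the zone hosted elsewhere it reports no usable method and two reasons, the second being the same NXDOMAIN the CA returned. One caveat: the HTTP check is only meaningful if the hostname resolves to the public address, so do not let /etc/hosts or a local-only resolver point it back at this box.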
OK, this domain was transferred in. I might not have updated the DNS (which is hosted on a different server) yet, so the file-/web-based validation wouldn't have worked because the site on the old server was still live, hence the attempt to validate via DNS, which didn't work either because (as I say) it's hosted elsewhere and didn't have the default Virtualmin TXT record.

Good to know for the future. I don't think I had tried to create an LE certificate on a transferred-in domain immediately after setting it up before, so I won't make that mistake again.


Yeah, either the webserver or DNS zone has to be hosted on the Virtualmin system.