Issue with Let's Encrypt (suddenly no longer renewing).

#1 Sat, 11/10/2018 - 12:51

This morning I have a message from Let's Encrypt that the renewal for one of my web sites failed. This web site has been successfully updating for the last year.

The interesting (or strange) part of this is that "Webmin" reported errors, but from one of my web sites that was NOT being updated, and still has a month to go before it should renew. I've stopped and started Apache (with no issue), checked DNS records in GoDaddy, but they have been unchanged for ages.

I'm really stumped on this and the cert runs out in a few days.

Here are the two messages I received.

Error message from Let's Encrypt (Has successfully renewed 4 times in the past with no issues)

An error occurred requesting a new certificate for,,, from Let's Encrypt : Web-based validation failed : Failed to request certificate :

challenge did not pass: Invalid response from "\n\n\n \n \n <meta htt"

DNS-based validation failed : Failed to request certificate : challenge did not pass: DNS problem: NXDOMAIN looking up TXT for

First part of mail from Webmin - and the cert for this web site has 1 month to go and is not trying to renew. This was a new site ( started one month ago. (My IP address is

reason: challenge did not pass: {u'status': u'invalid', u'validationRecord': [{u'url': u'', u'hostname': u'', u'addressUsed': u'', u'port': u'80', u'addressesResolved': [u'']}, {u'url': u'

Any thoughts?

Nigel Aves.

Wed, 11/14/2018 - 23:03

After a lot of hair pulling this one is resolved.

Wed, 11/14/2018 - 23:11

So, I had no idea that Virtualmin was writing the challenge into the local DNS records, BUT that is not where my active DNS records are; they are on GoDaddy.

I run BIND so that I have a "local" copy of what Virtualmin thinks the DNS records should be; in many cases I have transferred them over to GoDaddy.

But for Let's Encrypt a better message would have been helpful; it probably should have been mentioned on the Let's Encrypt page that the whole "challenge" procedure had changed, and what to do if your DNS is hosted outside your server.
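
The situation described in the post above (the challenge TXT record written to a local BIND zone while the public delegation points at an external DNS host) can be checked before a renewal is attempted. This is an added example, not part of the original thread and not Virtualmin's own code; the function names, the `DIG` override and every domain, nameserver and token passed to it are assumptions or placeholders.

```shell
#!/bin/sh
# Added example. Checks whether a DNS-based challenge TXT record is visible on
# the nameservers the public DNS actually delegates to, or only on a local BIND.
# DIG may be overridden (assumption) so the logic can be exercised offline.
: "${DIG:=dig}"

# Print the nameservers the zone is publicly delegated to, one per line.
public_ns() {
    $DIG +short NS "$1" | sed 's/\.$//' | tr 'A-Z' 'a-z' | sort -u
}

# Succeed if nameserver $2 serves TXT value $3 at _acme-challenge.$1
ns_has_token() {
    $DIG +short TXT "_acme-challenge.$1" "@$2" | tr -d '"' | grep -qxF "$3"
}

# check_dns01 DOMAIN LOCAL_NS TOKEN
# Prints one verdict line and returns 0 only when validation can succeed:
#   ok                 every delegated nameserver serves the token
#   local-only: <ns>   token exists only on LOCAL_NS, which is not delegated
#   missing: <ns>      token is absent from the listed delegated nameservers
#   no-delegation      no NS records were returned for DOMAIN
check_dns01() {
    domain=$1
    local_ns=$2
    token=$3
    missing=""
    nslist=$(public_ns "$domain")
    [ -n "$nslist" ] || { echo "no-delegation"; return 2; }
    for ns in $nslist; do
        ns_has_token "$domain" "$ns" "$token" || missing="$missing $ns"
    done
    if [ -z "$missing" ]; then
        echo "ok"
        return 0
    fi
    # The case from this thread: the record is in the local zone file only.
    if ! printf '%s\n' "$nslist" | grep -qxF "$local_ns" &&
        ns_has_token "$domain" "$local_ns" "$token"; then
        echo "local-only:$missing"
        return 1
    fi
    echo "missing:$missing"
    return 1
}
```

A `local-only` verdict means the TXT record has to be created at the external DNS host, or web-based validation has to work, before the certificate request can pass.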
