VirtualMin: Failed DNS Validation when request CERT attempted from Let's Encrypt Servers

#1 Tue, 11/05/2019 - 14:36

I'm trying to read mail via GMail.

To do that I have, via VirtualMin, to request a Let's Encrypt cert.

But I am receiving this error when DNS validation is attempted by Let's Encrypt servers.

A TXT record entry with a specific value is applied automatically to my DNS zone every time I make an attempt to request a certificate via VirtualMin.

Since it is able to add this DNS entry by itself successfully, WHY does it report back: challenge did not pass: Incorrect TXT record “IQ_bFSECzFcqYKWJSLWyV37-psVy57_cmF_bq-H63Sc” found at

What exactly is this error message saying? That it cannot request back the TXT record entry that it told VirtualMin to put there in the first place?
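
What the error reports, as an added example that is not part of the original post: in the ACME DNS-01 challenge (RFC 8555) the CA expects the TXT record at `_acme-challenge.<domain>` to hold the unpadded base64url SHA-256 digest of the key authorization, and "Incorrect TXT record" means a TXT record was found there with a different value, for instance one left over from an earlier attempt. The token, account thumbprint and nameserver labels are constructed; the stale value is the one quoted in the error above.

```python
import base64
import hashlib

# Constructed sample inputs (assumptions, not values from the thread).
TOKEN = "constructed-token-0123456789abcdefghijklmnopqrs"
ACCOUNT_THUMBPRINT = "constructed-thumbprint-0123456789abcdefghijk"
# The value quoted in the error message in the post above.
STALE_VALUE = "IQ_bFSECzFcqYKWJSLWyV37-psVy57_cmF_bq-H63Sc"


def dns01_txt_value(token, account_thumbprint):
    """TXT value the CA expects: base64url(SHA-256(token + "." + thumbprint)), unpadded."""
    key_authorization = f"{token}.{account_thumbprint}"
    digest = hashlib.sha256(key_authorization.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def classify(expected, txt_values):
    """Status for one nameserver's answer, plus the values that should be cleaned up."""
    stale = [v for v in txt_values if v != expected]
    if expected in txt_values:
        return "ok", stale          # one matching record is enough to validate
    if txt_values:
        return "incorrect", stale   # the case the error message describes
    return "missing", stale


def diagnose(expected, answers_by_server):
    """The CA's resolver may be answered by any authoritative server,
    so validation is only reliable when every one of them serves `expected`."""
    per_server = {s: classify(expected, v) for s, v in answers_by_server.items()}
    reliable = all(status == "ok" for status, _ in per_server.values())
    return per_server, reliable


EXPECTED = dns01_txt_value(TOKEN, ACCOUNT_THUMBPRINT)

# Constructed answers, as if each authoritative server had been queried directly
# for the TXT records at _acme-challenge.<domain>.
ANSWERS = {
    "authoritative-1": [EXPECTED, STALE_VALUE],
    "authoritative-2": [STALE_VALUE],
    "authoritative-3": [],
}

if __name__ == "__main__":
    per_server, reliable = diagnose(EXPECTED, ANSWERS)
    for server, (status, stale) in per_server.items():
        print(f"{server}: {status}; stale values to remove: {stale}")
    print("validation reliable:", reliable)
```
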

Wed, 11/06/2019 - 03:53

kind of doublepost , see other reply from me dns is not good for

Also what is your hostname / mainserver has this for example only then no good if so. ( you do not use maindomain name as hostname normally) should be "vm or vps-or...whatever you want.".yourservermaindomain.

Wed, 11/06/2019 - 03:59

The hostname I have set is just "". Should I ask the company to set a PTR record for is it possible that the lack of PTR created problems?

Please post here the DNS reply you mentioned because I kind of lost track in the other thread.

Intel Inside, Idiot Outside!

Wed, 11/06/2019 - 04:02

To my mind - hostname should not be "" - that's the domain name. Hostname should be something like "server1" or anything like that, i.e. a single name - no dot and no suffix.

Wed, 11/06/2019 - 04:06 (Reply to #4)

VirtualMin installation had the hostname been "" upon running the install script. I don't think that is a problem though, but I want to hear from others too.

Intel Inside, Idiot Outside!

Wed, 11/06/2019 - 04:08 (Reply to #5)

Nikos - you are saying "you don't think it's a problem" but you do seem to be having a few problems. Hostname NOT EQUAL domain name. I suggest you fix this. Jfro is saying the same thing.

Wed, 11/06/2019 - 04:12 (Reply to #6)

Apologies, should I set the hostname to perhaps "" and then create an A record for it? If I just set it to "nikos" the system is not accepting it because it's not being resolved.

Update: I changed the hostname to "" and created an A entry in DNS.

Intel Inside, Idiot Outside!

Wed, 11/06/2019 - 04:20

I suggest using an external DNS system while you seem to use / have only one IP (and others same block) nameservers; you have to do it right: minimum 2 IPs and also in different IP blocks.

If you manually or automatically then fill in your records there, you only have to take care of bind / DNS for maindomain / mail and DKIM part if using.

Reverse ptr you ask your host to set it right or in an panel if they have.

Response from me is 123 short and quick, so read first more about that stuff on the web!

You need of course for hostname also LE cert, best is to have them all in one (how I do it, but some do separate them) for that domain.

I did write before with your dovecot LE problems I can't help you with written out manuals, while having other config, as you can see here I was so right. ;)

Please don't go for quick changes every time something is not 100% ok, but take more time to read about such topics and howtos on the web, I advise, while only then you could know more to do it right, otherwise it seems you are following advice / texts on the web and here without knowing the reason, and as serveradmin you have to really know what you do!

I do lot on CLI and not in Virtualmin GUI , so i can't help with lot of stuff as howto's, only pointing out some are good or not as end result!

Wed, 11/06/2019 - 04:24

I'm not sure I explained myself properly.

Hostname - this is a singular name. Like "nikos" or "nikos1" or any single word. That's what you set in Webmin - Networking - Network Configuration - Hostname & DNS Client. It might be possible to set it in Virtualmin - but I couldn't see it.

Domain name is usually a 2 part name - in your case:

DNS Entries - these are made up of A records, CNAMES, TXT records and MX records (mostly). I suggest you read up on these and perhaps read up on your Registrar's website on how the entries should be made. Assuming you aren't running BIND yourself.



Wed, 11/06/2019 - 04:32 (Reply to #9)

Again, as we (Dibs and me) both have advised you more than one time, do more reading about all those topics you're asking here yourself!

As a lot goes wrong doing false / wrong .... ;)


As almost no control panel is for a newbie out of the box, doing stuff all good as it has to be, even if so you better have some knowledge of what you do as SERVERADMINS!

Wed, 11/06/2019 - 04:34 (Reply to #10)

My company's panel at "change hostnames" does not let me use just "nikos" as value for Hostname, but "" creating an A record for it.

"That's what you set in Webmin - Networking - Network Configuration - Hostname & DNS Client. It might be possible to set it in Virtualmin - but I couldn't see it"

Will there be any trouble if I put there just "nikos", perhaps breaking things? I am afraid to do it....

Intel Inside, Idiot Outside!

Wed, 11/06/2019 - 04:40 (Reply to #11)

Here you go with knowledge.


"my company's panel at "change hostnames"" is the one from your hoster, right?

That is totally different than GUI Virtualmin!

That part (the one from your hoster) is doing it as you can do in CLI.

Knowing really what you do and what those GUI, company's panel and CLI do is a PLUS!

Not knowing (good enough) and reacting as .... much too quick doing changes every time someone writes here, or you read somewhere, is so dangerous!

Keep in mind DIBS, me and all mean well with you, but users asking for support should also do some work, so far as possible, to get more and better knowledge about some basics that a serveradmin has to know.

VIRTUALMIN / WEBMIN is a very bad control panel for the kind of "copy paste" serveradmins.

Don't know how to say it in good English without being rude where copypaste-only=dumb, not meaning to be that rude!

I'm not an experienced LINUX server admin but have over 30 years experience in IT, then you know most mistakes are made because of lack of knowledge, even me.. ;)

Wed, 11/06/2019 - 04:52 (Reply to #12)

Please re-read comment #9. Then maybe re-read it x2 again. ;)

Wed, 11/06/2019 - 05:11

@Nikos - my advice to you is this (and feel free to ignore it): get yourself another VPS (DigitalOcean & Linode are cheap enough). Install something like Ubuntu 16.04LTS and follow their tutorials (there's lots of them) on hardening it, setting up IPTables, SSH, etc. Just a basic box. Learn the basics. Anything goes wrong - start again: the images deploy easy enough.


  • basic networking,
  • DNS entries,
  • the difference between hostname, DNS and a FQDN
  • basic Linux permissions
  • how to do basic stuff from CLI, like create files, copy files, set permissions & delete files

Once you have a basic box - install Virtualmin and assuming you have done the above, in 99% of the cases things will run with 0 issues.

Unfortunately the big downside of all the above is YOU need to invest that time in yourself, your skills & knowledge.

I would go so far as to say the choice is binary - either invest or pay someone else to do it. There is a 3rd choice - don't do it.


Wed, 11/06/2019 - 06:49

I asked an admin of my company to take a look at my DNS and it says

your server has a PTR record, this subdomain can't have a PTR record:

I see that your domain has MX record and this shows that your domain "" is pointed to your subdomain "":

What should I ask them to do? PTR should be pointed to or

and HOW to alter "" to NOT point to subdomain "": ?

Intel Inside, Idiot Outside!

Wed, 11/06/2019 - 07:01

Please have a little patience with me, I must sort this out.

  1. From within VirtualMin=>Network Configuration=>Hostname, shall I set it to "nikos" or to "" ?
  2. WHY and HOW to alter "" to NOT point to subdomain "": ?
  3. Which hostname has to have PTR record configured? "" or ""

Please help me FIX this mess with DNS Records because i don't want to break things as i host other 3 websites. Thank you very much.

Intel Inside, Idiot Outside!

Wed, 11/06/2019 - 07:28

I dropped "Nikos", let's try "secure".

If I make the hostname change via Virtualmin it says hostname: secure(10.x.x.x some local ip). If I instead change the hostname from my company's panel it doesn't allow me to use "secure" as hostname, but it needs an A record for that which I added to DNS records and wants the hostname to be as ""

Is this ok for 1st step to troubleshoot this?

Which method of altering hostname should I pick, Virtualmin's or Time4VPS panel?

Intel Inside, Idiot Outside!

Wed, 11/06/2019 - 07:49

Here is a pic for you guys to see my current DNS Record Configuration:

Can you please check if it is ok? Ask me for any output you want to see and I'll post back to you. Thank you and please have a little patience with me to help me resolve this.

Intel Inside, Idiot Outside!

Wed, 11/06/2019 - 07:58

I only see and understand you didn't.

and some

You can use the

Or paid ticket support if you don't have time enough...

While only picking one example if using ipv6 do it all and right also ptr record for ipv6 should be ok and so more............

Wed, 11/06/2019 - 08:05

I have read all your posts but I still need step-by-step guidance. I cannot afford paying for support.

But I am willing to try commands via SSH or VirtualMin and post back the results. Please, as a personal favour, do help me understand what's wrong with my DNS configuration.

Intel Inside, Idiot Outside!

Wed, 11/06/2019 - 09:18

I don't have step by step for you.

Please a lot is on the web for free info about the parts DIBS did write.

Important in my eyes!

IF you have using possible external dns at your hoster i advise using that, then most of the time you have 2 or more nameservers ns1 and ns2 from them on different ip blocks!

Wed, 11/06/2019 - 09:31

2 things

  1. How do I add a certificate to my subdomain ""? It's this subdomain that is giving me the error when I try to request a cert from LE. Why does it fail?
  2. Which entry do I have to delete from the DNS configuration for to STOP pointing to

I have added a pic for you to see. Please, I need the configuration of to be correct in order for the SSL Cert to pass. Is this correct?

Intel Inside, Idiot Outside!

Wed, 11/06/2019 - 10:05 (Reply to #22)

Remove mail.domain and use domain as mail server, or skip encryption on email.. why bother with that if you can't fix/understand/read? In any case, unless you're ready to do some heavy reading, better tell your admin or some pro to set up Virtualmin for you...

Wed, 11/06/2019 - 10:09 (Reply to #23)

You mean that I should delete the entry for: "mail A". Are you sure that line is NOT important to be there so the system knows what is the MX for the domain?

Intel Inside, Idiot Outside!

Wed, 11/06/2019 - 09:55

Important in my eyes!

IF you have using possible external dns at your hoster i advise using that, then most of the time you have 2 or more nameservers ns1 and ns2 from them on different ip blocks!

Wed, 11/06/2019 - 09:57

Can you PLEASE HELP ME install SSL Cert to ""? That's all I ask. Please tell me exactly what to do because it's failing.

Intel Inside, Idiot Outside!

Wed, 11/06/2019 - 10:10 (Reply to #26)

No, while too much is wrong.

Please contact your hoster.

Ask or inform if they have in the same package a DNS service you can use, and take a start from there! (using their nameservers and so on) That is really gonna help you; not going any further with only one IP address or in same block for 2 own nameservers makes no sense.

Please follow up advice from me AND DIBS, I guess we both don't / can't help if having not the right base ....

So ask hoster if they can deliver or how you can use their DNS services!

Wed, 11/06/2019 - 10:13

Ok, I will do that and report back.

Intel Inside, Idiot Outside!

Wed, 11/06/2019 - 10:38

@Nikos - I really do sympathise with you and your situation. The problem\issue with Virtualmin (and other panels) and Linux really is that it requires prerequisite knowledge. When this is missing - it gets really difficult to resolve issues as a person will try almost anything and everything when there are problems.

  1. What operating system (& version) are you running on this VPS? (Ubuntu, CentOS, etc.?)
  2. What are you wanting to do with this VPS? Host websites and their mail? Or just websites or just email?
  3. Are you running DNS (i.e. BIND) yourself or using the domain registrar's DNS control panels?

The answer to question 3 - looks like you are running it yourself as & (both having the same IP) appear to be the nameservers set at which looks like where you registered your domain. If this is the case - WHY have you done this? You only have 1 IP and it isn't wise to have both nameservers on 1 IP. Who or what told you to set it this way?


Wed, 11/06/2019 - 10:55

Hello Dibs and THANK YOU for understanding my frustrating situation.

  1. CentOS 7.6 Along with latest VirtualMin
  2. Host websites and their mail.
  3. I'm running it myself. All servers running from the same machine. I did this myself when I registered and bought the domain on papaki, which asked me the nameservers for my domain and I provided them.

2 questions please, so as to understand if things are set up properly for my domain. I need to know that, please bear with me.

My domain is along with VirtualMin

  1. What should I set the Hostname to be, i.e. "" or just ""? Does it matter?

  2. Where should the PTR record point? Currently it points to "", but is this correct, or does it need to be pointing to domain itself or perhaps the mail exchange which is ""

Intel Inside, Idiot Outside!

Wed, 11/06/2019 - 11:09 (Reply to #30)

Before going any further - login to your papaki portal for your domains and check if you can add A (and other) records there? I am 99.99% you can - but best to check. It may ask you to use their nameservers to do that. You should be able to check - without saving. i.e. cancel out at the end.

Wed, 11/06/2019 - 11:14

I bought the domain, BUT the only thing I can do is set the nameservers ( & in their CP.

Intel Inside, Idiot Outside!

Wed, 11/06/2019 - 11:52


According to papaki support pages;

you can use their DNS servers and maintain entries for A, CNAME, MX and other records (manually) there.

Here's my advice and (as it's free you may well ignore it, that usually happens with free advice):

At this point your server will only be accessible via external IP address - and that's fine for now.

According to Wikipedia

A device with the hostname myhost in the parent domain has the fully qualified domain name The FQDN uniquely distinguishes the device from any other hosts called myhost in other domains.

So decide on a hostname - server1 is fine. So is nikos. Even athens1 is fine. The domain name is which gives a FQDN of

Now go to Papaki and in the FreeDNS control panel create an A record for pointing it to the external IP. Then create a CNAME for www and point that to the A record. Once this has propagated you will be able to access the server by name - there will be nothing there. Most want a host -you can use the @ symbol and it should be fine. Then create a CNAME for www - that should be enough to get the basics going.

Then install Virtualmin GPL and DO NOT select or install BIND.

During the install - the hostname would be athens1 (or nikos1 or whatever you selected), the domain would be if asked and the FQDN would - understand the basic differences between these things, i.e.

hostname + domain name = FQDN
athens1 + =

Hopefully the above is crystal clear.

You would want Virtualmin to install

  • Apache
  • php
  • mySQL
  • Postfix
  • Dovecot

Basically most things apart from BIND.

At this point you should have a basic working and secure installation of Virtualmin.

Now you should be able to create a new VirtualServer for each of your other 3 domains enabling website & mail if required. Leave SSL alone for now. Do one domain 1st (say Copy the website from your 1st server onto your 2nd one.

Go to Papaki's control panel - and using their FreeDNS create an A record for that domain. Most want a host - you can use the @ symbol and it should be fine. Then create a CNAME for www - that should be enough to get the basics going.

Test the website and if all is well, then go back to Papaki and add an MX record for it - you will also need to add an SPF record in the 1st instance - where you are saying that the 2nd VPS's IP address is allowed to send email for it. Test your email - outbound and inbound. Create a test user on this domain.

Once that is working - enable the SSL for it and using Virtualmin's LE page - request a cert for

and if you've done everything you should have - it should provide the certificate without having to do anything further.

Then repeat for the other 2 domains - i.e., create virtual server, enable just http, create A & CNAME records, test it, enable mail, create MX record (test inbound & outbound), copy the website across, enable SSL, request the cert & test again.

Then once all domains are on the new server - kill the old one.
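
The checks this thread keeps returning to (hostname distinct from the domain, nameservers on more than one IP, an A record behind the MX, an SPF record once mail is enabled), as an added example that is not code from the thread or from Virtualmin. The zone data, `example.com`, the 192.0.2.x addresses, the provider nameserver names and the /24 reading of "different IP blocks" are assumptions; `athens1` is the hostname suggested in the post above.

```python
import ipaddress


def lint_zone(domain, server_fqdn, records):
    """Lint (name, type, value) records. '@' is the zone apex and a trailing
    dot marks an absolute name, as in a zone file."""
    domain = domain.rstrip(".").lower()

    def fq(name):
        if name == "@":
            return domain
        if name.endswith("."):
            return name[:-1].lower()
        return f"{name}.{domain}".lower()

    a_records, cnames = {}, set()
    for name, rtype, value in records:
        if rtype == "A":
            a_records.setdefault(fq(name), set()).add(value)
        elif rtype == "CNAME":
            cnames.add(fq(name))

    findings = []

    # The server's FQDN is hostname + domain, never the bare domain.
    if server_fqdn.rstrip(".").lower() == domain:
        findings.append("hostname-equals-domain")

    # At least two nameservers, on different IPs and different IP blocks
    # (assumption: "block" is read as an IPv4 /24). Out-of-zone nameservers
    # have no A record here, so they are not judged.
    ns_hosts = [fq(v) for n, t, v in records if t == "NS" and fq(n) == domain]
    ns_ips = set().union(*(a_records.get(h, set()) for h in ns_hosts))
    blocks = {ipaddress.ip_network(f"{ip}/24", strict=False) for ip in ns_ips}
    if len(ns_hosts) < 2:
        findings.append("fewer-than-two-nameservers")
    elif len(ns_ips) == 1:
        findings.append("nameservers-share-one-ip")
    elif ns_ips and len(blocks) < 2:
        findings.append("nameservers-in-same-/24")

    # An MX target must be a name with an A record, not a CNAME alias.
    has_mx = False
    for name, rtype, value in records:
        if rtype != "MX":
            continue
        has_mx = True
        target = fq(value.split()[-1])  # value is "<priority> <target>"
        if target in cnames:
            findings.append(f"mx-target-is-cname:{target}")
        elif target.endswith("." + domain) and target not in a_records:
            findings.append(f"mx-target-has-no-a-record:{target}")

    # Once mail is enabled the apex needs an SPF TXT record.
    has_spf = any(t == "TXT" and fq(n) == domain and v.lower().startswith("v=spf1")
                  for n, t, v in records)
    if has_mx and not has_spf:
        findings.append("mx-without-spf")
    return findings


# Constructed zone with the problems raised in the thread, plus an MX that
# points at a CNAME.
BEFORE = [
    ("@", "NS", "ns1"), ("@", "NS", "ns2"),
    ("ns1", "A", "192.0.2.10"), ("ns2", "A", "192.0.2.10"),
    ("@", "A", "192.0.2.10"),
    ("mail", "CNAME", "@"),
    ("@", "MX", "10 mail"),
]

# Constructed zone following the procedure above: registrar-hosted DNS,
# A records for the apex, the server and mail, CNAME for www, MX and SPF.
AFTER = [
    ("@", "NS", "ns1.dns-provider.example."), ("@", "NS", "ns2.dns-provider.example."),
    ("@", "A", "192.0.2.10"), ("athens1", "A", "192.0.2.10"),
    ("www", "CNAME", "@"), ("mail", "A", "192.0.2.10"),
    ("@", "MX", "10 mail"),
    ("@", "TXT", "v=spf1 ip4:192.0.2.10 -all"),
]

if __name__ == "__main__":
    print("before:", lint_zone("example.com", "example.com", BEFORE))
    print("after: ", lint_zone("example.com", "athens1.example.com", AFTER))
```
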

Wed, 11/06/2019 - 12:30

Indeed I have found the Free DNS Service of Currently one of my clients uploads pictures to his WooCommerce and I don't want to distract him as he has a lot of work to do. I don't want him to complain again about his site not loading up.

If I disable BIND then I will have to enter records A, CNAME, MX for each domain, right? That would bring down the sites and I don't want that because I will hear complaints.

Can I maintain BIND for my clients only and for starters ONLY change DNS from BIND to papaki FreeDNS ( &

If I do these alterations ONLY for will the other websites remain intact?

What happens if BIND is active and FreeDNS of papaki service is also active? What would that do to

Intel Inside, Idiot Outside!

Wed, 11/06/2019 - 12:42 (Reply to #34)

If you change to use Papaki's DNS servers but leave the clients on BIND (i.e. your DNS) then you would need to add A records (or CNAMEs) for & on Papaki - which technically would require propagation. That may or may not result in downtime for your clients.

Looking at your other posts - your server does seem to have a few issues. A new VPS would probably be the best way forward. It may involve downtime, but you could discuss that with your client and look to switch over overnight as opposed to daytime there. Minimising the downtime.

Or purchase another domain like and use that for the new VPS. You could use A records and have one point to the existing FQDN and another to the say - and move domains slowly, leaving the Woocommerce one till last.

But the moment you want to resolve the issues with the existing VPS and still maintain uptime - as you appear to be a novice - that's going to get tricky.

Apologies if it's not the answer you would like.


Wed, 11/06/2019 - 12:52

I will make all changes to the current VPS.

I have enabled freedns on papaki. a add A records for

Problem is that I don't know what to enter for CNAME and MX please. It has 2 input fields on both and I don't know what to enter, I will post the pics.

Please QUICKLY DO TELL ME WHAT VALUES TO PUT THERE as seen in the pictures so as to propagate correctly!!!!

Intel Inside, Idiot Outside!

Wed, 11/06/2019 - 13:54 (Reply to #36)

CNAMES are the subdomain.

  • www is a subdomain
  • mail is a subdomain (technically - but that might be best done with an A record)
  • ftp is a subdomain

so in the case of

A Record
Host                           Value
@                              IP ADDRESS              IP ADDRESS

Host                           Value

Host                            Value
@                        10

Wed, 11/06/2019 - 14:02 (Reply to #37)

Umm, thanks for answering but still it's not clear to me. What is '@'?

CNAME and MX have 2 input fields each and I'm still not sure what to enter there.

Please look at the photos and tell me what I need to enter in each field. I only understood how to place A records, which is easy, just the name of the subdomain and then in the other field the IP address.

Intel Inside, Idiot Outside!

Wed, 11/06/2019 - 14:12 (Reply to #38)

@ is a synonym for the root domain. Nikos - at the risk of saying it plainly, just put the damn thing in.

CNAME - in the code snippet I posted up there was a "table" of 2 columns, what bit of the example did you not understand?

CNAME's require a host\subdomain and a value - the 1st part is www and the second part is

Wed, 11/06/2019 - 14:29 (Reply to #39)

I still don't follow.

MX asks: input mail domain, input mail exchanger

CNAME asks: input domain name, input canonical name(destination)

Intel Inside, Idiot Outside!

Wed, 11/06/2019 - 14:40 (Reply to #40)

Did you read the following link -

that I posted earlier? It explains A, CNAME & MX records and refers to their system.

EDIT: if nothing else, log a support ticket with papaki and ask them about DNS records or an online chat if they have one. Ask them what needs to be input on the screen if you want to add a CNAME for www pointing to - I recently came across a domain registrar which I hadn't used and their system wasn't intuitive - so I asked their support who explained in a few mins.

Wed, 11/06/2019 - 14:46 (Reply to #41)

I managed to put those entries. Before, you said something that if I was to leave BIND active for my other websites I have to:

Can you explain it please?

Intel Inside, Idiot Outside!

Wed, 11/06/2019 - 14:54 (Reply to #42)

You would need BIND to not resolve for - how you would do that, I don't know, as I don't run BIND. You might not be able to do that as domain is running the name servers.

To stop things breaking further - you should add 2 more A records or CNAME's for & - I'd go with A records for the moment - just in case CNAME's are not the preferred way for nameservers.

Wed, 11/06/2019 - 15:01 (Reply to #43)

Call me an idiot but I fear I am gonna break things.

Unless you accept me giving you access to to make the alterations yourself correctly as it should, I'm switching back to BIND.

Intel Inside, Idiot Outside!

Wed, 11/06/2019 - 13:02

May I please give you access on, for you to make the changes correctly?

I'm afraid I will do something stupid if I enable papaki's DNS servers, mostly about the other sites NOT loading properly.

For starters I WILL ONLY MAKE CHANGE TO DNS OF SUPERHOST.GR NOTHING ELSE. But you said something about load or might not load, I am confused.

Could you please make the alterations correctly?

Intel Inside, Idiot Outside!

Wed, 11/06/2019 - 14:55

Do you have access to the DNS control panels for the other domains?

Wed, 11/06/2019 - 15:08 (Reply to #46)

ALL 4 domains are in the same DNS control panel because I host all of them to

Shall I give you access to make the changes to all 4 domains so I can finally disable BIND?

Intel Inside, Idiot Outside!

Wed, 11/06/2019 - 14:58

If I disable BIND then I will have to enter records A, CNAME, MX for each domain, right? That would bring down the sites and I don't want that because I will hear complaints.

If you add in all the relevant A, CNAME, TXT (spf) & MX records for the other domains correctly - nothing would come down. 1 minute they would be resolving using the name servers and the next minute via the registrar's DNS servers once propagation hits the DNS that they are using.

Try it on one of the domains (other than and see how it goes.

Wed, 11/06/2019 - 15:12

Nikos - I'm personally not sure what you are afraid of. Pick one of the domains - one that is least important and change it over from the nameservers to use A, CNAME, TXT, MX records and see how you get on.

Worst case scenario is you can go back to the nameserver entries.

Why shit yourself over doing something that can be reversed?

Don't take this personally - if you can't do sysadmin stuff or learn to do it, you either need to move to a managed service somewhere or stop doing it.

Wed, 11/06/2019 - 15:17

Could you fix it for me please? I would not know what A is required or CNAME instead. Shall I give you access to make the needed changes?

Intel Inside, Idiot Outside!

Wed, 11/06/2019 - 15:26

Nikos - not really related to your issue but I used to be on shared hosting up until middle of 2016. It allowed me to host my domain\mail. The provider was getting out of the business of shared hosting. So I googled and having a few bad experiences prior to that with shared hosting - I didn't want to go back to it. So googled and found out about VPS's.

Then read up and found Virtualmin - read up on the docs and searched the forums. I settled on Linode and read their docs on setting up a LAMP stack etc. And securing the VPS. I followed the docs I had found and installed Virtualmin and put 2 domains on it.

Didn't really do much over the next 3 years. Then this year I was told one of the domains wasn't able to send emails to hotmail. That made me check if the server IP was on any blacklists. It was on backscatterer. In the space of a few weeks, I learnt about Apache (to a greater depth), upgraded to the latest version of PHP, created additional jails for Fail2Ban (from the CLI) and locked Postfix down (again from the CLI) to a far greater degree. I did also look in Virtualmin to see where those additional config changes I had made via CLI were turning up. I found them. All this via CLI - I prefer it that way.

My point in saying this - I'm not an experienced SysAdmin, but I come from a very tech heavy background (Cisco, Windows, MS Exchange etc) so perhaps for me picking up things is easier - but there's no substitute for putting the hours in. Learning, putting a plan together (with some idea of how to reverse what I have done), testing and then doing it for real.


Topic locked