Unable to create Let's Encrypt certificate for webmail and admin "subdomains"

Hey guys!

I'm using CloudFlare with the FULL (Strict) option enabled. My goal is to have a valid certificate provided by Let's Encrypt on my server and let CloudFlare handle everything else.

What I understood is that the Virtualmin Let's Encrypt script doesn't support DNS based validation. OK, that I get. But how can the autodiscover, autoconfig and mail records get a valid SSL certificate when the "admin" and "webmail" records can't?

When I enable the CloudFlare proxy on the "webmail" record I get a 526 error (Invalid SSL). If I disable the CloudFlare proxy I can get into the page, but I get an invalid certificate message in Chrome (although I can ignore this error and proceed to the redirected page).

I tried to manually supply admin.domain.tld and webmail.domain.tld in "Domain names listed here" via "Server Configuration > SSL Certificate > Let's Encrypt", but I receive an error saying the script was unable to create the "webmail.domain.tld/.well-known" file. It's weird because I didn't create autodiscover, autoconfig and mail subdomains, but the Let's Encrypt script can get a valid SSL certificate for those DNS records (although they are not properly a subdomain, pretty much what the "admin" and "webmail" records are).

PS: All DNS records in my Virtualmin were imported to CloudFlare. So everything is the same in both directions. I've tried to disable the CloudFlare proxy as well to try getting the Let's Encrypt certificate, but that wasn't enough.

Submitted by Ilia on Tue, 10/13/2020 - 14:39

As long as the DNS records and Apache records are present, and a domain with its subdomains listed for a request can be opened via a regular browser, web-based validation must go without any problems. If it still fails, try to use *:80 and *:443 for the VirtualHost directive instead of an IP address, as it may vary depending on network configuration.
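The "can it be opened via a regular browser" check above is exactly what the CA's HTTP-01 validator does: it fetches `http://<name>/.well-known/acme-challenge/<token>` over port 80, follows any redirects, and expects the key authorization string back. The script below, an added example that is not Ilia's code nor part of Virtualmin, reproduces that check so it can be run against a hostname before asking Let's Encrypt for a certificate. It assumes the standard ACME HTTP-01 layout from RFC 8555 and, for the self-contained demo, stands up a throwaway local web server in place of the Apache virtual host; the token and thumbprint values are constructed placeholders.

```python
import functools
import http.server
import tempfile
import threading
import urllib.error
import urllib.request
from pathlib import Path

# Path under the document root where HTTP-01 responses live (RFC 8555, section 8.3).
ACME_DIR = ".well-known/acme-challenge"


def write_challenge(webroot, token, key_authorization):
    """Drop the HTTP-01 response file where the CA will fetch it:
    <webroot>/.well-known/acme-challenge/<token>, containing the key authorization."""
    target = Path(webroot) / ACME_DIR / token
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_text(key_authorization)
    return target


def fetch_challenge(base_url, token, timeout=5):
    """Request the challenge URL over plain HTTP, following redirects the way an
    ACME validator does. Returns (status, body_or_error, final_url)."""
    url = f"{base_url.rstrip('/')}/{ACME_DIR}/{token}"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", "replace").strip()
            return resp.status, body, resp.geturl()
    except urllib.error.HTTPError as err:        # non-2xx answer, e.g. 404 or 526
        return err.code, err.reason, err.geturl()
    except (urllib.error.URLError, OSError) as err:  # DNS, TCP or TLS failure
        return None, str(err), url


def preflight(base_url, token, key_authorization, timeout=5):
    """Mimic the CA's HTTP-01 check. Returns (ok, explanation); the explanation
    names the final URL so an HTTP-to-HTTPS redirect is visible in the output."""
    status, body, final_url = fetch_challenge(base_url, token, timeout)
    if status is None:
        return False, f"could not connect: {body}"
    if status != 200:
        return False, f"HTTP {status} from {final_url}: {body}"
    if body != key_authorization:
        return False, f"wrong body from {final_url}: {body!r}"
    return True, f"challenge served correctly from {final_url}"


class QuietHandler(http.server.SimpleHTTPRequestHandler):
    """Static file handler that does not log every request to stderr."""

    def log_message(self, *args):
        pass


def run_local_demo():
    """Self-contained demonstration against a throwaway local web server
    (a constructed stand-in for the Apache virtual host)."""
    token = "constructed-token-abc123"                       # constructed value
    key_authorization = f"{token}.constructed-account-thumbprint"  # constructed value
    with tempfile.TemporaryDirectory() as webroot:
        write_challenge(webroot, token, key_authorization)
        handler = functools.partial(QuietHandler, directory=webroot)
        server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
        threading.Thread(target=server.serve_forever, daemon=True).start()
        base_url = f"http://127.0.0.1:{server.server_address[1]}"
        try:
            good = preflight(base_url, token, key_authorization)
            missing = preflight(base_url, "token-that-was-never-written", key_authorization)
        finally:
            server.shutdown()
            server.server_close()
    return good, missing


if __name__ == "__main__":
    for ok, why in run_local_demo():
        print("PASS" if ok else "FAIL", why)
```

Against a real host, call `write_challenge` with the virtual host's document root and then `preflight("http://webmail.domain.tld", token, key_authorization)` from a machine outside the network. A result other than `200` with the exact body, or a final URL that is not the one requested, is what the CA will also see; when the name sits behind a proxy that redirects to HTTPS and then reports a certificate error, that shows up here as the non-200 status.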

Hey Ilia, sorry for the delayed response.

I can access via my browser: http://admin.domain.tld/ http://webmail.domain.tld/

They both redirect to the correct place. If I try to directly access the same addresses in https mode, I get a message from CloudFlare saying the domain doesn't have a valid certificate. If I disable CloudFlare Proxy (greyed out in admin/webmail records), my browser (chrome) reports: NET::ERR_CERT_COMMON_NAME_INVALID

So for both "subdomains" admin and webmail the Let's Encrypt certificate is not being requested for admin.domain.tld or webmail.domain.tld. When I access those "subdomains", Virtualmin is giving the generic domain.tld certificate for those subdomains (which is not correct).

The DNS Records and Apache records are present, but I can't request a certificate in Let's Encrypt menu (Virtualmin > Server Configuration > SSL Certificate > Let's Encrypt) for admin and webmail.

This is what I receive when I try to request a certificate there (by typing webmail.domain.tld in "Domain names listed here"):

ValueError: Challenge did not pass for webmail.domain.tld: {u'status': u'invalid', u'challenges': [{u'status': u'invalid', u'validationRecord