Issue of SSL Certificate fails

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: muzikquest.de AND muzikquest.co.uk

I ran this command: I used Virtualmin to request a certificate from Let's Encrypt for these domains. Both are hosted on a new VPS that I have just set up. The IP is 109.199.124.46
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for muzikquest.de and 6 more domains

"Certbot failed to authenticate some domains (authenticator: manual). The Certificate Authority reported these problems:
Domain: mail.muzikquest.de
Type: dns
Detail: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.mail.muzikquest.de - check that a DNS record exists for this domain

Domain: www.muzikquest.de
Type: dns
Detail: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.www.muzikquest.de - check that a DNS record exists for this domain

Domain: admin.muzikquest.de
Type: unauthorized
Detail: No TXT record found at _acme-challenge.admin.muzikquest.de

Domain: autoconfig.muzikquest.de
Type: unauthorized
Detail: No TXT record found at _acme-challenge.autoconfig.muzikquest.de

Domain: autodiscover.muzikquest.de
Type: unauthorized
Detail: No TXT record found at _acme-challenge.autodiscover.muzikquest.de

Domain: muzikquest.de
Type: unauthorized
Detail: No TXT record found at _acme-challenge.muzikquest.de

Domain: webmail.muzikquest.de
Type: unauthorized
Detail: No TXT record found at _acme-challenge.webmail.muzikquest.de

Hint: The Certificate Authority failed to verify the DNS TXT records created by the --manual-auth-hook. Ensure that this hook is functioning correctly and that it waits a sufficient duration of time for DNS propagation. Refer to "certbot --help manual" and the Certbot User Guide.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

It produced this output: for muzikquest.de, the output for muzikquest.co.uk is almost identical:"

My web server is (include version): Apache2

The operating system my web server runs on is (include version): Ubuntu 24.04

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): Webmin/ Virtualmin

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.9.0

Have you written your own manual auth hook and if so, could you share it (with any secrets removed)?

I also can't find the TXT records required for the DNS-01 challenge.

I received an additional error message when I run:

certbot certonly -d muzikquest.de -d *.muzikquest.de

The error message was:
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. You may need to use an authenticator plugin that can do challenges over DNS.

I'd start by updating that to the latest version.

This (2.9.0-1) is the latest version Ubuntu has in the installed repos.

Have a look at the recommended installation instructions at https://certbot.org/

It looks like two separate issues are getting mixed together here:

  1. Your first Virtualmin run tried to include several hostnames (mail, www, admin, autoconfig, autodiscover), so Let’s Encrypt expected a valid _acme-challenge TXT record for each of those names. If those hostnames are not supposed to be on the certificate, remove them from the request instead of trying to satisfy all of them.
  2. For *.muzikquest.de, HTTP-01 will never work. Wildcards require DNS-01, and with certbot that usually means either a DNS plugin for your provider or --manual --preferred-challenges dns plus creating the TXT record(s) it prints.

If your real goal is just the apex + wildcard, I’d retry with only:
certbot certonly --manual --preferred-challenges dns -d muzikquest.de -d '*.muzikquest.de'
and make sure the TXT record exists before continuing. Once that works, add any extra hostnames only if you actually need them.

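The "make sure the TXT record exists before continuing" step from the reply above, as an added example that is not part of the original thread: a POSIX shell helper that maps each -d name to the record name Let's Encrypt looks up and polls until the value certbot printed is visible. The function names, the name=value argument format and the DIG override are assumptions of this sketch, and it relies on dig being installed.

```shell
#!/bin/sh
# Added example: pre-flight check for "certbot --manual --preferred-challenges dns".
# DIG is an assumed override hook (e.g. DIG="dig +tcp"); the default is plain dig.
DIG="${DIG:-dig}"

# Map a certificate name to the TXT name the CA queries. A wildcard is
# validated at its base name, so '*.example.org' and 'example.org' share
# one _acme-challenge name that must carry two TXT values at once.
challenge_name() (
  d=${1%.}        # drop a trailing root dot
  d=${d#"*."}     # drop a leading wildcard label
  printf '_acme-challenge.%s\n' "$d"
)

# Succeed only if the expected value is among the TXT values published now.
# $1 = certificate name, $2 = value printed by certbot,
# $3 = optional @server; querying the zone's authoritative server avoids
#      a cached NXDOMAIN on a recursive resolver.
txt_published() (
  [ -n "$2" ] || exit 1
  name=$(challenge_name "$1")
  ans=$($DIG +short TXT "$name" ${3:+"$3"} 2>/dev/null | tr -d '"')
  printf '%s\n' "$ans" | grep -Fxq -- "$2"
)

# Poll until every name=value pair is published.
# $1 = attempts per name, $2 = seconds between attempts, rest = pairs.
wait_for_txt() (
  tries=$1; delay=$2; shift 2
  for pair in "$@"; do
    n=0
    until txt_published "${pair%%=*}" "${pair#*=}"; do
      n=$((n + 1))
      if [ "$n" -ge "$tries" ]; then
        echo "not published: $(challenge_name "${pair%%=*}")" >&2
        exit 1
      fi
      sleep "$delay"
    done
  done
)

# Run as a script: ./check.sh 30 10 'muzikquest.de=VALUE1' '*.muzikquest.de=VALUE2'
if [ "$#" -ge 3 ]; then wait_for_txt "$@"; fi
```

Run it in a second terminal after certbot prints the values and press Enter in certbot only once it exits 0.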

Hi Taylor, thank you, that worked!
