No TXT record found at _acme-challenge.my.domains, webmin, virtualmin

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
sturtz.ml
I ran this command:
I use Virtualmin
It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for admin.sturtz.ml
dns-01 challenge for sturtz.ml
dns-01 challenge for webmail.sturtz.ml
dns-01 challenge for www.sturtz.ml
Running manual-auth-hook command: /etc/webmin/webmin/letsencrypt-dns.pl
Running manual-auth-hook command: /etc/webmin/webmin/letsencrypt-dns.pl
Running manual-auth-hook command: /etc/webmin/webmin/letsencrypt-dns.pl
Running manual-auth-hook command: /etc/webmin/webmin/letsencrypt-dns.pl
Waiting for verification...
Challenge failed for domain admin.sturtz.ml
Challenge failed for domain sturtz.ml
Challenge failed for domain webmail.sturtz.ml
Challenge failed for domain www.sturtz.ml
dns-01 challenge for admin.sturtz.ml
dns-01 challenge for sturtz.ml
dns-01 challenge for webmail.sturtz.ml
dns-01 challenge for www.sturtz.ml
Cleaning up challenges
Running manual-cleanup-hook command: /etc/webmin/webmin/letsencrypt-cleanup.pl
Running manual-cleanup-hook command: /etc/webmin/webmin/letsencrypt-cleanup.pl
Running manual-cleanup-hook command: /etc/webmin/webmin/letsencrypt-cleanup.pl
Running manual-cleanup-hook command: /etc/webmin/webmin/letsencrypt-cleanup.pl
Some challenges have failed.
IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: admin.sturtz.ml
   Type:   unauthorized
   Detail: No TXT record found at _acme-challenge.admin.sturtz.ml

   Domain: sturtz.ml
   Type:   unauthorized
   Detail: No TXT record found at _acme-challenge.sturtz.ml

   Domain: webmail.sturtz.ml
   Type:   unauthorized
   Detail: No TXT record found at _acme-challenge.webmail.sturtz.ml

   Domain: www.sturtz.ml
   Type:   unauthorized
   Detail: No TXT record found at _acme-challenge.www.sturtz.ml

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

My web server is (include version):
Apache2
The operating system my web server runs on is (include version):
Ubuntu 20.04
My hosting provider, if applicable, is:
I am hosting myself and I am using webmin, virtualmin
I can login to a root shell on my machine (yes or no, or I don’t know):
yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
virtualmin
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
certbot 0.40.0

What exactly does that entail? What command did you run? Or did you click something in the configuration panel? I’m asking because the VirtualMin documentation is very sparse about this and I can’t seem to install Virtualmin on a virtualbox CentOS (something about a GPG key missing…)

Interesting. Because in that last screenshot, Virtualmin claims it uses the http-01 challenge (the “small temporary file under the website’s document directory”), but in fact it tries to use the dns-01 challenge:

Did you get the output from your first post somewhere from the Virtualmin error log or something? Also, I can’t find any reference to certbot in the Virtualmin-GPL source code… Did you by any chance run certbot from the command line instead of through Virtualmin?

The resolution of your screenshot is too low (resized somehow), could you please upload the actual resolution so it’s readable?

Although I’m not sure if it would help… As I said, the documentation of Virtualmin about Let’s Encrypt is practically non-existent.

Do you just want me to copy and paste the text? I had to zoom out for the image.

Is this better?

Yes, much better, thanks!

Ok good! Do you want me to track down the webmin, virtualmin, certbot logs?

Here is the Let's Encrypt log.

last 100 lines of /var/log/letsencrypt/letsencrypt.log

}
2020-09-10 11:57:48,057:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/7125164911 HTTP/1.1" 200 546
2020-09-10 11:57:48,057:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Thu, 10 Sep 2020 16:57:48 GMT
Content-Type: application/json
Content-Length: 546
Connection: keep-alive
Boulder-Requester: 96214182
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 0101ltZ0KRax997FPfG5aThFt3qe2KVApW9wPylk_XcHOTo
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "www.sturtz.ml"
  },
  "status": "invalid",
  "expires": "2020-09-17T16:56:50Z",
  "challenges": [
    {
      "type": "dns-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:unauthorized",
        "detail": "No TXT record found at _acme-challenge.www.sturtz.ml",
        "status": 403
      },
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/7125164911/CoLSug",
      "token": "D0X67GHENxNOqIq3py8GLrOlYHDm7Wa76zKGH8x68ss"
    }
  ]
}
2020-09-10 11:57:48,057:DEBUG:acme.client:Storing nonce: 0101ltZ0KRax997FPfG5aThFt3qe2KVApW9wPylk_XcHOTo
2020-09-10 11:57:48,058:WARNING:certbot.auth_handler:Challenge failed for domain admin.sturtz.ml
2020-09-10 11:57:48,058:WARNING:certbot.auth_handler:Challenge failed for domain sturtz.ml
2020-09-10 11:57:48,058:WARNING:certbot.auth_handler:Challenge failed for domain webmail.sturtz.ml
2020-09-10 11:57:48,058:WARNING:certbot.auth_handler:Challenge failed for domain www.sturtz.ml
2020-09-10 11:57:48,058:INFO:certbot.auth_handler:dns-01 challenge for admin.sturtz.ml
2020-09-10 11:57:48,058:INFO:certbot.auth_handler:dns-01 challenge for sturtz.ml
2020-09-10 11:57:48,058:INFO:certbot.auth_handler:dns-01 challenge for webmail.sturtz.ml
2020-09-10 11:57:48,058:INFO:certbot.auth_handler:dns-01 challenge for www.sturtz.ml
2020-09-10 11:57:48,059:DEBUG:certbot.reporter:Reporting to user: The following errors were reported by the server:

Domain: admin.sturtz.ml
Type:   unauthorized
Detail: No TXT record found at _acme-challenge.admin.sturtz.ml

Domain: sturtz.ml
Type:   unauthorized
Detail: No TXT record found at _acme-challenge.sturtz.ml

Domain: webmail.sturtz.ml
Type:   unauthorized
Detail: No TXT record found at _acme-challenge.webmail.sturtz.ml

Domain: www.sturtz.ml
Type:   unauthorized
Detail: No TXT record found at _acme-challenge.www.sturtz.ml

To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address.
2020-09-10 11:57:48,059:DEBUG:certbot.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 91, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 180, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.

2020-09-10 11:57:48,059:DEBUG:certbot.error_handler:Calling registered functions
2020-09-10 11:57:48,059:INFO:certbot.auth_handler:Cleaning up challenges
2020-09-10 11:57:48,060:INFO:certbot.hooks:Running manual-cleanup-hook command: /etc/webmin/webmin/letsencrypt-cleanup.pl
2020-09-10 11:57:51,430:INFO:certbot.hooks:Running manual-cleanup-hook command: /etc/webmin/webmin/letsencrypt-cleanup.pl
2020-09-10 11:57:54,722:INFO:certbot.hooks:Running manual-cleanup-hook command: /etc/webmin/webmin/letsencrypt-cleanup.pl
2020-09-10 11:57:58,026:INFO:certbot.hooks:Running manual-cleanup-hook command: /etc/webmin/webmin/letsencrypt-cleanup.pl
2020-09-10 11:58:01,322:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
  File "/bin/letsencrypt", line 11, in <module>
    load_entry_point('certbot==0.40.0', 'console_scripts', 'certbot')()
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1382, in main
    return config.func(config, plugins)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1265, in certonly
    lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 121, in _get_and_save_cert
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 417, in obtain_and_enroll_certificate
    cert, chain, key, _ = self.obtain_certificate(domains)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 348, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 396, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 91, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 180, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.

I hope this helps

Last 100 lines of /var/webmin/miniserv.error

Use of uninitialized value $minsize in numeric lt (<) at /usr/share/webmin/acl/acl-lib.pl line 1770.
Use of uninitialized value $miniserv{"pass_regexps"} in split at /usr/share/webmin/acl/acl-lib.pl line 1773.
[09/Sep/2020:14:22:01 -0500] Reloading configuration
Use of uninitialized value in string eq at /usr/share/webmin/bind8/index.cgi line 59.
Use of uninitialized value in concatenation (.) or string at ./bind8-lib.pl line 3171.
Error: SQL CREATE USER 'username'@'localhost' IDENTIFIED BY 'password'; CREATE DATABASE IF NOT EXISTS nextcloud CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci; GRANT ALL PRIVILEGES ON nextcloud.* TO 'username'@'localhost'; FLUSH PRIVILEGES; failed : You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'CREATE DATABASE IF NOT EXISTS nextcloud CHARACTER SET utf8mb4 COLLATE utf8mb4_ge' at line 1
Error: SQL CREATE USER 'username'@'localhost' IDENTIFIED BY 'password'; GRANT ALL PRIVILEGES ON *.* TO 'username'@'localhost'; FLUSH PRIVILEGES; failed : You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'GRANT ALL PRIVILEGES ON *.* TO 'username'@'localhost'; FLUSH PRIVILEGES' at line 1
restarting miniserv
[09/Sep/2020:14:39:37 -0500] Restarting
[09/Sep/2020:14:39:41 -0500] miniserv.pl started
[09/Sep/2020:14:39:41 -0500] IPv6 support enabled
[09/Sep/2020:14:39:41 -0500] Using MD5 module Digest::MD5
[09/Sep/2020:14:39:41 -0500] Using SHA512 module Crypt::SHA
[09/Sep/2020:14:39:41 -0500] PAM authentication enabled
[09/Sep/2020:14:39:43 -0500] Reloading configuration
Error: 
chown: changing ownership of '/home/sturtz/public_html/nextcloud//data': Operation not permitted
chmod: changing permissions of '/home/sturtz/public_html/nextcloud//data': Operation not permitted
chmod: changing permissions of '/home/sturtz/public_html/nextcloud//data/lost+found': Operation not permitted
chmod: cannot read directory '/home/sturtz/public_html/nextcloud//data/lost+found': Permission denied
Error: 
Error: You are not allowed to manage databases
Error: No IPv6 addresses entered
[09/Sep/2020:19:16:22 -0500] miniserv.pl started
[09/Sep/2020:19:16:22 -0500] IPv6 support enabled
[09/Sep/2020:19:16:22 -0500] Using MD5 module Digest::MD5
[09/Sep/2020:19:16:22 -0500] Using SHA512 module Crypt::SHA
[09/Sep/2020:19:16:22 -0500] PAM authentication enabled
Use of uninitialized value in string eq at /usr/share/webmin/bind8/index.cgi line 59.
Use of uninitialized value in concatenation (.) or string at ./bind8-lib.pl line 3171.
Use of uninitialized value in concatenation (.) or string at ./bind8-lib.pl line 3171.
Use of uninitialized value in concatenation (.) or string at /usr/share/webmin/bind8/edit_recs.cgi line 175.
Use of uninitialized value in string eq at /usr/share/webmin/bind8/index.cgi line 59.
Use of uninitialized value in concatenation (.) or string at ./bind8-lib.pl line 3171.
Use of uninitialized value in concatenation (.) or string at ./bind8-lib.pl line 3171.
Use of uninitialized value in concatenation (.) or string at /usr/share/webmin/bind8/edit_recs.cgi line 175.
Use of uninitialized value in string eq at /usr/share/webmin/bind8/index.cgi line 59.
Use of uninitialized value in concatenation (.) or string at ./bind8-lib.pl line 3171.
Use of uninitialized value in concatenation (.) or string at ./bind8-lib.pl line 3171.
Use of uninitialized value in concatenation (.) or string at /usr/share/webmin/bind8/edit_recs.cgi line 175.
Use of uninitialized value in concatenation (.) or string at /usr/share/webmin/bind8/edit_recs.cgi line 175.
Use of uninitialized value in concatenation (.) or string at /usr/share/webmin/bind8/edit_recs.cgi line 175.
Use of uninitialized value in concatenation (.) or string at /usr/share/webmin/bind8/edit_recs.cgi line 175.
Use of uninitialized value in concatenation (.) or string at /usr/share/webmin/bind8/edit_recs.cgi line 175.
Use of uninitialized value in concatenation (.) or string at /usr/share/webmin/bind8/edit_recs.cgi line 175.
Use of uninitialized value in concatenation (.) or string at /usr/share/webmin/bind8/edit_recs.cgi line 175.
Use of uninitialized value $minsize in numeric lt (<) at /usr/share/webmin/acl/acl-lib.pl line 1770.
Use of uninitialized value $miniserv{"pass_regexps"} in split at /usr/share/webmin/acl/acl-lib.pl line 1773.
Error: A ProFTPD virtual server with the same IP address already exists
restarting miniserv
[09/Sep/2020:20:08:44 -0500] Restarting
[09/Sep/2020:20:08:47 -0500] miniserv.pl started
[09/Sep/2020:20:08:47 -0500] IPv6 support enabled
[09/Sep/2020:20:08:47 -0500] Using MD5 module Digest::MD5
[09/Sep/2020:20:08:47 -0500] Using SHA512 module Crypt::SHA
[09/Sep/2020:20:08:47 -0500] PAM authentication enabled
[09/Sep/2020:20:11:53 -0500] Reloading configuration
restarting miniserv
[10/Sep/2020:06:37:22 -0500] Restarting
[10/Sep/2020:06:37:25 -0500] miniserv.pl started
[10/Sep/2020:06:37:25 -0500] IPv6 support enabled
[10/Sep/2020:06:37:25 -0500] Using MD5 module Digest::MD5
[10/Sep/2020:06:37:25 -0500] Using SHA512 module Crypt::SHA
[10/Sep/2020:06:37:25 -0500] PAM authentication enabled
[10/Sep/2020:06:37:37 -0500] Reloading configuration
Use of uninitialized value $minsize in numeric lt (<) at /usr/share/webmin/acl/acl-lib.pl line 1770.
Use of uninitialized value $miniserv{"pass_regexps"} in split at /usr/share/webmin/acl/acl-lib.pl line 1773.
[10/Sep/2020:06:38:54 -0500] Reloading configuration
Use of uninitialized value in numeric ne (!=) at /usr/share/webmin/bind8/bind8-lib.pl line 2406.
[10/Sep/2020:06:51:16 -0500] Reloading configuration
[10/Sep/2020:07:06:50 -0500] Reloading configuration
Error: You are not allowed to create per-directory options for the given path
Use of uninitialized value $username in string eq at /usr/share/webmin/virtualmin-htpasswd/virtual_feature.pl line 245.
Error: The domain name does not need to have www at the start
Error: The virtual interface IP address is already in use
Error: The virtual interface IP address is already in use
restarting miniserv
[10/Sep/2020:09:19:09 -0500] Restarting
[10/Sep/2020:09:19:12 -0500] miniserv.pl started
[10/Sep/2020:09:19:12 -0500] IPv6 support enabled
[10/Sep/2020:09:19:12 -0500] Using MD5 module Digest::MD5
[10/Sep/2020:09:19:12 -0500] Using SHA512 module Crypt::SHA
[10/Sep/2020:09:19:12 -0500] PAM authentication enabled
[10/Sep/2020:09:19:27 -0500] Reloading configuration
restarting miniserv
[10/Sep/2020:09:22:27 -0500] Restarting
[10/Sep/2020:09:22:30 -0500] miniserv.pl started
[10/Sep/2020:09:22:30 -0500] IPv6 support enabled
[10/Sep/2020:09:22:30 -0500] Using MD5 module Digest::MD5
[10/Sep/2020:09:22:30 -0500] Using SHA512 module Crypt::SHA
[10/Sep/2020:09:22:30 -0500] PAM authentication enabled
[10/Sep/2020:09:22:45 -0500] Reloading configuration
[10/Sep/2020:09:29:17 -0500] Reloading configuration
Error: Missing or invalid email address
[10/Sep/2020:10:48:49 -0500] Reloading configuration
Use of uninitialized value $logtarget in pattern match (m//) at /usr/share/webmin/fail2ban/syslog_logs.pl line 17.
Use of uninitialized value $logtarget in pattern match (m//) at /usr/share/webmin/fail2ban/syslog_logs.pl line 17.
Use of uninitialized value $logtarget in pattern match (m//) at /usr/share/webmin/fail2ban/syslog_logs.pl line 17.
Use of uninitialized value $logtarget in pattern match (m//) at /usr/share/webmin/fail2ban/syslog_logs.pl line 17.
Use of uninitialized value $logtarget in pattern match (m//) at /usr/share/webmin/fail2ban/syslog_logs.pl line 17.
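
The authorization object in the certbot log above says the dns-01 challenge for www.sturtz.ml failed because the CA found no TXT record. The following added example (not from the thread, Virtualmin or certbot) shows what that record would have to contain under RFC 8555 section 8.4 and checks a resolver's answers against it; the account key thumbprint `FAKE_THUMBPRINT` and the `observed` resolver answers are constructed placeholders, since the real thumbprint is derived from the certbot account key and is not in the thread.

```python
import base64
import hashlib
import json

# Authorization object as certbot logged it in the thread (trimmed to needed fields).
AUTHZ_JSON = """
{
  "identifier": {"type": "dns", "value": "www.sturtz.ml"},
  "status": "invalid",
  "challenges": [{
    "type": "dns-01",
    "status": "invalid",
    "error": {"type": "urn:ietf:params:acme:error:unauthorized",
              "detail": "No TXT record found at _acme-challenge.www.sturtz.ml",
              "status": 403},
    "token": "D0X67GHENxNOqIq3py8GLrOlYHDm7Wa76zKGH8x68ss"
  }]
}
"""

# Constructed placeholder: the real value is the JWK thumbprint (RFC 7638) of
# the certbot account key and is not shown anywhere in the thread.
FAKE_THUMBPRINT = "9jg46WB3rR_AHD-EBXdN7cBkH1WOu0tA3M9fm21mqTI"


def b64url(data):
    """base64url without '=' padding, the encoding ACME uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def dns01_record(identifier, token, thumbprint):
    """Owner name and expected TXT value for a dns-01 challenge (RFC 8555 s8.4):
    TXT at _acme-challenge.<identifier> = base64url(SHA-256(token.thumbprint))."""
    key_authz = f"{token}.{thumbprint}".encode("ascii")
    return f"_acme-challenge.{identifier}", b64url(hashlib.sha256(key_authz).digest())


def expected_records(authz_json, thumbprint):
    """Map every dns-01 owner name in an authz object to the value it must hold."""
    authz = json.loads(authz_json)
    name = authz["identifier"]["value"]
    expected = {}
    for ch in authz["challenges"]:
        if ch["type"] == "dns-01":
            owner, value = dns01_record(name, ch["token"], thumbprint)
            expected[owner] = value
    return expected


def diagnose(expected, observed):
    """Compare expected values with the TXT strings a public resolver returned
    (observed: owner name -> list of strings), reproducing the CA's verdicts."""
    verdict = {}
    for owner, value in expected.items():
        seen = observed.get(owner, [])
        if not seen:
            verdict[owner] = "No TXT record found"   # the failure in the thread
        elif value in seen:
            verdict[owner] = "ok"
        else:
            verdict[owner] = "TXT present but does not match the key authorization"
    return verdict


if __name__ == "__main__":
    print(diagnose(expected_records(AUTHZ_JSON, FAKE_THUMBPRINT), {}))  # constructed: nothing published
```

Running the check against a public resolver's TXT answers before certbot polls tells you whether the auth hook actually published the record, which is the step that fails silently here.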

No clue yet… I’m just looking at the web-based auth first (first screenshot), because I have absolutely no idea how Virtualmin manages the DNS-based authorization. I mean, did you somewhere enter your CloudFlare DNS credentials in VirtualMin? Because I see your domain is hosted on CloudFlare and Virtualmin would need access to that for DNS-based authorization.

If we concentrate first on your web-based authorization errors, we see that:

  • admin.sturtz.ml doesn’t exist in the DNS system: no A or AAAA record. And without an IP address to connect to, Let’s Encrypt can’t authorize that hostname
  • same goes for the webmail subdomain: doesn’t exist
  • your www subdomain and base domain do have an AAAA record for 2604:99c0:8:2f96:223:24ff:fe08:581f. However, that host is down: I can’t ping it and I can’t connect to port 80 or 443. So Let’s Encrypt can’t authorize those hostnames either.

So my suggestion, unless you can explain to me in detail how the Virtualmin DNS-based authorization works exactly, is to get your site up in general again. Perhaps update your DNS if you’ve changed IP addresses?

All admin.sturtz.ml does is redirect me to the webmin port https://sturtz.ml:10000/
webmail goes to http://sturtz.ml:20000/
My DNS on Cloudflare:

All of the IPs are correct.
ip a

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: enp0s25: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:23:24:08:58:1f brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.8/24 brd 192.168.1.255 scope global dynamic noprefixroute enp0s25
       valid_lft 68804sec preferred_lft 68804sec
    inet 192.168.1.20/24 brd 192.168.1.255 scope global secondary noprefixroute enp0s25
       valid_lft forever preferred_lft forever
    inet 192.168.1.21/24 brd 192.168.1.255 scope global secondary noprefixroute enp0s25
       valid_lft forever preferred_lft forever
    inet 192.168.1.22/24 brd 192.168.1.255 scope global secondary noprefixroute enp0s25
       valid_lft forever preferred_lft forever
    inet 192.168.1.23/24 brd 192.168.1.255 scope global secondary noprefixroute enp0s25
       valid_lft forever preferred_lft forever
    inet 192.168.1.24/24 brd 192.168.1.255 scope global secondary noprefixroute enp0s25
       valid_lft forever preferred_lft forever
    inet6 2604:99c0:8:2f96:223:24ff:fe08:581f/64 scope global noprefixroute 
       valid_lft forever preferred_lft forever
    inet6 fe80::223:24ff:fe08:581f/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever

Now I see the webmail subdomain, but I fail to see the admin currently:

sturtz.ml.		3600	IN	SOA	deborah.ns.cloudflare.com. dns.cloudflare.com. 2035142853 10000 2400 604800 3600
admin.sturtz.ml.	3600	IN	NSEC	\000.admin.sturtz.ml. RRSIG NSEC
sturtz.ml.		3600	IN	RRSIG	SOA 13 2 3600 20200911192128 20200909172128 34505 sturtz.ml. o4lCE2qy0i52pMqJ8UeGEz1sxYvx2/WhyFhqxq1fL8ZFBRnbpVtWXWDw RBX++YCe4vWd6Rtghs8vDLJivuputw==
admin.sturtz.ml.	3600	IN	RRSIG	NSEC 13 3 3600 20200911192128 20200909172128 34505 sturtz.ml. kcXlgN3GfSANAs1V6Ki83tQMsxtk/TajkQzYgSmflPAPfYhO3LuhR9Sc m0172bMm2gBpxNUJ+L3d7873i2XeKg==
;; Received 358 bytes from 2a06:98c1:50::ac40:226f#53(deborah.ns.cloudflare.com) in 19 ms

Notice the NSEC resource record: a DNSSEC method of showing the resource record doesn’t exist.

Which might be because you do have an “admin.cloud” subdomain, but not an “admin”? I don’t see it anyway.

I can’t connect to it. Neither can Let’s Encrypt. The traceroute fails at hop 13 from my point of view: 2607:f070:500:e00::

Of course I can’t tell if that’s the last hop just in front of your server or somewhere half way…

Anyway, from my endpoint (and Let’s Encrypt’s) your server is completely down.
