Virtualmin stopped generating new certificates or renewing

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g., so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command: Virtualmin LetsEncrypt module

It produced this output:

In domain
Requesting a certificate for,, * from Let's Encrypt ..
.. request failed : Web-based validation failed : Wildcard hostname * can only be validated in DNS mode DNS-based validation failed :
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for
dns-01 challenge for
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. (dns-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: No TXT record found at, (dns-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect TXT record "" found at

  • The following errors were reported by the server:
    Type: unauthorized
    Detail: No TXT record found at
    Type: unauthorized
    Detail: Incorrect TXT record
    "" found at
    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address.

My web server is (include version): Apache version 2.4.29

The operating system my web server runs on is (include version): Ubuntu Linux 18.04.4

My hosting provider, if applicable, is: Digital Ocean VPS

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
virtualmin 6.14, webmin 1.962

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 0.31.0

Don't know how to get the values for the requested TXT DNS records, or what to do.

Step one:
Remove/replace the wildcard TXT record entry:

nslookup -q=txt       canonical name =       text =        ""

nslookup -q=txt       canonical name =       text =        ""

No matter what the TXT request is, the answer is always the same.

In short: The wildcard CNAME TXT entry may be overriding the new TXT entry (which may have been created correctly - hard to say as is configured)

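The symptom described in the answer above (every TXT query under the domain returns the same answer) can be checked before a certificate is requested. The following is an added example, not part of the original thread: it compares the answer for the challenge name with the answer for a random label that nobody created. `example.com`, the record values and the `make_lookup` stand-in resolver are constructed assumptions; a real run would replace the stand-in with actual DNS queries.

```python
import secrets

def make_lookup(records):
    """Constructed stand-in for a resolver (assumption, not a real DNS client).
    records maps name -> ("TXT", [values]) or ("CNAME", target)."""
    def lookup_txt(name):
        node = records.get(name)
        if node is None:
            # Name does not exist: a wildcard at the parent answers instead.
            node = records.get("*." + name.split(".", 1)[1])
        if node is None:
            return (None, [])
        kind, data = node
        if kind == "CNAME":
            tkind, tdata = records.get(data, ("TXT", []))
            return (data, list(tdata) if tkind == "TXT" else [])
        return (None, list(data))
    return lookup_txt

def diagnose(challenge_name, expected_token, lookup_txt):
    """Classify the TXT answer the CA would see for a dns-01 challenge.
    lookup_txt(name) must return (cname_target_or_None, [txt strings])."""
    cname, txt = lookup_txt(challenge_name)
    if expected_token in txt:
        return "ok"
    # Probe a random sibling label; if it answers identically, a wildcard
    # record is producing the answer, not a record at the challenge name.
    parent = challenge_name.split(".", 1)[1]
    probe = f"probe-{secrets.token_hex(8)}.{parent}"
    p_cname, p_txt = lookup_txt(probe)
    if (p_cname or p_txt) and (cname, sorted(txt)) == (p_cname, sorted(p_txt)):
        return "wildcard-answer"
    # These map to the two ACME error details: incorrect TXT / no TXT found.
    return "wrong-txt" if txt else "no-txt"

# Constructed zone: wildcard CNAME pointing at a mail-verification TXT record.
WILDCARD_ZONE = {
    "*.example.com": ("CNAME", "verify.example.net"),
    "verify.example.net": ("TXT", ["constructed-mail-verification-value"]),
}

if __name__ == "__main__":
    name = "_acme-challenge.example.com"
    print(diagnose(name, "constructed-token", make_lookup(WILDCARD_ZONE)))
    fixed = dict(WILDCARD_ZONE, **{name: ("TXT", ["constructed-token"])})
    print(diagnose(name, "constructed-token", make_lookup(fixed)))
```

A `wildcard-answer` result means the challenge name is being answered by the wildcard entry rather than by a record at `_acme-challenge` itself.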

Zoho is my email service and I need these 2 TXT DNS records.

Can you replace it with something less WILD?

According to their own documentation:


You shouldn't be using * for entry.

Even the CNAME method makes no mention of using *
It specifically uses a single name in the CNAME field:


You seem to have combined the CNAME and TXT instructions and also added * into it.
