Solved Problème Let’s Encrypt : impossible de générer un certificat pour mysql.domain.tld

[Hashut]

Question
Où DirectAdmin définit-il la liste exacte des sous-domaines autorisés pour Let’s Encrypt ?
Pourquoi webmail.domain.tld fonctionne sans être dans .subdomains, mais mysql.domain.tld non ?
Existe-t-il un moyen officiel et propre d’ajouter mysql.domain.tld aux SAN Let’s Encrypt sans :
créer un faux domaine
modifier des fichiers système à la main
casser les renouvellements automatiques
Toute piste ou retour d’expérience est bienvenu.

Merci d’avance

 

[Hashut]

Je rencontre un problème récurrent avec DirectAdmin + Let’s Encrypt concernant la génération de certificats pour un sous-domaine personnalisé de type mysql.domain.tld.

Contexte
Serveur : Debian + DirectAdmin
Webserver : Apache (httpd)
Let’s Encrypt activé via DirectAdmin
Les certificats sont bien générés pour :
domain.tld
www.domain.tld
webmail.domain.tld
ftp.domain.tld
Mais jamais pour mysql.domain.tld

 

[Hashut]

Erreur rencontrée
Lors d’une tentative manuelle : ./letsencrypt.sh request_single mysql.domain.tld
mysql.domain.tld was skipped due to unreachable

http://mysql.domain.tld/.well-known/acme-challenge/...

No domains pointing to this server
Alors que :
Le sous-domaine existe
Le DNS est bon
Le vhost Apache répond

Test révélateur
Si je remplace mysql.domain.tld par ftp.domain.tld dans le même vhost Apache → ça fonctionne immédiatement, car ftp.domain.tld est déjà présent dans le certificat.
Le problème vient donc clairement de Let’s Encrypt / DirectAdmin qui n’autorise pas ou n’intègre pas le sous-domaine mysql.

 

[Active8]

English please....

 

[Hashut]

Error encountered

During a manual attempt: ./letsencrypt.sh request_single mysql.domain.tld
mysql.domain.tld was skipped due to unreachable

http://mysql.domain.tld/.well-known/acme-challenge/...

No domains pointing to this server

Whereas:

• The subdomain exists
• DNS is correct
• The Apache vhost responds properly

Revealing test
If I replace mysql.domain.tld with ftp.domain.tld in the same Apache vhost → it works immediately, because ftp.domain.tld is already included in the certificate.
The issue therefore clearly comes from Let’s Encrypt / DirectAdmin, which does not allow or properly integrate the mysql subdomain.
I am experiencing a recurring issue with DirectAdmin + Let’s Encrypt regarding the generation of certificates for a custom subdomain such as mysql.domain.tld.

Context

• Server: Debian + DirectAdmin
• Web server: Apache (httpd)
• Let’s Encrypt enabled via DirectAdmin

Certificates are correctly generated for:

• domain.tld
• www.domain.tld
• webmail.domain.tld
• ftp.domain.tld

But never for mysql.domain.tld.

Question

• Where does DirectAdmin define the exact list of subdomains allowed for Let’s Encrypt?
• Why does webmail.domain.tld work without being listed in .subdomains, while mysql.domain.tld does not?
• Is there an official and clean way to add mysql.domain.tld to the Let’s Encrypt SANs without:creating a fake domain
  • manually editing system files
  • breaking automatic renewal

Any insight or feedback would be greatly appreciated.

 

[Active8]

did you create a new domain e. mysql.domain.com ? (section domains)
or did you installed it as subdirectory ?

 

[Hashut]

No, I didn’t create a subdomain, but I also didn’t create FTP, webmail, etc. — those are DNS records.

Even when I click on mysql.domain.tld in the dashboard, it never stays selected and it doesn’t generate the certificate.

 

[Ohm J]

First, you need to put "mysql" in the DNS record.

 

[Hashut]

The DNS record mysql is already present in the nameservers (NS) of each domain.

 

[Richard G]

You might need to add it to the letsencrypt list in the/var/log/directadmin/confdirectadmin.conf file.
Normally this looks like:
letsencrypt_list=www:mail:ftp:pop:smtp
since mysql is only a DNS record and no real subdomain you might need to change it to this:
letsencrypt_list=www:mail:ftp:pop:smtp:mysql
and restart directadmin after making the change.

Related:

Version 1.50.1 | Directadmin Docs

DirectAdmin Knowledge Base

docs.directadmin.com

and below.

 

[Hashut]

letsencrypt_list=www:mail:ftpop:smtp:mysql is already set in the configuration, but it still doesn’t generate the certificate.

 

[Richard G]

With the same error?
The name must be reachable. If you use http://mysql.yourdomain.com in your browser, do you get an error or not?
If yes, than that is the reason LE can't issue a certificate either.

Otherwise I don't know what's going on.

 

[Ohm J]

Try dig the DNS from the outside.

dig mysql.domain.com @8.8.8.8
dig mysql.domain.com @ns1.yourhosting.com

 

[Hashut]

dig mysql.domain.com @8.8.8.8

# dig mysql.domain.tld @8.8.8.8

; <<>> DiG xxxxxxxx-Debian <<>> mysql.domain.tld @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47852
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;mysql.domain.tld. IN A

;; ANSWER SECTION:
mysql.domain.tld. 10555 IN A xx.xx.xxx.xx

;; Query time: 24 msec
;; SERVER: 8.8.8.8#53(8.8.8.8) (UDP)
;; WHEN: Fri Jan 23 18:28:55 CET 2026
;; MSG SIZE rcvd: 63

 

[Hashut]

Thanks for your help, after restarting the server, everything is working.