Submitted by Vince42 on Tue, 04/26/2016 - 17:13 Pro Licensee
I want to have an auto-renewing Let's Encrypt certificate when connecting to Webmin / Virtualmin. When I choose the Let's Encrypt option via Webmin - Webmin Configuration - SSL - Let's Encrypt, it moans that there is no virtual server with the (DNS) name of my server. I would have expected that the module is able to see that the certificate is requested for Webmin / Virtualmin.
Status:
Active
Comments
Submitted by JamieCameron on Tue, 04/26/2016 - 19:33 Comment #1
Unfortunately, even though the cert is requested for Virtualmin itself, the Let's Encrypt service requires that there be a regular website on port 80 that accepts requests for the same domain name.
Submitted by Vince42 on Wed, 04/27/2016 - 17:05 Pro Licensee Comment #2
So what is the most elegant solution? Should I request it for domain.tld, www.domain.tld and webmin.domain.tld and then use the button "use this certificate for webmin"? How about the redirects? There is no solution visible for me ... the customers would try to enter virtualmin / usermin via admin.domain1.tld, admin.domain2.tld - and that would mean to recreate the certificate every time I add a new domain ... It sounds as if there is no easy way out ...
Submitted by JamieCameron on Wed, 04/27/2016 - 23:00 Comment #3
Yeah, there's no way to request a single cert for multiple different domains unless they are all aliases of a single domain.
Submitted by Vince42 on Thu, 04/28/2016 - 16:36 Pro Licensee Comment #4
This is slightly off topic, but a few days ago I set up Let's Encrypt certificates successfully - and today tried to get the FQDN of the server as additional alias into the certificate. It failed with the following error:
Requesting a certificate for domain.tld, www.domain.tld server.domain.tld from Let's Encrypt ..
.. request failed : mkdir failed : mkdir: cannot create directory ‘/home/domain.tld/public_html/.well-known/acme-challenge’: Permission denied
Switching back to the default option resulted in the same error message?! What did I do?!?!
Submitted by JamieCameron on Thu, 04/28/2016 - 22:45 Comment #5
Try deleting
/home/domain.tld/public_html/.well-known/acme-challenge
and
/home/domain.tld/public_html/.well-known
first - they might have the wrong ownership.
Submitted by Vince42 on Fri, 05/27/2016 - 16:47 Pro Licensee Comment #6
You were right: a chown -Rv on .well-known in all the domains did the trick - thank you! Now I need to find a way to implement an auto-renewing certificate for webmin itself and I will be satisfied ... :)
Submitted by JamieCameron on Fri, 05/27/2016 - 21:22 Comment #7
The latest Webmin release supports automatic cert renewal.
Submitted by Vince42 on Sat, 05/28/2016 - 14:16 Pro Licensee Comment #8
I know - I am currently testing / using it for some virtual domains. I would like to have an auto-renewing Let's Encrypt certificate for Webmin / Virtualmin itself - that would be very nice ... as there is no public_html it does not seem to work. The only way I could think about would be to add
server.domain.tld
as sub server to domain.tld and to request a certificate for domain.tld, www.domain.tld and server.domain.tld ... but this sounds like a too complicated way to me ... I would love to have a "Keep Webmin always secured with Let's Encrypt certificate yes/no" ... :)
Submitted by JamieCameron on Sat, 05/28/2016 - 16:51 Comment #9
You can request a Let's Encrypt cert for webmin / virtualmin itself, at Webmin -> Webmin Configuration -> SSL Encryption, and have it auto-renew.
You do need to select an apache virtual host whose name matches the hostname you use to access Virtualmin though.
Submitted by Vince42 on Sat, 05/28/2016 - 17:22 Pro Licensee Comment #10
Thank you for the hint - I cannot get the virtual server to run http, but I will find out how ...
Submitted by Vince42 on Mon, 05/30/2016 - 15:31 Pro Licensee Comment #11
I managed to successfully request the Let's Encrypt certificate and to apply it to webmin - unfortunately this locked me out of Webmin / Virtualmin. How can I disable the newly applied certificate from the command line?
Submitted by andreychek on Mon, 05/30/2016 - 15:34 Comment #12
You can disable SSL entirely in Webmin by editing /etc/webmin/miniserv.conf, and set "ssl=0". Then restart Webmin.
You should then be able to access Webmin using http:// rather than https://.
Submitted by Vince42 on Mon, 05/30/2016 - 15:46 Pro Licensee Comment #13
Thank you - I am able to log in again ... :)
I just requested the certificate again and tried to enable SSL alternatively in Webmin, but I get the error message
Failed to save SSL options : The SSL private key file /etc/webmin/letsencrypt-key.pem does not exist or does not contain a PEM format key
- have you heard of such problems before?
lrwxrwxrwx 1 root root 34 May 30 22:23 letsencrypt-ca.pem -> ../../archive/x3.eec.de/chain1.pem
lrwxrwxrwx 1 root root 33 May 30 22:23 letsencrypt-cert.pem -> ../../archive/x3.eec.de/cert1.pem
lrwxrwxrwx 1 root root 36 May 30 22:23 letsencrypt-key.pem -> ../../archive/x3.eec.de/privkey1.pem
Just checked the existence: instead of x3.eec.de there is only eec.de-001 and eec.de-002. I guess that not the FQDNs are used, but enumerated dirs? May this be the cause?
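The listing in Comment #13 shows certificate symlinks whose target directory is not there, which is one way to get the "does not exist or does not contain a PEM format key" error. As an added example (not part of the thread and not Webmin's own code), this shell script classifies each letsencrypt-*.pem link as usable, dangling, missing or not PEM; the function names and the temporary demo paths are assumptions made for the example.

```shell
#!/bin/sh
# Added example: classify one certificate file or symlink.
# Prints OK, DANGLING (symlink whose target is gone), MISSING or NOT_PEM.
check_pem_link() {
    f=$1
    if [ -L "$f" ] && [ ! -e "$f" ]; then
        echo "DANGLING $f -> $(readlink "$f")"
    elif [ ! -e "$f" ]; then
        echo "MISSING $f"
    elif ! grep -q -e '-----BEGIN [A-Z ]*-----' "$f"; then
        echo "NOT_PEM $f"
    else
        echo "OK $f"
    fi
}

# Check the three file names from the listing in one directory.
# Returns non-zero if any of them is unusable.
check_cert_dir() {
    dir=$1
    rc=0
    for name in letsencrypt-ca.pem letsencrypt-cert.pem letsencrypt-key.pem; do
        line=$(check_pem_link "$dir/$name")
        echo "$line"
        case $line in OK*) ;; *) rc=1 ;; esac
    done
    return $rc
}

# Constructed demo tree: the cert link resolves, the key link points at a
# directory name that was never created, and the CA file is absent.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/archive/example.tld-001" "$tmp/conf"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'constructed' \
        '-----END CERTIFICATE-----' > "$tmp/archive/example.tld-001/cert1.pem"
    ln -s ../archive/example.tld-001/cert1.pem "$tmp/conf/letsencrypt-cert.pem"
    ln -s ../archive/www.example.tld/privkey1.pem "$tmp/conf/letsencrypt-key.pem"
    check_cert_dir "$tmp/conf" || echo "at least one file is unusable"
    rm -rf "$tmp"
}

demo
```

To use it on a real host, call check_cert_dir with the directory that holds the links, for example /etc/webmin as named in the error message.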