Letsencrypt for Webmin Itself

#1 Mon, 07/24/2017 - 18:57
mhammett


It's not overly intuitive.

1) I've been told that Virtualmin is very particular of the packages one has installed on the system and the way to install certbot involves adding a bunch of packages from a backport distro. Seems like there's opportunity for problems there.

2) Google can't show me any documentation for the Let's Encrypt tab of the SSL configuration page.

3) I had to create a virtualhost with the FQDN of the webmin install. Why can't the script just append port 10000 when testing? Why duplicate things into a virtualhost running on the production side of the house?

4) The meat of why I'm here. The certificate request process creates files owned by root:root that the virtualmin process apparently can't read because they're being flagged as 404s when I see those files when I do an ls -al.

I haven't thought of a way out of #4 yet.

Mon, 07/24/2017 - 21:02
mhammett

Okay, so it looks like Apache is ignoring the DocumentRoot directive for the site. No idea why.

Tue, 08/22/2017 - 20:25 (Reply to #2)
Joe

You've probably got a default site that's overriding all of your VirtualHosts. There's a FAQ about that called The Wrong Site Shows Up.

--

Check out the forum guidelines!

Sun, 08/20/2017 - 15:17
mhammett

Any ideas?

Tue, 08/22/2017 - 20:23
Joe

1) I've been told that Virtualmin is very particular of the packages one has installed on the system and the way to install certbot involves adding a bunch of packages from a backport distro. Seems like there's opportunity for problems there.

You've been told wrong. Let's Encrypt support is currently provided by a slightly modified version of Acme Tiny, which is a very small Python program (about 200 lines) with no extra dependencies.

We used the original official LE client in the beginning of LE support in Virtualmin, but that path was quickly abandoned due to the ridiculous dependencies. We've been shipping the Acme Tiny client for a long time now. We never used Certbot when it was called Certbot (it was just called Let's Encrypt client, I think).

3) I had to create a virtualhost with the FQDN of the webmin install. Why can't the script just append port 10000 when testing? Why duplicate things into a virtualhost running on the production side of the house?

Webmin has a sort of weird web server meant just for Webmin. It isn't very comfortable serving unauthenticated files (it has a hack to allow it to do so, but I'm not sure how easy it'd be to make it work for LE). It probably could, but Jamie added DNS support a while back to address cases where there is no web server, or the domain we need to authenticate for doesn't have a Virtualmin domain associated with it.

The domain does need to be under control of Webmin, though. I'm not super familiar with how that works, so I can't provide much guidance on making it happen. As I understand it, it's supposed to fall back to it automatically in cases where web can't work.

4) The meat of why I'm here. The certificate request process creates files owned by root:root that the virtualmin process apparently can't read because they're being flagged as 404s when I see those files when I do an ls -al.

I haven't seen that. I'm not sure how that'd happen. LE actions should happen at the domain owner. Are you sure you're running the latest versions of everything? (Virtualmin 6.00 and Webmin 1.851 at the moment.)


Tue, 08/22/2017 - 20:45
mhammett

I am trying to get LE to work on webmin itself as opposed to a hosted domain.

Sat, 08/26/2017 - 01:06 (Reply to #6)
Joe

You need a domain hosted with Virtualmin (or a DNS zone managed by Webmin, which also happens for Virtualmin-managed domains) to issue the certificate for. There has to be a domain name for LE to validate against.

So, create a domain in Virtualmin, get a certificate from LE, and then click the button to copy it to Webmin.


Wed, 09/13/2017 - 03:43
Jfro

Don't know if this is the right way to go?

Managed to get an LE cert on Webmin for the subdomain vps.domain.tld this way.

So I created a Virtualmin server for the main domain first: domain.tld. Then I created a Virtualmin server for the hostname/server itself: vps.domain.tld. As far as I remember, I then created an LE cert in the main domain, DOMAIN.TLD, where I manually added VPS.DOMAIN.TLD.

Then the steps I don't remember the order of, or which I did first after this: copy cert to Webmin; tried to get an SSL LE cert on VPS.DOMAIN.tld itself.

Checked Webmin, and the LE cert on Webmin ports 20000 and 10000 worked. Then I deleted the Virtualmin server VPS.DOMAIN.TLD, while the LE cert for Webmin itself is created with the main domain (DOMAIN.TLD) with the subdomain for the hostname server VPS.DOMAIN.tld added to it, and this "main domain" is also the domain served as default. This works out for me so far. (Oh yeah, remember you of course have to have a resolving DNS record somewhere for that subdomain; we have this at a third-party DNS service.)

I didn't want a Virtualmin server for the host (hostname > vps.domain.tld) itself, if possible. The result here is that the LE cert on the main domain is used for the hostname server.maindomain.tld, with the subdomain also manually added to the main domain's Let's Encrypt cert. So it's not complaining anymore about "domain name is not..."; the domain is served as default, of course.

Yes, mail problems with the installer as mentioned in the other topic, as well as the SASL problems, and the PHP-FPM package (if not in a base PHP directory location) and so on, but the LE cert seems to work.

With the LE cert for a new domain / new Virtualmin server there was also the problem with mail.newdomain.tld: I had to create a sub-server for mail.newdomain.tld first before I managed to get mail.newdomain.tld into the same LE cert, even though mail.newdomain.tld had already existed for a while and was resolving in the external third-party DNS. You need to do this too (create a sub-server in Virtualmin for mail...) to get working DKIM for mail.newdomain.tld!

No DNS is used here on the Virtualmin server, only third-party DNS! (IPv4 and IPv6, CSF firewall)

Joe, you asked to post experiences with the new version, so this is one. ;) (What matters here is a resolving DNS record for that Virtualmin/Webmin hostname domain.tld; third-party external DNS should work too.)

Installed 25-08-2017; tried more newer test installations after that date (31-08 and so on) but they failed at different points. So I used the snapshot function to get the one successful installation back working. (You can find more of these kinds of problems in the forum here, e.g. https://www.virtualmin.com/node/53531 and )

(CentOS 7.3 with patches, codeitguru http2 Apache repo, Remi PHP repo, MariaDB direct repo, repel repo, and then the Virtualmin installer script repo, with the http and PHP things manually excluded from the Virtualmin repo)

Thu, 10/05/2017 - 09:25 (Reply to #8)
Joe

"( centos 7.3 with patches, codeitguru http2 apache repo, remi php repo, mariadb direct repo, repel repo and then virtualmin installer script repo exluded manual the http and php things in virtualmin repo)"

You can't possibly expect us to support that many different things! They'll mostly work, but you're going to have to spend some time configuring Virtualmin to deal with them.

But, those aren't installer bugs; that's making the decision to not use the default stack. If that's the system you want, that's fine, but you're going to have to configure it manually. It is not expected to Just Work, and there's no way we can ever make it all Just Work for an arbitrary (and infinite) variety of third-party repositories and packages.


Thu, 10/05/2017 - 09:54 (Reply to #9)
Jfro

So far I had the (though at that time INSTALLER BUGS) problems with: Postfix and SASL (after that the procmail ;) ), ProFTPD and some other things, but I read others also had these same problems in that period with the VM6 installer.

I don't expect you to support all of these, and yes, I spend extra time; I'm only posting my experience and, in short, the way I did this. The question is: is this one way also OK to get an LE cert on Virtualmin/Webmin itself?

So far it seems OK, but of course I don't know about automatic renewal for now.

Thu, 10/05/2017 - 20:59 (Reply to #10)
Joe

I'm not entirely sure I understand the process you're describing, but it sounds like you're wanting to create a domain, and then delete it after creating the certificate? That won't work because you have to renew the certificate every 90 days.

Webmin does support issuing a certificate for itself (Webmin->Webmin->Webmin Configuration->SSL Encryption->Let's Encrypt), though I've never used that feature. In that case, you'd just need to make sure the hostname of your Webmin server resolves, and that Webmin either has control of the Apache configuration for the server and there's an Apache VirtualHost for the name, or it manages the DNS for the zone in question (Webmin can use DNS records to validate domain ownership).

From my perspective, since you either have to have a DNS zone or a website setup on the server for the hostname you're using for the certificate and Virtualmin can automatically setup both for you, I can't think of many good reasons not to let Virtualmin manage that domain. It can even be an alias for an existing domain and share a certificate with one of your other domains if you were concerned about domain consumption in Virtualmin Pro (aliases do not consume domains).

To be clear: The easy way is to use Virtualmin to create and manage the domain, and share the certificate with Webmin. The hard way is anything else.

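An added pre-flight check (example code, not Webmin's or Virtualmin's) for the HTTP-01 requirement Joe describes above and the symptoms earlier in the thread: it drops a throw-away token into the DocumentRoot's .well-known/acme-challenge directory, verifies that a non-root web server can read it, and fetches it the way the CA would, so a root-owned file nobody else can read (the 404s) or the default VirtualHost answering instead of the intended one (the "wrong site shows up" case) is caught before an issuance is attempted. The host name vps.example.test, the offline fetchers and the temporary DocumentRoot are constructed for the demo; in real use pass a function that performs an HTTP GET and returns (status, body).

```python
import os, secrets, stat, tempfile

CHALLENGE_DIR = ".well-known/acme-challenge"

def write_challenge(docroot, token, body):
    """Drop the token file where HTTP-01 expects it and chmod it so a root:root
    file is still readable by the unprivileged Apache worker (else: 404)."""
    path = os.path.join(docroot, CHALLENGE_DIR, token)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    for d in (os.path.dirname(path), os.path.join(docroot, ".well-known")):
        os.chmod(d, 0o755)
    with open(path, "w") as fh:
        fh.write(body)
    os.chmod(path, 0o644)
    return path

def readable_by_others(path):
    """True if 'other' can read the file and search its directory (what a non-root web server needs)."""
    f, d = os.stat(path).st_mode, os.stat(os.path.dirname(path)).st_mode
    return bool(f & stat.S_IROTH and d & stat.S_IXOTH)

def preflight(host, docroot, fetch):
    """Write a throw-away token, GET it as the CA would (fetch -> (status, body))
    and report whether the intended VirtualHost, not the default site, answered."""
    token = secrets.token_urlsafe(16)
    body = token + ".constructed-thumbprint"  # real value: token.<JWK thumbprint>
    path = write_challenge(docroot, token, body)
    try:
        status, got = fetch(f"http://{host}/{CHALLENGE_DIR}/{token}")
        return {"readable": readable_by_others(path), "status": status,
                "right_vhost": status == 200 and got == body}
    finally:
        os.remove(path)

def docroot_fetcher(docroot):  # offline stand-in for the intended VirtualHost
    def fetch(url):
        p = os.path.join(docroot, url.split("/", 3)[3])
        return (200, open(p).read()) if os.path.exists(p) else (404, "")
    return fetch

def run_demo():  # constructed scenario: good vhost, default site, root-only file
    with tempfile.TemporaryDirectory() as docroot:
        os.chmod(docroot, 0o755)  # TemporaryDirectory creates it mode 0700
        good = preflight("vps.example.test", docroot, docroot_fetcher(docroot))
        # "wrong site shows up": the default VirtualHost answers, token unknown
        wrong = preflight("vps.example.test", docroot, lambda url: (404, "default site"))
        p = write_challenge(docroot, "tok", "x")
        os.chmod(p, 0o600)  # the thread's symptom: file exists but only root can read
        root_only = readable_by_others(p)
    return {"good": good, "wrong_site": wrong, "root_only_readable": root_only}
```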

Mon, 10/09/2017 - 03:02
Jfro

I have an alias now for vps.server.tld, after Andy or you pointed out to me that this is OK and so on.

DNS is third-party and resolving, as the hostname is.

At first (not a virtual server and also not an alias) for vps.server.tld itself, only the main domain.tld was a virtual server. Then, to get an LE cert for the subdomain (hostname) handled with Virtualmin, it didn't work to put the subdomain in the LE cert list with the main domain; one or more other people also had this kind of problem here in the forum. After making a virtual server for the hostname and LE, then putting/adding the subdomain (VPS) in the main domain LE cert and running a renew of the LE cert for the main domain (server) with the subdomain (hostname) in the list, it worked. Also after deleting the Virtualmin (hostname) virtual server, renewing manually keeps working (new date for the vps.domain.tld LE cert). (Maybe together with the resolving and working hostname and third-party DNS this is working that way; I also don't know for sure if it is working for everyone and stays/keeps working in future...) (Hmm, I don't remember now whether I made a directory in the main domain docroot html for the subdomain together with this step or separately, while that could be the reason, together with the resolving hostname and third-party DNS, that the path for subdomain vps is then reachable from outside for the LE check.)

But after Andy pointed out that other problems could occur, I added an alias for the hostname some time later, and tested the manual renew again.

Yep, that's the problem starting as a newbie and finding too much info, not knowing where to look for the right solution, but with some/little experience with other panels and also manual LE certs at the beginning of LE.

I'm going on testing the Virtualmin/Webmin panel, running it for a short while longer testing reboots and several updates from the panel to be more sure it didn't break, then going live, but also booking an extra VPS for testing updates and other settings for Virtualmin before I do them on the live box, and of course for playing around to get more experience (don't like to do this locally only).

Mon, 10/09/2017 - 03:15
Jfro

Also, I don't know whether and how the topic starter has solved his problem with the LE cert for Webmin. mhammett??
