Virtualmin doesn't use auto-updated Let's Encrypt certificates

#1 Tue, 03/20/2018 - 07:41
Safael

Hello,

I used Virtualmin v. 6.02 to generate a Let's Encrypt SSL certificate successfully:

Server Configuration - Manage SSL Certificate - Let's Encrypt - Request certificate (Months between automatic renewal: 2)

After 60 days, Certbot auto-updated the SSL certificates successfully. The new certificates are stored in:

/etc/letsencrypt/live/MYDOMAIN/cert.pem (symlink to /etc/letsencrypt/archive/MYDOMAIN/cert2.pem)
/etc/letsencrypt/live/MYDOMAIN/privkey.pem (symlink to /etc/letsencrypt/archive/MYDOMAIN/privkey2.pem)

But the updated certificates are not used by Apache or Virtualmin. Virtualmin created its own copies of the certificates in:

/home/MYDOMAIN/ssl.cert
/home/MYDOMAIN/ssl.key

which contain the old versions of the certificates.

Can I get Virtualmin to use automatically the current version of the certificate?

I saw some very complicated procedure below to enable Let's Encrypt certificates. But is there some easier method? Without need to create manually "extra long" crontab record for each secured domain separately? :)

Thank you very much for any help
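
A check for the mismatch described in this post, added here as an example and not part of the original thread: it compares each certificate under certbot's live directory with the copy in the domain's home directory and lists the domains whose copy differs. It assumes the directory name under /home matches the name under live/, as in the paths above; the function names are made up for this example.

```shell
#!/bin/sh
# Added example: report domains whose copied certificate (ssl.cert in the
# home directory) differs from the one certbot currently links under live/.

# cert_id FILE: SHA-256 fingerprint if openssl can parse FILE as a
# certificate, otherwise a checksum of the raw bytes (fallback for hosts
# without openssl or for files that are not valid PEM).
cert_id() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null || cksum < "$1"
}

# stale_copies LIVE_DIR HOME_BASE: print one domain per line where
# HOME_BASE/DOMAIN/ssl.cert is not the certificate in LIVE_DIR/DOMAIN/cert.pem.
# Assumption: the home directory is named like the directory under live/.
stale_copies() {
    live_dir=$1
    home_base=$2
    for dir in "$live_dir"/*/; do
        [ -d "$dir" ] || continue
        domain=$(basename "$dir")
        live="$dir/cert.pem"              # symlink into archive/, followed on read
        copy="$home_base/$domain/ssl.cert"
        # Nothing to compare if either side is missing or unreadable.
        if [ ! -r "$live" ] || [ ! -r "$copy" ]; then
            continue
        fi
        if [ "$(cert_id "$live")" != "$(cert_id "$copy")" ]; then
            printf '%s\n' "$domain"
        fi
    done
    return 0
}

# Run as: sh check-stale-certs.sh /etc/letsencrypt/live /home
if [ "$#" -eq 2 ]; then
    stale_copies "$1" "$2"
fi
```

An empty result means every copy that exists matches the live certificate; reading /etc/letsencrypt/live normally requires root.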

Tue, 03/20/2018 - 10:34
atleast
Great post. Can you kindly give steps you took to ensure that auto renewal works. In my case auto renewal is not working. What are the commands or steps you took to make it work? Kindly advise

Tue, 03/20/2018 - 10:54
Safael

Well, that was the easy part.

I installed certbot for my debian stretch. I simply followed official directions:

https://certbot.eff.org/#debianstretch-apache

steps:

1) add new source deb http://ftp.debian.org/debian stretch-backports main to your: /etc/apt/sources.list

2) then install certbot by SSH

sudo apt-get install python-certbot-apache -t stretch-backports
sudo certbot --apache

(I didn't activate SSL now for any domain).

3) Then I connected Certbot and Virtualmin: Webmin - Webmin configuration - cog icon - Full path to Let's Encrypt client command: /usr/bin/certbot (I needed first to find certbot location, it differs for each system).

4) Then I activated SSL for some domain through Virtualmin:

Virtualmin - Edit virtual server - Enabled features - Apache SSL website enabled: check. Save virtual server

Server Configuration - Manage SSL Certificates - Let's Encrypt - Request certificate

(Webmin - Servers - Apache webserver - Apply changes)

Everything worked fine until auto update. Then I found that Virtualmin uses its own copy of the generated certificate and doesn't update the copy after certbot auto-update.

Wed, 03/21/2018 - 13:19 (Reply to #3)
unborn

Hi guys, I'm on Debian here, from Jessie to 9 - and it all works, I did not even install the bot myself.

Configuring/troubleshooting Debian servers is always great fun

Wed, 03/21/2018 - 13:27 (Reply to #4)
Safael

Hello user unborn. Thank you for your reply. Can you please suggest a solution to the issue of why Virtualmin copies the certificate to a different location than /etc/letsencrypt/live/* and why it does not update the certificate after automatic update? I do not have an XMPP client installed now and I think it would be useful information for other forum readers as well. Thanks a lot!

Wed, 03/21/2018 - 13:37
unborn

Hi Safael, well first of all I repeat - I run Debian, which is not CentOS, and I have no clue if you are running CentOS or anything else. Regarding the issues, I would look at /var/logs and read the logs regarding your error, then I would go from there. Also note please that Virtualmin has a nice IRC live chat with capable folks there, no XMPP needed... just feel free to chat at any time at #virtualmin on freenode.net.

Configuring/troubleshooting Debian servers is always great fun

Thu, 03/22/2018 - 06:04 (Reply to #7)
Safael

Thank you for your help. OS is Debian 9 Stretch (mentioned above). I tried to reach you at freenode, but maybe we have different time zones (mine is CET, Prague). I'll try again later. Thanks

Topic locked