A newbie question regarding Letsencrypt (Solved)

#1 Wed, 10/10/2018 - 15:55
OliverF


Hello!

So far, I didn't bother myself with adding SSL to the websites I host (basically: "you want me to host you, cool, but don't bother me with SSL"), however the announcement that Chrome was going to block non-SSL websites worked as a good motivation, let us delicately say.

Could I just ask you for a confirmation, please, regarding the way to install it and have it run?

Basically, if I understood it right, today in 2018, we only have to

  • open a virtual host's page in Virtualmin
  • go to Server Configuration > Manage SSL certificate
  • open the "Let's Encrypt" tab
  • click the "Request certificate" button

And this is it? Are we done, are no further steps required at all, now whoever asks for the https version of the website of that virtual host, will have it work properly?

Sorry to ask, I have no sandbox on hand, and I wouldn't want to screw up any website :)

Thanks if you have the time to confirm (or disconfirm) it to me!

SECOND EDIT:

I'm sparing possible future readers the chore of enduring reading everything below: YES, IT WORKS LIKE THAT! Thank you Virtualmin! :D

However, if you are behind Cloudflare, it is possible that some subdomains created automatically by Virtualmin were not automatically added to the DNS records of Cloudflare (thus, won't be "served" to the rest of the internet), and in that case those subdomains will block the auto-configuration as Virtualmin tries to run it.

In that case, it would give this result:

requesting a certificate for domain-name-that-I-censor.tld, www.domain-name-that-I-censor.tld, autoconfig.domain-name-that-I-censor.tld, autodiscover.domain-name-that-I-censor.tld from Let's Encrypt ..
.. request failed : Web-based validation failed : Failed to request certificate :

autoconfig.domain-name-that-I-censor.tld challenge did not pass: DNS problem: NXDOMAIN looking up A for autoconfig.domain-name-that-I-censor.tld

In that case, simply, the solution is to go to Cloudflare, DNS records options, and manually add the subdomains that Virtualmin attempts to register, in the present case, autoconfig and autodiscover, as A with the same IP as the other entries. Once you've done that, Let's Encrypt will successfully work with Cloudflare.

THIRD EDIT:

Sorry for all those edits, but I'm the kind of guy who solves his problems with information found in support forums, I can't be the only one here, so allow me to gather all the info in the opening post, in case it helps future anons :)

If you're with Cloudflare, it may be worth mentioning.

Once you have installed the certificate in Virtualmin, if you are with Cloudflare, please do remember to go to your Cloudflare account, Crypto menu, and choose "SSL (strict)". Otherwise you'll have wasted time trying to figure out why your website reverts back to HTTP or is flagged with an invalid certification ;)

Wed, 10/10/2018 - 16:00
andreychek

Howdy,

If SSL isn't yet enabled, you'd first need to go into Edit Virtual Server -> Enabled Features, and there you can enable the SSL Website feature.

Once that's enabled, you can then go into the screen you mentioned to obtain a Let's Encrypt SSL certificate.

Once that's done, if you then request the HTTPS version of the site it should be properly secured with SSL. Some folks also like to set up some sort of redirect so that it always uses HTTPS, but that's optional.

-Eric

Wed, 10/10/2018 - 16:31 (Reply to #2)
OliverF

Hello Eric,

Thank you for the confirmation that it ought to work :)

However, when I tried with one website, it failed. Details follow...

Requesting a certificate for domain-name-that-I-censor.tld, www.domain-name-that-I-censor.tld, autoconfig.domain-name-that-I-censor.tld, autodiscover.domain-name-that-I-censor.tld from Let's Encrypt ..
.. request failed : Web-based validation failed : Failed to request certificate :

autoconfig.domain-name-that-I-censor.tld challenge did not pass: DNS problem: NXDOMAIN looking up A for autoconfig.domain-name-that-I-censor.tld

I did some googling after I read your confirmation that it should have worked out of the box, and it seems to be a Cloudflare related problem - yeah, that was a website behind them.

I read on as much as I could within the little time left for me today, and all I saw was that it was, actually, hopeless,

  • it meant I would have no choice but to install manually the letsencrypt client on the server,
  • and then proceed to manually setting it up by hand, by command line, virtual host by virtualhost.
  • Worse: apparently, once there is a /etc/letsencrypt/ directory, as it is created by the letsencrypt manual installer, Virtualmin doesn't want to automatically install letsencrypt anymore, for any domain, even the ones not behind cloudflare O_o

Would I have gotten it wrong, by any chance? (knocking on wood, all that ;) ) Thank you again!

Wed, 10/10/2018 - 16:45
andreychek

You may want to tweak the domain names it's requesting for the cert to be just domain.tld and www.domain.tld ... it sounds like one of the aliases it's attempting to use isn't resolving correctly.

-Eric

Thu, 10/11/2018 - 02:39 (Reply to #4)
OliverF

Ah, I think I understand why (I googled a bit, admittedly)

I asked the admin of the abandoned website, and he told me the records for autoconfig and autodiscover don't exist @ cloudflare. He copied them (A, same IP) as autodiscover and autoconfig, and then, when I ran the auto-setup tool for Let's Encrypt in Virtualmin, this time it worked!

It's a huge relief, phew.

I apologize for wasting your time Andrew, but, case closed, and thank you very much :)

*

A side note maybe, to help, a suggestion: that you add a mention of Let's Encrypt in the documentation.

This is naturally obvious for you, that Virtualmin has an autoconfig menu for Let's Encrypt, but place yourself in the newcomer's shoes, or in the shoes of an old user that last checked several years ago when only the manual commandline option existed, that would not be so obvious.

Maybe add it to https://www.virtualmin.com/documentation/ > DNS https://www.virtualmin.com/documentation/dns or https://www.virtualmin.com/documentation/ > Getting Started > Step By Step tutorials https://www.virtualmin.com/documentation/tutorial

It would take just two chapters. 1: go to Server Config, Manage SSL Certificates, Let's Encrypt tab, confirm, confirm again, done. 2: if you're behind cloudflare, make sure to manually add an A field for autoconfig and autodiscover fields with the same IP as the rest of the entries ;)
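Added example, not part of the original posts and not Virtualmin code: a pre-flight check for the failure discussed above, which lists the names Virtualmin put on the request (the domain plus www, autoconfig and autodiscover) and reports the ones that do not resolve, and also pulls the failing names out of a failed run's output. The function names, `example.test` and the `192.0.2.10` address are constructed for illustration.

```python
import re
import socket
import sys

# Prefixes of the names that appeared on the request in this thread.
PREFIXES = ("", "www.", "autoconfig.", "autodiscover.")

def candidate_names(domain):
    """Hostnames that would be placed on the certificate request."""
    return [prefix + domain for prefix in PREFIXES]

def system_resolver(name):
    """Return the addresses for name, or [] if the lookup fails."""
    try:
        infos = socket.getaddrinfo(name, 80, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})

def preflight(domain, resolve=system_resolver):
    """Split the request names into resolvable and unresolvable ones.

    Only resolution is checked: behind Cloudflare's proxy the returned
    addresses are Cloudflare's, not the origin server's.
    """
    ok, missing = {}, []
    for name in candidate_names(domain):
        addrs = resolve(name)
        if addrs:
            ok[name] = addrs
        else:
            missing.append(name)
    return ok, missing

def failed_names(output):
    """Hostnames named in NXDOMAIN 'challenge did not pass' lines."""
    pattern = r"^(\S+) challenge did not pass: DNS problem: NXDOMAIN"
    return re.findall(pattern, output, flags=re.MULTILINE)

# Constructed sample zone: only the apex and www have records.
SAMPLE_ZONE = {"example.test": ["192.0.2.10"],
               "www.example.test": ["192.0.2.10"]}

def sample_resolver(name):
    return SAMPLE_ZONE.get(name, [])

if __name__ == "__main__":
    if len(sys.argv) > 1:
        ok, missing = preflight(sys.argv[1])          # live DNS lookup
    else:
        ok, missing = preflight("example.test", sample_resolver)
    for name in missing:
        print("no DNS record; add one or drop the name from the request:", name)
```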

Thu, 10/11/2018 - 06:11
amityweb

I would just like to say if someone's attitude was "you want me to host you, cool, but don't bother me with SSL" then I would reply "you want my business, cool, well you ain't having it because that attitude sucks!".

With LetsEncrypt adding SSL is EASY. ALL your new sites should have it. I informed all my customers years ago they really should have it, and I charge a little bit to add it and configure for existing sites. New sites it's included by default.

So you really really need to have the attitude that SSL is a GOOD thing, and recommend it and push it!

:)

Thu, 10/11/2018 - 06:18 (Reply to #6)
OliverF

True. But I host family members and friends for free on my server that I use for other purposes, so it's another context. Clearly, not customers ;)

Fri, 10/12/2018 - 04:43
amityweb

When SSLs were a real pain to install and cost money, then yes I agree, I would not have done so for personal/hobby/family/favour (so free!) sites. But hopefully now you know how EASY it is to set up SSL using LetsEncrypt there is no excuse to add it even for these sites! :).

Fri, 10/12/2018 - 06:37 (Reply to #8)
OliverF

Yep. Let's Encrypt and its smooth integration within Virtualmin are a game changer, I wouldn't have had that attitude if I knew, hats off :)

Sun, 10/14/2018 - 18:34
OliverF

I briefly pop back inside this discussion, in case people read it in the future and are also with Virtualmin and Cloudflare and Let's Encrypt.

Once you have installed the certificate in Virtualmin, if you are with Cloudflare, please do remember to go to your Cloudflare account, Crypto menu, and choose "SSL (strict)". Otherwise you'll have wasted time trying to figure out why your website reverts back to HTTP or is flagged with an invalid certification ;)
