After all is said and done, this support request boiled down to a feature request:
certbot-dns-linode within Virtualmin's LetsEncrypt implementation.
Also, since some of us are forced to use
certbot directly from time to time, provide a graceful way to integrate the files generated under
/etc/letsencrypt/ into Virtualmin via the GUI, as per this comment made to a prior request for support:
Typically, even when you install your own SSL certificate, you should be doing it through the GUI to ensure all the appropriate settings and such are changed correctly.
Former Subject Line: "Wildcard LetsEncrypt Certificate Fails with ERR_SSL_PROTOCOL_ERROR Possibly Due To [ssl:warn] [pid 29244] AH01909: mydomain.com:443:0 server certificate does NOT include an ID which matches the server name"
I successfully requested a LetsEncrypt wildcard certificate for all my domains. However, I can't access https://mydomain.com because the browser reports ERR_SSL_PROTOCOL_ERROR.
OK, the problem appears to be that Linode's DNS doesn't play nice with Virtualmin.
Once I hacked virtualmin into running again, hopefully without damaging my system -- the only way I could get a successful certificate was to invoke
certbot manually as per the Linode directions for certbot-dns-linode:
certbot certonly --dns-linode --dns-linode-credentials .linode_api/certbot -d *.mydomain1.com -d *.mydomain2.com ...etc... -d mydomain1.com -d mydomain2.com ...etc...
Of course, now I face the challenge of ensuring that this certificate -- and the associated files -- located in
/etc/letsencrypt/archive/somedomain.com/ is going to work with Virtualmin (be referenced properly in all the VirtualHost configurations, renew on schedule, etc.
I think I've narrowed down the problem to LetsEncrypt's failure to find TXT entries for the non-wildcard domains when attempting to do both wildcard and non-wildcard domains.
I'm getting a bunch of these errors:
- The following errors were reported by the server:
Detail: DNS problem: NXDOMAIN looking up TXT for
This may have to do with a weakness in the
certbot-dns-linode authenticator plugin.
Using the certificate that contained only wildcards (which LetsEncrypt successfully issues) I was able to get one domain's subdomains to match the wildcard, but only the one named in the
Certificate->Signature Algorithm:->Subject->commonName = *.somedomain.com field. None of the
X509v3 Subject Alternative Name->DNS:*.anyothername.com,... fields would match.
Unfortunately, I can no longer access even Virtualmin as it is returning the same ERR_SSL_PROTOCOL_ERROR. Setting
miniserv.conf and restarting doesn't help.
This happens on all my
I suspect that this is due to my explicit IP in the
VirtualHost directive in all my
However, changing it to
*:80) for one of my domains doesn't fix it for that domain.
Is this likely and if so, what is the best way of changing all of my domains to use the
Another possibility is that the only domains permitted are _sub_domains as listed in:
openssl x509 -noout -text -nameopt multiline -in ssl.cert
X509v3 Subject Alternative Name:
ie: they all begin with
*. and none of them are, say,
Could that be the problem? If so, I did try to request a LetsEncrypt certificate with both the
mydomain.com domains listed but I got an error on that LetsEncrypt request so I thought it must mean one can't mix them.
-rwxr-xr-x 1 mydomain mydomain 1647 Jan 25 16:40 ssl.ca
-rwx------ 1 mydomain mydomain 2134 Jan 25 16:40 ssl.cert
-rwx------ 1 mydomain mydomain 3783 Jan 25 16:40 ssl.combined
-rwx------ 1 mydomain mydomain 5488 Jan 25 16:40 ssl.everything
-rwx------ 1 mydomain mydomain 1704 Jan 25 16:40 ssl.key
systemctl reload apache2 I get the warning:
[ssl:warn] [pid 29244] AH01909: mydomain.com:443:0 server certificate does NOT include an ID which matches the server name
System hostname debian (127.0.1.1) Operating system Debian Linux 9
Webmin version 1.900 Usermin version 1.751
Virtualmin version 6.05 Pro Authentic theme version 19.23-beta3