This new Let's Encrypt feature rocks (for Webmin admin and virtual servers). My server is Debian Wheezy + latest Virtualmin.
Virtualmin virtual server
Enable SSL for the domain (Administration Options > Enabled features).
Forward port 443 to your server.
Install a Let's Encrypt certificate for the domain (Server Configuration > Manage SSL Certificate > Let's Encrypt). In the "Months between automatic renewal" field enter "2" and hit Request Certificate. Now you have your free certificate installed.
Redirect HTTP to HTTPS (optional): add something like this to your .htaccess:
RewriteEngine On
# Match requests that arrived on the plain-HTTP port
RewriteCond %{SERVER_PORT} 80
# Send them to the same path on the HTTPS site (R = redirect, L = last rule)
RewriteRule ^(.*)$ https://www.yourdomain.com/$1 [R,L]
Test your settings here: https://www.ssllabs.com/ssltest/ You will probably get a B or B- score. If you want an A score, follow these additional steps:
Your site will probably work OK in Chrome but not in Firefox, because you must add the correct certificate chain. You can generate it here: https://whatsmychaincert.com/ Enter your domain and hit "Test". Download the generated .crt file and upload it to your domain's root.
Go to /etc/apache2/sites-enabled/, open your domain's .conf file and find these lines (at the end):
SSLEngine on
SSLCertificateFile /home/username/domains/yourdomain.com/ssl.cert
SSLCertificateKeyFile /home/username/domains/yourdomain.com/ssl.key
SSLCACertificateFile /home/username/domains/yourdomain.com/ssl.ca
Add this line:
SSLCertificateChainFile /home/username/domains/yourdomain.com/yourdomain.com.chain.crt
Now you need to enable forward secrecy and block RC4 (for best security). You can edit the SSLCipherSuite line to suit your needs.
Add these 3 lines:
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA$
So your SSL configuration looks like this:
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA$
SSLCertificateFile /home/username/domains/yourdomain.com/ssl.cert
SSLCertificateKeyFile /home/username/domains/yourdomain.com/ssl.key
SSLCACertificateFile /home/username/domains/yourdomain.com/ssl.ca
SSLCertificateChainFile /home/username/domains/yourdomain.com/yourdomain.com.chain.crt
Restart Apache and run the test again: https://www.ssllabs.com/ssltest/
If everything is OK, you should get an A score.
Feature request: Virtualmin could automatically generate the proper chain so you wouldn't need to generate it manually and add this line:
SSLCertificateChainFile /home/username/domains/yourdomain.com/yourdomain.com.chain.crt
I don't know yet what will happen on renewal.
Maybe I missed something. Thank you!
Sources: https://www.digicert.com/ssl-support/ssl-enabling-perfect-forward-secrec... https://www.virtualmin.com/node/38853
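As an added example (not code from the post above, and not the configuration Virtualmin itself generates), here is what the complete SSL vhost looks like with the post's weak lines shown commented out next to corrected ones. The certificate paths are the post's placeholders; the :80 redirect vhost, the DocumentRoot, the cipher string and the HSTS header are assumptions of this example. One thing the post's config leaves implicit: SSLCACertificateFile only tells Apache which CAs to trust for client certificates; it never sends intermediates to browsers. Sending the intermediate is what SSLCertificateChainFile does on Apache 2.2 (Wheezy), and it is why Firefox, which does not follow AIA URLs to fetch a missing intermediate the way Chrome does, fails without it.

```apache
# Added example: a complete Apache 2.2 (Debian Wheezy) SSL vhost for the setup in the post.
# Certificate paths are the post's placeholders; the :80 redirect block, DocumentRoot,
# cipher string and HSTS header are assumptions of this example, not Virtualmin's config.

<VirtualHost *:80>
    ServerName www.yourdomain.com
    ServerAlias yourdomain.com
    DocumentRoot /home/username/public_html
    # Permanent redirect of every plain-HTTP request to the same host and path over HTTPS.
    # mod_rewrite sets %{HTTPS} to "on" only for SSL connections, so the rule does not
    # depend on which port the listener happens to use.
    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</VirtualHost>

<VirtualHost *:443>
    ServerName www.yourdomain.com
    ServerAlias yourdomain.com
    DocumentRoot /home/username/public_html

    SSLEngine on

    # Protocols: disabling SSLv2/SSLv3, as the post does, is the right floor for
    # Wheezy's Apache 2.2.22. On Apache 2.4 also drop TLS 1.0/1.1:
    #   SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
    SSLProtocol all -SSLv2 -SSLv3

    # Let the server choose, so the ECDHE/DHE suites listed first are actually used.
    SSLHonorCipherOrder on

    # Weak (from the post): the string contains "EECDH+aRSA+RC4", so RC4 is still offered
    # even though the goal was to block it.
    # Corrected: only ECDHE/DHE suites (forward secrecy), AES-GCM first, and RC4 plus the
    # other legacy ciphers explicitly excluded.
    SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH EDH+aRSA !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"

    # Leaf certificate and private key written by Virtualmin.
    SSLCertificateFile    /home/username/domains/yourdomain.com/ssl.cert
    SSLCertificateKeyFile /home/username/domains/yourdomain.com/ssl.key

    # Intermediate certificate(s) sent to the browser together with the leaf.
    # Without this line Chrome still works (it fetches the missing intermediate via
    # the certificate's AIA URL) but Firefox shows an untrusted-issuer error.
    # On Apache >= 2.4.8 this directive is deprecated: append the intermediates to
    # the file named in SSLCertificateFile instead.
    SSLCertificateChainFile /home/username/domains/yourdomain.com/yourdomain.com.chain.crt

    # NOT a substitute for the chain file: this only defines which CAs are trusted
    # when verifying client certificates (SSLVerifyClient), which is off here.
    SSLCACertificateFile /home/username/domains/yourdomain.com/ssl.ca

    # Optional, needs mod_headers (a2enmod headers): tell browsers to use HTTPS only.
    # Keep max-age short until the redirect and the chain are confirmed working,
    # because a wrong HSTS header locks visitors out for its whole lifetime.
    Header always set Strict-Transport-Security "max-age=300"
</VirtualHost>
```

Run `apache2ctl configtest` before restarting. To confirm the intermediate is actually served, run `openssl s_client -connect www.yourdomain.com:443 -servername www.yourdomain.com -showcerts` and check that the certificate list contains the leaf followed by the intermediate; with the system CA bundle available the output ends with `Verify return code: 0 (ok)`. If only one certificate is shown, the chain file is not being loaded.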
Awesome write-up! I really hope they add Let's Encrypt for Nginx SSL websites as well.
Is this still valid as of Webmin 1.881? If you go to Webmin > Webmin Configuration > SSL Encryption there is an option to select "Only strong ciphers with perfect forward secrecy". In addition, the test at https://whatsmychaincert.com/ returns a valid certificate with FF.
That said, it appears Webmin 1.881 has some problem with PFS. The version of Net::SSLeay (1.55) installed by default doesn't support PFS, and updating the module is not a straightforward process.