Copy SSL Certificate to Dovecot, Postfix and Webmin

Dear Virtualmin Team,

I would like to report two issues:

1) Via [ Webmin -> Webmin Configuration -> SSL Encryption ] it is possible to request new SSL certificates from Let's Encrypt.

Added several domains to Hostnames for certificate in the Let's Encrypt tab. Clicked Request Certificate and the certificates are created successfully, but the domains entered in the 'Hostnames for certificate' field are not saved. Only the first domain is saved.

This is problematic since the auto-renewal in 2 months will not re-create the certificate with the necessary domain names.

2)

With Virtualmin it is possible to copy the SSL certificate to Dovecot, Postfix, Usermin and Webmin. However, if one creates a certificate via [Webmin -> Webmin Configuration -> SSL Encryption ] there are no buttons to copy certificates to Dovecot, Postfix, Usermin and Webmin. The only method I found was to copy the certificates manually.

This is problematic since the auto-renewal within 2 months will require the manual copying of the certificates and the manual restarting of services for the changes to take effect.

Status: 
Closed (fixed)

Comments

Howdy -- thanks for your report, Jamie will be able to comment on that. But doing things to automate the Let's Encrypt certs would definitely be helpful!

1) That's odd, in my tests the custom domain name does get saved and shows up on that form.

2) It sounds like the real issue here is that the automatically renewed Let's Encrypt cert doesn't get copied to Webmin, Postfix, etc. We will look into fixing that.

Thanks.

1) It is true that it does save the custom domain name but it does not save multiple domain names.

I am using multiple custom domain names. I have added mail.domain.com for several of my domains so that dovecot and postfix SSL matches the domain name to prevent any warning in the mail client about SSL certificate not matching the domain.

There are only two buttons there: [Request Certificate] [Just Update Renewal]. I think there should be a 3rd button to simply save the settings of the form. This is for cases where you want to update the domains without requesting a certificate or changing the renewal interval.

2) Great. That would be a great fix. Looking forward to it.

Ok, this should be fixed in the next release.

The "Just Update Renewal" button is the one that just saves the form settings without requesting a new cert.

Ok, this is great. I will try the 'Just Update Renewal' this week as I have two new domains to add to the SSL cert chain.

Appreciate the support. As always, all the best!

Will this be available in the just-released 1.820 or the next version?

No, this will be in the 5.05 Virtualmin release.

For those that want to copy the certificates (Debian) manually you can follow these steps.

To manually copy your certificates to dovecot and postfix so that your mail clients do not display a warning about bad certificates follow these steps.

You will want to copy the latest certificate, which will be located in the folder whose name starts with your primary domain followed by the largest iteration number.

copy your private keys

cp /etc/letsencrypt/archive/server1.domain.ca-0005/privkey1.pem /etc/dovecot/private/dovecot.pem

cp /etc/letsencrypt/archive/server1.domain.ca-0005/privkey1.pem /etc/postfix/postfix.key.pem

copy your certificates

cp /etc/letsencrypt/archive/server1.domain.ca-0005/cert1.pem /etc/dovecot/dovecot.pem

cp /etc/letsencrypt/archive/server1.domain.ca-0005/cert1.pem /etc/postfix/postfix.cert.pem

copy your fullchain

cp /etc/letsencrypt/archive/server1.domain.ca-0005/fullchain1.pem /etc/dovecot/dovecot.ca.pem

cp /etc/letsencrypt/archive/server1.domain.ca-0005/fullchain1.pem /etc/postfix/postfix.ca.pem

Restart the Services

service dovecot restart

service postfix restart
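The manual steps in the post above, gathered into one script as an added example (not the poster's commands and not Virtualmin's code): it picks the archive directory with the highest iteration suffix and the highest-numbered privkey/cert/fullchain inside it instead of hard-coding `-0005` and `1`, refuses to deploy a private key whose public key does not match the certificate, writes the copied keys root-only, and offers a check that a certificate lists a given mail hostname in its subjectAltName (the "certificate not matching the domain" warning discussed earlier in the thread). The destination file names and the two `service ... restart` commands are the post's; the function names, the `latest_numbered` helper and the use of `openssl` for the checks are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from Virtualmin: automates the
# manual copy steps (newest archive iteration -> Dovecot/Postfix files, then a
# service restart). Destination paths are the ones the post uses; the helper
# names and the openssl-based checks are this script's own.
set -eu

# latest_numbered PREFIX SUFFIX: print the path PREFIX<digits>SUFFIX with the
# largest number (leading zeros ignored), e.g. ".../privkey" ".pem" -> privkey7.pem.
# Fails when nothing matches, so a caller under set -e stops instead of copying nothing.
latest_numbered() {
    prefix="$1"; suffix="$2"; best=""; best_n=-1
    for p in "$prefix"*"$suffix"; do
        [ -e "$p" ] || continue
        n="${p#"$prefix"}"; n="${n%"$suffix"}"
        case "$n" in ''|*[!0-9]*) continue ;; esac   # skip non-numeric matches
        n="${n#"${n%%[!0]*}"}"; [ -n "$n" ] || n=0     # strip leading zeros
        if [ "$n" -gt "$best_n" ]; then best_n=$n; best="$p"; fi
    done
    [ -n "$best" ] && printf '%s\n' "$best"
}

# latest_archive_dir BASE DOMAIN: newest archive directory for DOMAIN, e.g.
# BASE/server1.domain.ca-0005; falls back to the unsuffixed BASE/server1.domain.ca
# that the very first request creates.
latest_archive_dir() {
    d=$(latest_numbered "$1/$2-" "") || d="$1/$2"
    [ -d "$d" ] && printf '%s\n' "$d"
}

# verify_key_matches KEY CERT: 0 when the key's public key equals the one in the
# certificate (a stale privkeyN.pem next to a newer certN.pem is the classic
# mistake). Only warns when openssl is not installed.
verify_key_matches() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found, skipping key check" >&2; return 0; }
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
    [ "$k" = "$c" ]
}

# cert_covers_host CERT HOST: 0 when HOST is listed in the certificate's
# subjectAltName, which is what a mail client compares against the server name.
cert_covers_host() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | tr ',' '\n' | sed 's/^[[:space:]]*//' | grep -Fqx "DNS:$2"
}

# deploy_mail_certs BASE DOMAIN DOVECOT_DIR POSTFIX_DIR: copy the newest key,
# cert and fullchain to the file names used in the post; keys readable by root only.
# Prints the archive directory that was deployed.
deploy_mail_certs() {
    base="$1"; domain="$2"; dovecot="$3"; postfix="$4"
    dir=$(latest_archive_dir "$base" "$domain")
    key=$(latest_numbered "$dir/privkey" .pem)
    cert=$(latest_numbered "$dir/cert" .pem)
    chain=$(latest_numbered "$dir/fullchain" .pem)
    verify_key_matches "$key" "$cert" || { echo "$key does not match $cert, not deploying" >&2; return 1; }
    mkdir -p "$dovecot/private" "$postfix"
    cp "$key"   "$dovecot/private/dovecot.pem"; cp "$key"   "$postfix/postfix.key.pem"
    chmod 600 "$dovecot/private/dovecot.pem" "$postfix/postfix.key.pem"
    cp "$cert"  "$dovecot/dovecot.pem";        cp "$cert"  "$postfix/postfix.cert.pem"
    cp "$chain" "$dovecot/dovecot.ca.pem";     cp "$chain" "$postfix/postfix.ca.pem"
    printf '%s\n' "$dir"
}

# restart_mail_services: the same two restarts as the post; run after deploy_mail_certs.
restart_mail_services() {
    service dovecot restart && service postfix restart
}
```

Run as root, for the paths in the post: `deploy_mail_certs /etc/letsencrypt/archive server1.domain.ca /etc/dovecot /etc/postfix && restart_mail_services`, and afterwards `cert_covers_host /etc/dovecot/dovecot.pem mail.domain.com` for each hostname the mail clients connect to. Where certbot itself manages the renewal, `/etc/letsencrypt/live/<name>/` already holds symlinks to the newest archive files, so the iteration hunt is only needed for the archive layout the post works from.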

This feature has been implemented, and will be included in the 5.05 release.

Status: Active » Fixed

singhdd, I'm sorry to hear this. Can you describe your issue in more detail? Did you renew a cert just yesterday? Can you share the SSL configuration that Dovecot, Postfix, Webmin are using with us? Thanks.

The problem is if I add multiple hostnames for the Let's Encrypt request. It doesn't save them. The certificate is requested for all the hostnames entered. See the images attached.

Pic 0

Pic 1

Pic 2

I opened the Let's Encrypt tab, it was like Pic 0. I added the hostnames as in Pic 1 and then requested the certificate. I checked the current certificate details after the completion of the above step. Check Pic 2. Now again I go to the Let's Encrypt tab and it's again like Pic 0. It should have saved all the hostnames I entered.

I don't copy certs to Postfix, Dovecot etc. I gave them the path to Webmin's certificate location.

Oh, I see the bug here. This will be fixed in the next Webmin release.

Thanks for reporting singhdd. Thanks for confirming a fix Jamie.

Did this implement 'Copy to' buttons for Postfix and Dovecot in the Webmin SSL Encryption page because I can't see it?

I just changed Postfix and Dovecot to use the Webmin cert files.

Those copy buttons don't appear if the cert has already been copied to Postfix or Dovecot.

Thanks for info. I was sure Postfix and Dovecot were still using the self signed cert until I pointed them to the Webmin cert.

Nice solution to point Postfix and Dovecot directly to the Webmin cert files. Can you confirm, that both services do not need a restart after a cert gets changed?

You will need to restart Dovecot and Postfix after updating the cert files.

Morning!

It appears the certificates still require manual copy. I'm writing here today as the Let's Encrypt certificates expired today. I renewed them manually but cannot copy them to Postfix or Dovecot from Webmin SSL page.

The buttons to copy to Postfix and Dovecot should never be hidden, since if a new domain is added to the chain then the new certificate needs to be copied immediately.

Or as in my case, I renewed the certs and now I can't use the Copy buttons and have to copy them manually.

Are you sure it wasn't copied already? The latest version of Virtualmin does this automatically where appropriate for Let's Encrypt certificates.

Yes I'm certain.

At first I restarted both Postfix and Dovecot and would still get the cert warnings.

Then I regenerated the SSL cert manually and still got the warnings.

Then I looked everywhere for the new Copy to Dovecot and Copy to Postfix buttons but could not find them.

I then opened a terminal session and issued 4 cp commands to manually copy the certs. Then I went back to Virtualmin and restarted the services. Then I tested with a mail client and the warnings went away.

Questions: After a new cert is created, is it supposed to be copied automatically and Postfix and Dovecot restarted?

Would there be a log file somewhere to record this operation so that it can be monitored?

Since this is a fairly critical part of the system, would it be possible to receive a notification by email, similar to after backups are performed or failed? Typically this would be 60 days after certificate creation, so there would be sufficient time to intervene before stuff starts breaking and the users start freaking out.

For a Let's Encrypt cert, if you have already copied it to Dovecot or Postfix it should get re-copied at renewal time.

When you go to the Manage SSL Certificate page, do you see the buttons? Or do you see a message saying that the cert has already been copied?

I don't see any buttons to copy certs. Am I looking at the right page?

Webmin->Webmin Configuration->SSL Encryption.

Oh, that's the wrong place. You need to select your Virtualmin domain from the left menu, and go to Server Configuration -> Manage SSL Certificate.

Okay... I think we're talking about two separate things.

The certificate I'm referring to with this issue is the Webmin cert generated at this page Webmin->Webmin Configuration->SSL Encryption.

It has multiple values in the 'Hostnames for certificate' field.

This one is copied to Dovecot and Postfix so that the specified Hostnames i.e. mail.domain.com can connect with valid SSL.

Using the Copy to Dovecot at a domain level means that other hosts will get SSL warnings.

Hi Jamie,

If you want to have valid SMTP, IMAP and POP SSL connections, the mail servers' certificates must include the domain names.

Using a Virtualmin-level certificate, the mail servers, Webmin and Usermin servers are sharing a certificate with a Virtualmin host.

This is why the certificate created at the Webmin level is the best certificate to be copied to Dovecot and Postfix. It is an independent certificate which would still survive if the Virtualmin host is deleted, or even in the case where no Virtualmin host is created with the server's domain name.

Finally, it is an undesirable security practice to allow 3rd party domains to be included in a website's SSL certificate. This can create new attack vectors that are difficult to protect against. For a site to be PCI compliant the SSL should be locked down to only domain names that the site operator controls.

For these reasons there should be copy to Dovecot and Postfix buttons at the Webmin level.

Submitted by philmck on Wed, 02/08/2017 - 12:09

I think I've found a better solution

You can use the new webmin Letsencrypt feature to generate an automatically-renewing certificate, then just copy the three webmin certificate locations from Webmin > Webmin Configuration > SSL Encryption > SSL settings to the corresponding settings in postfix, dovecot and usermin. For example, Webmin > Servers > Postfix Mail Server > SSL Authentication and Encryption > TLS certificate file becomes /etc/webmin/letsencrypt-cert.pem.

Generating the webmin certificate is a little tricky, because it must include the hostname of the server and the domain part must resolve to a virtualmin website but the full hostname must not. So if your server is called hostname.mydomain.com you need to set up a website that is effectively *.mydomain.com (Virtualmin > Server Configuration > Website Options > Website matches all subdomains) then generate a certificate for both the webmin domain (mydomain.com) and the server name that will be used by postfix etc. (hostname.mydomain.com).

Oh, I see what you mean. There is no functionality currently to copy the cert from Webmin to Postfix / Dovecot directly, however you could copy it to a Virtualmin domain (on the Manage SSL Certificate page, under "Update Certificate and Key") and then to Dovecot. Or just use that page to request the cert in the first place, and copy to Webmin/Dovecot/etc.

  1. Should the script that generates the new LetsEncrypt cert also restart the services where the cert is used? I could see some of these not being restarted for 3 months.

Edit: this could actually be only 1 month with no restart.

  2. On CentOS 7, while under Virtualmin, if I use the 'Copy to {some server}' button, does this replace the existing cert or does it actually store individual certs on a per domain name basis?

Edit: Sorry, after I posted I see this thread was closed.

  1. Yes, it should - or at least, it should send a signal to reload the configuration. For servers like Apache this doesn't actually require a full restart.

  2. The "Copy to X" buttons copy the cert for use as the default by the server. This won't touch any per-IP cert.

Hi,

I found this issue about copying the cert to Dovecot, Postfix, Webmin etc. - this works great for me.

But what doesn't work is: when I've used one domain's cert to be copied to Dovecot, Postfix etc. and then I change the mail domain - and then use another domain's cert.

When the renewal of the former/older domain's cert takes place, it is copied over the newer one from the now wanted domain ...

So IMHO the setting of the "old copy to ... domain" should be reset when the copy to ... button is used on a new domain?

You can see that e.g. when the "copy to Webmin" button is missing on two domains ..

Thanx in advance and best regards Falko