HowTo: Centralize your certificate needs (Debian/Ubuntu) with letsencrypt on a fresh Virtualmin install

#1 Thu, 11/10/2016 - 00:04
just_me


Well,

I spent quite some time figuring this out, and in the end I found a solution.

First of all: before you start tampering with your system, I would recommend reading this completely to make sure you have all the prerequisites beforehand.

  • If you want to use certs for the mail service, you should consider having a neutral domain.
  • I use this FQDN to set up Virtualmin, and it is the server name. I am using something like server01.example.com. Therefore I do not run into the problem of the email client nagging that the certificate does not match the virtual server's domain name.
  • I install all the scripts that are available to a client in the standard web root (/home/server01.example.com/public_html), so I only ever need to update ONE installation of webmail, phpMyAdmin, you name it, and I can make use of Virtualmin's script installers. Your clients can log in there even if they have different databases, users, etc. Way easy.
  • All clients on that server then use the mail server server01.example.com, making life easier :-)
  • You don't clutter your letsencrypt folder with subfolders for each domain and sub-subfolders for each renewal.

To get the centralized SSL cert on a fresh install of Virtualmin:

  • SSH to your machine and do the following:
apt-get install git
cd /opt
git clone https://github.com/certbot/certbot

This gets letsencrypt installed. You don't have to worry about updates, or about this not being a standard Debian/Ubuntu package, because letsencrypt (a.k.a. certbot) checks for updates itself when you run it.

To make things somewhat easier later on, you should consider creating a virtual host in Virtualmin for your server's hostname. Let's say your server's hostname is server01.example.com, which we will use from here on. Please keep in mind to change this example hostname to your own, and also change the corresponding folders.

  • Edit your apache.conf in /etc/apache2 and add the following code:
#letsencrypt change for one webroot dir
# Globally redirect ACME challenges to your server's host webroot
<If "%{HTTP_HOST} != 'server01.example.com'">
  # simpleHttp challenge by default uses HTTP
  Redirect /.well-known/acme-challenge/ http://server01.example.com/.well-known/acme-challenge/
  # If simpleHttp is used with TLS the above may not work.
  # In that case we have to do something like this:
  # (doesn't work for me right now; if someone gets this working please respond)
  #  <If "%{SERVER_PROTOCOL} != 'HTTPS'">
  #    Redirect /.well-known/acme-challenge/ http://%{SERVER_NAME}/.well-known/acme-challenge/
  #  </If>
  #  <Else>
  #    Redirect /.well-known/acme-challenge/ https://%{SERVER_NAME}/.well-known/acme-challenge/
  #  </Else>
</If>

This takes care of using just one webroot directory for validating your certificate request.

  • In Virtualmin go to System Settings -> Virtualmin Configuration
  • Scroll down until you find the SSL part of the config.

If you happen to have Apache 2.4.7 or older:

  • Set Template for private key path to: /etc/letsencrypt/live/server01.example.com/privkey.pem
  • Set Template for certificate path to: /etc/letsencrypt/live/server01.example.com/fullchain.pem
  • Set Template for CA certificate to: /etc/letsencrypt/live/server01.example.com/fullchain.pem
  • Set Redirect HTTP to HTTPS by default to yes

If you happen to have Apache 2.4.8 or higher:

  • Set Template for private key path to: /etc/letsencrypt/live/server01.example.com/privkey.pem
  • Set Template for certificate path to: /etc/letsencrypt/live/server01.example.com/fullchain.pem
  • Set Redirect HTTP to HTTPS by default to yes

  • Now set up all your virtual hosts.
  • You will get a certificate error when you connect to them.

  • Now create a cli.ini file and put it in /etc/letsencrypt. If the directory does not exist yet, create it.

It should look like this (don't forget to change the domain names to yours):

# This is an example of the kind of things you can do in a configuration file.
# All flags used by the client can be configured here. Run Let's Encrypt with
# "--help" to learn more about the available options.

# Use a 4096 bit RSA key instead of 2048
rsa-key-size = 4096

# Uncomment and update to register with the specified e-mail address
#email =

# Uncomment and update to generate certificates for the specified
# domains.
domains = server01.example.com, www.example2.com, example2.com


# Uncomment to use a text interface instead of ncurses
text = True
expand = True
# Uncomment to use the standalone authenticator on port 443
# authenticator = standalone
# standalone-supported-challenges = tls-sni-01

# Uncomment to use the webroot authenticator. Replace webroot-path with the
# path to the public_html / webroot folder being served by your web server.
authenticator = webroot
webroot-path = /home/server01.example.com/public_html

Don't forget to set the webroot path here. Put your server's name in, and ONLY the domains of the virtual servers you already have running; otherwise letsencrypt returns an error code and the certificate won't be created. If you want to create certs for "www.example.com" and "example.com", make sure that you have a wildcard A record for that domain in your DNS, otherwise the creation will fail.

Then restart apache2 to activate the changes:

service apache2 restart
  • Create a script for creating or renewing this certificate. I call it letsencrypt.sh and I usually keep it in a Scripts folder under root's home directory:
#!/bin/sh
# Force (re)issue of the certificate for all domains listed in cli.ini
/opt/certbot/letsencrypt-auto certonly --renew-by-default -c /etc/letsencrypt/cli.ini

Make it executable.

  • Now go to the /etc directory and open the file crontab.

Add one line to call the script at least once a week. Change the script location and the log location according to your needs. I call it every Friday:

00 00   * * 5   root    /root/Scripts/letsencrypt.sh >> /root/Scripts/autocreate.log

Save the file and restart cron, so cron is aware of the new job.

service cron restart
  • Now head back to the directory where you keep your letsencrypt script and execute it with
./letsencrypt.sh

If you don't have any typos or the like, and only use domains which are known to the system because you already run them in Virtualmin, you should get a message that the certificate has been created successfully.
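Since a single name that Apache does not serve makes the whole request fail (see the cli.ini note above), here is an added pre-flight check you can run before letsencrypt.sh; it is not part of the original post. It compares the domains line in cli.ini against the ServerName/ServerAlias entries of the Apache config files you pass it; the file paths are assumptions.

```shell
#!/bin/sh
# Pre-flight check for the centralized cli.ini (added example, not from the post).
# Every domain in "domains = ..." must be served by an Apache vhost, or certbot's
# webroot validation fails and no certificate is issued for ANY of the names.

# Print the domains from the cli.ini "domains = a, b, c" line, one per line.
ini_domains() {
    sed -n 's/^[[:space:]]*domains[[:space:]]*=[[:space:]]*//p' "$1" \
        | tr ',' '\n' | sed 's/^[[:space:]]*//;s/[[:space:]]*$//' | grep -v '^$'
}

# Print every ServerName / ServerAlias from the given Apache config files
# (commented-out lines are skipped, a ":port" suffix on ServerName is dropped).
vhost_names() {
    sed -n -e 's/^[[:space:]]*ServerName[[:space:]]\{1,\}//p' \
           -e 's/^[[:space:]]*ServerAlias[[:space:]]\{1,\}//p' "$@" \
        | tr ' \t' '\n\n' | sed 's/:[0-9]*$//' | grep -v '^$' | sort -u
}

# Print the cli.ini domains that no virtual host serves (empty output = all good).
missing_domains() {
    ini="$1"; shift
    known=$(vhost_names "$@")
    for d in $(ini_domains "$ini"); do
        printf '%s\n' "$known" | grep -qxF "$d" || printf '%s\n' "$d"
    done
}

# Return 0 when cli.ini is consistent with the vhosts, 1 (with a report) otherwise.
check_cli_ini() {
    bad=$(missing_domains "$@")
    if [ -n "$bad" ]; then
        echo "cli.ini lists domains Apache does not serve:" >&2
        printf '  %s\n' $bad >&2
        return 1
    fi
    return 0
}

# Typical call on the Virtualmin box (sites-enabled location is an assumption):
#   check_cli_ini /etc/letsencrypt/cli.ini /etc/apache2/sites-enabled/*.conf
```

Put the call at the top of letsencrypt.sh with `|| exit 1` so the cron job stops before contacting Let's Encrypt when the list is stale.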

  • Now open one of your websites and voilà: it has a green lock in front of the URL in your browser, indicating you have obtained a correct certificate.

  • If you add new domains to your Virtualmin, all you have to do is add the domain to the cli.ini file and renew your certificate by running the letsencrypt script you created before.

I hope you can make some use of it.

Best