With the Let's Encrypt certificate enabled by default for new virtual servers, the usual log looks like the following:
Creating home directory ..
.. done
Adding records to DNS zone mydomain.com ..
.. done
Adding new virtual website ..
.. done
Performing other Apache configuration ..
.. done
Creating SSL certificate and private key ..
.. done
Adding new SSL virtual website ..
.. done
Setting up log file rotation ..
.. done
Creating MySQL database domain_sub ..
.. done
Re-starting DNS server ..
.. done
Applying web domain configuration ..
.. done
Re-starting Webmin ..
.. done
Re-starting Usermin ..
.. done
Saving server details ..
.. done
Sending email notification to domain owner ..
.. email sent to info@mymail.com
Requesting a certificate for sub.mydomain.com, www.sub.mydomain.com from Let's Encrypt ..
.. request was successful!
Applying web domain configuration ..
.. done
So, as you can see from:
Creating SSL certificate and private key ..
.. done
Adding new SSL virtual website ..
.. done
the system (1) first generates a self-signed certificate, with a bunch of ssl.* files created in the website's home directory, like:
-rwxr-xr-x 1 mydomain mydomain 1647 Dec 4 19:56 ssl.ca
-rwx------ 1 mydomain mydomain 1814 Dec 4 19:56 ssl.cert
-rwx------ 1 mydomain mydomain 3461 Dec 4 19:56 ssl.combined
-rwx------ 1 mydomain mydomain 5140 Dec 4 19:56 ssl.everything
-rwx------ 1 mydomain mydomain 1679 Dec 4 19:56 ssl.key
-rwxr-xr-x 1 mydomain mydomain 5140 Dec 4 19:56 ssl.pem
and then, only after setting up log file rotation, creating the MySQL database, re-starting the DNS server, applying the web domain configuration, re-starting Webmin, re-starting Usermin, saving server details and sending the email notification to the domain owner, at the very end it (2) requests the Let's Encrypt certificate. Moreover, after generating the Let's Encrypt certificates, the system never takes care of deleting all those ssl.* files created in step (1).
I wonder if it is possible at all to completely avoid step 1 (the self-signed certificate) if we are going to get a Let's Encrypt certificate a little bit later? If not, then these two steps should somehow be consolidated, and the system should clean up the unnecessary ssl files generated for the self-signed certificate.
Comments
Submitted by yngens on Mon, 12/04/2017 - 14:40 Comment #1
Submitted by JamieCameron on Tue, 12/05/2017 - 17:54 Comment #2
No, the self-signed cert step is needed because we don't know if the Let's Encrypt request will work - and we still need some cert to fall back on in order to enable SSL.
Submitted by yngens on Tue, 12/05/2017 - 19:54 Comment #3
Fair enough, as this was not a crucial issue anyway. So I'm marking this as closed.