TOPIC: GODaddy SSL Certificate

#6144
JimJenkins (User)
Posts: 31
GODaddy SSL Certificate 2007/07/17 16:53  
I've been working on installing a godaddy certificate and was wondering if anyone else has done the same with Virtualmin? This is one of those funky (but cheap) intermediate certificates. See this thread for more background: http://www.virtualmin.com/forums/general-discussion/certificate-options.html

Anyway, the idea is to install 2 certificates as part of your "Chain". Your certificate as well as an intermediate cert. from Godaddy. I'm having trouble translating their instructions to a Virtualmin setup.

1. Copy your issued certificate, intermediate certificate and key file (generated when you created the Certificate Signing Request (CSR)) into the directory that you will be using to hold your certificates.
2. Open the Apache ssl.conf file and add the following directives:
* SSLCertificateFile /path to certificate file/your issued certificate
* SSLCertificateKeyFile /path to key file/your key file
* SSLCertificateChainFile /path to intermediate certificate/gd_intermediate_bundle.crt
3. Save your ssl.conf file and restart Apache.


Basically, instead of copying the files to a directory on the webserver, I installed my new cert via the "Manage SSL Certificate->New Certificate" menu.

But how do I install the intermediate cert? I have created this directive in my ssl.conf file.
* SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt

Will Apache know to use this for my certificate? Will it interfere with other certificates? Will the Atlanta Hawks ever field a decent basketball team?

Post edited by: JimJenkins, at: 2007/07/17 16:54
#6154
Joe (Admin)
Posts: 4084
Re:GODaddy SSL Certificate 2007/07/18 01:01  
Hey Jim,

Yep, it's been done. You're using one here at Virtualmin.com. We're cheap, and we know how to use chained certificates. It's a dangerous combination. ;-)

That said, I set ours up manually before any of the SSL handling stuff in Virtualmin had gotten reasonable (it still needs a little bit more work).

Here's the relevant VirtualHost section on our system (note that I said VirtualHost--the chain file probably ought to be set per-domain, though I can't be sure that's necessary, as it is the same for all that are purchased from the same folks...godaddy in my case and yours):

SSLEngine on
SSLCertificateFile /home/virtualmin/etc/certs/certfile.pem
SSLCertificateKeyFile /home/virtualmin/etc/certs/keyfile.pem
SSLCertificateChainFile /home/virtualmin/virtualmin/certs/sf_issuing.crt

Virtualmin's SSL management doesn't yet handle chained certs (I'll ask Jamie to add it), so the SSLCertificateChainFile will need to be added manually.

And, no, I'm guessing the Hawks will not field a decent team in our lifetime. (But, ya'know, the Houston Rockets were an also-ran until 1993...and now have become an also-ran again. Things change.) ;-)

Oh, yeah, you can also use this kind of cert for Postfix with these directives:

smtpd_tls_cert_file = /etc/postfix/virtualmin.pem
smtpd_tls_CAfile = /etc/postfix/sf_issuing.crt

Though it looks like I combined the key and the cert into a pem for Postfix use (I don't think this is necessary...not sure why I went that route.)

And Dovecot:

ssl_cert_file = /home/virtualmin/etc/certs/virtualmin-chained.cert
ssl_key_file = /home/virtualmin/etc/certs/keyfile.cert


Same story here, only with the chain and the cert combined--I think this one was actually necessary to make Dovecot use the chain.

cat sf_issuing.crt certfile.pem > chained.cert

I don't use FTP, but you could do the same for ProFTPd with the TLSCertificateChainFile directive.

Post edited by: Joe, at: 2007/07/18 01:02
#8381
Transmobius (User)
Posts: 24
Re:GODaddy SSL Certificate 2007/11/07 19:59  
I'm planning on getting a GoDaddy SSL cert this week, any update to the above?

Another related question, if I get the cert for www.MyDomain.com should I spec that as my POP3/SMTP servers in my mail client (as opposed to mail.MyDomain.com or just MyDomain.com)?
#8384
Joe (Admin)
Posts: 4084
Re:GODaddy SSL Certificate 2007/11/07 22:32  
I believe chained certs are now configurable in Virtualmin. If not, they will be soon (and the above docs should get you there).

Yes, if your cert is www.domain.tld, then everything that uses the cert needs to be talking to www.domain.tld, or it will result in a security warning.
#8390
Transmobius (User)
Posts: 24
Re:GODaddy SSL Certificate 2007/11/08 05:52  
It looks like it knows about chained certificates:
Virtualmin->Server Configuration->Manage SSL Certificate->CA Certificate
"If your virtual server's SSL certificate is from a certificate authority that is not directly known to major browsers, you may need to upload the CA's certificate using this form."

I'll find out and report back in a couple of days.

On the mail servers question, if I wanted to maintain both a 'www.' cert for browsers and a 'mail.' cert for POP/SMTP/IMAP would your interface allow this, or is it back to the command line?
#8393
Transmobius (User)
Posts: 24
Re:GODaddy SSL Certificate 2007/11/08 06:43  
More GoDaddy info.

They offer 'Single' certs that, they say, if issued after 2006 will secure the domain name, with or without the www prefix. Has anyone tried this? See: http://help.godaddy.com/article.php?article_id=850&topic_id=234

They also offer 'Multiple Domain (UCC)' and 'Wildcard' certificates for A LOT more money. Multiple would be a single certificate for many separate domains!? And Wildcard seems to let you use just one certificate for however many subdomains your domain has.

Both are interesting. But it would still be cheaper to have two singles at $19/year. And if Virtualmin could plug-in two (www and mail) it would be a no brainer.
#8412
Transmobius (User)
Posts: 24
Re:GODaddy SSL Certificate 2007/11/09 20:55  
Easier than I can believe.

Virtualmin->Server Configuration->Manage SSL Certificate->Signing Request
Fill in the blanks ('Server name in URL' needs the 'www' but not 'http://'), click 'Generate Now', copy the result
Log in to GoDaddy, buy a certificate credit, use the credit to request a certificate (they have instructions)
Paste in the CSR you got from clicking 'Generate Now'
They e-mail you a link to a zip file containing your cert and a chain called 'gd_intermediate_bundle.crt'
Unzip the file
Virtualmin->Server Configuration->Manage SSL Certificate->New Certificate
Upload your cert into 'Signed SSL certificate'
Virtualmin->Server Configuration->Manage SSL Certificate->CA Certificate
Upload the chain into 'CA certificate file'
Restart Apache

Dovecot
Webmin->Servers->Dovecot->SSL Configuration (No chain needed?)
SSL certificate file /home/YOURDOMAIN/ssl.cert
SSL private key file /home/YOURDOMAIN/ssl.key
Save, Restart Dovecot

Postfix
Webmin->Servers->Postfix->SMTP Authentication
Enable TLS encryption? Yes
TLS certificate file /home/YOURDOMAIN/ssl.cert
TLS private key file /home/YOURDOMAIN/ssl.key
TLS certificate authority /home/YOURDOMAIN/ssl.ca
Save, Restart Postfix

ProFTPd
This takes just a bit more effort. It requires the chain file (now residing at /home/YOURDOMAIN/ssl.ca) and your cert together. Login to your system and
cat ssl.ca ssl.cert > ssl.chained.cert
Webmin->Servers->ProFTPD Server->Edit Config Files
(Explanation at: http://www.castaglia.org/proftpd/modules/mod_tls.html)
--------------------------------------------------------------------------------
FIND THIS SECTION (ABOUT HALF WAY DOWN):
<IfModule mod_tls.c>
TLSEngine off
</IfModule>

AND CHANGE IT TO READ:
##<IfModule mod_tls.c>
##TLSEngine off
##</IfModule>
TLSEngine on
TLSRequired on
TLSRSACertificateFile /home/YOURDOMAIN/ssl.chained.cert
TLSRSACertificateKeyFile /home/YOURDOMAIN/ssl.key
TLSCipherSuite ALL:!ADH:!DES
--------------------------------------------------------------------------------
Save, Restart ProFTPd
#8414
Transmobius (User)
Posts: 24
Re:GODaddy SSL Certificate 2007/11/10 07:18  
Forgot one, Webmin itself.

Webmin->Webmin->Webmin Configuration->SSL Encryption

Private key file /home/YOURDOMAIN/ssl.key
Certificate file Separate file: /home/YOURDOMAIN/ssl.cert
Redirect non-SSL Yes
Additional cert /home/YOURDOMAIN/ssl.ca


Prolly time to add this to the Wiki . . .
#8416
Transmobius (User)
Posts: 24
Re:GODaddy SSL Certificate 2007/11/10 08:40  
Dovecot DOES need the chaining certificate.

Webmin->Servers->Dovecot->Edit Config File
(Tap PageDown about 5 times)
ssl_ca_file = /home/YOURDOMAIN/ssl.ca


(Would be nice if this had a Webmin field like Postfix)
#8419
Joe (Admin)
Posts: 4084
Re:GODaddy SSL Certificate 2007/11/10 12:16  
Awesome research Transmobius! Definitely going in the wiki. And I'll bug Jamie again about getting all of this a bit easier to configure in the respective Webmin modules, and probably in Virtualmin itself--since the mail services can only really have one certificate, it makes sense to have a single place to configure it for Webmin's "default" (Webmin can serve other certs on other IPs, though), the mail servers and ProFTPd on the default IP.
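
The setups in this thread depend on three properties that can be checked with the openssl command before restarting any service: the key belongs to the certificate, the intermediate file links the certificate to a trusted root, and the certificate covers the host name clients will use. The script below is an added example, not part of any post above; the file names ssl.cert, ssl.key and ssl.ca follow the thread, while root.crt, www.example.test and the throwaway demo PKI are constructed, and OpenSSL 1.0.2 or later is assumed for -checkhost.

```shell
#!/bin/sh
# Added example. File names ssl.cert / ssl.key / ssl.ca follow the thread;
# the demo PKI, root.crt and www.example.test are constructed for this sketch.

key_matches_cert() {  # CERT KEY: is the public key in CERT the one derived from KEY?
    a=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
    b=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    [ -n "$a" ] && [ "$a" = "$b" ]
}

chain_verifies() {  # ROOT CHAIN CERT: does CHAIN link CERT to the trusted ROOT?
    openssl verify -CAfile "$1" -untrusted "$2" "$3" 2>/dev/null | grep -q ': OK$'
}

host_matches() {  # CERT HOST: is HOST covered by the names in the certificate?
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null | grep -q 'does match'
}

preflight() {  # DIR HOST: DIR holds ssl.cert, ssl.key, ssl.ca and root.crt
    rc=0
    key_matches_cert "$1/ssl.cert" "$1/ssl.key" || { echo "FAIL: ssl.key does not match ssl.cert"; rc=1; }
    chain_verifies "$1/root.crt" "$1/ssl.ca" "$1/ssl.cert" || { echo "FAIL: ssl.ca does not link ssl.cert to the root"; rc=1; }
    host_matches "$1/ssl.cert" "$2" || { echo "FAIL: certificate is not valid for $2"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: ssl.cert, ssl.key and ssl.ca are consistent for $2"
    return "$rc"
}

make_demo_pki() (  # DIR: constructed root -> intermediate (ssl.ca) -> leaf (ssl.cert)
    cd "$1" || exit 1
    echo 'basicConstraints=critical,CA:TRUE' > ca.ext
    echo 'subjectAltName=DNS:www.example.test' > leaf.ext
    for n in root inter ssl; do
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=demo-$n" \
            -keyout "$n.key" -out "$n.csr" 2>/dev/null || exit 1
    done
    openssl x509 -req -in root.csr -signkey root.key -extfile ca.ext \
        -days 2 -out root.crt 2>/dev/null &&
    openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial \
        -extfile ca.ext -days 2 -out ssl.ca 2>/dev/null &&
    openssl x509 -req -in ssl.csr -CA ssl.ca -CAkey inter.key -CAcreateserial \
        -extfile leaf.ext -days 2 -out ssl.cert 2>/dev/null
)

demo=$(mktemp -d) && make_demo_pki "$demo" && preflight "$demo" www.example.test
```

Against a real server, call the three check functions on the files under /home/YOURDOMAIN and pass your distribution's CA bundle as the root; running host_matches with mail.MyDomain.com against a www-only certificate shows the mismatch a mail client would warn about.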