SSL and Virtualmin

SSL and Virtualmin

SSL is an encryption protocol that protects data sent to and from websites from snooping or modification when they are accessed using https URLs. In addition, it allows browsers to be sure they are connecting to the correct web server, and not one setup by an attacker that is intercepting network traffic.

A critical component of the SSL protocol is the certificate, which web servers present to browsers to prove their ownership of a domain name. They are typically issued by Certificate Authorities (CAs), following the submission of a certificate request and validation of the submitter's ownership of a domain. Thanks to the magic of public-key cryptography, browsers can check that the certificate presented by a web server was actually signed by one of the CAs that it knows about.

If you want to setup an SSL website that will be visited by customers or users, obtaining a valid certificate is important. Although Virtualmin will allow you to use a self-signed certificate that costs nothing and can be generated immediately, users accessing your website will see a warning message in their browsers. And they will have no real assurance that they are accessing your webserver, rather than that of an attacker.

However, a certificate signed by a CA costs time and money to obtain. You can find out how much by looking at the websites of some major CAs : http://www.google.com/search?hl=en&q=ssl+certificate+authority

Enabling SSL For a Virtual Server

An SSL website can be enabled for a virtual server either when it is first created, or later using the Edit Virtual Server page.

Adding a Virtual IP Address

In most cases, each SSL website needs to have its own IP address that is not shared with any other domain using SSL. This is due to the nature of the SSL protocol, which conflicts with name-based web virtual hosting. There are some exceptions though, as documented below.

Every Virtualmin system has at least one default shared IP address, and so can host at least one SSL website. However, to host more than one you will need to activate another IP on your system. For a typical system at a colo/hosting facility you will have several addresses available.

When creating a virtual server with SSL enabled, specify the new IP address as follows :

  1. Open the IP address and forwarding section the Create Virtual Server page.
  2. In the Network interface section, select Virtual with IP and enter the IP address into the adjacent text box.
  3. If the IP is already up on your system, check the Already active box.

This is not necessary when creating your first SSL website though, as it can use the default shared IP address.

Enabling the SSL Feature

To actually have an SSL website created for a new virtual server, you need to check the Setup SSL website too? box under Enabled features. Fill in all the other details of your new virtual server, then click Create Server to begin the process. However, if Virtualmin detects any errors (such as another SSL website using the same IP), an error message will be displayed.

As part of the SSL setup process, a self-signed certificate will be generated for your domain. When you access https://example.com/ in your browser, a warning about the self-signed cert will be displayed - but once you get past that, the website contents should appear as normal.

Requesting a Certificate

Unless your SSL website is for use on an internal or personal network only, getting a real SSL certificate is a good idea. This is a two step process, most of which can be performed within Virtualmin.

Generating a CSR

A Certificate Signing Request or CSR contains information about your company and domain name for verification by a CA. To create one using Virtualmin, do the following :

  1. Select the domain with the SSL website you need a certificate for from the left menu.
  2. Open the Server Configuration section, and click on Manage SSL Certificate.
  3. Go to the Signing Request tab, and fill in the form there. The Server name must be the hostname that will be used in the URL when accessing your website. This can be like example.com , www.example.com or even *.example.com if your CA supports wildcard certificates.
  4. Click the Generate CSR Now button.

This will create both a CSR and an SSL private key, and display them in Virtualmin. The CSR is just a block of text starting with —--BEGIN CERTIFICATE REQUEST—--, and must be send to the CA of your choice using whatever means they require.

Do NOT generate a new CSR after this point, as this will over-write your private key. The key and certificate must match for them to be used by Apache!

Installing a Certificate

After the CA verifies your request, you will receive back from them a signed certificate. This just a file starting with —--BEGIN CERTIFICATE—--. followed by several lines of base-64 encoded data. To use the new certificate, do the following :

  1. Go to the Manage SSL Certificate page, and click on the Apply Signed Certificate tab.
  2. Paste the certificate into the Signed SSL certificate box.
  3. Ensure that the Matching private key box contains the key generated in the previous section. Unless you have done something wrong, Virtualmin will display it automatically.
  4. Click the Install Now button.

Now try accessing your website at https://example.com/ in a browser, and make sure that its SSL certificate is recognized as valid.

SSL and Shared IP Addresses

In Virtualmin version 3.64 and later, more than one SSL website can share the same IP address. This can be very useful if IP addresses are hard to get - however, most of the same SSL protocol restrictions still apply.

Older Virtualmin releases would display an error message when trying to enable SSL for a virtual server on the same IP as an existing website. New versions instead check if the certificate for the existing site can also cover the new domain, and if so allow the SSL setup to process. If not, a warning message is displayed indicating that SSL certificate errors may occur - but you can click past it if desired.

When Virtualmin detects that multiple virtual servers are sharing the same certificate, the Manage SSL Certificate page will only be available for the first server. And any changes such as the creation of a new certificate will be applied to all domains that share it.

Wildcard Certificates

A wildcard cert is one that matches any sub-domain under some top-level domain, like *.example.com . Browsers will not complain if this certificate is used for www.example.com , office.example.com and so on. This means that all those virtual server websites can share the same IP address.

Using wildcard certificates in Virtualmin is simple - all you need to do is enter *.example.com as the Server name when generating the CSR. Once the certificate has been installed, you will be able to create sub-domain virtual servers on the same IP address with no warnings.

UCC Certificates

Unified Communications Certificates (UCC) are like regular certs, but contain more than one domain name that they are considered valid for. This allows the same certificate to be used for several websites on the same IP address, such as example.com , example.net and example.org . Internally, these additional domain names are stored in the certificate's subjectAltName field.

Requesting a UCC certificate in Virtualmin is easy - just enter all the extra domain names in the Alternate hostnames field when creating a CSR. Make sure your registrar knows about and can handle UCC requests though, as they are relatively new.

Once a UCC certificate is installed, you can create SSL virtual servers for the additional domain names on the same IP address as the primary domain name. Virtualmin will detect this, and will not display any warnings.

One catch with UCC certificates is that not all web browsers recognize the additional domain names. For example, the wget command will complain about a certificate mismatch.

Comments

Francewhoa's picture
Submitted by Francewhoa on Mon, 12/28/2015 - 20:30

This documentation page is useful :) But it needs minor updating. In the latest Virtualmin version 4.18 the wording changed. I created a ticket about that at https://www.virtualmin.com/node/39115

The following line: "Go to the Manage SSL Certificate page, and click on the New Certificate tab."

Should read: "Go to the Manage SSL Certificate page, and click on the Apply Signed Certificate tab."

- - -
Senior Product Manager, and Co-Founder at Ubertus.org Inc.
Love back your Virtualmin & Webmin community