Letsencrypt is due out soon
Letsencrypt is due out soon
I got on a Letsencrypt preview account. I'm using a Virtualmin GPL on Ubuntu 14 server. The server was just recently installed and is operating as a standard web server.
I've installed the latest letsencrypt-auto using the suggested git commands from the beta email. Sign up for the beta to get the git install command and certificate creation notes or wait for the official release, probably in a few weeks.
So far it appears that for this to work in Virtualmin/Ubuntu 14:
Python needs an upgrade to 2.7.9 or newer.
I didn't get the letsencrypt-auto automatic command to work with the Virtualmin. I may have just been reading the directions incorrectly. I believe in a Virtualmin environment you probably just want to do the certificate creation and manually link to the correct files.
Certificates will be 90 days but that is not really a problem because renewing can be automated.
Wildcard domains certificates are not likely going to happen.
Multi-domains certificates are working.
In my test I noticed the latest Virtualmin doesn't use (in my setup) the apache keyword SSLCertificateChainFile that is suggested with the Letsencrypt. Virtualmin uses SSLCACertificateFile that is not referenced by Letsencrypt setup notes. Merely doing a ln without editing the apache domain config probably isn't going to work if the right directive isn't in use. However, I did a ln to the letsencrypt chain and used the SSLCACertificateFile without getting a browser error. Perhaps somebody can clear up why that wasn't throwing a browser error.
I installed python 2.7.9 as root and so far no noticeable breaking of the system yet but I didn't look too hard at the logs.
After the client is installed and python updated I proceeded to:
stop apache to use the port with the letsencrypt client
link up the new certs
ln -s /etc/letsencrypt/live/www.mydom.com/cert.pem /home/username/domains/mydom.com/ssl.cert
ln -s /etc/letsencrypt/live/www.mydom.com/privkey.pem /home/username/domains/mydom.com/ssl.key
ln -s /etc/letsencrypt/live/www.mydom.com/chain.pem /home/username/domains/mydom.com/ssl.ca
- start apache
Browsers I tried worked without complaining. SSLLABS SSL testing didn't have any complaints after I fixed up my apache cipher security, eventually giving an A score. So it appears to work as expected.
There may be a problem with root owned certificates in virtualmin domain directories. The virtualmin panel says it can copy an existing domain certificate and appears to when I tell it to. It doesn't let me download the certificate in the web panel. I don't know yet if it is doable to just change the user permissions on the letsencrypt certificates in /etc/letsencrypt. From what I have read you'll want to leave these in place to be able to easily update, come renewal time. That is why I linked, instead of copied the certificates.
My question is, have you been able to run the automated install, linking generated certs in locations where virtualmin expects to find them for the control panel, or is there a Virtualmin patch that looks to /etc/letsencrypt for certs per domain, or do you have an even better way to approach this?