Guide to install FREE SSL certificate from Letsencrypt on Virtualmin & Webmin. 100% working.

73 posts / 0 new
Last post
Wed, 02/01/2017 - 18:13
azcunaga

One question I do have is: Do I need to add smtp.domain.com or imap.domain.com in the LE domain list in order to enable SSL in my e-mails? Or should this happen automatically in Virtualmin just with the regular LE request?

Thanks!

Wed, 03/01/2017 - 23:28 (Reply to #52)
samrich

azcugaga,

Did you ever find an answer to this question?

Thu, 09/21/2017 - 16:51 (Reply to #53)
Cloud4G Pro Licensee

You can include subdomains like smtp.domain.com in the request form. That seems to work just fine. Then you need to go back to Virtualmin>server configuration>manage SSl certificate and click on copy to Postfix and copy to Dovecot for those to make use of the cert. I have done that without using smtp.domain.com specified in the letsencrypt request, however, that could be a problem if the receiving server has strict requirements. You may want to look up Google requirements - they are among the strictest for conformance to the standard. There docs may specifically say what the cert needs to include as subdomains.

Mon, 03/06/2017 - 12:57
sumi

hi,

Can this work when using nginx instead of apache ?

Mon, 04/17/2017 - 14:16
thomnet

"Can this work when using nginx instead of apache ?"

I'm using nginx + fpm plugin by kintaro1981 (https://github.com/Real-Gecko/virtualmin-nginx-fpm) and the answer is yes, at least the certificate installation process seemed to work without errors. However in looking over the files in /etc/nginx/sites-available I didn't see any changes. That makes sense until you go back to the "Manage SSL Certificates" panel and tell Virtualmin how to use the certs created by LetsEncrypt. I clicked all of the "Copy to xxxxx" buttons and sure enough I was asked to authenticate, since I was using the IP address instead of the domain name in my Webmin session. After all buttons were clicked the "Manage SS Certificate" page now says:

This SSL certificate is already being used by : Webmin, ProFTPD, Usermin, Postfix, Dovecot,

however the default website for the domain does not. I have also yet to verify if email with SSL is working.

The fpm plugin prohibits the use of nginx-website & nginx-website-ssl features. using nginx instead of apache2 prohibits use of "SSL Website", but LetsEncrypt still worked with only the nginx-fpm feature enabled, once I fixed my location block exclusion below.

I did find an issue with a location rule intended to block access to "dot" files such as apache's .htaccess:

location ~ (^|/). { <------ Append htaccess after the . return 403; }

I simply made the match explicit to .htaccess and it worked without issues on my GPL 5.07 Virtualmin installation.

Fri, 11/24/2017 - 11:52 (Reply to #56)
Cloud4G Pro Licensee

I am using letsencrypt on two VPS with Centos 7.4, NGINX, PHP7.1, MariaDB 10.2. The servers are fresh installs using the newest virtualmin/Webmin 6.x install script.

The letsencrypt cert installs so long as you have your domain pointed to the server's IP address and it has had time to propagate.

Some hints:

If you are changing the IP address that the domain points to, first set the domain DNS catch time ($ttl) to be short, like 1200-2400 so that the DNS servers on the web will refresh. This can be set a day or more before. Letsencrypt uses the domain IP as it finds it. If it points to the old/wrong address, the cert request will be rejected. Point the domain to the new IP of the server. This is done at your domain host.

Set up the reverse PTR for the domain you wish to host your email server. This often requires a request of the server host. Some VPS providers allow a user to set their own reverse PTR, others require this via a service ticket or a call. This is not necessary for Letsencrypt to issue a certificate. However, if you wish for your mail server to be recognized by Google and other email services or want to encrypt emails, it has become needed.

I usually request additional sub-domains including mail.myserver.com. This may not be necessary, however, Letsencrypt issues a cert that includes proper subdomains.

Letsencrypt has worked 'out of the box' on a fresh install as described above. In the past, I installed letsencrypt from the command line but the new Virtualmin install script appears to take care of that. You may need to install the Webmin module. See the tutorials for how to do that.

Mon, 09/11/2017 - 18:44
iateadonut

This is all done through the Virtualmin interface now!

Just click on Server Configuration->Manage SSL Certificate

then click on the "Let's Encrypt" tab

Wed, 09/20/2017 - 00:03
neofutur

subscribing.

thanks for this great tutorial, worked perfectly for me

Wed, 09/20/2017 - 03:26
briand Pro Licensee

I just use 'domain.com' for the mail incoming and outgoing server name. SSL sorted ;o) is it ok to do it this way ?

Thu, 11/23/2017 - 12:23
LuigiMdg
LuigiMdg's picture

Hi.. I haven't understand.. This work only for 90 days..?

And at the end of 90 days..?

If I install on principal domain, this is applied to the sub-domains?

Thu, 11/23/2017 - 12:55
briand Pro Licensee

Use admin to generate update cert

You can change the months to 12

Thu, 11/23/2017 - 13:44
Cloud4G Pro Licensee

There is an option towards the lower portion of the page: Click on the option to automatically renew and put in the number of months. I usually set that for 2 months. The letsencrypt cert expires in 3 months.

Wed, 12/20/2017 - 21:32 (Reply to #63)
NigelAves

On the "auto" renewal .....

This is the default - "Months between automatic renewal {tick box - off} Only renew manually {tick box - on} 2 "

I believe this means that auto-renewal is on, but the layout is a tad weird / confusing and it is hard to know until the 2 months are up.

Any idea.

Thu, 12/21/2017 - 08:18 (Reply to #64)
Cloud4G Pro Licensee

I see that as a minor issue and not worth making any changes. If the server is set up properly. the Virtualmin LE module has always worked for me and it is easy to request a new cert if a mistake is made.

My biggest issue with certifications is that an automated process must be limited to domain or other type of certification that a BOT can verify without additional documents or process steps. That means that it is extremely unlikely that LE can ever be extended to eCommerce business or another type of certification that requires verification of the business or individual making the request. Commercial class certs are far more expensive than they could be if the certification process could be made streamlined from end-to-end. If, for example, the certificate authority that issues the cert had access to a clearinghouse for state and local business license records and those records required similar verification as currently done by each cert authority. Then the Class II/III cert could be automated similar to Letsencrypt. That would probably not result in commercial certs being free but since all providers would have a lower and much-streamlined cost basis, would drive down the cost dramatically and make the process much easier for the business. Since businesses must already pay for and maintain their business licenses, that would reduce duplication of something that has to be dealt with each time a server is moved or changed such that it normally requires reissue of a cert. Maybe that will happen over time. It might be available in some parts of the world due to government action in that direction.

Thu, 12/21/2017 - 08:48 (Reply to #65)
NigelAves

I totally agree with all your comments. In regards to the dialog, I was just looking at it all wrong! (operator error!), but I do (still) believe that a link to the "Lets Encrypt Agreement" should be provided on that page with a check box that asks to agree / disagree. It is something you have to do if run manually using the scripts and Virtualmin really should give the option.

I'm one of those "photographer / geeks" that runs their own web server so I can totally control the galleries with my photographs. I'm in the reverse position of all the companies because getting three or four certificates was just too darn expensive, at least a registered company can write off the cost on operating expenses. But looking at your idea for the process to automatically scan business records, but the Class II/III cert has become such a cash cow for companies like GoDaddy I could really see them pushing back.

And of course, this is all happening because some one (Google?) decided that everything has to be encrypted, when in fact it does not. The only reason I have gone this route is to stop visitors to my galleries getting the impression that "they are "not secure"", when in fact, they are perfectly secure as I'm not asking for any information!

Thu, 11/23/2017 - 14:02
briand Pro Licensee

ah ok, I'll keep an eye on the dates for expiry then. pity it's only 3 months.

Fri, 11/24/2017 - 08:54
LuigiMdg
LuigiMdg's picture

You are a fucked genius!! Much much respect for you! :-)

Sun, 11/26/2017 - 02:55
LuigiMdg
LuigiMdg's picture

I can manually copy the certificate in subdomains..? I've read that the next Virtualmin release will let you enter whatever hostnames you like for inclusion in the Let's Encrypt cert request

Mon, 11/27/2017 - 09:11
Cloud4G Pro Licensee

Virtualmin/Webmin do not control what domain names are accepted by Letsencrypt. The domain name must be the fully qualified domain name that is registered with the domain's registrar. Letsencrypt allows use of subdomains that resolve to the FQDN. See the Letsencrypt documents for a full explanation. Virtualmin automates the process: the form guides the user to fill in parameters that are input in the certificate request to Letsencrypt. It does not allow doing anything different than can be accomplished using the Letsencrypt Certbot ACME client script or similar script.

The Letsencrypt website has good documentation and blog info. And there are many tutorials including those for different servers including the popular versions of Linux and, Apache, NGINX, Virtualmin. An alternative to using Virtualmin is to use command-line interface and set up a CRON job. That is what Virtualmin does when the option to renew is selected. I have done both. Virtualmin/Webmin now does it all for you.

Tue, 03/13/2018 - 01:30
Peter Simon

Thanks for this working method.

spy hunter game

Sun, 03/18/2018 - 16:48
Cloud4G Pro Licensee

Letsencrypt has released a new version of the Achme BOT that can do wildcard certificates and has some other added features. Wildcard certs can cover a host of subdomains so that individual subdomains requests would not be required. For example, if your cert request had been set up to for mail.mydomain.com, mydomain.com and server.mydomain.com, a valid Achme 2 request could be either for *.mydomain.com or for *.mydomain.com, mydomain.com.

To use the V2 cert requires a V2 Achme client. That should usually be done through a standard upgrade.

Tue, 03/20/2018 - 10:36
atleast
atleast's picture

Can someone write simple steps, commands on latest virtualmin so that auto renewal works?

Currently auto renewal is not working as it gives an error related to permission error on ACME directory.

Pages