HowTo: Centralize your Certificate needs (debian/ubuntu) with letsencrypt on an existing system running already virtual hosts

#1 Wed, 09/14/2016 - 11:46
just_me


Well,

I spent quite some time figuring this out, and in the end I found a solution.

  • If you want to use certs for mail service, you should consider having a neutral domain.
  • I use this FQDN to set up virtualmin, and it is the server name. I am using something like server01.serverconfig.com. Therefore I do not run into the problem that the email client nags that the certificate does not fit the virtual server's domain name.
  • I install all my scripts which are available to a client in the standard web root (/var/www/ or whatsoever). So I always only need to update ONE installation of webmail, phpmyadmin, you name it. (I would like to have those script installers in webmin too for that purpose; it makes a lot of sense.) Your clients can log in there, even if they have different databases, users etc. Way easy.
  • All clients on that server then use the mail server server01.serverconfig.com, making life easier :-)
  • You don't clutter your letsencrypt folder with subfolders for each domain and sub-subfolders for each renewal.

If you setup a fresh install of virtualmin and want to use centralized certs, just head over here: https://www.virtualmin.com/node/43454

To have the centralized SSL cert (if you happen to have virtualmin already installed and several virtual hosts running):

  • SSH to your machine and do the following:
apt-get install git
cd /opt
git clone https://github.com/certbot/certbot

So you get letsencrypt installed. You don't have to worry about updates or about this not being a standard debian/ubuntu package, because letsencrypt, a.k.a. certbot, checks for updates itself when you run it.

To make it somewhat easier later on, you should consider creating a virtual host in virtualmin for your server's hostname. Let's say the name of your server's hostname is server01.example.com, which we will use from here on. Please keep in mind to change this example hostname to your own, and also change the corresponding folders.

  • Edit your apache.conf in /etc/apache2 and add the following code:
#letsencrypt change for one webroot dir
# Globally redirect ACME challenges to your server's host webroot
<If "%{HTTP_HOST} != 'server01.example.com'">
  # simpleHttp challenge by default uses HTTP
  Redirect /.well-known/acme-challenge/ http://server01.example.com/.well-known/acme-challenge/
  # If simpleHttp is used with TLS the above may not work.
  # In that case we have to do something like this:
  # (doesn't work for me right now; if someone gets this working please respond)
  #  <If "%{SERVER_PROTOCOL} != 'HTTPS'">
  #    Redirect /.well-known/acme-challenge/ http://%{SERVER_NAME}/.well-known/acme-challenge/
  #  </If>
  #  <Else>
  #    Redirect /.well-known/acme-challenge/ https://%{SERVER_NAME}/.well-known/acme-challenge/
  #  </Else>
</If>

This will take care of using just one webroot directory for checking validity of your cert request.

  • Now create a cli.ini file and put it into /etc/letsencrypt. If the directory is not already there, create it.

It should look like this (don't forget to change the domain names to yours):

# This is an example of the kind of things you can do in a configuration file.
# All flags used by the client can be configured here. Run Let's Encrypt with
# "--help" to learn more about the available options.

# Use a 4096 bit RSA key instead of 2048
rsa-key-size = 4096

# Uncomment and update to register with the specified e-mail address
#email =

# Uncomment and update to generate certificates for the specified
# domains.
domains = server01.yourdomain.com, www.yourdomain2.com, yourdomain2.com


# Uncomment to use a text interface instead of ncurses
text = True
expand = True
# Uncomment to use the standalone authenticator on port 443
# authenticator = standalone
# standalone-supported-challenges = tls-sni-01

# Uncomment to use the webroot authenticator. Replace webroot-path with the
# path to the public_html / webroot folder being served by your web server.
authenticator = webroot
webroot-path = /home/server01.example.com/public_html

Don't forget to set the webroot path here. Put your server's name in and ONLY the domains of the virtual servers you already have running, otherwise letsencrypt gives back an error code and the certificate won't be created. If you want to create certs for "www.example.com" and "example.com", make sure that you have a wildcard type A entry on that domain in your DNS record, otherwise the creation will fail.

  • Go to /etc/apache2/sites-available and open the conf file for the domain where you want to have the letsencrypt certificate(s)

Look for those two lines:

SSLCertificateFile /home/example2.com/ssl.cert
SSLCertificateKeyFile /home/example2.com/ssl.key

and comment them out:

#SSLCertificateFile /home/example2.com/ssl.cert
#SSLCertificateKeyFile /home/example2.com/ssl.key

Add the following lines to the domain's conf file just below those two lines from above:

SSLCertificateFile /etc/letsencrypt/live/server01.example.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/server01.example.com/privkey.pem
SSLCACertificateFile /etc/letsencrypt/live/server01.example.com/fullchain.pem

Update: With apache 2.4.8 the CA certificate is no longer used. In this case add the following lines:

SSLCertificateFile /etc/letsencrypt/live/server01.example.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/server01.example.com/privkey.pem

Now this part should look like this, up to apache 2.4.7:

#SSLCertificateFile /home/example2.com/ssl.cert
#SSLCertificateKeyFile /home/example2.com/ssl.key
SSLCertificateFile /etc/letsencrypt/live/server01.example.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/server01.example.com/privkey.pem
SSLCACertificateFile /etc/letsencrypt/live/server01.example.com/fullchain.pem

or for apache 2.4.8:

#SSLCertificateFile /home/example2.com/ssl.cert
#SSLCertificateKeyFile /home/example2.com/ssl.key
SSLCertificateFile /etc/letsencrypt/live/server01.example.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/server01.example.com/privkey.pem

Change this for all domains where you want to use letsencrypt certificates.

Then restart apache2 to activate the changes:

service apache2 restart
  • Create a script for creating or renewing this certificate. I call it letsencrypt.sh and I usually keep it in my Scripts folder under the root directory:
#!/bin/sh
/opt/certbot/letsencrypt-auto certonly --renew-by-default -c /etc/letsencrypt/cli.ini

Make it executable.

  • Now go to /etc directory and open the file crontab

Add one line for calling the script at least once a week. Change the script location and the log location according to your needs. I call it every Friday:

00 00   * * 5   root    /root/Scripts/letsencrypt.sh >> /root/Scripts/autocreate.log

Save the file and restart cron, so cron is aware of the new job.

service cron restart
  • Now head back to your directory, where you have your letsencrypt script running and execute it with
./letsencrypt.sh

If you don't have any typos or the like, and only use domains which are known to the system because you already run them in virtualmin, you should get a message that the certificate has been created successfully.

  • Optional: I put a redirect into the .htaccess of my webroot to get all http:// links over to https:
RewriteEngine on
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
  • Now open one of your websites and voila: it has a green lock in front of the link in your browser indicating you have obtained a correct certificate.

  • If you have new domains in your virtualmin, all you have to do is:

a) add the domain to /etc/letsencrypt/cli.ini and b) make those changes in your domain's config file under /etc/apache2/sites-enabled.

I hope you can make some use of it.

Best
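The post's letsencrypt.sh is a single certbot call, and its one hard rule is that cli.ini may only list domains the server already serves. The script below is an added example that is not part of the original post: it parses the `domains =` line of a cli.ini, compares it against the ServerName/ServerAlias values in an Apache sites directory, runs the certbot command only if every name is served, and reloads Apache only after certbot succeeded (so a failed renewal never restarts the web server against a broken config). The fixture it builds (a sample cli.ini and two vhost confs in a temp dir) is constructed for the demo; the real paths /etc/letsencrypt/cli.ini and /etc/apache2/sites-enabled, and the certbot and reload commands, are assumptions matching the post's layout.

```shell
#!/bin/sh
# Added example (not the original post's script): letsencrypt.sh with a
# pre-flight check and a conditional Apache reload. Paths and commands
# passed to run_renewal are assumptions; adjust them to your system.

# Print the domains from the "domains = a, b, c" line of a cli.ini, one per line.
parse_cli_domains() {
    sed -n 's/^[[:space:]]*domains[[:space:]]*=[[:space:]]*//p' "$1" \
        | tr ',' '\n' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | grep -v '^$'
}

# Print every ServerName / ServerAlias value from *.conf under a sites dir.
apache_served_names() {
    cat "$1"/*.conf 2>/dev/null \
        | sed -n 's/^[[:space:]]*ServerName[[:space:]]*//p; s/^[[:space:]]*ServerAlias[[:space:]]*//p' \
        | tr ' \t' '\n\n' | grep -v '^$' | sort -u
}

# Return 0 if every cli.ini domain is served by Apache; otherwise print the
# missing names (one per line) and return 1. $1 = cli.ini, $2 = sites dir.
check_domains_served() {
    served=$(apache_served_names "$2"); missing=0
    for d in $(parse_cli_domains "$1"); do
        if ! printf '%s\n' "$served" | grep -qxF -- "$d"; then
            echo "not served by apache: $d"; missing=1
        fi
    done
    return $missing
}

# $1 = cli.ini, $2 = sites dir, $3 = certbot command, $4 = reload command.
# Returns 1 when the pre-flight fails (certbot is not run), 2 when certbot
# fails (Apache is left untouched), 0 when the certificate was renewed and
# Apache reloaded.
run_renewal() {
    check_domains_served "$1" "$2" || { echo "pre-flight failed, certbot not run"; return 1; }
    if $3; then
        $4 || return 3
        echo "certificate renewed, apache reloaded"
    else
        echo "certbot failed, apache left untouched"; return 2
    fi
}

# Constructed fixture: a sample cli.ini plus two vhost confs in a temp dir;
# prints the dir. The fourth domain is deliberately served by no vhost.
make_fixture() {
    dir=$(mktemp -d); mkdir "$dir/sites-enabled"
    echo 'domains = server01.example.com, www.example2.com, example2.com, notyet.example.org' > "$dir/cli.ini"
    printf '<VirtualHost *:80>\n    ServerName server01.example.com\n</VirtualHost>\n' \
        > "$dir/sites-enabled/server01.example.com.conf"
    printf '<VirtualHost *:80>\n    ServerName example2.com\n    ServerAlias www.example2.com\n</VirtualHost>\n' \
        > "$dir/sites-enabled/example2.com.conf"
    echo "$dir"
}

# Stand-alone run against the fixture: the pre-flight reports the unserved
# name and certbot is never invoked. On a real server the arguments would be
# /etc/letsencrypt/cli.ini, /etc/apache2/sites-enabled, the post's certbot
# command and "service apache2 reload".
FIX=$(make_fixture)
run_renewal "$FIX/cli.ini" "$FIX/sites-enabled" \
    "/opt/certbot/letsencrypt-auto certonly --renew-by-default -c $FIX/cli.ini" \
    "service apache2 reload" || echo "exit status $?"
rm -rf "$FIX"
```

Dropped into the cron line from the post in place of the one-line script, the non-zero exit status and the "not served by apache" lines end up in autocreate.log, which is where you would look first when a weekly run stops producing a fresh certificate.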

Sat, 07/14/2018 - 09:34
jabowery

The date on this is 09/14/2016 -- aren't these directions obsolete for the current version of virtualmin?
