Letsencrypt is due out soon

#1 Tue, 11/03/2015 - 20:46
SeeBenClick

Letsencrypt is due out soon

I got on a Letsencrypt preview account. I'm using a Virtualmin GPL on Ubuntu 14 server. The server was just recently installed and is operating as a standard web server.

I've installed the latest letsencrypt-auto using the suggested git commands from the beta email. Sign up for the beta to get the git install command and certificate creation notes or wait for the official release, probably in a few weeks.

So far it appears that for this to work in Virtualmin/Ubuntu 14:

  1. Python needs an upgrade to 2.7.9 or newer.

  2. I didn't get the letsencrypt-auto automatic command to work with the Virtualmin. I may have just been reading the directions incorrectly. I believe in a Virtualmin environment you probably just want to do the certificate creation and manually link to the correct files.

  3. Certificates will be 90 days but that is not really a problem because renewing can be automated.

  4. Wildcard domains certificates are not likely going to happen.

  5. Multi-domains certificates are working.

In my test I noticed the latest Virtualmin doesn't use (in my setup) the apache keyword SSLCertificateChainFile that is suggested with the Letsencrypt. Virtualmin uses SSLCACertificateFile that is not referenced by Letsencrypt setup notes. Merely doing a ln without editing the apache domain config probably isn't going to work if the right directive isn't in use. However, I did a ln to the letsencrypt chain and used the SSLCACertificateFile without getting a browser error. Perhaps somebody can clear up why that wasn't throwing a browser error.

I installed python 2.7.9 as root and so far no noticeable breaking of the system yet but I didn't look too hard at the logs.

After the client is installed and python updated I proceeded to:

  1. stop apache to use the port with the letsencrypt client

  2. ./letsencrypt-auto certonly -t --agree-tos --email admin@mydom.com --domains www.mydom.com -d mydom.com

  3. link up the new certs

ln -s /etc/letsencrypt/live/www.mydom.com/cert.pem /home/username/domains/mydom.com/ssl.cert

ln -s /etc/letsencrypt/live/www.mydom.com/privkey.pem /home/username/domains/mydom.com/ssl.key

ln -s /etc/letsencrypt/live/www.mydom.com/chain.pem /home/username/domains/mydom.com/ssl.ca

  4. start apache

Browsers I tried worked without complaining. SSLLABS SSL testing didn't have any complaints after I fixed up my apache cipher security, eventually giving an A score. So it appears to work as expected.

There may be a problem with root owned certificates in virtualmin domain directories. The virtualmin panel says it can copy an existing domain certificate and appears to when I tell it to. It doesn't let me download the certificate in the web panel. I don't know yet if it is doable to just change the user permissions on the letsencrypt certificates in /etc/letsencrypt. From what I have read you'll want to leave these in place to be able to easily update, come renewal time. That is why I linked, instead of copied the certificates.

My question is, have you been able to run the automated install, linking generated certs in locations where virtualmin expects to find them for the control panel, or is there a Virtualmin patch that looks to /etc/letsencrypt for certs per domain, or do you have an even better way to approach this?
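The manual procedure above (stop Apache, run the standalone client, symlink into the Virtualmin domain directory, start Apache) as a script. This is an added example, not code from the thread or from Virtualmin; it assumes the letsencrypt-auto client is in the current directory, that Apache is managed with `service apache2` as on Ubuntu 14, that openssl is in PATH, and that the Virtualmin domain directory is passed in as an argument. Before linking, it checks that privkey.pem actually belongs to cert.pem, since a mismatched pair is only discovered when Apache refuses to start.

```shell
#!/bin/sh
# Added example (not from the thread or from Virtualmin): SeeBenClick's manual
# procedure as a script, with a key/cert match check before anything is linked.
# Assumptions: letsencrypt-auto in the current directory, Apache managed with
# `service apache2` (Ubuntu 14), openssl in PATH.

LE_LIVE="${LE_LIVE:-/etc/letsencrypt/live}"

# Steps 1+2: the standalone authenticator needs ports 80/443, so Apache is stopped
# around the certonly run and started again whether or not issuance succeeded.
issue_standalone() {   # issue_standalone <admin-email> <primary-domain> [more domains...]
    email="$1"; primary="$2"; shift 2
    extra=""
    for d in "$@"; do extra="$extra -d $d"; done
    service apache2 stop
    ./letsencrypt-auto certonly -t --agree-tos --email "$email" -d "$primary" $extra
    rc=$?
    service apache2 start
    return $rc
}

# The public key inside the certificate must equal the public half of the private
# key; comparing the PEM public keys works for RSA and EC keys alike.
key_matches_cert() {   # key_matches_cert <cert.pem> <privkey.pem>
    cert_pub=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null) || return 2
    key_pub=$(openssl pkey -pubout -in "$2" 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Step 3: symlink (not copy) into the Virtualmin domain directory so that the
# links keep following /etc/letsencrypt/live after each renewal.
link_certs() {   # link_certs <live-dir> <virtualmin-domain-dir>
    live="$1"; dest="$2"
    key_matches_cert "$live/cert.pem" "$live/privkey.pem" || {
        echo "refusing to link: $live/privkey.pem does not match $live/cert.pem" >&2
        return 1
    }
    mkdir -p "$dest"
    ln -sf "$live/cert.pem"    "$dest/ssl.cert"
    ln -sf "$live/privkey.pem" "$dest/ssl.key"
    ln -sf "$live/chain.pem"   "$dest/ssl.ca"
}

# Usage: ./le-virtualmin.sh admin@mydom.com /home/username/domains/mydom.com www.mydom.com mydom.com
# (step 4, starting Apache, happens inside issue_standalone)
if [ "$#" -ge 3 ]; then
    email="$1"; dest="$2"; primary="$3"; shift 3
    issue_standalone "$email" "$primary" "$@" && link_certs "$LE_LIVE/$primary" "$dest"
fi
```

The first `-d` becomes the directory name under /etc/letsencrypt/live, so the script links from `$LE_LIVE/<primary>`; pass `www.mydom.com` first if that is the live directory you want, as in the post.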

Tue, 11/03/2015 - 21:25
andreychek

Howdy,

Thanks for letting us know how you got things working!

We do intend on supporting letsencrypt.

We've been waiting on scripts we can download and test on our systems here... it sounds like that's available for folks in the beta program. We'll look into that a bit more.

However, we don't intend on making folks install package versions that don't come with their distro, such as Python.

We'll need to look into all that a bit more, but what we may end up doing is using their API, and developing our own client, if possible.

Then, we could just build the support into Virtualmin itself, and have all Virtualmin installations automatically support it without needing additional software.

Thanks again for the update, I'm going to go do some reading :-)

-Eric

Wed, 11/04/2015 - 02:47
PaliGap

Thanks SeeBenClick. And great news andreychek that VirtualMin is going to be getting into this!

Thu, 11/05/2015 - 13:22
Joe

I did a little research based on some conversations in IRC, and it looks like they've recently checked in changes to the Let's Encrypt repo to support older Python versions. Eric is going to test that today. It may be that we still end up implementing our own client (Jamie did so for prior things like this, like the dynamic DNS support and some of the cloud storage providers), we'll have to experiment to know.

--

Check out the forum guidelines!

Thu, 11/05/2015 - 16:10
andreychek

I did some testing, and was able to install the letsencrypt client on a stock CentOS 7 and Ubuntu 12.04 system.

I then used a command such as this one to generate an SSL certificate for a domain I had on the server:

./letsencrypt-auto certonly --text -d foo.com --renew-by-default --agree-dev-preview --agree-tos --webroot-path /home/foo/public_html/ --authenticator webroot

With that, it generates an SSL certificate without any prompts (and without modifying Apache).

Jamie and I discussed all this today, and went over how the process works.

I believe for compatibility across all the platforms that Webmin supports, that Jamie is interested in incorporating a client into Webmin/Virtualmin itself, though he's currently in the process of reviewing all that.

We are highly interested in supporting letsencrypt! It's in Jamie's capable hands now, we'll see what sort of thing he comes up with :-)

-Eric

Thu, 11/05/2015 - 18:23
SeeBenClick

I think that you'll want to build into your script command extra -d options for each domain in the certificate, the signing server, and the admin email so you don't have to depend much on the cli settings file.

A single domain server is going to need at least three -d options in a single cert for domain.tld, www.domain.tld, and servername.domain.tld (for the web panel). You may want to default to this, to keep the copy cert to webmin option as easy as possible.

Order is significant. The resulting multiple domain cert is the first -d listed in the command line in my test.

It would be a nice touch to keep track of renewal dates and run the renew command at the specified 60 to 90 days, and then email the admin upon renew completion/failure.

Mon, 11/16/2015 - 11:10
wheeler

Hi All,

Just wanted to say I can't wait to see support for this in Virtualmin. Let's Encrypt is going to enter public Beta on December 3rd.

It would be amazing if Virtualmin could handle renewals automatically at 60 days (or perhaps a custom interval) too. So you can simply check a 'use Let's Encrypt' checkbox for each domain and everything happens automatically.

Could this be used for the service based certificates too? e.g. (Usermin, Webmail, IMAP, POP3 etc)

Thu, 12/03/2015 - 12:58
ctqui

Let's Encrypt starts public beta today. https://letsencrypt.org/2015/12/03/entering-public-beta.html

Thu, 12/03/2015 - 15:34 (Reply to #8)
astlor

Let's hope we hear back soon with an ETA for beta support!

Fri, 12/04/2015 - 05:41
wheeler

I have this working. Native support in Virtualmin would be nice but until then renewals can be done via cron jobs.

Instructions below tested on CentOS 7.1. You'll need to replace domain.com with your domain, and you@youremail.com with your email.

WARNING: I'm not 100% sure on the permissions for the private key file as it looks like letsencrypt creates it world-readable - so be careful on a shared server. Any input on how this can be secured (or if it's OK as is) would be appreciated.

  • Install Let's Encrypt

As root:

cd /root/ && git clone https://github.com/letsencrypt/letsencrypt

  • Setup Cronjob

(edit /var/spool/cron/root or run crontab -e)

15 6 1 * * cd /root/letsencrypt/ && ./letsencrypt-auto certonly --email you@youremail.com --agree-tos --webroot --renew-by-default -w /home/domain.com/public_html/ -d www.domain.com -d domain.com

(The above will renew the cert on the 1st of each month at 6.15 am. Let's Encrypt certs are valid for 90 days.)

  • Manually run cron command above to create first cert

  • Link Certificates

(You may need to delete the existing ssl.cert, ssl.key and ca.cert if they exist)

ln -s /etc/letsencrypt/live/www.domain.com/cert.pem /home/domain.com/ssl.cert

ln -s /etc/letsencrypt/live/www.domain.com/chain.pem /home/domain.com/ca.cert

ln -s /etc/letsencrypt/live/www.domain.com/privkey.pem /home/domain.com/ssl.key

  • Make sure you have the following in your Apache Conf

SSLEngine on

SSLProtocol +TLSv1 +TLSv1.1 +TLSv1.2

SSLCertificateFile /home/domain.com/ssl.cert

SSLCertificateKeyFile /home/domain.com/ssl.key

SSLCACertificateFile /home/domain.com/ca.cert

  • Restart Apache

service httpd restart
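Two things a practitioner would want on top of the monthly cron line above: renew on the certificate's actual expiry date rather than re-issuing unconditionally, and mail the admin on success or failure (SeeBenClick's suggestion earlier in the thread), plus a check that the private key behind ssl.key is not left world-readable (the WARNING in this post). This is an added example, not code from the thread or from Virtualmin. It assumes the letsencrypt-auto client at LE_CLIENT, the webroot layout used in this post, a working local `mail` command, GNU `stat`/`readlink` (Linux) and openssl in PATH; the `service httpd reload` after a successful renewal is an assumption too (Apache only re-reads the certificate files on reload or restart).

```shell
#!/bin/sh
# Added example, not code from the thread or from Virtualmin: a cron-driven renewal
# wrapper that renews by expiry date, mails the admin, and tightens key permissions.
# Assumptions: letsencrypt-auto at LE_CLIENT, wheeler's webroot layout, a local
# `mail` command, GNU stat/readlink, openssl in PATH, Apache reloaded via `service`.

LE_CLIENT="${LE_CLIENT:-/root/letsencrypt/letsencrypt-auto}"
LE_LIVE="${LE_LIVE:-/etc/letsencrypt/live}"
RENEW_WITHIN_DAYS="${RENEW_WITHIN_DAYS:-30}"    # renew during the last 30 of the 90 days
ADMIN_EMAIL="${ADMIN_EMAIL:-you@youremail.com}"

# needs_renewal <cert.pem> <days>: returns 0 when the certificate expires within
# <days> (or is missing, i.e. must be issued), 1 when it is still good beyond that.
needs_renewal() {
    [ -r "$1" ] || return 0
    openssl x509 -noout -checkend $(( $2 * 86400 )) -in "$1" >/dev/null 2>&1 && return 1
    return 0
}

# key_is_private <file>: 0 when the real file behind <file> (symlinks followed, since
# ssl.key points into /etc/letsencrypt) has no group or other permission bits.
key_is_private() {
    target=$(readlink -f "$1") || return 2
    mode=$(stat -c %a "$target" 2>/dev/null) || return 2
    case "$mode" in
        [0-7]00) return 0 ;;
        *)       return 1 ;;
    esac
}

# lock_down_key <file>: chmod the real file, not the symlink.
lock_down_key() {
    chmod 600 "$(readlink -f "$1")"
}

notify() {   # notify <subject> <body>
    printf '%s\n' "$2" | mail -s "letsencrypt: $1" "$ADMIN_EMAIL"
}

# renew_domain <webroot> <primary-domain> [more domains...]
renew_domain() {
    webroot="$1"; primary="$2"; shift 2
    cert="$LE_LIVE/$primary/cert.pem"
    key="$LE_LIVE/$primary/privkey.pem"
    needs_renewal "$cert" "$RENEW_WITHIN_DAYS" || return 0   # nothing to do yet
    extra=""
    for d in "$@"; do extra="$extra -d $d"; done
    log=$(mktemp)
    if "$LE_CLIENT" certonly --email "$ADMIN_EMAIL" --agree-tos --webroot --renew-by-default \
            -w "$webroot" -d "$primary" $extra >"$log" 2>&1; then
        key_is_private "$key" || lock_down_key "$key"
        service httpd reload                       # Apache re-reads the files only now
        notify "renewed $primary" "$(openssl x509 -noout -enddate -in "$cert")"
        rc=0
    else
        notify "RENEWAL FAILED for $primary" "$(cat "$log")"
        rc=1
    fi
    rm -f "$log"
    return $rc
}

# Cron entry (daily; the script decides whether a renewal is actually due):
#   15 6 * * * /root/le-renew.sh /home/domain.com/public_html/ www.domain.com domain.com
if [ "$#" -ge 2 ]; then
    renew_domain "$@"
fi
```

Running it daily with a 30-day window means a failed validation still leaves roughly a month of retries before the certificate expires, and the failure mail arrives on the first bad day instead of after the month-end cron has already missed.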

Fri, 12/04/2015 - 15:30 (Reply to #11)
fuerst

No need to symlink the cert files to the virtual servers directory. Just change the Apache Virtual Host config as following after running letsencrypt-auto:

SSLEngine on
SSLProtocol +TLSv1 +TLSv1.1 +TLSv1.2
SSLCertificateFile /etc/letsencrypt/live/domain.tld/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/domain.tld/privkey.pem
SSLCACertificateFile /etc/letsencrypt/live/domain.tld/chain.pem

Notes:

  • Check any .htaccess file inside your public_html/ directory. It may block or redirect authentication access for the Letsencrypt server and therefore prevent creation of the certificate. A sign of this is the error: The client lacks sufficient authorization.
  • Use https://mozilla.github.io/server-side-tls/ssl-config-generator/ to harden your SSL config.

Fri, 12/04/2015 - 09:21
andreychek

Howdy,

We just talked about this yesterday at our meeting -- we're quite excited about letsencrypt support.

Jamie tells us that things are on track for letsencrypt support in the next Virtualmin release.

The next Virtualmin release is a big one with lots of new things -- and it has a new website revamp coming as well, which is the main part we're waiting on at the moment. Joe it will be out soon!

-Eric

Fri, 12/04/2015 - 15:27 (Reply to #13)
Kintaro

Great to hear that!

p.s. the forum will be a Xenforo? If yes, it could be awesome with their Resource Manager addon. :D

Sat, 12/05/2015 - 02:32 (Reply to #14)
ivanbg

Great news!

Thank you very much for your work! :)

Fri, 12/11/2015 - 17:41 (Reply to #15)
jazzman

Thank you!

Would you have an estimation of this next major release date? Do we have to wait days, weeks, months? It's really important for my timeline.

Thu, 12/10/2015 - 07:08
sschueller

I found this script https://github.com/lukas2511/letsencrypt.sh which makes it very simple and has no dependencies other than curl and openssl.

You just add an alias to apache or nginx for the verification and place everything into /etc/letsencrypt.sh/ for example. Then create the config.sh and domain.txt. You can also set a cron which will auto renew the certs when they are about to expire.

At the moment I just symlink from the server dirs into where the certificates get created.

Thu, 12/10/2015 - 12:22
jaldeguer

Exciting news! Can't wait to see the new virtualmin big release and support for letsencrypt.

Mon, 12/14/2015 - 06:07
Tsikura

Great to see a service like letsencrypt helping us people out lol.

Fri, 01/01/2016 - 00:06
colech

So does this latest version Webmin 1.78 support letsencrypt then? It was released December 24.

Sat, 01/02/2016 - 19:35
Francewhoa

Webmin 1.780 was released today for Debian. It includes support for Letsencrypt. It's under the "Webmin -> Webmin -> Webmin Configuration -> SSL Encryption" menu -> "Let's Encrypt" tab. Anyone tried it?

- - -
Senior Product Manager, and Co-Founder at Ubertus.org Inc.
Love back your Virtualmin & Webmin community

Sat, 01/02/2016 - 19:35
Francewhoa

Subscribing

- - -
Senior Product Manager, and Co-Founder at Ubertus.org Inc.
Love back your Virtualmin & Webmin community

Sun, 01/03/2016 - 15:06
gyorgy.chityil@...

I am also hoping for automated ssl support for virtualmin domains too :)

Sun, 01/03/2016 - 19:28
Chris sutu

I worked on a small script on my side

All info is there: http://en.sutublog.com/virtualmin-lets-encrypt-how-to-automate-script-it...

I think I made a mistake with the domain path and username recovery. I created a thread for this here: https://www.virtualmin.com/node/39175

Thu, 01/07/2016 - 16:43
virtualmin3123

When I want to use letsencrypt I get the failure listed below:

I have letsencrypt in /opt installed using git. Why does it not locate letsencrypt or can I select the location as a setting? Weird. Why does this not work out of the box or doesn't give directions to go?

Let's Encrypt is a free, automated, and open certificate authority that can be used to generate an SSL certificate for use by Virtualmin.

However, it cannot be used on your system : The client command letsencrypt was not found on your system

Fri, 01/08/2016 - 22:19
oak

Subscribing

Sat, 01/09/2016 - 07:30
hjm

When I was installing the latest version of Webmin, I saw a line that there was another file to download, but at the same time the hosting provider seemed to have troubles, so the Let's Encrypt part was never downloaded (if it was that).

What can i do to rectify this?

Sat, 01/09/2016 - 12:45
Welshman

I just want something that works, as we all do, I just got a 2 year green light from startssl for 59 dollars. Class 2

Chaos Reigns Within, Reflect, Repent and Reboot, Order Shall Return.

Mon, 01/11/2016 - 12:50
scotwnw

For those getting this error with the included version in Virtualmin 5.0
"However, it cannot be used on your system : The client command letsencrypt was not found on your system"

You have to tell Webmin where letsencrypt is located.
Go to Webmin > Webmin Configuration > then Module Config in the top left of the right-hand pane.
You should see this:
Full path to Let's Encrypt client command _____________________________.
Just put your path to the letsencrypt-auto command.
Mine is /root/letsencrypt/letsencrypt-auto and it is working fine. After you also install letsencrypt of course.

Wed, 01/13/2016 - 14:58
apidevlab

Interesting... I actually had a play with Lets Encrypt and Virtualmin yesterday. I posted over at LET my experiences and mileage:

http://www.lowendtalk.com/discussion/comment/1479257/#Comment_1479257

It seems that a few strands of this thread provide some important additional info:

1 - Where are people installing the git repo? The official docs don't make it clear. Some are (inc. me at first) dumping it into root which is probably not a great idea. I then went with opt and as scotwnw says above:

You have to tell Webmin where letsencrypt is located.
Go to Webmin > Webmin Configuration > then Module Config in the top left of the right-hand pane.
You should see this:
Full path to Let's Encrypt client command _____________________________
Just put your path to the letsencrypt-auto command.

2 - It's important to understand the fact Virtualmin offers an SSL for the installation (miniserv.pem etc) (before any domains have been added)
3 - There is enough info in this thread to ensure we can put together a guide until official support arrives (doing things by hand/cmd line)
4 - The python issue means making use of options like (Centos SCL) but am not sure what support/options are available for other distros

For now these are worth a minute of your time:

A few other handy sites: (will take you through the manual steps to get your https certificate)

https://github.com/diafygi/gethttpsforfree < opensource / yuk name

https://github.com/yawalkar/Letsgetssl < opensource / better name

https://www.virtualmin.com/node/38853 < ubuntu guide

https://www.mikenabhan.com/how-to-use-lets-encrypt-to-issue-a-certificat...

Thu, 01/14/2016 - 18:12
apidevlab

I actually got a little further with this tonight...

CentOS Linux 6.7 includes Python 2.6. When Letsencrypt is installed it advises that 2.6 support is experimental and advises running ./letsencrypt-auto -debug. Issues with 2.6 are explained at https://urllib3.readthedocs.org/en/latest/security.html#insecureplatform...

Certain Python platforms (specifically, versions of Python earlier than 2.7.9) have restrictions in their ssl module that limit the configuration that urllib3 can apply. In particular, this can cause HTTPS requests that would succeed on more featureful platforms to fail, and can cause certain security features to be unavailable.

If you encounter this warning, it is strongly recommended you:

upgrade to a newer Python version
upgrade ndg-httpsclient with pip install --upgrade ndg-httpsclient
use pyOpenSSL as described in the OpenSSL / PyOpenSSL section

^ is possibly the reason the Webmin SSL module didn't work for me. The -debug flag cannot be added to the module path...

Let's Encrypt cannot be used on your system : The client command /opt/letsencrypt/letsencrypt-auto -debug was not found on your system < it was worth a shot :)

So I have opened up a terminal and (installed Letsencrypt in opt)

stop apache/nginx to use the port with the letsencrypt client

./letsencrypt-auto certonly -debug

Follow the screen prompts. Remember at this point I only have the Webmin supplied SSL cert, in my case an updated self signed, AND I have no Virtual Servers added, JUST the default Apache port 80 & 443.

After completion, you will have a message that contains the following:

IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/webmin.yourdomain.com/fullchain.pem

Update Webmin Panel Certificate

Point Webmin to the new certificates Webmin Configuration > SSL Encryption > SSL Settings

Find > Private key file and update /etc/letsencrypt/live/webmin.yourdomain.com/privkey.pem
Find > Certificate file / use separate file and update /etc/letsencrypt/live/webmin.yourdomain.com/cert.pem
Find > Additional certificate files (for chained certificates) and update /etc/letsencrypt/live/webmin.yourdomain.com/chain.pem

Save

Update Apache Default Certificate

Point Apache to the new certificates Webmin Configuration > Servers > Apache > Virtual Server Options > For _default_:443 > SSL Options

Find > Certificate/private key file and update /etc/letsencrypt/live/webmin.yourdomain.com/privkey.pem
Find > Private key file and update /etc/letsencrypt/live/webmin.yourdomain.com/cert.pem
Find > Certificate authorities file and update /etc/letsencrypt/live/webmin.yourdomain.com/chain.pem

Save

Now you should restart Webmin/Apache (it's probably better to reboot the system with the command shutdown -r now).

Now when you goto https://webmin.yourdomain.com:10000 or https://webmin.yourdomain.com you should see it's using your Letsencrypt certs....

Caveat(s):

  1. This is probably NOT the correct way to do things but it's working WITHOUT installing additional Python modules
  2. This assumes NO domains have been installed into Webmin eg a clean install
  3. The Webmin panel and Default domain are using the same certificate (I don't think that's a problem?)
  4. You should clear browser cache and remove any self signed certs from your browser
  5. If it all breaks.... Don't blame me :)

I will investigate and post further updates as I progress and I am going to attempt the same procedure with scl-utils and Python 2.7

https://www.softwarecollections.org/en/scls/rhscl/python27
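The re-pointing that the post above does through the Webmin "SSL Settings" page and the Apache "_default_:443 > SSL Options" page, done from a terminal. This is an added example, not code from the thread or from Webmin. It assumes that /etc/webmin/miniserv.conf stores the three SSL Settings fields as the keys `keyfile=`, `certfile=` and `extracas=` (assumed names), that the default Apache SSL vhost lives in SSL_CONF (CentOS path shown; Debian differs), GNU `sed`, and openssl in PATH. Each file is backed up first, and the script refuses to touch anything if privkey.pem does not belong to cert.pem, because a mismatched pair on the panel port leaves you with no web UI to fix it from.

```shell
#!/bin/sh
# Added example, not code from the thread or from Webmin: apidevlab's GUI steps as a
# script, with a backup of each file and a key/cert match check before editing.
# Assumptions: miniserv.conf keys keyfile=/certfile=/extracas= (assumed names for the
# SSL Settings fields), default SSL vhost in SSL_CONF, GNU sed, openssl in PATH.

WEBMIN_CONF="${WEBMIN_CONF:-/etc/webmin/miniserv.conf}"
SSL_CONF="${SSL_CONF:-/etc/httpd/conf.d/ssl.conf}"   # Debian: /etc/apache2/sites-enabled/default-ssl.conf

key_matches_cert() {   # key_matches_cert <cert.pem> <privkey.pem>
    cert_pub=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null) || return 2
    key_pub=$(openssl pkey -pubout -in "$2" 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# set_conf_key <file> <key> <value>: miniserv.conf is key=value, one per line.
set_conf_key() {
    if grep -q "^$2=" "$1"; then
        sed -i "s|^$2=.*|$2=$3|" "$1"
    else
        printf '%s=%s\n' "$2" "$3" >>"$1"
    fi
}

# set_apache_directive <file> <directive> <value>: rewrites an existing directive in
# place (indentation kept); refuses rather than guessing where to insert a new one.
set_apache_directive() {
    grep -q "^[[:space:]]*$2[[:space:]]" "$1" || { echo "$2 not found in $1" >&2; return 1; }
    sed -i "s|^\([[:space:]]*\)$2[[:space:]].*|\1$2 $3|" "$1"
}

# point_webmin <miniserv.conf> <live-dir>: Webmin Configuration > SSL Encryption > SSL Settings
point_webmin() {
    live="$2"
    key_matches_cert "$live/cert.pem" "$live/privkey.pem" || {
        echo "refusing: $live/privkey.pem does not match $live/cert.pem" >&2; return 1; }
    cp "$1" "$1.bak" || return 1
    set_conf_key "$1" keyfile  "$live/privkey.pem" &&
    set_conf_key "$1" certfile "$live/cert.pem" &&
    set_conf_key "$1" extracas "$live/chain.pem"
}

# point_apache <ssl.conf> <live-dir>: the _default_:443 > SSL Options fields
point_apache() {
    live="$2"
    key_matches_cert "$live/cert.pem" "$live/privkey.pem" || {
        echo "refusing: $live/privkey.pem does not match $live/cert.pem" >&2; return 1; }
    cp "$1" "$1.bak" || return 1
    set_apache_directive "$1" SSLCertificateFile    "$live/cert.pem" &&
    set_apache_directive "$1" SSLCertificateKeyFile "$live/privkey.pem" &&
    set_apache_directive "$1" SSLCACertificateFile  "$live/chain.pem"
}

# Usage: ./point-certs.sh /etc/letsencrypt/live/webmin.yourdomain.com
if [ "$#" -eq 1 ]; then
    point_webmin "$WEBMIN_CONF" "$1" && point_apache "$SSL_CONF" "$1" &&
        service webmin restart && service httpd restart
fi
```

Because the live directory is referenced directly rather than copied, the same script does not need to be re-run after a renewal; only the Webmin and Apache restarts do.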

Wed, 02/03/2016 - 15:04
rezitech

I threw together a script to do this. It's as simple as: ./encrypt.bash domain.com domain.com,www.domain.com

https://github.com/rezitech/letsencrypt-virtualmin