Subdomain cert creation

#1 Thu, 04/14/2016 - 06:58
just_me


Well,

I just rebuilt one server and set the hostname to server02.example.com.

Everything went smoothly up to the letsencrypt thing.

I git-cloned the code from letsencrypt into the folder /opt/letsencrypt/ and added /opt/letsencrypt/letsencrypt-auto to the module config for Webmin.

Then I wanted to generate a system certificate and got an error message that I would need a virtual host for this.

So I created a virtual host for it and tried again. Although apache is running and entering server02.example.com in my browser shows apache's default page, letsencrypt fails with a 404 error:

Domain: server02.example.com
Type: unauthorized
Detail: Invalid response from http://server02.example.com/.well-known/acme-challenge/0A-xMf2B0waF04s-Od3muYoLGcaK0hj1qKInN5Y9JIg [176.9.19.49]: 404

I've also read in various places that it could be a problem when I redirect http:// to https://, which I haven't done right now but would like to.

So how do I fix that, or do I have to follow another best practice?

Thanks and best

I've seen this, but it seems it doesn't apply: https://www.virtualmin.com/node/40239

Fri, 04/15/2016 - 06:42
just_me

To elaborate a little more.

It makes sense in my eyes to have server02.example.com as the server's hostname and for postfix. I would like to use server02.example.com as the server-wide mail server address with postfix and dovecot certs; I also want to set up PFS for the mail server. But if I can't create certs for server02.example.com, I can't use them for the mail server.

I have pointed the subdomain server02 with an A record to the IP of this server. Would I need an MX record for server02 as well, pointing to the same IP?

Update: I created a new subdomain, pointed it to the IP of server02, created a virtual host, and guess what? The cert was created. So why doesn't it work for server02?

And why does letsencrypt get a 404 for server02 when the default apache website is being shown?

I also want to use server02.example.com for system-wide scripts like phpmyadmin, roundcube etc., therefore it makes sense in my eyes to also have a virtual server for server02.example.com. Or will webmin/virtualmin be confused by that?

For one virtual host on that server I need this directive for apache:

Header add Access-Control-Allow-Origin "*"

Since that virtual host should run under https, I would add this to the 443 section of the conf file and do an .htaccess rewrite like this:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

which I would use on every virtual host, since every virtual host should only be accessible via https.

So any insight is truly appreciated; perhaps I am barking up the wrong tree?

Thanks and best

PS: I am using Ubuntu 14.04 and, interestingly enough, I still have the problem that the ftp daemon dies almost every day. In another installation I have tried having a watchdog check on ftp and restart it when it has gone, but this doesn't always work. So anyone, please?

Sat, 04/16/2016 - 06:09
johnp_

So, let's go through this...

  • Is there a reason you checked out letsencrypt manually instead of installing the official package (I assume Ubuntu provides one?)
  • Yes, if you redirect HTTP to HTTPS and you have no proper TLS setup, boulder (letsencrypt's automatic CA server) won't be able to check for the acme challenge. Technically you can force the challenge to happen over TLS, then you'd have to serve HTTPS and couldn't request a certificate without it. But afaik the normal challenge should gracefully handle being upgraded to HTTPS via a redirect from the server, so you shouldn't run into issues with your setup once TLS is properly set up (even with a self-signed cert).
  • Create a file /.well-known/acme-challenge/test in the document root of the server02 virtual host. Can you access it through the browser? What do the apache access/error logs say?
  • Webmin/Usermin run on entirely different ports and shouldn't be confused because of the virtual host. Of course if you want to run different services on one virtual host they have to be distinguishable in a way, so you can for example do https://host.domaintld/roundcube/ by placing the roundcube directory in its own subdirectory within the virtual host document root.
  • Your apache directives seem to be ok to me.
  • If you really want everything to be HTTPS it can be a PITA to get letsencrypt to properly place all acme challenges into the document roots of all virtual hosts. To work around that you can redirect all the challenges to the same virtual host and make letsencrypt give you one SAN certificate for all your (sub)domains: Read here. This also makes it easy to just use a new subdomain for each new service (like roundcube on webmail.domain.tld).
Fri, 04/15/2016 - 07:27 (Reply to #3)
just_me

Well,

I haven't found a package in the official repos and was following a tutorial on the web, where it was said you would have to git it.

With another subdomain everything went smoothly with letsencrypt creation; it is just server02 with problems. Btw, when I checked automatic renewal in webmin and gave it 2 months, it wouldn't work at all with the subdomain. I also entered just subdomain.example.com, not www.subdomain.example.com; then it went through.

I have another question concerning this: I have an application with a different home directory (in fact /opt/rm/public) which I would also like to serve with https. Given that I change the paths in its config file under sites-available, where should I place the cert files then, if the root directory is somewhere else?

I also think that I found out what is happening:

If I enter server02 etc... in my browser, it will show the content of the /var/www/html folder, and not /home/server02/public_html.

Therefore the server is sort of confused, because the hostname is server02.... and there is a virtual host for server02 too.

But the cert creation feature of Webmin told me that in order to have letsencrypt certs for my hostname server02.etc... I would need a virtual host. Sorta confusing.

So, what to do? I could delete the server02 virtual host and set up everything like server02.... roundcube and the server02 etc. scripts manually, and not with the script installer from virtualmin.

Thank you very much for pointing this out,

PS: Could you please anonymize the server in your post? Thanks.

Sat, 04/16/2016 - 07:16
johnp_

The certificates should never leave the /etc/letsencrypt directory! Just point the virtual host SSLCertFile/SSLKeyFile/etc to the certificate files that are stored there in /etc/letsencrypt/live/subdomain.example.com. Regarding the /opt/... website you may get problems because of suexec by not placing the document root under the /home directory of the user for which you set up the domain. You'll have to try that out.

Yes, apache, by default, points ServerName to the default document root /var/www/html and because that is a global configuration it takes precedence over the virtualhost you created. Name-clashing a Virtual Server with the server hostname is something that most likely cannot be handled properly by virtualmin (there's just too much uncertainty as to what the user actually wants to happen. And programmatically it seems like it would require a lot of edge case handling in various different parts of the code, so it'd probably be best if virtualmin throws an error or a warning if someone tries to do this).

So yes, you could go the manual way and not use a Virtual Server and probably won't be able to use the install scripts.

Or you could trick virtualmin by pointing the default document root to /home/server02/public_html, but that's likely to cause problems later on, because virtualmin then still writes its apache configuration into the virtual host, which will still get ignored in favor of the default/global config.

IMHO it would be the cleanest and easiest way to use a subdomain / multiple subdomains that do not name-clash with the server hostname for the http(s)-based services you want to set up. This likely avoids the problems you encountered and also allows you to use the script installers.

Sun, 04/17/2016 - 04:39
just_me

I am now on the road to set up the letsencrypt thing you pointed out in the other post.

But I admit, I am still a little stuck.

Using Ubuntu 14.04 I have Apache 2.4.7, so I use the first part of the apache directives, correct? I've put them in conf-available/letsencrypt.conf and symlinked it into conf-enabled too.

I see two options now:

  1. Create one cert for all domains in Webmin and set the root dir to /var/www/html.
  2. Create them with this: /letsencrypt-auto certonly --renew-by-default -c /etc/letsencrypt/cli.ini and put all domains, whether www. or not, into the cli.ini file. If the renew command does not find certs, will it create them right away? Then I could cron that command every 60 days or so, and it would initially create the certs I need.

Since my server will get more virtual hosts over time, I am wondering whether I can get virtualmin to use the cert directories automatically instead of having to change each .conf file.

BTW, how do I get the server02 certs into postfix, webmin, dovecot and have them updated automatically as well? You said in the other post not to copy that cert into webmin. I'd also like to use PFS, but there are different ways to get it done; I have to check the best way to implement this too :-)

I am sorry if this sounds dumb :-) but I'm trying to get on top of this.

Thank you very much, I am farther down the road now than two days ago.

Sun, 04/17/2016 - 05:07
johnp_

I am sorry if this sounds dumb :-) but I'm trying to get on top of this.

No problem, explaining things always helps both parties to understand them better. Your option 2 actually looks quite nice, so let's go with that ;)

First: I think you put the apache directives into the wrong file. AFAIK conf-available is just the source for symlinks in conf-enabled, isn't sourced by default, and is actually meant to be used for virtual hosts. Global configurations should go into httpd.conf or into a conf/ or conf.d/ subdirectory. I'm not sure things work the way you did it, because virtual hosts that alphabetically come before 'letsencrypt' may not be affected by the later sourced global directives. In any case, I think it's cleaner to put things into one of the above-mentioned files or directories.

Anyway, once you have that and restarted apache, put a test-file in /var/www/html/.well-known/acme-challenge/ and try to access it from different domains. Then you'll see whether or not the rewrite directive works.

Now, try to run the command as shown in your second option. Make sure that you also set the webroot-path in the cli.ini to /var/www/html. Also, make sure that the first domain listed is your server hostname, as I think that will be the directory name in /etc/letsencrypt/live. If that works, there should be privkey.pem, cert.pem, chain.pem and fullchain.pem in the respective directory.

So, how to get applications to use those files:

  • For virtualmin it looks like this can't be set in the server templates, and I'm not sure if virtualmin will overwrite this, but you should be able to globally set the default SSLCertificateFile, SSLCertificateChainFile and SSLCertificateKeyFile. grep for them in the apache config directory to find the place where they are documented. The first two should point to the fullchain.pem, the last one to the privkey.pem (Reasoning here).
  • For postfix and dovecot grep for things like ssl, tls, cert or similar in the config directories. You should find what you are looking for there. Always, when they have a _cert directive, point it to the fullchain.pem, as otherwise they won't send the intermediate certificate and you'll get TLS warnings in the clients. Of course this can also be done in webmin, but this way is always good to learn things a bit better (as there's often very good documentation in those configuration files).
  • For the Webmin and Usermin servers it's really easiest to do that in Webmin->Webmin->{Webmin, Usermin} Configuration.

To set up PFS I'm gonna direct you to some very good sources, because I am in a hurry unfortunately:

(If you also want ECDSA, here is the most up-to-date information source for that, but first you should get RSA running :)
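The test-file check suggested above (put a file under .well-known/acme-challenge/ in the shared webroot and fetch it through every domain) can be scripted. This is an added example, not code from the thread or from Let's Encrypt/Virtualmin; the domains, webroot and target hostname in the `__main__` block are assumed values, and the fetcher is injectable so the logic can be exercised without a network.

```python
"""Pre-flight check for HTTP-01 challenge delivery across virtual hosts.

Added example, not from the thread or from Let's Encrypt/Virtualmin. It writes
a throwaway token into the shared webroot and fetches it over plain HTTP
through every domain the SAN certificate should cover, following redirects as
the validator does, so a 404 or a wrong document root shows up before the
real request. The fetcher is injectable so the logic runs without a network.
"""
import os
import secrets
import urllib.error
import urllib.request
from typing import Callable, Iterable, Tuple

CHALLENGE_DIR = ".well-known/acme-challenge"

# A fetcher returns (final_url, http_status, body) after following redirects.
Fetcher = Callable[[str], Tuple[str, int, bytes]]


def default_fetch(url: str) -> Tuple[str, int, bytes]:
    """urllib fetch; the default opener follows 3xx redirects."""
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.geturl(), resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.geturl(), err.code, err.read()


def write_token(webroot: str) -> Tuple[str, bytes]:
    """Create a random token file in <webroot>/.well-known/acme-challenge."""
    directory = os.path.join(webroot, CHALLENGE_DIR)
    os.makedirs(directory, exist_ok=True)
    name = secrets.token_urlsafe(16)
    body = secrets.token_urlsafe(32).encode()
    with open(os.path.join(directory, name), "wb") as fh:
        fh.write(body)
    return name, body


def check_domain(domain: str, name: str, body: bytes, target_host: str,
                 fetch: Fetcher = default_fetch) -> list:
    """Problems found when fetching the token via one domain ([] means OK)."""
    url = f"http://{domain}/{CHALLENGE_DIR}/{name}"
    try:
        final_url, status, got = fetch(url)
    except Exception as exc:  # DNS failure, connection refused, timeout
        return [f"{domain}: fetch failed: {exc}"]
    problems = []
    if status != 200:
        problems.append(f"{domain}: HTTP {status} from {final_url}")
    elif got.strip() != body:
        problems.append(f"{domain}: wrong body, served from another docroot?")
    if final_url.startswith("https://"):
        # Only validates once TLS on the target host already answers correctly.
        problems.append(f"{domain}: redirected to HTTPS ({final_url})")
    if f"//{target_host}/" not in final_url:
        problems.append(f"{domain}: did not end up on {target_host}")
    return problems


def preflight(domains: Iterable[str], webroot: str, target_host: str,
              fetch: Fetcher = default_fetch) -> dict:
    """Run the check for every domain and clean the token up afterwards."""
    name, body = write_token(webroot)
    try:
        return {d: check_domain(d, name, body, target_host, fetch)
                for d in domains}
    finally:
        os.remove(os.path.join(webroot, CHALLENGE_DIR, name))


if __name__ == "__main__":
    # Assumed values: adjust to the hostname and webroot of your own server.
    results = preflight(["server02.example.com", "www.example.com"],
                        "/var/www/html", "server02.example.com")
    for domain, problems in results.items():
        print(domain, "OK" if not problems else "; ".join(problems))
```

Run it as the user that owns the webroot before requesting the certificate; every domain should report OK, and an HTTPS finding means the redirect will only pass once that host already serves a working certificate.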

Wed, 04/20/2016 - 01:31
just_me

Hi, I've been two days on the road, so now I can tackle this again. I tried various ways to include this:

# Globally redirect ACME challenges to /var/www/html
<If "%{HTTP_HOST} != '%{SERVER_NAME}'">
  # simpleHttp challenge by default uses HTTP
  Redirect /.well-known/acme-challenge/ http://%{SERVER_NAME}/.well-known/acme-challenge/
  # If simpleHttp is used with TLS the above may not work.
  # In that case we have to do something like this:
  # (doesn't work for me right now; if someone gets this working please respond)
  #  <If "%{SERVER_PROTOCOL} != 'HTTPS'">
  #    Redirect /.well-known/acme-challenge/ http://%{SERVER_NAME}/.well-known/acme-challenge/
  #  </If>
  #  <Else>
  #    Redirect /.well-known/acme-challenge/ https://%{SERVER_NAME}/.well-known/acme-challenge/
  #  </Else>
</If>

into apache2 :-) Whether I put it into a conf file in a conf directory or into apache.conf, it won't redirect. Of course it works with the server's own domain name, but not with the other virtual hosts I have running. Perhaps it is my apache 2.4.7, which is the latest version for Ubuntu 14.04 as of today?

I will dig more on that, and give the other option a try:

# Global Rewrite Rules for ACME challenges
#RewriteEngine on
# New in Apache 2.4.8: gets rid of the explicit `RewriteOptions inherit` in every vhost
# NB: With the right InheritOptions this can also be used to have a global configuration
#     that can be overridden in selected virtual hosts.
#RewriteOptions InheritDown
# HTTP
#RewriteCond %{SERVER_PORT} !^443$ [OR]
#RewriteCond %{HTTPS} !=on
#RewriteCond %{REQUEST_URI} ^/.well-known/acme-challenge/.*
#RewriteRule ^(.*) http://%{SERVER_NAME}:80/ [R]
# HTTPS
#RewriteCond %{SERVER_PORT} ^443$ [OR]
#RewriteCond %{HTTPS} =on
#RewriteCond %{REQUEST_URI} ^/.well-known/acme-challenge/.*
#RewriteRule ^(.*) https://%{SERVER_NAME}:443/ [R]

Thanks and best

Wed, 04/20/2016 - 07:38 (Reply to #8)
johnp_

I just checked the Ubuntu 14.04 docs and things should work if placed in apache.conf. Check if mod_alias is enabled with apache2ctl -M and check the configuration with apache2ctl configtest. Did you replace %{SERVER_NAME} with the server's own domain name? My original post may have been a bit unclear about this. If nothing works, try something like this in apache.conf to see if the redirect directive is actually getting applied:

Redirect /.well-known/acme-challenge/ https://google.com/
Wed, 04/20/2016 - 11:03
just_me

So I edited here:

<If "%{HTTP_HOST} != '%{SERVER_NAME}'">

and here

Redirect /.well-known/acme-challenge/ http://%{SERVER_NAME}/.well-known/acme-challenge/

To:

<If "%{HTTP_HOST} != 'server02.example.com'">

and

Redirect /.well-known/acme-challenge/ http://server02.example.com/.well-known/acme-challenge/

service apache2 restart

and if I enter mydomain.com/.well-known/acme-challenge/index.html, the browser shows the index.html I put in there. The link in the browser changes to server02.example.com/.well-known/acme-challenge/index.html.

So I assume this should work now.

Next thing is to create the cert. And then do the following:

change the virtual host's conf file for the new location of the certs and change the dovecot and postfix confs to find the correct cert folder.

Or am I missing something?

Thanks again.

Wed, 04/20/2016 - 11:16 (Reply to #10)
johnp_

No, looks good. Create the cert with letsencrypt-auto or via webmin, whatever you feel more comfortable with.

Wed, 04/20/2016 - 12:50
just_me

I did it. (lol) I ran that option 2:

/letsencrypt-auto certonly --renew-by-default -c /etc/letsencrypt/cli.ini

And experienced some confusion in the /etc/letsencrypt/live directory. Since I had created one cert before for another subdomain, it created the new SAN cert not under the server name, although I had it first in my domain list, but under the existing subdomain. So I cleared all folders by removing all content in all folders and ran that command again. And guess what? It worked. Now the live folder contains a server02.example.com folder with all the files.

Then I moved on to change virtualmin's virtual host config so it can use the new cert.

You wrote

but you should be able to globally set the default SSLCertificateFile, SSLCertificateChainFile and SSLCertificateKeyFile.

Instead of setting it globally I did it in the virtual host conf file.

I found out that the options are these:

SSLCertificateFile /etc/letsencrypt/live/server02.example.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/server02.example.com/privkey.pem
SSLCACertificateFile /etc/letsencrypt/live/server02.example.com/fullchain.pem

Since I am still running apache 2.4.7, I think the SSLCertificateChainFile setting you mentioned is here the SSLCACertificateFile, so I set it like above.

then

service apache2 restart

....

Next I opened the domain where I changed the config file and it showed the green lock in front, and opening the cert it says:

DSA Root Level 3 has identified this site as:

whatever.com
This connection to the server is encrypted.

Show certificate yields this:

issued for: server02.example.com

issued by: Let's Encrypt Authority X3

So as far as I have come here, I think this should work.

Next is to put these certs in place with Postfix, Dovecot and Virtualmin.

I put it within the Webmin config, which worked when I pointed it to the letsencrypt folder. If I view the cert in Webmin it shows me the additional domains, so that is working too.

In Virtualmin I have the option to copy certs into dovecot, proftpd and postfix, but I haven't found anything within webmin for the webmin cert yet.

If I can't find anything I will need to do it manually.

But I didn't think I would get so far. Thanks again.

Best

PS: When I am through with everything I will put together a guide for this, because it is hard to figure everything out and work your way through. But it is fun and you learn a lot, as you pointed out above.

Thu, 04/21/2016 - 01:03
just_me

Next one:

I found the corresponding config in webmin for dovecot and set it up like this:

SSL certificate file: /etc/letsencrypt/live/server02.example.com/cert.pem
SSL private key file: /etc/letsencrypt/live/server02.example.com/privkey.pem
SSL CA certificate file: /etc/letsencrypt/live/server02.example.com/fullchain.pem

Looks logical to me. More interesting are the Postfix settings:

TLS certificate file: /etc/letsencrypt/live/server02.example.com/cert.pem
TLS private key file: /etc/letsencrypt/live/server02.example.com/privkey.pem
TLS CA certificate file: /etc/letsencrypt/live/server02.example.com/fullchain.pem

But there is more:

Standard settings after using install.sh are:

Require SASL SMTP authentication: Yes
Enable TLS encryption: Yes
Send outgoing mail via host: Option 1: Deliver directly / Option 2: (empty field for manual config). Selected is option 2 without any input.
Use SASL SMTP authentication: No
SMTP login to outgoing mailhost: None needed

Shouldn't those options be set like:

Require SASL SMTP authentication: Yes
Enable TLS encryption: Yes
Send outgoing mail via host: Deliver directly
Use SASL SMTP authentication: YES
SMTP login to outgoing mailhost: None needed

? It doesn't sound very logical to me, having

Require SASL SMTP authentication: yes

and then

Use SASL SMTP authentication: No

I am also wondering why the option for sending outgoing mail via host is not set to deliver directly instead of pointing to a config field which is empty.

So how should I proceed here? I also remember that virtualmin had a feature for copying a cert into ProFTPd, but in Webmin there doesn't seem to be an option for this. If there is an option, I haven't found it, so I will dig within its config files. Given that ProFTPd is also not very reliable running on Ubuntu 14.04, I might break everything. But I will find out ...

Thank you very much.

PS: When my cron job renews the certs, they will be found afterwards in the correct place, not in that special subfolder config webmin/virtualmin is using, correct?

Thu, 04/21/2016 - 02:36 (Reply to #13)
johnp_

  1. Your dovecot/postfix configurations won't work. You have to set the 'certificate file' to fullchain.pem. The SSL/TLS CA file option in dovecot and postfix are for client certificate validation. You usually don't need to set those options as long as you are not using client certificates for authentication.

  2. SASL SMTP authentication isn't enabled by default because it isn't used by Virtualmin. Every user in Virtualmin has his own unix account.

  3. Yes, normally, unless you're using an internal-to-outbound mail gateway, this should be set to 'deliver directly', but it looks like an empty field and the first option are semantically equivalent.

  4. I haven't set up ProFTP here either, because it's not working in CentOS 7 either... :/

  5. Assuming the correct place is /etc/letsencrypt/live, then yes. But any copy that is placed elsewhere will then be outdated. That's why I am so keen to not use copies at all, but just configure everything correctly and point everything there. Nevertheless, it's a good practice to test your cron-script to make sure it actually renews the certificate and doesn't place the new one in /etc/letsencrypt/live/server02.example.com-002/ or so. From what I'm remembering from the documentation this should only happen if you remove domains from the .ini-file you are using, because it only renews a certificate in place, if all domains from the previous certificate are also in the newly requested one [Source]. I should probably check the letsencrypt issues if there's something planned to make this easier to handle...
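Point 5 above (renewal must land in the same /etc/letsencrypt/live/<name>/ directory the services point at, and every certificate directive must get the file with the intermediate) can be checked after each cron run. This is an added example, not code from the thread or from certbot; the live root and lineage name are parameters, and the sample files in the test are constructed.

```python
"""Sanity check of a /etc/letsencrypt/live/<name>/ directory after (re)issue.

Added example, not from the thread or from certbot. It verifies the structure
the thread relies on: fullchain.pem is cert.pem followed by chain.pem, the
chain really contains an intermediate, privkey.pem looks like a key, and no
sibling lineage such as <name>-0001 (certbot's numbering) was created by a
renewal that could not replace the old certificate in place.
"""
import os
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)
EXPECTED = ("privkey.pem", "cert.pem", "chain.pem", "fullchain.pem")


def pem_blocks(text: str) -> list:
    """Return the certificate PEM blocks found in text, in file order."""
    return [m.group(0).strip() for m in PEM_BLOCK.finditer(text)]


def check_live_dir(live_root: str, name: str) -> list:
    """Return findings for live_root/name; an empty list means it looks sane."""
    path = os.path.join(live_root, name)
    if not os.path.isdir(path):
        return [f"{path} does not exist"]
    missing = [f for f in EXPECTED if not os.path.isfile(os.path.join(path, f))]
    if missing:
        return [f"missing files in {path}: {', '.join(missing)}"]
    content = {}
    for fname in EXPECTED:
        with open(os.path.join(path, fname)) as fh:
            content[fname] = fh.read()
    leaf = pem_blocks(content["cert.pem"])
    chain = pem_blocks(content["chain.pem"])
    full = pem_blocks(content["fullchain.pem"])
    findings = []
    if len(leaf) != 1:
        findings.append("cert.pem should hold exactly one certificate")
    if not chain:
        findings.append("chain.pem is empty: clients would not get the intermediate")
    if full != leaf + chain:
        findings.append("fullchain.pem is not cert.pem followed by chain.pem")
    if "PRIVATE KEY-----" not in content["privkey.pem"]:
        findings.append("privkey.pem does not look like a PEM private key")
    # A renewal that started a new lineage shows up as <name>-0001, -0002, ...
    siblings = sorted(d for d in os.listdir(live_root)
                      if re.fullmatch(re.escape(name) + r"-\d+", d))
    if siblings:
        findings.append(f"new lineage directories present ({', '.join(siblings)}); "
                        f"services still point at {name}")
    return findings


if __name__ == "__main__":
    # Assumed values; adjust the lineage name to your own server hostname.
    for line in check_live_dir("/etc/letsencrypt/live", "server02.example.com") or ["OK"]:
        print(line)
```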

Thu, 04/21/2016 - 05:53
just_me

I will deselect the option with the CA cert file in dovecot / postfix.

Before I saw your post I made a new email account, got Outlook to set SSL to automatic, and checked the logs later on:

dovecot:

Obsolete setting in /etc/dovecot/dovecot.conf:103: ssl_ca_file has been replaced by ssl_ca = <file

I've got to check this out.

Any chance that there is a log file where I can check whether mail transfer runs via SSL with Dovecot and TLS with Postfix (those are the settings I had to use in Outlook, since Postfix doesn't seem to use SSL)?

I also made it PCI compliant as described here.

So on my roadmap is now proftpd and PFS :-)

Thanks and best

Thu, 04/21/2016 - 14:40
AustinTX

I've been eyeing those "copy to Webmin/Usermin/Dovecot/Postfix/ProFTPD" buttons, but confess I'm afraid to click one. I don't know what changes they'll make to my server. I'd hate to try turning something on and find that something breaks. I'd be more confident if these were check-boxes as in "Edit Virtual Server" so that I can reverse the cert support instead of scramble to clean things up manually. :)

Thu, 04/21/2016 - 16:31
johnp_

@just_me: I don't know where Ubuntu stores the mail logs, but for me it's `/var/log/maillog`.
I listed some web services for client side testing in a previous post. There's also a very good command line tool that can pretty much test everything: https://github.com/rbsec/sslscan/releases

@AustinTX: Excerpts from my configuration (CentOS 7 based), if you want to have a bit more control over what actually happens without having to read the perl scripts in `/usr/libexec/webmin`:

`/etc/webmin/miniserv.conf` and `/etc/usermin/miniserv.conf`:

keyfile=/etc/letsencrypt/live/host.example.com/privkey.pem
extracas=/etc/letsencrypt/live/host.example.com/chain.pem
certfile=/etc/letsencrypt/live/host.example.com/cert.pem

`/etc/postfix/main.cf`:

smtpd_tls_cert_file = /etc/letsencrypt/live/host.example.com/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/host.example.com/privkey.pem

`/etc/dovecot/local.conf`:

ssl_cert = </etc/letsencrypt/live/host.example.com/fullchain.pem
ssl_key = </etc/letsencrypt/live/host.example.com/privkey.pem

My ProFTPD configuration is in `/etc/proftpd.conf`. The settings should be `TLSRSACertificateFile` and `TLSRSACertificateKeyFile`, but I'm not using ProFTPD at the moment and am not quite sure whether one has to pass the `cert.pem` or `fullchain.pem` to `TLSRSACertificateFile`.

For everything else like SSL/TLS versions, ciphers, cipher suite ordering, DHE parameters (or not using DHE), etc the reading recommendations from my earlier post still stand. These things have to be configured according to clientele or company policy and anything written here would only become outdated over time.
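The file choice in the excerpts above (and the dovecot/postfix correction in #14: single `_cert` directives get fullchain.pem, miniserv.conf gets cert.pem plus extracas=chain.pem) can be audited against the real config files. This is an added example, not code from the thread, Webmin or any of the projects mentioned; the directive names are the ones quoted in the thread, the parsing is a deliberately simple line matcher, and the sample configs in the test are constructed.

```python
"""Audit which certificate file each service is configured to present.

Added example, not from the thread or from Webmin/Postfix/Dovecot/Apache.
RULES encodes the mapping the thread arrives at: services with one
certificate directive must present fullchain.pem (leaf plus intermediate),
Webmin/Usermin's miniserv.conf takes the leaf in certfile and the
intermediate(s) in extracas. Every path must live inside the live directory,
because a copy placed elsewhere goes stale on renewal.
"""
import os
import re

RULES = {
    "postfix": {"smtpd_tls_cert_file": "fullchain.pem",
                "smtpd_tls_key_file": "privkey.pem"},
    "dovecot": {"ssl_cert": "fullchain.pem", "ssl_key": "privkey.pem"},
    "miniserv": {"certfile": "cert.pem", "extracas": "chain.pem",
                 "keyfile": "privkey.pem"},
    "apache": {"SSLCertificateFile": "fullchain.pem",
               "SSLCertificateKeyFile": "privkey.pem"},
}
# Apache separates directive and value with whitespace, the others with '=';
# dovecot prefixes the path with '<' to mean "read the value from this file".
LINE = re.compile(r"^\s*([A-Za-z_]+)\s*(?:=|\s)\s*<?\s*(\S+)")


def parse_config(text: str) -> dict:
    """Return {directive: value} for the directive lines of a config file."""
    found = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = LINE.match(line)
        if m:
            found[m.group(1)] = m.group(2)
    return found


def audit(service: str, text: str, live_dir: str) -> list:
    """Findings for one service's config text against live_dir ([] means OK)."""
    values = parse_config(text)
    findings = []
    for directive, expected in RULES[service].items():
        value = values.get(directive)
        if value is None:
            findings.append(f"{service}: {directive} not set")
            continue
        if os.path.basename(value) != expected:
            findings.append(f"{service}: {directive} points at "
                            f"{os.path.basename(value)}, expected {expected}")
        if os.path.dirname(value) != live_dir.rstrip("/"):
            findings.append(f"{service}: {directive} is outside {live_dir} "
                            f"(a copy goes stale on renewal)")
    return findings


if __name__ == "__main__":
    # Assumed paths; adjust to your distribution and hostname.
    live = "/etc/letsencrypt/live/server02.example.com"
    for service, path in (("postfix", "/etc/postfix/main.cf"),
                          ("dovecot", "/etc/dovecot/local.conf"),
                          ("miniserv", "/etc/webmin/miniserv.conf")):
        with open(path) as fh:
            print(service, audit(service, fh.read(), live) or "OK")
```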

Mon, 11/07/2016 - 23:59
midihipi

You can have letsencrypt in /opt, but those are only scripts and binaries. Your keys are stored in /etc/letsencrypt/live/yourdomainname subdirectories.

In the live directory you should have a subdirectory for each domain URL you want a cert for, with a cert and key in it.

I use a crontab job (one for each virtual domain) to obtain the .pem files, update them if needed, and copy them to the domain's home directory for me. It copies them to a known location in the user's home directory, i.e. /home/mydomainname/ssl_certificates. Note: crontab should be pointed to the directory that you installed the scripts and binaries into, /opt/letsencrypt in your case, to launch certbot.

Then, after obtaining, updating and copying the certs with whatever mechanism you choose, AND while managing one of your virtual domains in virtualmin, go to the "manage ssl configuration" area of "server configuration" and point the virtual domain to look for its keys in the /home/domainname/ssl_certificates that have been copied there. Do this for each domain you want to use SSL with. You have of course enabled the SSL website option in the virtual domain's enabled options settings.

To eliminate the dovecot error just hit the copy to dovecot button, but only do this for the main domain you set virtualmin up with. It's the FQDN you see when you run hostname. Don't use the server name anywhere, just the domain. I am actually here in this forum for that very reason.... how to set up dovecot to look for a cert for each virtual domain, not just one......

It just works and you can set the job up to take place monthly or whatever your scenario needs.

I can set this up manually and have many times in the past, but virtualmin adds a twist to your configuration files and sometimes they are not what you think they should be. I try to use virtualmin automation as much as I can, but sometimes you have to think a step ahead of it. I don't like "nano"ing config files to solve problems; I just look at them to see the path that virtualmin has taken for authentication and things like that, and work with them.

Hope I helped you.

Owner of Linux Nuts Professional Services

Mon, 11/07/2016 - 23:46
midihipi

Oh, and it should go without saying: after all your configuration, stop and start all services dependent upon your new certs to make sure they stick like glue. This will point you to any errors you made in configuring them.

Owner of Linux Nuts Professional Services