Well,
I spent quite some time to figure this out, and in the end I found a solution.
If you set up a fresh install of virtualmin and want to use centralized certs, just head over here: https://www.virtualmin.com/node/43454
To have the centralized SSL cert (if you happen to already have virtualmin installed and several virtual hosts running):
apt-get install git
cd /opt
git clone https://github.com/certbot/certbot
So you get letsencrypt installed. You don't have to worry about updates and that this is not a standard debian/ubuntu package, because letsencrypt vulgo certbot checks for updates itself if you run it.
To have it somewhat easier later on, you should consider creating a virtual host in virtualmin for your server's hostname. Let's say the name of your server's hostname is server01.example.com, which we will use further on. Please keep in mind to change this example hostname to your own, and also change the corresponding folders.
#letsencrypt change for one webroot dir
# Globally redirect ACME challenges to your server's host webroot
<If "%{HTTP_HOST} != 'server01.example.com'">
# simpleHttp challenge by default uses HTTP
Redirect /.well-known/acme-challenge/ http://server01.example.com/.well-known/acme-challenge/
# If simpleHttp is used with TLS the above may not work.
# In that case we have to do something like this:
# (doesn't work for me right now; if someone gets this working please respond)
# <If "%{SERVER_PROTOCOL} != 'HTTPS'">
# Redirect /.well-known/acme-challenge/ http://%{SERVER_NAME}/.well-known/acme-challenge/
# </If>
# <Else>
# Redirect /.well-known/acme-challenge/ https://%{SERVER_NAME}/.well-known/acme-challenge/
# </Else>
</If>
This will take care of using just one webroot directory for checking validity of your cert request.
It should look like this (don't forget to change the domain names to yours):
# This is an example of the kind of things you can do in a configuration file.
# All flags used by the client can be configured here. Run Let's Encrypt with
# "--help" to learn more about the available options.
# Use a 4096 bit RSA key instead of 2048
rsa-key-size = 4096
# Uncomment and update to register with the specified e-mail address
#email =
# Uncomment and update to generate certificates for the specified
# domains.
domains = server01.yourdomain.com, www.yourdomain2.com, yourdomain2.com
# Uncomment to use a text interface instead of ncurses
text = True
expand = True
# Uncomment to use the standalone authenticator on port 443
# authenticator = standalone
# standalone-supported-challenges = tls-sni-01
# Uncomment to use the webroot authenticator. Replace webroot-path with the
# path to the public_html / webroot folder being served by your web server.
authenticator = webroot
webroot-path = /home/server01.example.com/public_html
Don't forget to set the webroot path here e. Put your server's name in and ONLY the domains of the virtual servers you already have running, otherwise letsencrypt gives back an error code and the certificate won't be created. If you want to create certs for "www.example.com" and "example.com", make sure that you have a wildcard type A entry on that domain in your DNS record, otherwise the creation will fail.
Look for those two lines:
SSLCertificateFile /home/example2.com/ssl.cert
SSLCertificateKeyFile /home/example2.com/ssl.key
and comment them out:
#SSLCertificateFile /home/example2.com/ssl.cert
#SSLCertificateKeyFile /home/example2.com/ssl.key
Add the following lines to the domain's conf file just below those two lines from above:
SSLCertificateFile /etc/letsencrypt/live/server01.example.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/server01.example.com/privkey.pem
SSLCACertificateFile /etc/letsencrypt/live/server01.example.com/fullchain.pem
Update: With apache 2.4.8 the ca certificate is not being used anymore. In this case add the following lines:
SSLCertificateFile /etc/letsencrypt/live/server01.example.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/server01.example.com/privkey.pem
Now this part should look like this, up to apache 2.4.7
#SSLCertificateFile /home/example2.com/ssl.cert
#SSLCertificateKeyFile /home/example2.com/ssl.key
SSLCertificateFile /etc/letsencrypt/live/server01.example.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/server01.example.com/privkey.pem
SSLCACertificateFile /etc/letsencrypt/live/server01.example.com/fullchain.pem
or for apache 2.4.8:
#SSLCertificateFile /home/example2.com/ssl.cert
#SSLCertificateKeyFile /home/example2.com/ssl.key
SSLCertificateFile /etc/letsencrypt/live/server01.example.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/server01.example.com/privkey.pem
Change this for all domains where you want to use letsencrypt certificates.
Then restart apache2 to activate the changes:
service apache2 restart
/opt/certbot/letsencrypt-auto certonly --renew-by-default -c /etc/letsencrypt/cli.ini
Make it executable.
Add one line for calling the script at least once a week. Change the script location and the log location according to your needs. I call it every Friday:
00 00 * * 5 root /root/Scripts/letsencrypt.sh >> /root/Scripts/autocreate.log
Save the file and restart cron, so cron is aware of the new job.
service cron restart
./letsencrypt.sh
If you don't have any typos or the like and only use domains which are known to the system, because you run them already in virtualmin, you should get a message that the certificate is being created successfully.
RewriteEngine on
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
Now open one of your websites and voila: it has a green lock in front of the link in your browser indicating you have obtained a correct certificate.
If you have new domains in your virtualmin, all you have to do is:
a) add the domain to /etc/letsencrypt/cli.ini and b) make those changes in your domains config file under /etc/apache2/sites-enabled.
I hope you can make some use of it.
Best
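
A consistency check for the two-step procedure in the post above (add the domain to cli.ini, then point the vhost at the shared certificate), as an added example that is not part of the original post: it lists vhosts that reference the shared certificate while serving a name missing from the `domains =` line. The function names and the files written by `make_sample` are constructed for illustration; on a real server pass /etc/letsencrypt/cli.ini and /etc/apache2/sites-enabled instead.

```shell
#!/bin/sh
# Names on the "domains =" line of a certbot cli.ini, one per line.
cli_domains() {
    sed -n 's/^[[:space:]]*domains[[:space:]]*=//p' "$1" | tr ',' '\n' |
        tr -d ' \t' | sed '/^$/d'
}

# ServerName / ServerAlias values of one vhost file, one per line.
vhost_names() {
    awk 'tolower($1) ~ /^server(name|alias)$/ { for (i = 2; i <= NF; i++) print $i }' "$1"
}

# True if file $1 has an active (uncommented) SSLCertificateFile equal to $2.
uses_cert() {
    awk -v c="$2" 'tolower($1) == "sslcertificatefile" && $2 == c { f = 1 }
                   END { exit !f }' "$1"
}

# uncovered_names CLI_INI SITES_DIR SHARED_CERT
# Prints "file: name" for each vhost that serves the shared certificate
# under a name missing from cli.ini (browsers would report a name mismatch).
uncovered_names() {
    wanted=$(cli_domains "$1")
    for conf in "$2"/*.conf; do
        [ -f "$conf" ] && uses_cert "$conf" "$3" || continue
        for name in $(vhost_names "$conf"); do
            printf '%s\n' "$wanted" | grep -Fxq "$name" ||
                printf '%s: %s\n' "$(basename "$conf")" "$name"
        done
    done
}

# Constructed sample: a cli.ini and two vhost files written into directory $1.
make_sample() {
    mkdir -p "$1/sites"
    echo 'domains = server01.example.com, www.example2.com, example2.com' > "$1/cli.ini"
    printf '%s\n' 'ServerName example2.com' 'ServerAlias www.example2.com' \
        '#SSLCertificateFile /home/example2.com/ssl.cert' \
        "SSLCertificateFile $CERT" > "$1/sites/example2.com.conf"
    printf '%s\n' 'ServerName example3.com' 'ServerAlias www.example3.com' \
        "SSLCertificateFile $CERT" > "$1/sites/example3.com.conf"
}

CERT=/etc/letsencrypt/live/server01.example.com/fullchain.pem
tmp=$(mktemp -d)
make_sample "$tmp"
uncovered_names "$tmp/cli.ini" "$tmp/sites" "$CERT"
rm -rf "$tmp"
```

In the sample, example3.com was switched to the shared certificate without being added to cli.ini, so both of its names are reported.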
The date on this is 09/14/2016 -- aren't these directions obsolete for the current version of virtualmin?