Concatenate LetsEncrypt SSL certificates in Virtualmin for normal working in Nginx

#1 Mon, 09/18/2017 - 01:46
Murz

Nginx needs the LetsEncrypt SSL certificates to be joined in one file; here is one article about this: https://blog.sleeplessbeastie.eu/2016/07/18/how-to-use-letsencrypt-certi... Without this action, SSL fails with old versions of curl and some other SSL clients. Example of the problem with curl:

$ curl https://example.com
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.

The solution for this problem is to concatenate 2 files, ssl.ca and ssl.cert, into one file: cat ./ssl.cert ./ssl.ca > ./ssl_combined.cert and use this file in the Nginx config.

It would be good to add this action to Virtualmin, to automatically concatenate the certificate files for the Nginx webserver, without manual action after each cert auto-update.

Mon, 09/18/2017 - 02:18
Murz

For me, I solved this problem via a "Command to run after making changes to a server" script like this:

# Run only when the SSL certificate of the virtual server was changed
if [ "$VIRTUALSERVER_ACTION" = "SSL_DOMAIN" ]; then
  # Leaf certificate first, then the CA chain
  cat "$VIRTUALSERVER_HOME/ssl.cert" "$VIRTUALSERVER_HOME/ssl.ca" > "$VIRTUALSERVER_HOME/ssl_concat.cert"
  chmod 600 "$VIRTUALSERVER_HOME/ssl_concat.cert"
  chown "$VIRTUALSERVER_USER:$VIRTUALSERVER_GROUP" "$VIRTUALSERVER_HOME/ssl_concat.cert"
  service nginx reload
fi

Wed, 09/27/2017 - 01:07
Murz

The LetsEncrypt certbot script by default creates a merged certificate file at /etc/letsencrypt/live/example.com/fullchain.pem, so Virtualmin only needs to copy it to the right location.

Mon, 11/20/2017 - 03:24
ngorohov

Bump to question. After updating the cert I need to concatenate it manually. Otherwise auth on some of my websites (using OpenID) breaks.

Mon, 11/20/2017 - 04:04 (Reply to #4)
Murz

@ngorohov, yes - this works only when you manually update the certificate via the Virtualmin web interface. On automatic update by cron, Virtualmin doesn't run the virtual server save function, so it ignores this hook.

@Virtualmin_developers, is there any other hook in Virtualmin for the cert auto-update action?

Mon, 11/20/2017 - 04:15
Murz

It seems new releases of Virtualmin partly fix this issue: I see a new setting in the Virtualmin config: "Template for combined certificate path", Default (~/ssl.combined). But during the cert auto-update process this file is not updated. So I see fresh dates on all the other files, but ssl.combined has an old date:

Sep 11 13:45 ssl.ca
Nov 10 13:49 ssl.cert
Oct 11 19:17 ssl.combined
Nov 10 13:49 ssl.key

When I manually request the certificate, it updates successfully.

Topic locked
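
The stale ssl.combined described in the last post can be caught by a periodic job that rebuilds the file only when ssl.cert or ssl.ca has changed. The following is an added example, not part of the thread and not Virtualmin's own code; the file names are the ones shown in the thread, while the function names `emit_pem` and `sync_combined` and the sample path in the usage comment are hypothetical.

```shell
#!/bin/sh
# Added example: keep ssl.combined in step with ssl.cert and ssl.ca.
# Assumed layout (from the thread): DIR/ssl.cert, DIR/ssl.ca, DIR/ssl.combined.

# Print a PEM file, adding a final newline if the file lacks one, so the
# END/BEGIN marker lines of adjacent certificates never fuse together.
emit_pem() {
  cat "$1" || return 1
  # tail -c 1 yields the last byte; command substitution strips a newline,
  # so a non-empty result means the file did not end with one.
  if [ -n "$(tail -c 1 "$1")" ]; then
    echo
  fi
}

# sync_combined DIR
# Returns 0 if ssl.combined was (re)written, 1 if it was already current,
# 2 if an input file is missing or empty or the build failed.
sync_combined() {
  dir=$1
  [ -s "$dir/ssl.cert" ] && [ -s "$dir/ssl.ca" ] || return 2
  # mktemp creates the file with mode 600, like the chmod in the thread's hook.
  tmp=$(mktemp "$dir/ssl.combined.XXXXXX") || return 2
  # Leaf certificate first, then the CA chain: the order used in the thread.
  if ! { emit_pem "$dir/ssl.cert" && emit_pem "$dir/ssl.ca"; } > "$tmp"; then
    rm -f "$tmp"
    return 2
  fi
  # Nothing to do when the existing file already has exactly this content.
  if [ -f "$dir/ssl.combined" ] && cmp -s "$tmp" "$dir/ssl.combined"; then
    rm -f "$tmp"
    return 1
  fi
  # Rename within the same directory, so readers never see a partial file.
  mv -f "$tmp" "$dir/ssl.combined"
  return 0
}

# Usage from cron (constructed path): reload Nginx only when the file changed.
#   sync_combined /home/example && service nginx reload
```

When run as root the rebuilt file is owned by root; add a chown like the one in the thread's hook if the domain user must own it.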