Problems with SOME subdomains regarding SSL Certificate

#1 Wed, 10/31/2018 - 14:44
Parapluie

Problems with SOME subdomains regarding SSL Certificate

Hullo!

I have a Let's Encrypt certificate enabled using the excellent tool provided within Virtualmin:

Server Configuration / Manage SSL Certificate / Let's Encrypt

It works perfectly for those domains which it lists in "Domains associated with this server":

mysite.com
www.mysite.com

But I still have issues with important subdomains of the site, including "mail":

webmail.mysite.com
smtp.mysite.com
mail.mysite.com*
ded.mysite.com

The "*" being especially important, as I cannot currently receive mail through the site using client software.

Is there an easy way to add the four required subdomains to the certificate?

My plan was to merely complete the "Domain names listed here" section of the Let's Encrypt page with the two existing "Domains associated with this server" while adding the new domains. However, I'm worried that this will break everything. I mean everything: government everywhere crumbles… the world thrown into anarchy… puppies cry… that kind of thing.

Thu, 11/01/2018 - 12:03
Parapluie

Alright. I went ahead and tried a new "Request Certificate For" and chose the "domain names listed here". The result was an error and rejection: "DNS-based validation failed: Failed to request certificate." and then: "Gave up waiting for validation".

The full list of domains that I submitted was:

mysite.com
www.mysite.com
mail.mysite.com
smtp.mysite.com
ded.mysite.com

The first attempt reported:

ded.mysite.com challenge did not pass: Fetching https://www.ded.mysite.com/.well-known/acme-challenge/KNbhGxSIH5kqfAv0JPtgtbPonVehmon1LRP0tMcVXhU: Error getting validation data

And a second attempt, in which I eliminated only the "ded" name resulted in this:

mail.mysite.com challenge did not pass: Fetching https://www.mail.mysite.com/.well-known/acme-challenge/VWnyDf8hPvsAtvMyn... Error getting validation data

What am I missing?
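The two errors above are worth reading closely: only ded.mysite.com and mail.mysite.com were submitted, yet the validator went looking for www.ded.mysite.com and www.mail.mysite.com, so every name in the request (and its www. variant) has to resolve to this server and answer on port 80 under /.well-known/acme-challenge/ before the request is made. The following pre-flight script is an added example, not Virtualmin's or Let's Encrypt's own code. It assumes the validator behaves as those two errors suggest (bare name plus www. variant, HTTP-01 over port 80) and that you have first dropped a file named after the token into public_html/.well-known/acme-challenge/ on the server; the resolver and fetcher are injectable so the reporting logic can be exercised offline with a constructed DNS table. It is Python 3, so run it from a workstation rather than from the CentOS 6 box with its Python 2.6.

```python
"""Pre-flight check for HTTP-01 validation of the names that will go into
the certificate request.  Added example, not Virtualmin's own code.

Assumptions (inferred from the errors quoted in the thread, not stated by
Virtualmin): the validator tries each requested name AND its www. variant,
and uses HTTP-01, so every name must resolve to this host and answer on
port 80 under /.well-known/acme-challenge/.  `resolve` and `fetch` are
injectable so the logic can be tested offline with a constructed table.
"""
import socket
import urllib.error
import urllib.request


def expand_names(domains):
    """De-duplicated list of names the validator will try: each requested
    name plus its www. prefixed variant (www.ded.mysite.com and
    www.mail.mysite.com appeared in the thread's errors unrequested)."""
    out = []
    for d in domains:
        d = d.strip().lower().rstrip(".")
        for name in (d, d if d.startswith("www.") else "www." + d):
            if name not in out:
                out.append(name)
    return out


def default_resolve(name):
    """All A/AAAA addresses for `name`, or [] if it does not resolve."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(name, 80)})
    except socket.gaierror:
        return []


def default_fetch(name, token):
    """GET the challenge path over plain HTTP; (0, "") if nothing answers.
    urllib follows redirects, as the real validator does, so a redirect
    into another vhost shows up as a wrong body rather than a 30x."""
    url = "http://%s/.well-known/acme-challenge/%s" % (name, token)
    try:
        with urllib.request.urlopen(url, timeout=10) as r:
            return r.status, r.read().decode("ascii", "replace")
    except urllib.error.HTTPError as e:
        return e.code, ""
    except (urllib.error.URLError, OSError):
        return 0, ""


def preflight(domains, server_ips, token="preflight-token",
              resolve=default_resolve, fetch=default_fetch):
    """Return {name: [problems]}; an empty list means the name is ready.
    The probe file must contain exactly `token`; put it under
    public_html/.well-known/acme-challenge/<token> before running."""
    report = {}
    for name in expand_names(domains):
        problems = []
        ips = resolve(name)
        if not ips:
            problems.append("does not resolve")
        elif not set(ips) & set(server_ips):
            problems.append("resolves to %s, not this server" % ",".join(ips))
        else:
            status, body = fetch(name, token)
            if status == 0:
                problems.append("no answer on port 80 (firewall or no vhost?)")
            elif status != 200:
                problems.append("HTTP %d for the challenge path" % status)
            elif body.strip() != token:
                problems.append("challenge path serves something else "
                                "(redirect into another site?)")
        report[name] = problems
    return report


if __name__ == "__main__":
    import sys
    # usage: preflight.py <server-ip> <domain> [<domain> ...]
    for n, p in preflight(sys.argv[2:], [sys.argv[1]]).items():
        print("%-28s %s" % (n, "ok" if not p else "; ".join(p)))
```

Any name whose row is not "ok" will fail the same way the two quoted challenges did; fix the DNS record, the firewall or the vhost for that name (or leave the name out of the request) before trying again, otherwise each failed attempt counts against the Let's Encrypt rate limits.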

Thu, 11/01/2018 - 12:47
TheRavenKing Pro Licensee

Hi, I found something similar testing on my new server. The problem I had is that the newly created sub-server had no index.html in /public_html, which means Let's Encrypt can't check ownership of the sub-server. My problem is that my skeleton folder only seems to work with the main domain and is copied below /public_html for a sub-server; I have not yet found what is causing that.

Make sure you have an index.html file in the sub-server and it should work.

Thu, 11/01/2018 - 13:09 (Reply to #3)
Parapluie

Hi, TheRavenKing.

An HTML index (php, rather) exists, and the web certification seems to work well already.

I am still wondering how I can extend the certificate (or maintain more certificates) to cover mail. and ded.

Thu, 11/01/2018 - 13:50
Parapluie

I think that I am able to add a subdomain to the existing certificate from the command line by keying this: ./certbot-auto --apache -d mail.mysite.com --agree-tos

However, I am met with an error: Could not install OS dependencies. Aborting bootstrap!

I am unsure why we are confronted with a dependency error. Everything is up to date according to Webmin. Here is the full text:

Bootstrapping dependencies for RedHat-based OSes that will use Python3... (you can skip this with --no-bootstrap)
yum is /usr/bin/yum
yum is hashed (/usr/bin/yum)
Loaded plugins: fastestmirror, replace, security
Setting up Install Process
Loading mirror speeds from cached hostfile
* base: mirror.netflash.net
* epel: download-ib01.fedoraproject.org
* extras: centos.mirror.globo.tech
* ius: ius.mirror.constant.com
* ius-archive: ius.mirror.constant.com
* remi: mirror.team-cymru.com
* remi-safe: mirror.team-cymru.com
* updates: centos.mirror.globo.tech
Package gcc-4.4.7-23.el6.x86_64 already installed and latest version
Package augeas-libs-1.0.0-10.el6.x86_64 already installed and latest version
Package openssl-1.0.1e-57.el6.x86_64 already installed and latest version
Package openssl-devel-1.0.1e-57.el6.x86_64 already installed and latest version
Package redhat-rpm-config-9.0.3-51.el6.centos.noarch already installed and latest version
Package ca-certificates-2018.2.22-65.1.el6.noarch already installed and latest version
Package 2:mod_ssl-2.2.15-60.el6.6vm.x86_64 already installed and latest version
Resolving Dependencies
--> Running transaction check
---> Package libffi-devel.x86_64 0:3.0.5-3.2.el6 will be installed
---> Package python34.x86_64 0:3.4.8-1.el6 will be installed
--> Processing Dependency: python34-libs(x86-64) = 3.4.8-1.el6 for package: python34-3.4.8-1.el6.x86_64
--> Processing Dependency: libpython3.4m.so.1.0()(64bit) for package: python34-3.4.8-1.el6.x86_64
---> Package python34-devel.x86_64 0:3.4.8-1.el6 will be installed
--> Processing Dependency: python3-rpm-macros for package: python34-devel-3.4.8-1.el6.x86_64
--> Processing Dependency: python-rpm-macros for package: python34-devel-3.4.8-1.el6.x86_64
---> Package python34-tools.x86_64 0:3.4.8-1.el6 will be installed
--> Processing Dependency: python34-tkinter = 3.4.8-1.el6 for package: python34-tools-3.4.8-1.el6.x86_64
--> Running transaction check
---> Package python-rpm-macros.noarch 0:3-13.el6 will be installed
--> Processing Dependency: python-srpm-macros for package: python-rpm-macros-3-13.el6.noarch
---> Package python3-rpm-macros.noarch 0:3-13.el6 will be installed
---> Package python34-libs.x86_64 0:3.4.8-1.el6 will be installed
---> Package python34-tkinter.x86_64 0:3.4.8-1.el6 will be installed
--> Processing Dependency: libtk8.5.so()(64bit) for package: python34-tkinter-3.4.8-1.el6.x86_64
--> Processing Dependency: libtcl8.5.so()(64bit) for package: python34-tkinter-3.4.8-1.el6.x86_64
--> Running transaction check
---> Package python-srpm-macros.noarch 0:3-13.el6 will be installed
---> Package tcl.x86_64 1:8.5.7-6.el6 will be installed
---> Package tk.x86_64 1:8.5.7-5.el6 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
Package                   Arch          Version              Repository   Size
================================================================================
Installing:
libffi-devel              x86_64        3.0.5-3.2.el6        base         18 k
python34                  x86_64        3.4.8-1.el6          epel         50 k
python34-devel            x86_64        3.4.8-1.el6          epel        186 k
python34-tools            x86_64        3.4.8-1.el6          epel        426 k
Installing for dependencies:
python-rpm-macros         noarch        3-13.el6             epel        5.6 k
python-srpm-macros        noarch        3-13.el6             epel        5.6 k
python3-rpm-macros        noarch        3-13.el6             epel        5.1 k
python34-libs             x86_64        3.4.8-1.el6          epel        8.4 M
python34-tkinter          x86_64        3.4.8-1.el6          epel        336 k
tcl                       x86_64        1:8.5.7-6.el6        base        1.9 M
tk                        x86_64        1:8.5.7-5.el6        base        1.4 M

Transaction Summary
================================================================================
Install      11 Package(s)

Total download size: 13 M
Installed size: 40 M
Is this ok [y/N]: Exiting on user Command
Your transaction was saved, rerun it with:
yum load-transaction /tmp/yum_save_tx-2018-11-01-13-28R1KqtO.yumtx
Could not install OS dependencies. Aborting bootstrap!
Thu, 11/01/2018 - 14:30
TheRavenKing Pro Licensee

Not sure what your OS is, but it looks like CentOS; you can use the SCL to install Python 3.4 or any other version.

yum install centos-release-scl
yum install rh-python34

https://www.softwarecollections.org/en/scls/?search=python&policy=&repo=...

Thu, 11/01/2018 - 19:21 (Reply to #6)
Parapluie

Hmm… I ran the upgrade (I had to use the EPEL repository). However, python -V still points to Python 2.6.6.

Fri, 11/02/2018 - 04:18
TheRavenKing Pro Licensee

@Parapluie Hi, not sure how safe it is as I don't know your system, but if I were you I would check whether you require the 2.6.6 version for anything; if not, remove it...

Fri, 11/02/2018 - 05:56
TheRavenKing Pro Licensee

BTW, have you ticked the option "Share SSL certificates between domains where possible?" in Virtualmin under System Settings, Virtualmin Configuration?

Fri, 11/02/2018 - 13:08 (Reply to #9)
Parapluie

Yes: This SSL certificate is already being used by : Webmin, Usermin, Dovecot (host codexrarebooks.com), Postfix, ProFTPD After that, this sentence appears: The buttons below will copy this domain's SSL certificate as the default for the chosen service. This will be used if no per-domain or per-IP certificate is configured. with no buttons after it. (Nothing after it, in fact.)

It's a busy day, and I am still looking into the details of your previous comment. I just have to figure out what depends on Python 2.6.6

Thanks for your help. I'll let you know what comes of the search.

Sat, 11/03/2018 - 04:49
Jfro

Hmm, certbot is a different way to add Let's Encrypt than the one VM uses itself, so far as I know!

Mon, 11/05/2018 - 14:07 (Reply to #11)
Parapluie

Jfro, are you able to elaborate? I have used this in the past. However, now I am stuck. I would think that I should be able to remove the existing certificate (including using the extra manual steps as The Raven King suggests in the next comment), and then re-issue a new certificate for the domain (of course, with all four subdomains included in the certificate).

Sat, 11/03/2018 - 10:44
TheRavenKing Pro Licensee

@parapluie I think it's a problem many of us face; as the documents say, you can only issue an SSL cert on a static IP and not a shared IP. When trying things out I discovered that when you delete a virtual server the SSL keys are still in the /etc/webmin folder and in the /etc/webmin/miniserv.conf file. So it seems they are not deleted when you delete a virtual server with an SSL certificate; I had to clean up by hand to get it working normally again after my testing..... sadly I can't do more testing as I have used up my quota for SSL certs.... :-) I suggest you peek and poke in the same places I did.

Thu, 11/08/2018 - 11:37 (Reply to #13)
Parapluie

I dunno, TheRavenKing. I've torn the domain apart and put it back together. I'm no further along.

All I can say at this point is that I'm a bit disappointed. Virtualmin and Let's Encrypt seem like a perfect match. The similar price tag makes them a natural combination for cheap ba… er… people like me.

I would think that such a community and demand (both quite large, it seems) would have an easier solution worked out already; but it doesn't seem that way.

I'll sit tight with what I have for now, but I'll keep my eye out for a solution. If I do find one, I will make sure to post it here.

Thank you for your help on this. I appreciate that you could offer some useful guidance.

All the best.

Thu, 11/08/2018 - 12:13
Jfro

I only know that things changed over time; using parts from before some updates (I don't know when it started), things worked before.

But now you have to take special care to do everything 100% right in the new way. (I don't know whether you have to remove old parts; I'm a newbie and started with VM6 with some early bugs.. ;) )

For every cert that failed after more than 10 months of working, I checked all IPv4 and IPv6 records and the extra external DNS settings (we use them); some have to be put there extra, such as autodiscover and so on, whereas before there was no need for those. (Maybe some DNS things changed at our place, hmm.)

Take care of redirects and so on.

BUT it should be possible to get things working.

THE DOCS are OLD, YEP. (So things like SNI, IP, IPv4, IPv6, own IPs for domains, own certs for a mail domain not pointing to the host cert are all things to plan before you do things. So I can't help further here; support can, so please give them all they need: read the forum rules, all versions, log and error file info, and config settings.)

CERTBOT is an old, unsupported way to have LE certs in Virtualmin, I expect! YOU DID that here https://www.virtualmin.com/comment/804608#comment-804608

AND ALL DNS should be done, known and set 100% right before doing certs, so test with tools such as mxtoolbox and other DNS tools.

Thu, 11/08/2018 - 12:13
TheRavenKing Pro Licensee

@Parapluie
you haven't told me your OS, and you haven't told me whether you were able to clean up and install as I suggested, so the last resort is as follows.

https://www.sslforfree.com/create?domains=domain.com+*.domain.com

You must replace the domain.com with yours of course, then upload manually the certificates.

:-)

But to me seems you need to clean your system from unwanted software...
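Before uploading a wildcard certificate, or after installing any certificate, it helps to check what the mail services actually present and which names it covers; the original post's problem is that IMAP/SMTP clients connecting to mail.mysite.com are shown the certificate for mysite.com and www.mysite.com, which Dovecot and Postfix are sharing according to the post above. The script below is an added example, not from the page, Virtualmin or sslforfree. It connects with implicit TLS (IMAPS 993, SMTPS 465 or HTTPS 443, assumed ports), reads the leaf certificate's subjectAltName with the standard ssl module, and matches each name against it with the RFC 6125 wildcard rule, which is the caveat with the wildcard suggestion: *.mysite.com matches exactly one label, so it covers mail.mysite.com, smtp.mysite.com and ded.mysite.com but not mysite.com itself and not www.mail.mysite.com, which is why domain.com is listed alongside *.domain.com in that URL. The matching is pure Python and is what the offline test exercises.

```python
"""Check which host names a running service's certificate covers.
Added example, not from the page or from Virtualmin.

Connects with implicit TLS (assumed ports: 993 IMAPS, 465 SMTPS, 443 HTTPS),
reads the subjectAltName of the presented leaf certificate and reports the
requested names it does NOT cover, matching wildcards per RFC 6125 (a '*'
must be the whole leftmost label and matches exactly one label).
"""
import socket
import ssl


def san_names(cert):
    """DNS names from the dict returned by SSLSocket.getpeercert()."""
    return [v for (k, v) in cert.get("subjectAltName", ()) if k == "DNS"]


def covers(host, san):
    """True if one dNSName entry `san` matches `host` (RFC 6125 rules)."""
    host = host.lower().rstrip(".")
    san = san.lower().rstrip(".")
    if "*" not in san:
        return host == san
    if not san.startswith("*.") or "*" in san[2:]:
        return False  # wildcard must be the entire leftmost label
    hl, sl = host.split("."), san.split(".")
    # same number of labels (one label for the '*') and identical suffix
    return len(hl) == len(sl) and hl[1:] == sl[1:]


def uncovered(hosts, sans):
    """The hosts that no SAN entry matches."""
    return [h for h in hosts if not any(covers(h, s) for s in sans)]


def fetch_sans(host, port, timeout=10):
    """Connect with implicit TLS and return the DNS SANs of the leaf cert.
    Hostname checking is off because the point is to see what the server
    presents; chain verification stays on, so a self-signed default cert
    surfaces as ssl.SSLError instead of an empty list."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return san_names(tls.getpeercert())


if __name__ == "__main__":
    import sys
    # usage: sancheck.py <host> <port> [<name-that-must-be-covered> ...]
    host, port = sys.argv[1], int(sys.argv[2])
    sans = fetch_sans(host, port)
    print("certificate on %s:%d covers: %s" % (host, port, ", ".join(sans)))
    missing = uncovered(sys.argv[3:] or [host], sans)
    print("not covered: %s" % (", ".join(missing) or "nothing"))
```

Run it once per service (for example against mail.mysite.com on 993 and 465, passing webmail, smtp, mail and ded as the names to cover): if the SAN list printed is just mysite.com and www.mysite.com, the mail client failure in the first post is exactly a name mismatch, and the fix is a certificate whose SANs, or wildcard plus apex, include every name the clients connect to.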

Thu, 11/08/2018 - 14:41
Parapluie

Okay, thanks to you both for your help. I can't do it today, but I will include these ideas in my next steps.

It's CentOS 6, btw. You guessed it correctly in a previous comment.