Support certbot-dns-linode ?

UPDATE3_BEGIN

After all is said and done, this support request boiled down to a feature request:

Support certbot-dns-linode within Virtualmin's LetsEncrypt implementation.

Also, since some of us are forced to use certbot directly from time to time, provide a graceful way to integrate the files generated under /etc/letsencrypt/ into Virtualmin via the GUI, as per this comment made to a prior request for support:

Typically, even when you install your own SSL certificate, you should be doing it through the GUI to ensure all the appropriate settings and such are changed correctly.

UPDATE3_END

Former Subject Line: "Wildcard LetsEncrypt Certificate Fails with ERR_SSL_PROTOCOL_ERROR Possibly Due To [ssl:warn] [pid 29244] AH01909: mydomain.com:443:0 server certificate does NOT include an ID which matches the server name"

I successfully requested a LetsEncrypt wildcard certificate for all my domains. However, I can't access https://mydomain.com because the browser reports ERR_SSL_PROTOCOL_ERROR.

UPDATE2_BEGIN

OK, the problem appears to be that Linode's DNS doesn't play nice with Virtualmin.

Once I hacked virtualmin into running again, hopefully without damaging my system -- the only way I could get a successful certificate was to invoke certbot manually as per the Linode directions for certbot-dns-linode:

certbot certonly --dns-linode --dns-linode-credentials .linode_api/certbot -d *.mydomain1.com -d *.mydomain2.com ...etc... -d mydomain1.com -d mydomain2.com ...etc...

Of course, now I face the challenge of ensuring that this certificate -- and the associated files -- located in /etc/letsencrypt/archive/somedomain.com/ is going to work with Virtualmin (be referenced properly in all the VirtualHost configurations, renew on schedule, etc.

UPDATE2_END

UPDATE1_BEGIN

I think I've narrowed down the problem to LetsEncrypt's failure to find TXT entries for the non-wildcard domains when attempting to do both wildcard and non-wildcard domains.

I'm getting a bunch of these errors:

- The following errors were reported by the server:

   Domain: somedomain.com
   Type:   None
   Detail: DNS problem: NXDOMAIN looking up TXT for
   _acme-challenge.somedomain.com

This may have to do with a weakness in the certbot-dns-linode authenticator plugin.

Using the certificate that contained only wildcards (which LetsEncrypt successfully issues) I was able to get one domain's subdomains to match the wildcard, but only the one named in the Certificate->Signature Algorithm:->Subject->commonName = *.somedomain.com field. None of the X509v3 Subject Alternative Name->DNS:*.anyothername.com,... fields would match.

Unfortunately, I can no longer access even Virtualmin as it is returning the same ERR_SSL_PROTOCOL_ERROR. Setting ssl=0 in miniserv.conf and restarting doesn't help.

UPDATE1_END

This happens on all my VirtualHosts.

I suspect that this is due to my explicit IP in the VirtualHost directive in all my 443 hosts:

<VirtualHost 123.123.123.123:443>

rather than:

<VirtualHost *:443>

However, changing it to *:443 (and *:80) for one of my domains doesn't fix it for that domain.

Is this likely and if so, what is the best way of changing all of my domains to use the *:443 spec?

Another possibility is that the only domains permitted are _sub_domains as listed in:

openssl x509 -noout -text -nameopt multiline -in ssl.cert
...
X509v3 Subject Alternative Name:
                DNS:*.mydomain.com,  DNS:*.anothermydomain.com,...

ie: they all begin with *. and none of them are, say, DNS:mydomain.com.

Could that be the problem? If so, I did try to request a LetsEncrypt certificate with both the *.mydomain.com and mydomain.com domains listed but I got an error on that LetsEncrypt request so I thought it must mean one can't mix them.

-rwxr-xr-x 1 mydomain mydomain 1647 Jan 25 16:40 ssl.ca
-rwx------ 1 mydomain mydomain 2134 Jan 25 16:40 ssl.cert
-rwx------ 1 mydomain mydomain 3783 Jan 25 16:40 ssl.combined
-rwx------ 1 mydomain mydomain 5488 Jan 25 16:40 ssl.everything
-rwx------ 1 mydomain mydomain 1704 Jan 25 16:40 ssl.key

Moreover, during systemctl reload apache2 I get the warning:

[ssl:warn] [pid 29244] AH01909: mydomain.com:443:0 server certificate does NOT include an ID which matches the server name

System hostname debian (127.0.1.1) Operating system Debian Linux 9
Webmin version 1.900 Usermin version 1.751
Virtualmin version 6.05 Pro Authentic theme version 19.23-beta3
...
Status: 
Active

Comments

Title: Wildcard LetsEncrypt Certificate Fails with ERR_SSL_PROTOCOL_ERROR Possibly Due To [ssl:warn] [pid 29244] AH01909: mydomain.com:443:0 server certificate does NOT include an ID which matches the server name » Support certbot-dns-linode ?
Category: Support request » Feature request
Body: View changes

So to clarify .. in your case, is Linode entirely doing your DNS hosting?

Yes, and using Linode's DNS by systems hosted there is necessary if one wants to run Postfix mail servers that are not blocked by gmail etc.

Ok .. this is something that in theory could be supported (as part of larger work on using external DNS providers), but will take non-trivial work to do properly.