Certificates for Webmin / Virtualmin / Postfix / Dovecot

It might be a good one, being able to copy certs to Postfix, Dovecot and ProFTPD. I know it is possible within a domain under Virtualmin, but not within Webmin. If I copy a cert from mylittledomain.com to Dovecot and Postfix, the mail server also shows this mylittledomain cert if someone from myverybigcompany is sending a mail. Therefore I think my setting, having a neutral domain name for Webmin/Virtualmin/ProFTPD like server-config.com, would be better. So I would like to have the same buttons in the Webmin configuration as in Virtualmin.

Otherwise I would need to create a virtual server for my server-config.com to be able to copy my certs there. But I tried that before, and it confuses my DNS, Webmin and other services.

What do you mean?

Given that I would have those three files from Let's Encrypt, where would I put them manually, and which other settings would be necessary to get it up and running on which port? It looks like the autoconfig for Thunderbird and Outlook doesn't work accordingly.

When I did that manually the last time, I had encryption, but it only worked with a plain password, which I do not want either.

Any help is truly appreciated.

Best

PS: While we are at it: I'd also like the script installer within Webmin, so I can build a central data structure for multiserver access to phpMyAdmin, Roundcube etc. Why have it in each virtual server, if one central installation does the trick and I would have to update just one instance of phpMyAdmin, not 5 or 10 or 20? I need an FQDN anyway for the installation of Webmin/Virtualmin/Cloudmin, so this would make life a lot easier.

If I understand you… server 1 has certificates for all its services: Webmin, Virtualmin, Postfix, Dovecot.
Then you also want user certificates to point to the same services for users?

One, not sure it's possible; two, certificates for your services should be the only ones users use when connecting to YOUR services.
Like user A has a certificate for a.domain.com for his https. That user will still connect to mail.yourserver.com for mail and not mail.a.domain.com. Thus assigning a user cert to mail or other services on the server is useless. You should be in control of those certs at all times. Not users.

No. It's the other way round. I have a central multidomain Let's Encrypt certificate, which contains my server01.server-config.com domain and my userdomain1.com, userdomain2.com, userdomain3.com etc. This certificate I also want to use for Postfix / Dovecot / ProFTPD. Every user is using the same certificate, which also works for his domain. The Apache conf file for each virtual server contains these three lines:

SSLCertificateFile /etc/letsencrypt/live/server01.server-config.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/server01.server-config.com/privkey.pem
SSLCACertificateFile /etc/letsencrypt/live/server01.server-config.com/fullchain.pem

And I use one directory for the challenge, as given in apache.conf:

#letsencrypt change for one webroot dir
# Globally redirect ACME challenges to /var/www/html
# simpleHttp challenge by default uses HTTP
Redirect /.well-known/acme-challenge/ http://server01.server-config.com/.well-known/acme-challenge/
# If simpleHttp is used with TLS the above may not work.
# In that case we have to do something like this:
# (doesn't work for me right now; if someone gets this working please respond)
#
# Redirect /.well-known/acme-challenge/ http://%{SERVER_NAME}/.well-known/acme-challenge/
#
#
# Redirect /.well-known/acme-challenge/ https://%{SERVER_NAME}/.well-known/acme-challenge/
#

And I feed all domains via a cli.ini file into Let's Encrypt and have renewal each Friday, via cronjob:

# This is an example of the kind of things you can do in a configuration file.
# All flags used by the client can be configured here. Run Let's Encrypt with
# "--help" to learn more about the available options.

# Use a 4096 bit RSA key instead of 2048
rsa-key-size = 4096

# Uncomment and update to register with the specified e-mail address
#email =

# Uncomment and update to generate certificates for the specified
# domains.
domains = server01.server-config.com, userdomain1.com, userdomain2.com, userdomain3.com

# Uncomment to use a text interface instead of ncurses
text = True
expand = True

# Uncomment to use the standalone authenticator on port 443
# authenticator = standalone
# standalone-supported-challenges = tls-sni-01

# Uncomment to use the webroot authenticator. Replace webroot-path with the
# path to the public_html / webroot folder being served by your web server.
authenticator = webroot
webroot-path = /var/www/public_html

Unfortunately Let's Encrypt does not support wildcard domains, which would make life a lot easier and has some advantages:

One central point of challenges.

One central certificate, which I have to take care of; perhaps I will pin down a script which adds each new virtual server's domain to that file.

Just one certificate folder. If you do it the standard way you will see a new folder for each renewal, piling up over time for each cert.

I just have one folder, which is always current due to the cronjob.

Best
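The first post asks where the three Let's Encrypt files go for Postfix, Dovecot and ProFTPD and which settings are needed; the last post describes one live directory that a weekly cron renewal keeps current. The script below is an added example, not code from the thread or from the Virtualmin project: a certbot deploy hook that checks the renewed multi-domain certificate before reloading the three daemons, and prints the directives that point each daemon at the live directory. The live path and host name are the thread's; the config-file locations, the `--deploy` flag and the use of `systemctl` are assumptions about a typical Debian/Ubuntu layout.

```shell
#!/bin/sh
# Added example (not from the thread): a certbot deploy hook that checks the
# renewed multi-domain certificate and reloads Postfix, Dovecot and ProFTPD.
# The live-directory path and host name follow the thread; everything else is
# an assumption about a typical Debian/Ubuntu layout.
set -eu

# certbot sets RENEWED_LINEAGE when it runs a --deploy-hook after a renewal.
LIVE_DIR="${RENEWED_LINEAGE:-/etc/letsencrypt/live/server01.server-config.com}"
# The one host name mail clients are configured with (IMAPS 993, submission 587).
MAIL_HOST="server01.server-config.com"

# Return 0 when certificate and key carry the same public key.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null || true)
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null || true)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Return 0 when the host name appears in the certificate's subjectAltName list.
cert_covers_host() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | tr ',' '\n' | sed 's/^[[:space:]]*//' | grep -qxF "DNS:$2"
}

# Print the directives each daemon needs. They point straight at the live
# directory: all three daemons open the files as root when (re)started, so the
# weekly cron renewal keeps them current without any copying.
render_config() {
    live="$1"
    cat <<EOF
# Postfix: /etc/postfix/main.cf
smtpd_tls_cert_file = $live/fullchain.pem
smtpd_tls_key_file = $live/privkey.pem
smtpd_tls_security_level = may

# Dovecot: /etc/dovecot/conf.d/10-ssl.conf
ssl = required
ssl_cert = <$live/fullchain.pem
ssl_key = <$live/privkey.pem

# ProFTPD (mod_tls): /etc/proftpd/tls.conf
TLSRSACertificateFile $live/cert.pem
TLSRSACertificateKeyFile $live/privkey.pem
TLSCertificateChainFile $live/chain.pem
EOF
}

# Refuse to reload on a broken lineage: a mismatched pair or a certificate
# without the mail host name would take every mail client offline at once.
deploy() {
    live="$1"
    cert_matches_key "$live/fullchain.pem" "$live/privkey.pem" \
        || { echo "$live: certificate and key do not match, not reloading" >&2; return 1; }
    cert_covers_host "$live/fullchain.pem" "$MAIL_HOST" \
        || { echo "$live: certificate does not cover $MAIL_HOST, not reloading" >&2; return 1; }
    for svc in postfix dovecot proftpd; do
        systemctl reload "$svc" 2>/dev/null || systemctl restart "$svc"
    done
}

# Only act when certbot invoked us or when asked explicitly; otherwise just
# show the directives, which is safe to run on any machine.
if [ -n "${RENEWED_LINEAGE:-}" ] || [ "${1:-}" = "--deploy" ]; then
    deploy "$LIVE_DIR"
else
    render_config "$LIVE_DIR"
fi
```

Installed as `--deploy-hook` (or `renew_hook` in cli.ini), the script runs only on a successful renewal, so the Friday cron job can stay a plain `certbot renew`. Because the daemons read from the live directory, the single-folder setup from the last post is preserved; the two checks exist so that a renewal which issued the wrong lineage or lost the server01 name is noticed before any service is reloaded with it.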