Concatenate LetsEncrypt SSL certificates in Virtualmin for normal working in Nginx

Murz · September 18, 2017, 6:46am

Nginx needs that LetsEncrypt SSL certificates must be joined in one file, here is one of article about this: https://blog.sleeplessbeastie.eu/2016/07/18/how-to-use-letsencrypt-certificate-with-nginx/
Without this action - ssl failed via old versions of curl and some other SSL clients, example of problem with curl:
$ curl https://example.com curl: (60) SSL certificate problem: unable to get local issuer certificate More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a “bundle”
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn’t adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you’d like to turn off curl’s verification of the certificate, use
the -k (or --insecure) option.

Solution for this problem is concatenate 2 files: ssl.ca and ssl.cert in one file:
cat ./ssl.cert ./ssl.ca > ./ssl_combined.cert
and use this file in Nginx config.

Will be good to add this action in Virtualmin for automatically concatenate certificate files for Nginx webserver, without manual action after each cert auto-update.

Murz · September 18, 2017, 7:18am

For me I solve this problem via Command to run after making changes to a server script like this:
if [ “$VIRTUALSERVER_ACTION” = “SSL_DOMAIN” ]; then cat $VIRTUALSERVER_HOME/ssl.cert $VIRTUALSERVER_HOME/ssl.ca > $VIRTUALSERVER_HOME/ssl_concat.cert chmod 600 $VIRTUALSERVER_HOME/ssl_concat.cert chown $VIRTUALSERVER_USER:$VIRTUALSERVER_GROUP $VIRTUALSERVER_HOME/ssl_concat.cert service nginx reload fi

Murz · September 27, 2017, 6:07am

LetsEncrypt certbot script by-default create merged certificate file in /etc/letsencrypt/live/example.com/fullchain.pem file, so Virtualmin needs only to copy it to right location.

ngorohov · November 20, 2017, 9:24am

Bump to question.
After updateing cert I need to concatenate it manually. In other case auth in some my websites(using OpenID) brokes.

Murz · November 20, 2017, 10:04am

@ngorohov, yes - this works only when you manually update certificate via Virtualmin web interface.
Via automatic update by cron - Virtualmin don’t do virtualserver save function, so ignore this hook.

@Virtualmin_developers, is there any other hook on Virtualmin on cert auto-update action?

Murz · November 20, 2017, 10:15am

Seems new releases of Virtualmin partly fix this issue: I see new setting in Virtualmin config:
Template for combined certificate path Default (~/ssl.combined)
But on cert auto-update process this file is not updated. So I see fresh dates of all other files, but ssl.combined have old date:
Sep 11 13:45 ssl.ca Nov 10 13:49 ssl.cert Oct 11 19:17 ssl.combined Nov 10 13:49 ssl.key
When I manually require certificate - it updates successfully.