curl performs SSL certificate verification by default, using a “bundle”
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn’t adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you’d like to turn off curl’s verification of the certificate, use
the -k (or --insecure) option.
The solution for this problem is to concatenate 2 files, ssl.ca and ssl.cert, into one file:
cat ./ssl.cert ./ssl.ca > ./ssl_combined.cert
and use this file in the Nginx config.
It would be good to add this action to Virtualmin, to automatically concatenate the certificate files for the Nginx webserver without manual action after each cert auto-update.
For me, I solved this problem via a "Command to run after making changes to a server" script like this:
# Rebuild the combined certificate whenever Virtualmin reports an SSL change
if [ "$VIRTUALSERVER_ACTION" = "SSL_DOMAIN" ]; then
    cat "$VIRTUALSERVER_HOME/ssl.cert" "$VIRTUALSERVER_HOME/ssl.ca" > "$VIRTUALSERVER_HOME/ssl_concat.cert"
    chmod 600 "$VIRTUALSERVER_HOME/ssl_concat.cert"
    chown "$VIRTUALSERVER_USER:$VIRTUALSERVER_GROUP" "$VIRTUALSERVER_HOME/ssl_concat.cert"
    service nginx reload
fi
The LetsEncrypt certbot script by default creates a merged certificate file at /etc/letsencrypt/live/example.com/fullchain.pem, so Virtualmin only needs to copy it to the right location.
@ngorohov, yes - this works only when you manually update the certificate via the Virtualmin web interface.
With an automatic update by cron, Virtualmin doesn't run the virtual server save function, so it ignores this hook.
@Virtualmin_developers, is there any other hook in Virtualmin for the cert auto-update action?
It seems new releases of Virtualmin partly fix this issue: I see a new setting in the Virtualmin config: Template for combined certificate path Default (~/ssl.combined)
But during the cert auto-update process this file is not updated. So I see fresh dates on all the other files, but ssl.combined has an old date:
Sep 11 13:45 ssl.ca
Nov 10 13:49 ssl.cert
Oct 11 19:17 ssl.combined
Nov 10 13:49 ssl.key
When I manually request a certificate, it updates successfully.
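
The concatenation workaround from this thread, as an added example that is not part of the original posts or Virtualmin's own code: a check, suitable for cron, that compares ssl.combined with ssl.cert plus ssl.ca by content and rebuilds it when a renewal has left it stale. The function names and the RELOAD_CMD variable are assumptions; the file names are the ones mentioned above.

```shell
#!/bin/sh
# Added example, not Virtualmin's code. File names ssl.cert, ssl.ca and
# ssl.combined are from the thread; function names and RELOAD_CMD are assumptions.
RELOAD_CMD="${RELOAD_CMD:-service nginx reload}"

# Print the chain nginx expects: server certificate first, then the CA certs.
emit_chain() {
    cat "$1/ssl.cert"
    # A missing final newline would fuse the END/BEGIN lines of two PEM blocks.
    if [ -n "$(tail -c 1 "$1/ssl.cert")" ]; then echo; fi
    cat "$1/ssl.ca"
}

# Return 0 when ssl.combined already holds exactly that chain.
combined_is_current() {
    [ -f "$1/ssl.combined" ] || return 1
    emit_chain "$1" | cmp -s - "$1/ssl.combined"
}

# Return 0 if ssl.combined was rebuilt, 1 if it was already current,
# 2 if an input is missing or empty or the write failed.
refresh_combined() {
    dir=$1
    [ -s "$dir/ssl.cert" ] && [ -s "$dir/ssl.ca" ] || return 2
    combined_is_current "$dir" && return 1
    # Write a mode-600 temp file in the same directory, then rename it into
    # place so nginx never reads a half-written chain.
    tmp=$(mktemp "$dir/ssl.combined.XXXXXX") || return 2
    if emit_chain "$dir" > "$tmp" && chmod 600 "$tmp" && mv -f "$tmp" "$dir/ssl.combined"; then
        $RELOAD_CMD >/dev/null 2>&1 || echo "reload failed for $dir" >&2
        return 0
    fi
    rm -f "$tmp"
    return 2
}
```

Call refresh_combined with a virtual server's home directory; status 0 means the file was rebuilt and nginx was asked to reload, 1 means nothing needed to change.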