Custom actions with Virtualmin's Letsencrypt renewals?

It’s an old server (still on CentOS 7.9) and it stopped showing me any available updates a while ago:


(Some of the sites still rely on old PHP/MySQL versions so have also avoided updating those in fear of breaking anything)

Head exploding over CentOS 7, now.

But, you can get a newer Virtualmin.

Do this:

```
virtualmin setup-repos
```

And, then update packages.


Oh, wait, if you’re on an expired Virtualmin Pro, that would explain it, and setup-repos won’t fix it without downgrading to GPL.


It’s saying: Command setup-repos.pl was not found

It’s not Virtualmin Pro (I am a subscriber but only run the GPL version on my servers) :smiley:

I don’t recall in which version we fixed the bug so that post-actions were run on SSL cert renewals, but it’s definitely fixed in 7.30.


No problem - I intend to move all these sites to a new server at some point so in the meantime I’ll set up an hourly cron job to copy over the certs to HAProxy, that way it will still use the existing certs until Virtualmin updates them.

Is there any way to trigger (or verify) the Virtualmin Let’s Encrypt renewal script manually so I can just double check it’s all working as expected otherwise?

Oh, it’s so old you don’t have that command.

Just grab the latest install script and run it with the --setup option:

```
sudo sh -c "$(curl -fsSL https://software.virtualmin.com/gpl/scripts/virtualmin-install.sh)" -- --setup
```

Making me nervous Joe :see_no_evil: could it potentially break anything? (it won’t upgrade or change PHP/MySQL or anything like that will it?) :see_no_evil: :see_no_evil:

The --setup option only sets up the repos, or updates them if they are out of date.


Thanks Joe… should it show me a different message to this?

```
sudo sh -c "$(curl -fsSL https://software.virtualmin.com/gpl/scripts/virtualmin-install.sh)" --setup

[INFO] Installation log is written to /root/virtualmin-install.log

Welcome to the Virtualmin GPL installer, version 7.5.2

This script must be run on a freshly installed supported OS. It does not
perform updates or upgrades (use your system package manager) or license
changes (use the "virtualmin change-license" command).

The systems currently supported by the install script are:

Red Hat Enterprise Linux and derivatives
  - RHEL 8 and 9 on x86_64
  - Alma and Rocky 8 and 9 on x86_64
  - CentOS 7 on x86_64

Debian Linux and derivatives
  - Debian 10, 11 and 12 on i386 and amd64
  - Ubuntu 20.04 LTS, 22.04 LTS and 24.04 LTS on i386 and amd64

If your OS/version/arch is not listed, installation will fail. More
details about the systems supported by the script can be found here:

https://www.virtualmin.com/os-support

The selected package bundle is LAMP and the size of install is
full. It will require up to 2 GB of disk space.

Exit and re-run this script with --help flag to see available options.

Continue? (y/n)
```

Oh, wait, stop. I made a copypasta error.

It needs an extra --

```
sudo sh -c "$(curl -fsSL https://software.virtualmin.com/gpl/scripts/virtualmin-install.sh)" -- --setup
```

Thanks Joe, running that I get:

```
# sudo sh -c "$(curl -fsSL https://software.virtualmin.com/gpl/scripts/virtualmin-install.sh)" -- --setup
[INFO] Setup log is written to /root/virtualmin-repos-setup.log
[INFO] Started Virtualmin 7 GPL software repositories setup
Downloading Virtualmin 7 release package                                     ✔
Installing Virtualmin 7 release package                                      ✔
[SUCCESS] Repository configuration successful. You can now install Virtualmin
[SUCCESS] components using your OS package manager.
```

Should I be able to run setup-repos now? (Still not found)

```
# virtualmin setup-repos
Command setup-repos.pl was not found
```

Or should I install via the OS package manager? (If so any command in particular?)

No, that did the same thing as setup-repos. Now you can update Virtualmin.


Am getting this Joe: Webmin > System > Software Package Updates > Installed

(Basically everything says no update exists)


What happens when you do:

```
dnf update
```

Or:

```
yum update
```

It’d have to be yum for this server… but will that update PHP/MySQL etc? I don’t want those updated as some of the sites are reliant upon old versions : /

Then simply update the packages you wish, e.g.:

```
yum update webmin usermin wbm*
```

Thanks @Ilia, I’m getting:

```
# yum update webmin usermin wbm*
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
Could not retrieve mirrorlist http://mirrorlist.centos.org/?release=7&arch=x86_64&repo=os&infra=stock error was
14: curl#6 - "Could not resolve host: mirrorlist.centos.org; Unknown error"


 One of the configured repositories failed (Unknown),
 and yum doesn't have enough cached data to continue. At this point the only
 safe thing yum can do is fail. There are a few ways to work "fix" this:

     1. Contact the upstream for the repository and get them to fix the problem.

     2. Reconfigure the baseurl/etc. for the repository, to point to a working
        upstream. This is most often useful if you are using a newer
        distribution release than is supported by the repository (and the
        packages for the previous distribution release still work).

     3. Run the command with the repository temporarily disabled
            yum --disablerepo=<repoid> ...

     4. Disable the repository permanently, so yum won't use it by default. Yum
        will then just ignore the repository until you permanently enable it
        again or use --enablerepo for temporary usage:

            yum-config-manager --disable <repoid>
        or
            subscription-manager repos --disable=<repoid>

     5. Configure the failing repository to be skipped, if it is unavailable.
        Note that yum will try to contact the repo. when it runs most commands,
        so will have to try and fail each time (and thus. yum will be be much
        slower). If it is a very temporary problem though, this is often a nice
        compromise:

            yum-config-manager --save --setopt=<repoid>.skip_if_unavailable=true

Cannot find a valid baseurl for repo: base/7/x86_64
```

Looks like as of July 24 I need to switch the contents of /etc/yum.repos.d/CentOS-Base.repo from:

```
# CentOS-Base.repo
#
# The mirror system uses the connecting IP address of the client and the
# update status of each mirror to pick mirrors that are updated to and
# geographically close to the client.  You should use this for CentOS updates
# unless you are manually picking other mirrors.
#
# If the mirrorlist= does not work for you, as a fall back you can try the
# remarked out baseurl= line instead.
#
#

[base]
name=CentOS-$releasever - Base
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=os&infra=$infra
#baseurl=http://mirror.centos.org/centos/$releasever/os/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7

#released updates
[updates]
name=CentOS-$releasever - Updates
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=updates&infra=$infra
#baseurl=http://mirror.centos.org/centos/$releasever/updates/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7

#additional packages that may be useful
[extras]
name=CentOS-$releasever - Extras
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=extras&infra=$infra
#baseurl=http://mirror.centos.org/centos/$releasever/extras/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7

#additional packages that extend functionality of existing packages
[centosplus]
name=CentOS-$releasever - Plus
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=centosplus&infra=$infra
#baseurl=http://mirror.centos.org/centos/$releasever/centosplus/$basearch/
gpgcheck=1
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
```

to:

```
[base]
name=CentOS-$releasever - Base
baseurl=http://vault.centos.org/7.9.2009/os/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7

[updates]
name=CentOS-$releasever - Updates
baseurl=http://vault.centos.org/7.9.2009/updates/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7

[extras]
name=CentOS-$releasever - Extras
baseurl=http://vault.centos.org/7.9.2009/extras/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7

[centosplus]
name=CentOS-$releasever - Plus
baseurl=http://vault.centos.org/7.9.2009/centosplus/$basearch/
gpgcheck=1
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
```

However in fear of something potentially breaking I might leave this until I’m ready to port the sites on this server to updated software with newer versions of PHP/MySQL :baby_chick:

You don’t need to update other system packages together with Webmin and Virtualmin. This can be done entirely separately.

Since CentOS 7 has reached its EOL, you will need to update the system repositories to point to Vault or completely disable them. Virtualmin repositories operate differently, providing only packages related to Webmin and modules, such as Virtualmin virtual-server.


A couple of improvements you could apply to this script:

  1. Virtualmin provides an ssl.everything file which also contains the private key (although may be dependent upon Virtualmin version)

  2. You could use reload instead of restart to update the certificate. Reloading is seamless (you’d need to be running a more recent version, > 1.7):

     ```
     systemctl reload haproxy.service
     ```

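The hourly copy job and the two suggestions above (read the combined ssl.everything bundle, reload rather than restart) fit into one function that only touches HAProxy when the bundle has actually changed. This is an added example, not a script posted in the thread; the placeholder paths and the `CHECK_CMD` / `RELOAD_CMD` override variables are assumptions.

```sh
#!/bin/sh
# Added example (not from the thread). Paths and the CHECK_CMD / RELOAD_CMD
# override variables are assumptions made for this sketch.

# pem_is_complete FILE: 0 if FILE holds both a certificate and a private key.
pem_is_complete() {
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1" &&
        grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$1"
}

# sync_cert SRC DST
# Returns 0 = new bundle installed and HAProxy reloaded, 1 = unchanged, 2 = error.
sync_cert() {
    sc_src=$1; sc_dst=$2
    [ -r "$sc_src" ] || { echo "cannot read $sc_src" >&2; return 2; }
    pem_is_complete "$sc_src" || { echo "$sc_src: missing cert or key" >&2; return 2; }

    # Byte-identical to what is deployed: leave HAProxy alone.
    if [ -f "$sc_dst" ] && cmp -s "$sc_src" "$sc_dst"; then return 1; fi

    # Keep the old bundle outside the cert directory for rollback
    # (mktemp creates files with mode 0600).
    sc_old=$(mktemp) || return 2
    sc_had_old=0
    if [ -f "$sc_dst" ]; then cat "$sc_dst" > "$sc_old"; sc_had_old=1; fi

    # Stage next to the destination, then rename: no reader sees a partial file.
    sc_new=$(mktemp "$sc_dst.XXXXXX") || { rm -f "$sc_old"; return 2; }
    cat "$sc_src" > "$sc_new" && mv -f "$sc_new" "$sc_dst" ||
        { rm -f "$sc_new" "$sc_old"; return 2; }

    # Validate config plus new bundle before touching the running service.
    if ! ${CHECK_CMD:-haproxy -c -q -f /etc/haproxy/haproxy.cfg}; then
        echo "config check failed, restoring previous bundle" >&2
        if [ "$sc_had_old" -eq 1 ]; then cat "$sc_old" > "$sc_dst"; else rm -f "$sc_dst"; fi
        rm -f "$sc_old"
        return 2
    fi
    rm -f "$sc_old"
    ${RELOAD_CMD:-systemctl reload haproxy.service} || return 2
    return 0
}

# Hourly cron usage (placeholder paths):
#   sync_cert /home/example/ssl.everything /etc/haproxy/certs/example.pem
```

Because the deployed file carries the private key, it stays at mode 0600 throughout, and a bundle that fails the HAProxy config check is rolled back before any reload is attempted.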