Fresh Install - Lets Encrypt Cert

Continuing the discussion from Fresh install does not get Lets Encrypt cert:

SYSTEM INFORMATION
OS type and version RHEL 8.5
Webmin version 1.991
Virtualmin version 7.0

From previous topic regarding Fresh install does not get Lets Encrypt cert.

If this is doomed to fail, should it even be an option in the Install Wizard?

JoeVirtualmin Staff

Jun '21

Yeah, I don’t like how prone to failure the wizard is on this front. I talked about it with @Ilia and Jamie, but I guess it’s still in there. I think we need to roll it back. It’s so unlikely to ever work right on first install…it assumes so many things are going to be configured right that the vast majority of users have no idea how to get right. It’s just a mess.

Yeah, I was against adding it, honestly, and I still think it’s not worth the high likelihood of failure. I thought I’d convinced @Ilia and @Jamie to make it fail gently (i.e. not look like a serious error, not prevent proceeding, make it clear what happened and why, etc.), but I guess we’re still not on the same page about that.

Doesn’t it also waste a certificate attempt at LE?

Does failure to request the LE cert completely break the install wizard process? It should be just a warning that you can skip.

Virtualmin is unfortunately in a bit of a catch-22 situation here, as many browsers complain if an HTTPS site doesn’t have a valid cert. But it’s hard to get a cert from Let’s Encrypt until at least one domain has been created and properly registered.

It wouldn’t fail if this info were to be included on the first page of the post-install wizard:

Jaimie, It appears to fail and create a new self signed certificate, so you have to accept the new self signed, the same as you do to start the wizard. There are no error messages etc.

There may be a log that has more details?

As there is already a self signed cert, why not leave that in place, finish the virt server creation and then offer to run LE right at the end?

Edit: Summary, it’s as if you had selected to create a new self signed cert.

Jamie, I made it fail nicely on UI side. It’d generate a modal that gives you a link to open a popup from which you can confirm without interrupting wizard process.

However, this must not happen! We had this discussion (unfinished) in the past.

I want to be super clear when this certificate error in wizard happens:

  1. LE failed and self-signed certificate is generated
  2. URL is myvirtbox.com:10000 and requested default domain on the wizard is also myvirtbox.com. If those do not match, all is fine then and the error won’t happen.

Solution(s):
     a) Do not restart Webmin in case self-signed certificate generated in wizard
     b) Not to replace self-signed certificate at all for the default domain

1 Like

The issue there is that the host domain then only has a certificate for the webmin port :10000

How about:

c) Offer to run LE after the host server is created.

If the wizard LE request failed, there is no reason to expect SSL on the host domain website. If it failed, you’re not getting valid SSL, so there’s no reason to do anything about SSL. The user just needs to be informed about their next steps, and reassured that this isn’t a terrible thing they need to panic about (because anything that can be interpreted as an error during the install/wizard will be treated as a thing to panic over…some folks give up immediately and go try something else).

I’ll do some tests and see if we can at least skip any scary failure messages.

So I just did a test run of the wizard with the latest version of Virtualmin from the installer, and even though the Let’s Encrypt cert failed I didn’t see any scary error messages.

1 Like

The main concern (once you know what’s been going on and that the errors were due to sub-domains that you don’t want or use) is that you’re then locked out of attempting to get the SSL certs from Lets Encrypt for a period of time.

Does this solution solve that, or is it just a way to tidy those specific errors? Because if its only hiding the error, users are going to again try and get SSL and it’ll fail again because of the rate limits.

Personally, I’d rather be able to tell the system that I don’t want any sub-domains at all earlier in the setup process - which solves the core issue (requesting 4 domains that are invalid, which ends up blocking you from further Lets Encrypt requests)

1 Like

Only posting here fo readers having problems a kind of workarround.
If you use upfront ( temp) a external DNS service provider to configure dns then use that, also for all needed “sub” domains.
Take care of the TLS times that dns is resolvin every thing.

This is only workarround.

If using external dns as default then you have to take care that all is resolving well upfront, then there should be no problems i think right?

(Sofar my own experience (not this new version setup) was when dns wasn’t resolving yet then problems.) ( also then the browser cache, htts if it was set before once for that domain , dns cache , dnssec…and so on…)

Yeah, you could set all the subdomains up - but we have never used any of them. We just plain don’t want them at all (the mail. etc). While we can change the option on “new servers” once Webmin is set up, so that we can provide a manual list - we can not do that in the wizard. You can’t tell it “just the TLD”.

@Jamie as we discussed earlier today, this would only break if you use mydom.com:10000 in URL and mydom.com as default domain in the wizard. The reason is that miniserv.conf gets a new SNI records, for that new default domain, like ipcert_mydom.com... and when Webmin configuration is applied, miniserv starts serving this newly self-generated certificate. This is where a new confirmation is required on the browser side to continue using the page.

The best solution in my opinion is simply not to restart Webmin at this point, and continue serving existing self-signed certificate.

I’ll take another look at this, and update this ticket with findings…

As I don’t use the Host default domain other than for managing the server, I found it best to select to make a new self certificate, then once the wizard is finished, I disable DNS and then run LE and it just gets a certificate for the domain without all the alias’ eg webmail etc - which otherwise fail.
I also have my DNS on a separate dedicated server.
So it now works for me as it is, but I can see that other people might want the LE to work in the Wizard.

Oh, wait! We mustn’t add to a default domain any aliases! I wasn’t aware that we’re still doing it, as I remember we already discussed it in the past and I though we stopped adding any aliases to a default domain!

@Jamie, also, as we now support Cloud DNS Providers, I assume it would make sense to ask on the wizard if a user hosts DNS locally or using Cloudflare, Google Cloud DNS or Amazon Route 53. If the DNS hosted locally, then go straight to default domain setup, but in case of cloud DNS provider, let a user to configure it on the next wizard step? What do you think about it?

1 Like

Setting up a cloud DNS provider is a complex process though, which I don’t think is suited to the wizard (and is generally done later).

1 Like

FYI, I just checked in a fix that will prevent the original issue of re-generating a self-signed cert for Webmin from happening.

1 Like