Guide to install FREE SSL certificate from Letsencrypt on Virtualmin & Webmin. 100% working.

There are additional providers beginning to offer completely free SSL certificates, but Let’s Encrypt changed the landscape in how they’re offering their service.

The guide you linked to describes a series of steps to obtain a free SSL cert (and, to my knowledge, those free certs are only available in certain cases).

There aren’t any steps to follow in using Virtualmin’s Let’s Encrypt support. It’s simply, click the Let’s Encrypt button, and you’re finished. No creating an account on a remote system, no emails, no manual validation, no manual renewals. It’s all immediate and automatic. Validation is handled automatically as part of their protocol. Renewals occur automatically after several months.

They really have greatly simplified the SSL process.

-Eric

LE made it possible for me to offer easy, free ssl basic ssl connections. Most of my clients opt for my second level product because free ssl is part of the package. My cost driven clients do not get that among a few other perks. Beforehand free ssl was a PITA now it is simply a checkbox… :)

When using virtualmin and webmin with nginx the following error occurs when trying to install Let’s Encrypt certificate for webmin administration interface via “Webmin -> Webmin -> Webmin Configuration -> SSL Encryption” menu -> “Let’s Encrypt”. Although adding Let’s Encrypt for virtualmin nginx virtual host works at a glance.

Failed to request certificate : No virtual host matching apraft.com was found

Thank you so much for making this task a breeze!!

Maybe I can contribute a bash script, crongen, I made to output the line for crontab

just cd /root
touch crongen.sh
chmod +x crongen.sh
paste below contents and update the vars
./crongen.sh

remove the dash (added because of MD data)

-#!/bin/sh

EMAIL="your@email.com"

HOMEFOLDER="xxx" # where xxx is your /home/xxx/public_html

DOMAIN="iot.fastcrud.com" # domain to register

echo "01 3 1 * * cd /root/letsencrypt/ && ./letsencrypt-auto certonly --email $EMAIL --agree-tos --webroot --renew-by-default -w /home/$HOMEFOLDER/public_html/ -d $DOMAIN --authenticator webroot && cp /etc/letsencrypt/live/$DOMAIN/cert.pem /home/$HOMEFOLDER/ssl_certificates/cert.pem && cp -f /etc/letsencrypt/live/$DOMAIN/chain.pem /home/$HOMEFOLDER/ssl_certificates/chain.pem && cp -f /etc/letsencrypt/live/$DOMAIN/fullchain.pem /home/$HOMEFOLDER/ssl_certificates/fullchain.pem && cp -f /etc/letsencrypt/live/$DOMAIN/privkey.pem /home/$HOMEFOLDER/ssl_certificates/privkey.pem"

I get the following error when running this on Debian 8:

An unexpected error occurred:
Bug in pythondialog: expected an empty output from u'infobox', but got: u'Error opening terminal: unknown.\n'
Please see the logfile 'certbot.log' for more details.

There is a bug in letsencrypt 0.9.x with python’s dialog module. Simple fix: just add -n before the first -d in your crontab command and it will not need to run interactively and not use dialog…

But what about mail?

My little version done by root, I had a general install for all the devices, and find and replace works better.

Also was asking to replace the files, I used the escape character \cp -f

Tip: Start the find and replace with MYUSERNAMEFORDOMAIN

cd /root/ && git clone https://github.com/letsencrypt/letsencrypt

mkdir /home/MYUSERNAMEFORDOMAIN/ssl_certificates

01 3 1 * * cd /root/letsencrypt/ && ./letsencrypt-auto certonly --text --email info@MYDOMAIN --agree-tos --webroot --renew-by-default -w /home/MYUSERNAMEFORDOMAIN/public_html/ -d www.MYDOMAIN -d MYDOMAIN --authenticator webroot && \cp /etc/letsencrypt/live/www.MYDOMAIN/cert.pem /home/MYUSERNAMEFORDOMAIN/ssl_certificates/cert.pem && \cp -f /etc/letsencrypt/live/www.MYDOMAIN/chain.pem /home/MYUSERNAMEFORDOMAIN/ssl_certificates/chain.pem && \cp -f /etc/letsencrypt/live/www.MYDOMAIN/fullchain.pem /home/MYUSERNAMEFORDOMAIN/ssl_certificates/fullchain.pem && \cp -f /etc/letsencrypt/live/www.MYDOMAIN/privkey.pem /home/MYUSERNAMEFORDOMAIN/ssl_certificates/privkey.pem && chown -R MYUSERNAMEFORDOMAIN:MYUSERNAMEFORDOMAIN /home/MYUSERNAMEFORDOMAIN/ssl_certificates

Regards.
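The two cron lines posted above copy the renewed files one by one with a chain of `cp` commands. The script below is an added example, not code from the thread or from Virtualmin: it copies the same four files only when the whole set is present, renames each into place atomically, and keeps `privkey.pem` readable by its owner only. The function name `deploy_certs` and its arguments are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the thread): deploy a renewed Let's Encrypt file set
# into a site's ssl_certificates directory.
# Usage: deploy_certs LIVE_DIR DEST_DIR [OWNER]
#   LIVE_DIR  e.g. /etc/letsencrypt/live/www.MYDOMAIN
#   DEST_DIR  e.g. /home/MYUSERNAMEFORDOMAIN/ssl_certificates
#   OWNER     optional user (and group of the same name) to own the copies

# The body runs in a subshell ( ... ), so umask and exit stay local to the call.
deploy_certs() (
    src=$1 dst=$2 owner=${3:-}
    files="cert.pem chain.pem fullchain.pem privkey.pem"

    # Touch nothing unless every file is present and non-empty, so a failed
    # renewal never leaves a new certificate next to an old key.
    for f in $files; do
        [ -s "$src/$f" ] || { echo "missing or empty: $src/$f" >&2; exit 1; }
    done

    umask 077                      # temporary copies start out private
    mkdir -p "$dst" || exit 1

    for f in $files; do
        case $f in
            privkey.pem) mode=600 ;;   # key: owner only
            *)           mode=644 ;;   # certificates are public data
        esac
        # Copy under a temporary name, set mode and owner, then rename.
        # A rename inside one directory is atomic: no reader sees half a file.
        cp "$src/$f" "$dst/.$f.new" || exit 1
        chmod "$mode" "$dst/.$f.new" || exit 1
        if [ -n "$owner" ]; then
            chown "$owner:$owner" "$dst/.$f.new" || exit 1
        fi
        mv -f "$dst/.$f.new" "$dst/$f" || exit 1
    done
)

# Run only when called with arguments, e.g. from the cron line after renewal.
[ $# -eq 0 ] || deploy_certs "$@"
```

In a cron line this would replace the chain of `cp` and `chown` commands after the `letsencrypt-auto` call.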

OP,

Please write in your original post that Virtualmin now does this all automatically!

Just go to your virtual server: Server Configuration -> Manage SSL Certificates -> Let’s Encrypt.

Indeed. The more recent versions of Virtualmin appear to have automated whatever this whole discussion is about.

Just go into Virtualmin > Server Configuration > Manage SSL > Let’s Encrypt and hit “Request Certificate”.

Setting up a number of months between automatic renewals seems to do the cron job you’re asking about.

One question I do have is: Do I need to add smtp.domain.com or imap.domain.com in the LE domain list in order to enable SSL in my e-mails? Or should this happen automatically in Virtualmin just with the regular LE request?

Thanks!

azcugaga,

Did you ever find an answer to this question?

hi,

Can this work when using nginx instead of apache ?

“Can this work when using nginx instead of apache ?”

I’m using nginx + fpm plugin by kintaro1981 (https://github.com/Real-Gecko/virtualmin-nginx-fpm) and the answer is yes, at least the certificate installation process seemed to work without errors. However in looking over the files in /etc/nginx/sites-available I didn’t see any changes. That makes sense until you go back to the “Manage SSL Certificates” panel and tell Virtualmin how to use the certs created by LetsEncrypt. I clicked all of the “Copy to xxxxx” buttons and sure enough I was asked to authenticate, since I was using the IP address instead of the domain name in my Webmin session. After all buttons were clicked the “Manage SSL Certificate” page now says:

This SSL certificate is already being used by : Webmin, ProFTPD, Usermin, Postfix, Dovecot,

however the default website for the domain does not. I have also yet to verify if email with SSL is working.

The fpm plugin prohibits the use of nginx-website & nginx-website-ssl features. Using nginx instead of apache2 prohibits use of “SSL Website”, but LetsEncrypt still worked with only the nginx-fpm feature enabled, once I fixed my location block exclusion below.

I did find an issue with a location rule intended to block access to “dot” files such as apache’s .htaccess:

location ~ (^|/)\. {    # <------ Append htaccess after the .
    return 403;
}

I simply made the match explicit to .htaccess and it worked without issues on my GPL 5.07 Virtualmin installation.
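Webroot validation serves its token from `/.well-known/acme-challenge/`, a path that starts with a dot, which is why the rule above interferes with the certificate request. The script below is an added example, not part of the original post: it uses `grep -E` as a stand-in for nginx regex matching to compare the broad rule, the `.htaccess`-only fix, and a third option that keeps the broad rule but exempts the challenge directory with a `^~` prefix location. The policy names and sample paths are constructed for this example.

```shell
#!/bin/sh
# Added example: which request paths does each form of the dot-file rule refuse?
# grep -E stands in for nginx's regex matching; these patterns mean the same in both.

BROAD='(^|/)\.'                # any path component that starts with a dot
NARROW='(^|/)\.htaccess'       # the post's fix: only .htaccess
ACME_PREFIX='/.well-known/acme-challenge/'   # where webroot validation puts its token

matches() { printf '%s\n' "$2" | grep -Eq -- "$1"; }

# decide POLICY PATH  -> prints "403" or "pass"
decide() {
    case $1 in
        broad)  pattern=$BROAD ;;
        narrow) pattern=$NARROW ;;
        exempt) # models `location ^~ /.well-known/acme-challenge/ { }` placed beside
                # the broad rule: a matching ^~ prefix stops nginx from trying regexes
                case $2 in "$ACME_PREFIX"*) echo pass; return 0 ;; esac
                pattern=$BROAD ;;
        *) echo "unknown policy: $1" >&2; return 2 ;;
    esac
    if matches "$pattern" "$2"; then echo 403; else echo pass; fi
}

# Constructed sample paths, not taken from any real server.
for p in /index.html /.well-known/acme-challenge/constructed-token \
         /.htaccess /blog/.htaccess /.git/config /.env; do
    printf '%-48s broad=%s narrow=%s exempt=%s\n' "$p" \
        "$(decide broad "$p")" "$(decide narrow "$p")" "$(decide exempt "$p")"
done
```

The `.htaccess`-only rule lets the challenge through but no longer refuses other dot files such as `/.git/config` or `/.env`; the exempt policy keeps those blocked.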

This is all done through the Virtualmin interface now!

Just click on Server Configuration->Manage SSL Certificate

then click on the “Let’s Encrypt” tab

subscribing.

thanks for this great tutorial, worked perfectly for me

I just use ‘domain.com’ for the mail incoming and outgoing server name. SSL sorted ;o)
is it ok to do it this way ?

I have used StartSSL in the past. However, the company was sold to a Chinese SSL provider who has become no longer recognized by Google Chrome, Microsoft and other popular web browsers due to issues of back-dating of certs or some such. StartSSL is now owned by a Chinese security software and services company, the one that provides 360 Total Security software for PC and mobile devices. They have said that they are in the process of regaining cert status with leading browsers and others but have not yet done so. They had said this would happen by April of 2017.
I hope they do because StartSSL offered the lowest price for corporate level certificates and had other features not (yet) provided by Letsencrypt including wildcard certs. That would allow the TLD to be certified with subdomains included under the wildcard. Their certs also worked for one or two years, depending on the type. You could certify specific email addresses and servers separately, which allowed hosting email servers more independent. The biggest benefit was the cost was less… company certs are expensive… think about it - the process can be automated once the identity of the site or business owner has been verified. Although business verification requires such things as sending of certified mail to the address of the business as registered in the business license, the process should not be so expensive.
Until StartSSL is recertified with the major web browsers it is best to not try to use them.

You can include subdomains like smtp.domain.com in the request form. That seems to work just fine. Then you need to go back to Virtualmin>server configuration>manage SSL certificate and click on copy to Postfix and copy to Dovecot for those to make use of the cert. I have done that without using smtp.domain.com specified in the letsencrypt request, however, that could be a problem if the receiving server has strict requirements. You may want to look up Google requirements - they are among the strictest for conformance to the standard. Their docs may specifically say what the cert needs to include as subdomains.

Hi…
I haven’t understood… This works only for 90 days…?
And at the end of 90 days…?

If I install on principal domain, this is applied to the sub-domains?

Use admin to generate update cert

You can change the months to 12