How to add existing LetsEncrypt cert to Webmin? Etc comments

Operating system: Ubuntu Linux 24.04.3
Webmin version: 2.520

I’ve been unable to configure Webmin to accept an existing LetsEncrypt certificate. Following are some things I’ve tried so far (after Webmin -> Backup Configuration Files).

In /etc/webmin/miniserv.conf I replaced keyfile=/etc/webmin/miniserv.pem with the following.

keyfile=/etc/letsencrypt/live/MYDOMAIN.TLD/privkey.pem
certfile=/etc/letsencrypt/live/MYDOMAIN.TLD/cert.pem
extracas=/etc/letsencrypt/live/MYDOMAIN.TLD/chain.pem

Then sudo systemctl restart webmin.
Restarting webmin failed, so I had to revert to get it to start.
sudo journalctl -xeu webmin.service said “Failed to open SSL cert /etc/letsencrypt/live/MYDOMAIN.TLD/privkey.pem”.

And…

keyfile=/etc/letsencrypt/live/MYDOMAIN.TLD/privkey.pem
certfile=/etc/letsencrypt/live/MYDOMAIN.TLD/fullchain.pem

Same thing.

Side question: Is it possible to add comments to miniserv.conf, and if so how?

I’m a bit afraid to try the above via the web-interface in case it breaks my access and I can’t readily figure out which config files etc got modified incorrectly. At least via the cli it’s clear to me what got changed and how to undo it without breaking more things.

The following is more of a (hopefully constructive) criticism than a question. Please excuse any apparent frustration on my part.

There doesn’t seem to be any documentation for Webmin which covers the above scenario. It’s always assumed that the web-interface will be used to request a brand new certificate, or, if using Virtualmin, it appears that a whole new separate user account, login, etc, should be created for it, and for every other domain, website, email, etc, that gets added. Unfortunately requesting a cert via Webmin/Virtualmin also means that if for any reason one decides to no longer use Webmin/Virtualmin at some point (eg. sudo systemctl stop webmin, sudo systemctl disable webmin, etc), then certificate renewals would stop and potentially break altogether, as well as possibly other associated services which the application likewise handles in a non-standard way and aren’t documented as such.

Moreover, the individual fields and options able to be selected on the Webmin -> Webmin Configuration -> SSL Encryption -> Let's Encrypt page and others are not documented in terms of what they actually do beyond their very terse option labels. If they correspond to the same fields as above in miniserv.conf, then presumably they wouldn’t work as I anticipated. Same goes for Webmin -> Webmin Configuration -> ⚙ -> Let's Encrypt configuration -> Re-use existing Let's Encrypt keys. It’s just assumed that one already knows what all these things do and depend on, or is fine with the cookie-cutter use-case recommended in the existing documentation.

Without some explicit and up-to-date documentation of what’s going on under the hood (and short of reverse engineering a fair chunk of the ~180K lines of Perl 4 code, etc), it seems like selecting the wrong option(s), or entering incorrect information related to TLS could disable further access to the web-interface. Obviously without access to the web-interface, or some parallel documentation of the comparable cli commands, it also wouldn’t be possible to painlessly restore configs from backup when that happens.

I hesitate to imagine what will happen when I try to configure Apache to serve it from behind a reverse proxy, and/or from a directory within another website, so I can close the extra ports or similar to mitigate potential future remote exploits, or anything else whatsoever that isn’t within the limited scope/architecture assumed. I can certainly see a potential benefit to my hosting clients, but the documentation and DevEx still need some work.

$0.02

I finally figured it out. Turns out I’d overlooked that there was a second entry for certfile= and extracas= at the end of /etc/webmin/miniserv.conf which was causing the config for those to be reset to undef.

Also, it is possible to add comments to /etc/webmin/miniserv.conf by using #, but this will be removed from the file (which gets overwritten) each time the webmin web-interface is accessed.

Thanks for everyone’s help with answering my questions. I hope the comments I made prove useful for improving future iterations of the software.

FYI, the corrected config is as follows:

keyfile=/etc/letsencrypt/live/MYDOMAIN.TLD/privkey.pem
certfile=/etc/letsencrypt/live/MYDOMAIN.TLD/cert.pem
extracas=/etc/letsencrypt/live/MYDOMAIN.TLD/fullchain.pem

Lastly, use strict, use warnings and perlcritic are your friends. :wink:
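Added example, not part of the original posts or of Webmin: a shell check for the problem described above, where a repeated certfile= or extracas= line later in miniserv.conf overrides the earlier one. The function names are hypothetical, the sample file is constructed (the empty trailing values are an assumption about what the stray entries looked like), and the check assumes the last occurrence of a key is the effective one, as the post observed.

```shell
#!/bin/sh
# Print "key<TAB>count<TAB>last value" for every key defined more than once.
find_duplicate_keys() {    # $1 = config file
    awk -F= '
        /^[ \t]*#/ || !/=/ { next }        # skip comments and lines without "="
        {
            if (!($1 in count)) order[++n] = $1
            count[$1]++
            last[$1] = substr($0, length($1) + 2)   # text after the first "="
        }
        END {
            for (i = 1; i <= n; i++)
                if (count[order[i]] > 1)
                    printf "%s\t%d\t%s\n", order[i], count[order[i]], last[order[i]]
        }' "$1"
}

# Print the value of the last occurrence of a key (assumed to be the effective one).
effective_value() {        # $1 = config file, $2 = key
    awk -F= -v k="$2" '$1 == k { v = substr($0, length($1) + 2) } END { print v }' "$1"
}

# Report TLS settings whose effective value is empty or not readable by this user.
check_tls_paths() {        # $1 = config file; returns 1 if anything is wrong
    rc=0
    for key in keyfile certfile extracas; do
        path=$(effective_value "$1" "$key")
        if [ -z "$path" ]; then
            echo "$key: empty or missing"; rc=1
        elif [ ! -r "$path" ]; then
            echo "$key: cannot read $path"; rc=1
        fi
    done
    return "$rc"
}

# Constructed sample: the edited entries followed by stray trailing duplicates.
sample=$(mktemp)
cat > "$sample" <<'EOF'
keyfile=/etc/letsencrypt/live/MYDOMAIN.TLD/privkey.pem
certfile=/etc/letsencrypt/live/MYDOMAIN.TLD/cert.pem
extracas=/etc/letsencrypt/live/MYDOMAIN.TLD/fullchain.pem
certfile=
extracas=
EOF
find_duplicate_keys "$sample"
check_tls_paths "$sample" || echo "TLS settings need attention before restarting webmin"
rm -f "$sample"
```

Against the real file, run the functions as root (for example `find_duplicate_keys /etc/webmin/miniserv.conf`), since /etc/letsencrypt/live is normally readable only by root.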

Why not just use “Webmin ⇾ Webmin Configuration: SSL Encryption / Upload Certificate” page?

The certificate is already on the system with secure permissions. To use the web-form would involve copying it to another directory, changing its ownership, downloading it to my PC, opening the various .pem files in a text editor and then cut/paste into the form. And that’s presuming I get it right the first time and don’t disable my access to the web-interface without knowing how to backtrack. As opposed to just changing 3 values in a text file. I also wasn’t sure how that would be affected when the certificate expires (ie. would this need to become a regular routine).

I had also considered getting Webmin to register the cert in the first place, but since I’m still just evaluating whether or not this will be a good fit for my needs, I didn’t want having Webmin/Virtualmin running to be a hard dependency when it comes time for renewal. I’d really just rather have certbot handle it as normal, because it’s well documented and I have sufficient experience to manage that effectively. In fact that’d be my preference for all the domains I plan to serve from that machine.

Incidentally, have you ever tried sudo perl -cw /usr/share/webmin/miniserv.pl or sudo perl -Mstrict -cw /usr/share/webmin/miniserv.pl?