How to configure SSL for Dovecot/Postfix manually?

When using a self-signed cert you simply ‘copy to dovecot’/postfix, but how do you automate or set that up for a letsencrypt (or similar) cert?

You mean on creation. Virtualmin configuration has the settings,

Is this not automated already by default? I never had to do anything for it and SSL for email has always worked fine with the letsencrypt certs?

Only one time I had to activate it, for some reason, at a later moment. This was just via Virtualmin → Server Configuration → SSL Certificate → Current Certificate and then click the button below: Copy SSL Certificate to services. And like that, it worked.

Yes, correct! It is all automated by default. @Brook You don’t need to do anything else!

Thanks everyone - anyone know which files need to be copied where?

I think I know why it’s not working. We use a script that handles the letsencrypt renewals because HAProxy handles the serving of http/s (this is because we also use docker to serve some sites). The script runs daily and then copies any renewed files to HAProxy before restarting it.

Here’s the code responsible:

  class CertRenewer
    def initialize(domains)
      @list_of_domains_requiring_renewal = domains
      @msgs = []
    end

    # HAProxy wants one PEM per domain: full chain followed by the private key.
    def create_combined_files
      @msgs << "Creating combined files... \n"
      @list_of_domains_requiring_renewal.each do |domain|
        fullchain = File.read("/etc/letsencrypt/live/#{domain}/fullchain.pem")
        privkey = File.read("/etc/letsencrypt/live/#{domain}/privkey.pem")
        # 0600: the combined file contains the private key, so keep it root-only
        File.open("/etc/haproxy/certs/#{domain}.pem", "w", 0600) do |f|
          f.write(fullchain)
          f.write(privkey)
        end
        @msgs << "Finished creating combined_file for #{domain}... \n"
      end
    end
  end

Should I also copy the combined file to the following?

/home/DOMAIN/ssl.combined

Will that be enough for Dovecot and Postfix or does it (or something else) have to be copied anywhere else as well?

You can see where Virtualmin configures SSL certificates by going to System Settings ⇾ Server Templates: SSL website for domain page.

Virtualmin writes out a file containing both the domain and CA SSL website to ssl.combined file.

Hi @Ilia, looking at System Settings ⇾ Server Templates ⇾ Default Templates (or Settings For Sub-Servers) there is no SSL website for domain in the drop down (there is a Website for domain drop down item but no SSL website for domain)

The server is using Virtualmin version 6.16 - should I be looking somewhere else or does another option need to be active somewhere else first?

Is there a reason that this is so out of date?

I think it’s because on this server we need older versions of PHP (can’t remember now whether upgrading VM also upgrades PHP)

PHP updates come from your OS updates.

Virtualmin can handle multiple versions of PHP for websites with different needs.

What Operating system is on the server and what version?

It’s on CentOS 7 @Randomz

Tried to do an update and it failed (wonder if a mod can split this post and the one above into a new thread please?)

Here’s the error message:

One of the configured repositories failed (Virtualmin Distribution Neutral Packages),
and yum doesn’t have enough cached data to continue. At this point the only
safe thing yum can do is fail. There are a few ways to work “fix” this:

 1. Contact the upstream for the repository and get them to fix the problem.

 2. Reconfigure the baseurl/etc. for the repository, to point to a working
    upstream. This is most often useful if you are using a newer
    distribution release than is supported by the repository (and the
    packages for the previous distribution release still work).

 3. Run the command with the repository temporarily disabled
        yum --disablerepo=virtualmin-universal ...

 4. Disable the repository permanently, so yum won't use it by default. Yum
    will then just ignore the repository until you permanently enable it
    again or use --enablerepo for temporary usage:

        yum-config-manager --disable virtualmin-universal
    or
        subscription-manager repos --disable=virtualmin-universal

 5. Configure the failing repository to be skipped, if it is unavailable.
    Note that yum will try to contact the repo. when it runs most commands,
    so will have to try and fail each time (and thus. yum will be be much
    slower). If it is a very temporary problem though, this is often a nice
    compromise:

        yum-config-manager --save --setopt=virtualmin-universal.skip_if_unavailable=true

failure: repodata/883e4468ae0bdea7f31cb76d63e9f67a75cc7d858a3f26f8ea4e2b62b44c235a-filelists.sqlite.bz2 from virtualmin-universal: [Errno 256] No more mirrors to try.
http://software.virtualmin.com/vm/6/gpl/universal/repodata/883e4468ae0bdea7f31cb76d63e9f67a75cc7d858a3f26f8ea4e2b62b44c235a-filelists.sqlite.bz2: [Errno 14] HTTP Error 404 - Not Found

That repo isn’t anything like what my systems use.

Suggest to first take a full backup or snapshot if you can.

Do the OS update with the repo temporarily disabled.

Fix the repo - this thread may help.

Then update again to bring Virtualmin up to date.

That is not a reason to use an old Virtualmin version. There is no connection between Virtualmin version and PHP versions. (The installer also does not determine versions. Installing with an old Virtualmin install script does not result in old PHP versions.)

There are two maintained repos. /vm/6 and /vm/7; they have different layouts to accommodate adding more OSes (since CentOS sort of fragmented into a bunch of EL distros, among other things, we needed to care less about the distro name and more about the packages) more easily. Both work fine, and there is no reason to change a /vm/6 system to the newer one at this point (6 repos will be maintained until some time after the release of Virtualmin 8).

@Brook you probably just need to do yum clean all and yum update again.

Just tried that and now I get:

# yum clean all
Loaded plugins: fastestmirror
Cleaning repos: base centos-sclo-rh centos-sclo-sclo docker-ce-stable epel
              : extras nodesource passenger pgdg-common pgdg10 pgdg11 pgdg12
              : pgdg13 pgdg96 updates virtualmin virtualmin-universal
Cleaning up list of fastest mirrors

# yum update
Loaded plugins: fastestmirror
Determining fastest mirrors
epel/x86_64/metalink                                     |  32 kB     00:00     
 * base: mirror.checkdomain.de
 * centos-sclo-rh: mirror1.hs-esslingen.de
 * centos-sclo-sclo: mirror.netcologne.de
 * epel: mirror.de.leaseweb.net
 * extras: mirror1.hs-esslingen.de
 * updates: mirror1.hs-esslingen.de
base                                                     | 3.6 kB     00:00     
centos-sclo-rh                                           | 3.0 kB     00:00     
centos-sclo-sclo                                         | 3.0 kB     00:00     
docker-ce-stable                                         | 3.5 kB     00:00     
epel                                                     | 4.7 kB     00:00     
extras                                                   | 2.9 kB     00:00     
nodesource                                               | 2.5 kB     00:00     
passenger/7/x86_64/signature                             |  833 B     00:00     
passenger/7/x86_64/signature                             | 2.9 kB     00:00 !!! 
pgdg-common/7/x86_64/signature                           |  198 B     00:00     
pgdg-common/7/x86_64/signature                           | 2.9 kB     00:00 !!! 
https://download.postgresql.org/pub/repos/yum/10/redhat/rhel-7-x86_64/repodata/repomd.xml: [Errno 14] HTTPS Error 404 - Not Found
Trying other mirror.
To address this issue please refer to the below wiki article 

https://wiki.centos.org/yum-errors

If above article doesn't help to resolve this issue please use https://bugs.centos.org/.



 One of the configured repositories failed (PostgreSQL 10 for RHEL/CentOS 7 - x86_64),
 and yum doesn't have enough cached data to continue. At this point the only
 safe thing yum can do is fail. There are a few ways to work "fix" this:

     1. Contact the upstream for the repository and get them to fix the problem.

     2. Reconfigure the baseurl/etc. for the repository, to point to a working
        upstream. This is most often useful if you are using a newer
        distribution release than is supported by the repository (and the
        packages for the previous distribution release still work).

     3. Run the command with the repository temporarily disabled
            yum --disablerepo=pgdg10 ...

     4. Disable the repository permanently, so yum won't use it by default. Yum
        will then just ignore the repository until you permanently enable it
        again or use --enablerepo for temporary usage:

            yum-config-manager --disable pgdg10
        or
            subscription-manager repos --disable=pgdg10

     5. Configure the failing repository to be skipped, if it is unavailable.
        Note that yum will try to contact the repo. when it runs most commands,
        so will have to try and fail each time (and thus. yum will be be much
        slower). If it is a very temporary problem though, this is often a nice
        compromise:

            yum-config-manager --save --setopt=pgdg10.skip_if_unavailable=true

failure: repodata/repomd.xml from pgdg10: [Errno 256] No more mirrors to try.
https://download.postgresql.org/pub/repos/yum/10/redhat/rhel-7-x86_64/repodata/repomd.xml: [Errno 14] HTTPS Error 404 - Not Found

Think I might come back to this server in a few weeks - can we move these posts to a new thread please? (I’ll post about the original topic in the next post)

I ended up trying it on another server and this works - thank you!

Coming back to this thread following further info from another thread.

@Ilia, could you please confirm that we just need the ssl.combined file as per your post in this thread please?

I am asking because after @Joe’s comment in the other thread and looking through Postfix and Dovecot it appears we need to manually create the following entries as well?

1) Webmin > Servers > Postfix > Certificate Mapping

domain.com
/home/domain.com/ssl.key,/home/domain.com/ssl.cert,/home/domain.com/ssl.ca

And

.domain.com
/home/domain.com/ssl.key,/home/domain.com/ssl.cert,/home/domain.com/ssl.ca

2) Webmin > Servers > Dovecot > Edit Config Files

Add to the bottom:

local_name *.domain.com {
  ssl_cert = </home/domain.com/ssl.combined
  ssl_key = </home/domain.com/ssl.key
}

I’d be grateful if someone could please confirm that in order to make sending and receiving secure mail via Dovecot and Postfix work we need to:

  • Create entries as per (1) above.
  • Add to config file as per (2) above.
  • Create an ssl-combined file and copy it to /home/domain.com/

Or would we also need to:

  • Create a ssl.key file and copy it to /home/domain.com/
  • Create a ssl.cert file and copy it to /home/domain.com/
  • Create a ssl.ca file and copy it to /home/domain.com/
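The comma-separated key,cert,chain value in the Postfix mapping rows above is the value format of Postfix's tls_server_sni_maps lookup table. As an added example (not from the thread or from Virtualmin), this is what the equivalent main.cf entry and map file look like, with domain.com standing in for a real domain. Two caveats a practitioner should know: tls_server_sni_maps only exists in Postfix 3.4 and newer (the stock Postfix on CentOS 7 is 2.10, which has no per-domain certificate mapping at all), and the map must be built with postmap -F, which embeds the PEM file contents, including the private key, into the .db file, so that file has to stay root-only.

```conf
# /etc/postfix/main.cf (added example, Postfix >= 3.4 required)
tls_server_sni_maps = hash:/etc/postfix/sni_maps

# /etc/postfix/sni_maps -- the same two rows as Webmin's Certificate Mapping page.
# Key is the SNI name a client sends; ".domain.com" matches any subdomain.
# Value is key,cert,chain in that order.
domain.com   /home/domain.com/ssl.key,/home/domain.com/ssl.cert,/home/domain.com/ssl.ca
.domain.com  /home/domain.com/ssl.key,/home/domain.com/ssl.cert,/home/domain.com/ssl.ca

# Build the table. -F makes postmap read the listed files and store their
# contents (not the paths), so rebuild it after every renewal and keep it 0600:
#   postmap -F hash:/etc/postfix/sni_maps
#   chmod 600 /etc/postfix/sni_maps.db
#   postfix reload
```

Because the key material is copied into sni_maps.db at postmap time, a renewal that only replaces /home/domain.com/ssl.key does nothing for Postfix until postmap -F is run again; a deploy hook that forgets this serves the expired certificate.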

Ok so there are two ways:

First in answer to the original question:

Note: This is for those not using Virtualmin’s built in letsencrypt script.

You can either

1) Virtualmin > System Settings > Server Templates > SSL Website for Domain

Then choose custom paths and enter the letsencrypt paths for:

  • Template for private key path → /etc/letsencrypt/live/${DOM}/privkey.pem
  • Template for certificate path → /etc/letsencrypt/live/${DOM}/cert.pem
  • Template for CA certificate path → /etc/letsencrypt/live/${DOM}/chain.pem
  • Template for combined certificate path → /etc/letsencrypt/live/${DOM}/fullchain.pem
  • Template for key and certificates path (<<not sure about this one - is it needed?)

If you’re using your own letsencrypt script, just make sure on domain/account creation you don’t create the certs with that option.

2) Just copy the letsencrypt files to /home/domain.com/ named as Virtualmin expects

I.e:

DOMAIN='NAMEHERE.com' sudo -E bash -c 'cp /etc/letsencrypt/live/$DOMAIN/privkey.pem /home/$DOMAIN/ssl.key'
DOMAIN='NAMEHERE.com' sudo -E bash -c 'cp /etc/letsencrypt/live/$DOMAIN/cert.pem /home/$DOMAIN/ssl.cert'
DOMAIN='NAMEHERE.com' sudo -E bash -c 'cp /etc/letsencrypt/live/$DOMAIN/chain.pem /home/$DOMAIN/ssl.ca'
DOMAIN='NAMEHERE.com' sudo -E bash -c 'cp /etc/letsencrypt/live/$DOMAIN/fullchain.pem /home/$DOMAIN/ssl.combined'

Second, how to configure accounts/domains that you have restored from an older server

Do one of the above AND make sure there are entries/mappings in:

1) Webmin > Servers > Postfix > Certificate Mapping

domain.com
/home/domain.com/ssl.key,/home/domain.com/ssl.cert,/home/domain.com/ssl.ca

And

.domain.com
/home/domain.com/ssl.key,/home/domain.com/ssl.cert,/home/domain.com/ssl.ca

2) Webmin > Servers > Dovecot > Edit Config Files (dovecot.conf)

Add to the bottom:

local_name *.domain.com {
  ssl_cert = </home/domain.com/ssl.combined
  ssl_key = </home/domain.com/ssl.key
}

If anyone thinks any of this is incorrect please let me know or update this post.
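The four cp lines in option (2) above, turned into something a renewal script can call. This is an added example, not the thread author's script and not Virtualmin code. It assumes the certbot layout /etc/letsencrypt/live/DOMAIN and the Virtualmin home /home/DOMAIN (both overridable through LE_ROOT and HOME_ROOT for testing); it only replaces files whose content changed, so the caller can reload Postfix and Dovecot only when necessary, it keeps ssl.key at 0600 because Postfix and Dovecot read it as root, and it checks that the key actually belongs to the certificate before anything is reloaded, which catches the common failure of a key and cert copied from different renewals. The function and variable names are mine; the reload commands at the bottom assume a systemd host.

```shell
#!/bin/sh
# Added example: copy certbot output into the file names Virtualmin expects.
LE_ROOT="${LE_ROOT:-/etc/letsencrypt}"   # certbot's "live" parent (assumption)
HOME_ROOT="${HOME_ROOT:-/home}"          # Virtualmin domain homes (assumption)

# sync_le_to_virtualmin DOMAIN
# Returns 0 if a file was updated, 1 if everything was already current,
# 2 if a source or destination is missing (nothing is written in that case).
sync_le_to_virtualmin() {
  domain="$1"
  live="$LE_ROOT/live/$domain"
  dest="$HOME_ROOT/$domain"
  [ -d "$live" ] || { echo "no certbot directory for $domain" >&2; return 2; }
  [ -d "$dest" ] || { echo "no home directory for $domain" >&2; return 2; }
  for pair in privkey.pem:ssl.key cert.pem:ssl.cert chain.pem:ssl.ca fullchain.pem:ssl.combined; do
    [ -r "$live/${pair%%:*}" ] || { echo "missing $live/${pair%%:*}" >&2; return 2; }
  done
  changed=1
  for pair in privkey.pem:ssl.key cert.pem:ssl.cert chain.pem:ssl.ca fullchain.pem:ssl.combined; do
    src="$live/${pair%%:*}"
    dst="$dest/${pair##*:}"
    # cmp fails when dst is absent or differs; only then write a new copy
    if ! cmp -s "$src" "$dst" 2>/dev/null; then
      tmpf="$dst.tmp.$$"
      # create the temp copy with a restrictive umask, then rename atomically
      (umask 077 && cp "$src" "$tmpf") && mv -f "$tmpf" "$dst" || return 2
      changed=0
    fi
  done
  # The private key must not be world-readable; the public parts may be.
  chmod 600 "$dest/ssl.key"
  chmod 644 "$dest/ssl.cert" "$dest/ssl.ca" "$dest/ssl.combined"
  return $changed
}

# verify_pair KEYFILE CERTFILE
# Succeeds when the certificate's public key matches the private key.
# Without openssl the check is skipped (returns 0) rather than blocking a renewal.
verify_pair() {
  command -v openssl >/dev/null 2>&1 || return 0
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
  c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# Usage: sync-le-to-virtualmin.sh domain1 [domain2 ...]
if [ "$#" -gt 0 ]; then
  reload=1
  for d in "$@"; do
    sync_le_to_virtualmin "$d"; rc=$?
    [ "$rc" -eq 2 ] && exit 2
    [ "$rc" -eq 0 ] && reload=0
    verify_pair "$HOME_ROOT/$d/ssl.key" "$HOME_ROOT/$d/ssl.cert" \
      || { echo "key/certificate mismatch for $d, not reloading" >&2; exit 2; }
  done
  if [ "$reload" -eq 0 ]; then
    systemctl reload postfix   # assumes systemd; adjust for your init system
    systemctl reload dovecot
  fi
fi
```

Run it after certbot from the same daily job that feeds HAProxy, listing the Virtualmin domains; a domain whose home directory does not exist is reported and skipped with exit code 2 instead of silently creating files under /home. Note that ssl.combined here is certbot's fullchain.pem (certificate plus chain, no key), which is what Virtualmin's own ssl.combined contains and what the Dovecot ssl_cert line above expects.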

You don’t need to change anything manually for SSL with Let’s Encrypt to work. It will just work with default settings in case Virtualmin was installed using virtualmin-install.sh script.

No, we made sure that all defaults already work for users. You don’t need to do anything.

Hi @Ilia

We need to update the thread title - as per my post above I can’t use Virtualmin’s built in system for it (as I use HAProxy on this server so have a custom script which handles SSL - and I’m fairly sure I won’t be the only one doing that).

Maybe a better title would be “How to configure SSL for Dovecot/Postfix manually or without Virtualmin’s letsencrypt system”