I do stand slightly corrected, as I just found out by reading the code a bit more that Virtualmin does in fact call webmin::request_letsencrypt_cert which in turn uses the LetsEncrypt code through Webmin itself (which then does use certbot if it is available).
…But in order to get to that point in the code of Virtualmin, the certificate issuer is checked first, which means it will fail for newer certificates… this also means that it will not try to renew the certificate using certbot (through webmin::request_letsencrypt_cert), because the code to do that will be skipped.
If I’m mistaken, feel free to tell me whatever I’m not understanding correctly. I am eager to learn more about how Virtualmin works behind the scenes.
@synio what OS and version do you have this issue on? I run Debian 10, which I’ve upgraded from Debian 9, and certbot is still working; I had no issues at all. (Also running GPL.)
This is starting to happen for me too on all of my servers. Auto-renew is failing and I discover this, thankfully, by the expiring soon emails from Let’s Encrypt. Manual renew works without problem. Running CentOS Linux 3.10.0-1160.15.2.el7.x86_64 on x86_64; VirtualMin 6.14; WebMin 1.962. Do have certbot installed, version 1.11.0-1.el7.
Hey Joe, thanks for the news that a fix is coming. Do you happen to have any updates here? I’m asking because we have hundreds of sites across hundreds of Vmin-enabled servers and… a very noisy Nagios server warning us about expiring SSL certificates! We’d sure like to know what to expect re: the 6.15 release and whether we’re going to need to mitigate across all of those servers before then. Thanks again!
Goodness, I sure hope the new version is imminent, as we’d certainly prefer that 100x over making that quick and simple change to the code across hundreds of servers.
I don’t know if it’s related, but the CA root is also missing on many of my servers. The browser works OK, but some people using services that connect to the website are getting failures saying there is an authority issue with the cert. I have to manually upload the Let’s Encrypt root cert for each site. I don’t know what sites it’s failing on without doing an SSL check on all sites.
Today was the first time I noticed this. One of my primary virtual servers expired 0 days ago and I just gave a whirl at Virtualmin → Server Configuration → SSL Certificate: Let’s Encrypt [Request Certificate] and all is well for that one until the update happens.
Good to have an update coming. I also have issues with several domains that don’t renew; I do manual updates with them, but some others autorenew fine… maybe it is because of the path where I have certs located? Because I know the path is default for some, but nondefault for others…
For anyone having issues with certificates expiring, you can run the following command on the server to get a list of certificates sorted by expiry date.
virtualmin list-certs-expiry --all-domains
You can then manually request a renewal via Server Configuration / SSL Certificate / Let’s Encrypt on any vhost with a certificate expiring soon.
Much quicker than checking them all manually until 6.15 is released with the fix, if you don’t want to patch it before then.
Noticed the same in a virtual server. Apache vhost had SSLCertificate /home/domain/ssl.cert instead of /home/domain/ssl.combined … don’t know if it applies to every virtual server yet, but it should be the default for all…
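A local audit covering the two problems reported above (certificates close to expiry, and vhosts pointing at a leaf-only ssl.cert instead of ssl.combined), as an added example that is not part of the thread or Virtualmin's own code. It assumes openssl is installed; the function names and the glob in the usage comment are illustrative.

```shell
#!/bin/sh
# Added example: flag PEM files that expire soon or carry no intermediate chain.

# Count certificates in a PEM file (1 = leaf only, >1 = leaf plus chain).
count_pem_certs() {
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Classify the file by how many certificates it bundles.
chain_status() {
    case $(count_pem_certs "$1") in
        0) echo "no-cert" ;;
        1) echo "leaf-only" ;;
        *) echo "with-chain" ;;
    esac
}

# Report whether the first certificate in the file expires within N days.
# Usage: expiry_status FILE [DAYS]   (DAYS defaults to 30)
expiry_status() {
    if ! openssl x509 -in "$1" -noout >/dev/null 2>&1; then
        echo "unparsable"
    elif openssl x509 -in "$1" -noout \
            -checkend "$(( ${2:-30} * 86400 ))" >/dev/null 2>&1; then
        echo "ok"          # still valid N days from now
    else
        echo "expiring"    # expired already, or will within N days
    fi
}

# Print one tab-separated line per readable file: path, chain, expiry.
# Usage: audit_certs DAYS FILE...
audit_certs() {
    days=$1; shift
    for f in "$@"; do
        [ -r "$f" ] || continue
        printf '%s\t%s\t%s\n' "$f" "$(chain_status "$f")" \
            "$(expiry_status "$f" "$days")"
    done
}

# Example invocation (paths follow the /home/domain/ layout quoted above;
# the glob is an assumption about where domains live):
#   audit_certs 30 /home/*/ssl.cert /home/*/ssl.combined
```

A vhost whose configured certificate file reports leaf-only is a candidate for the "authority issue" that non-browser clients hit, since it sends no intermediate certificate.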
I can confirm this just hit one of my servers as well. I set the renewal period to 2 months and it expired. Manually updating the certificate worked. I have patched code as suggested after manually renewing certs.