Let's Encrypt in New Server Wizard - results in no "www" certificate

SYSTEM INFORMATION
OS type and version: Debian 11
Webmin version: 2.021
Virtualmin version: 7.7
Related packages: Letsencrypt

The way I understand it, as long as I have “www” configured as an “A” record at my external DNS server (as opposed to Virtualmin’s internal one), Letsencrypt should not have any issue.

But the issue with Virtualmin is that:

  1. When running the wizard for the first time on a completely new install, it only successfully pulls a certificate with Letsencrypt for the base domain without the “www”. I would like to also have it for the “www”.

  2. The Letsencrypt magic sauce script which uses file-based authentication is not something you can run manually. If you switch to the Letsencrypt tab in the SSL settings, sure you can manually run a request, but it’s only going to use DNS based authentication, which is always going to fail because there’s no mechanism in Virtualmin to facilitate that.

  3. The SSL setting in Webmin (as opposed to in Virtualmin) is irrelevant, because it expects a real virtual server when being asked to pull a certificate… Is that a good idea? - as in removing “www” as a directive from the apache config and setting it up as its own virtual server on port 80 and 443 with the same root as the base virtual server?

This issue has come up here before from time to time, and it seems to have persisted through the years. Yes, I suppose I can just do it without virtualmin once I learn how to use certbot, but I’ll resort to that if no one knows anything or I am told I am doing things wrong, which I am most certainly not.

Thanks

The hostname of your system should not be a name you are using for websites. It’s the system hostname. This is covered in the installation docs: “The name of the system can be anything you want, but it must be fully qualified and should not match a name you’ll be hosting mail for. For example, if you have domain virtualmin.com you might name the server srv1.virtualmin.com or ns1.virtualmin.com. What name you choose is unimportant, but it must be fully qualified, it must not match a domain you’ll be managing in Virtualmin, and it must resolve, for several mail operations to work correctly.”

This is one of the several reasons the docs tell you not to name your system the same thing as a name you’ll be managing in Virtualmin.

I continue to think this first default domain in Virtualmin is a mistake due to confusion like this, but I haven’t yet convinced Ilia and Jamie of that. (And, it does serve some users who have a hard time with the first few steps of setting up a system and getting an SSL certificate, but I think it automatically does stuff not everyone wants/likes enough of the time and fails enough of the time for new users that it is not worth the cost.)

But, even without this first “automatic” domain, you still should not name your server the same as a domain you’re managing in Virtualmin. Virtualmin manages virtual hosts in all of its services. It is helpful (and occasionally necessary) to have some other name for the system itself.

Edit: I guess now that we have this automatic domain, I need to add that it’s a problem even if you aren’t using the name for mail, because of the problem you’ve found.

Thanks, I greatly appreciate that information – I was completely unaware of it… I wonder if it had something to do with #578 I posted on GitHub. It doesn’t hurt to try… Time to re-deploy Debian 11.

FWIW, someone did post a temporary solution, and I did try to incorporate it into the new letsencrypt-lib.pl, but it had no effect (because I may not have done it correctly). See here:

I managed to get the Letsencrypt request working properly from the interface. I will try to replicate the success again on a different install for a sanity check. More to follow…
