I have Virtualmin installed on Ubuntu 16.04.1 with nginx in place of Apache. I activated LetsEncrypt SSL a few months ago, with auto renewal set to 2 months. A few days back, I received a renewal reminder from LetsEncrypt so I logged into Virtualmin and saw that my certificate shows its last renewal date as 2.4 months ago. Thus, it seems the auto update did not work. I was able to trigger a manual update though.
I looked into the Scheduled Cron Jobs and can’t find anything relating to LE inside there. Is there anything wrong with my configuration that doesn’t allow LE to autorenew?
I agree - automatic renewals of Letsencrypt webmin certificates are failing for me, although individual virtualmin domains are working. Since I’ve configured postfix etc. to use the webmin certificate, those are failing as well. It would be better if server certificates were set in some central place that is autorenewed and then used by webmin, postfix, dovecot etc.
Renewals seem to be controlled from conf files in /etc/letsencrypt/renewal somehow. I don’t see any entry there for webmin though. Also there seem to be lots of duplicate files competing with each other. There’s no obvious CRON entry that corresponds to these so I’m not sure how they’re invoked.
There’s a commented out line at the top of each conf file that says
renew_before_expiry = 30 days
but I’m not sure where the actual setting is stored. The renewal period can be configured from the user interface but you have to know that Letsencrypt certificates expire in 90 days (?) in order to set that effectively. I think the correct setting is 2 months. It’s all a bit of a mess, frankly. But it’s way better than the old way.
My problem was solved by upgrading to version 5.99 of Virtualmin. I used apt-get to install virtualmin initially, so this should have been automatic, but for some reason the sources didn’t get added and apt-get didn’t know there was a new version. It could have been that the sources were added to the actual sources.list file, which tends to get overwritten, rather than to a sources file in sources.list.d.
In any case, once I got to 5.99 it just worked.
Also make sure that you can actually browse to a challenge file in the .well-known/acme-challenge/ directory where your cert is supposed to be without any special permissions. If you can’t do that, Let’s Encrypt can’t renew. Drupal, for example, blocks this.
You could also run pre/post command on certificate renewal to, for example, update certificates for other services, like Prosody or any other.
Check Virtualmin Configuration/Actions upon server and user creation. There will be a field to add pre/post commands. Just create a shell script which will contain:
if [ "$VIRTUALSERVER_ACTION" = "SSL_DOMAIN" ]; then
    # run your code here
    : # no-op placeholder so the empty branch parses
fi
All variables are exported and can be used in the script.
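A fuller version of such a post-command script, as an added example that is not from the thread or from Virtualmin itself: it reacts only to SSL_DOMAIN, copies the renewed certificate and key for another service without leaving the key world-readable, and then reloads that service. DEST_DIR and RELOAD_CMD are hypothetical settings, and VIRTUALSERVER_SSL_CERT / VIRTUALSERVER_SSL_KEY are assumed to carry the domain's certificate and key paths.

```shell
#!/bin/sh
# Added example: Virtualmin post-command hook that redeploys a renewed cert.
# Assumptions: DEST_DIR and RELOAD_CMD are hypothetical settings, and
# VIRTUALSERVER_SSL_CERT / VIRTUALSERVER_SSL_KEY are assumed to hold the
# paths of the domain's certificate and private key.

DEST_DIR="${DEST_DIR:-/etc/ssl/service-copy}"   # hypothetical target directory
RELOAD_CMD="${RELOAD_CMD:-true}"                # e.g. "systemctl reload postfix"

# install_secret SRC DEST: copy via a temp file in the target directory so the
# destination is replaced atomically and is never readable by other users.
install_secret() {
    [ -s "$1" ] || return 1                     # refuse a missing or empty source
    tmp=$(mktemp "$2.XXXXXX") || return 1       # mktemp creates the file mode 0600
    if cat "$1" > "$tmp" && mv -f "$tmp" "$2"; then
        return 0
    fi
    rm -f "$tmp"                                # leave no partial copy behind
    return 1
}

# on_ssl_change: do nothing for other actions; fail loudly if a copy fails so
# the service is not reloaded with a mismatched cert/key pair.
on_ssl_change() {
    [ "$VIRTUALSERVER_ACTION" = "SSL_DOMAIN" ] || return 0
    name="${VIRTUALSERVER_DOM:-default}"
    mkdir -p "$DEST_DIR" || return 1
    install_secret "$VIRTUALSERVER_SSL_CERT" "$DEST_DIR/$name.crt" || return 1
    install_secret "$VIRTUALSERVER_SSL_KEY"  "$DEST_DIR/$name.key" || return 1
    $RELOAD_CMD                                 # reload only after both files are in place
}

on_ssl_change
```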