Letsencrypt certificate ssl.combined files not generated

SYSTEM INFORMATION
OS type and version Centos 7
Virtualmin version 7.1

I run a webserver with virtualmin behind a proxy, and push the automatically generated letsencrypt certificates from the webserver to the proxy. I used to push the auto-generated “ssl.combined” file (which combines the domain certificate together with the root and intermediate certs). Since August, however, this “ssl.combined” is not updated anymore when a certificate is renewed. Only the ssl.cert and ssl.key files are updated.

This is an issue because it causes a mismatch between the key and pem file on the proxy, causing Apache to fail when loading the configuration. When only the ssl.cert file is used as the pem file on the proxy, this causes the certificate chain to be incomplete, lowering the ssl-labs score.

I think I can find a way around the issue by scripting the generation of the “ssl.combined” file; however, I wonder why it stopped being generated. I do not recall any settings changes, as everything was stable and working fine. I do however update software versions regularly, maybe that is the cause?

I searched the webs for an answer, but could not locate anyone having the same issue.
How can I figure out the cause of this issue?

Thanks

Did you check letsencrypt.log? Did you try issuing a new cert for that virtual server?

Thanks for the response.

I didn’t check the log yet, will do that later today. It is however an issue for all 5 virtual servers I run. So it’s a more general issue, I think.

Please check your Virtualmin domain config files and make sure that they have correct records for ssl_ keys, i.e. by running:

grep ssl_combined /etc/webmin/virtual-server/domains/*

Also, check System Settings ⇾ Server Templates: Edit Server Template / SSL website for domain page.

Thanks for the responses,

From the letsencrypt log I can see that all necessary files are created under
/etc/letsencrypt/live/
namely: cert.pem, chain.pem, fullchain.pem, privkey.pem
They are symlinks to the correct files in another directory.

However, what I cannot see is how a copy of these files should be created in the user’s directory under the names ssl.cert, ssl.combined, ssl.everything and ssl.key.

Looking at the System Settings ⇾ Server Templates: Edit Server Template / SSL website for domain page, it shows the certificates are generated in: /etc/ssl/virtualmin/${ID}/

Looking at the results of the grep command, there was only one record that pointed to the home directory of a virtual server. All the other records point to the location as defined in the system settings. After renewing the certificate for that server, its record was also updated to /etc/ssl/virtualmin/${ID}/

So it looks a bit like the generation location in system settings was updated at some point. I can however not understand why the ssl.cert and ssl.key files in the user’s home dir are still updated and not the others???

So to recap: renewing a certificate is successful, the certs are generated, but the original ssl.combined and ssl.everything files in the user’s home dir are not updated as they used to be. Where is the part that copies the certs to the user’s home directory? Because the files in the home dir are owned by the user. All the other files mentioned above are owned by root.

I have scripts running under the user’s name to push the files to the proxy; they cannot access the files owned by root.
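
Added example, not part of the thread and not Virtualmin's own code: a pre-push check that catches the failure described above, where ssl.cert has been renewed but ssl.combined still starts with the old certificate, and that rebuilds the bundle from the leaf plus chain.pem. The function names and the sample certificates (arbitrary bytes in a PEM envelope) are constructed for illustration.

```python
import base64
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

def pem_certs(text):
    """DER bytes of every CERTIFICATE block in a PEM string, in file order."""
    return [base64.b64decode("".join(body.split())) for body in PEM_RE.findall(text)]

def check_bundle(cert_pem, combined_pem):
    """Return a list of problems; an empty list means the bundle matches ssl.cert."""
    leaf, bundle = pem_certs(cert_pem), pem_certs(combined_pem)
    if len(leaf) != 1:
        return ["ssl.cert must hold exactly one certificate, found %d" % len(leaf)]
    if not bundle:
        return ["ssl.combined holds no certificate"]
    problems = []
    if bundle[0] != leaf[0]:
        problems.append("stale: first certificate in ssl.combined is not ssl.cert")
    if len(bundle) < 2:
        problems.append("incomplete chain: nothing follows the leaf certificate")
    return problems

def build_combined(cert_pem, chain_pem):
    """Concatenate leaf first, then the issuer chain (e.g. Let's Encrypt chain.pem)."""
    if len(pem_certs(cert_pem)) != 1 or not pem_certs(chain_pem):
        raise ValueError("need one leaf certificate and a non-empty chain")
    return cert_pem.strip() + "\n" + chain_pem.strip() + "\n"

def fake_pem(der):
    """Constructed stand-in for a certificate: arbitrary bytes in a PEM envelope."""
    b64 = base64.b64encode(der).decode()
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % b64

# Constructed sample data: the leaf was renewed, the combined file was not.
OLD_LEAF, NEW_LEAF = fake_pem(b"leaf-before-renewal"), fake_pem(b"leaf-after-renewal")
CHAIN = fake_pem(b"intermediate-ca")
STALE_COMBINED = OLD_LEAF + CHAIN

if __name__ == "__main__":
    print(check_bundle(NEW_LEAF, STALE_COMBINED))   # stale bundle is reported
    print(check_bundle(NEW_LEAF, NEW_LEAF))         # leaf alone: chain incomplete
    print(check_bundle(NEW_LEAF, build_combined(NEW_LEAF, CHAIN)))  # rebuilt bundle
```

The check compares certificate bytes only; it does not verify signatures or that ssl.key belongs to the leaf, so a key/certificate match test is still needed before the proxy reloads.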
