Letsencrypt is due out soon

I got on a Letsencrypt preview account. I’m using a Virtualmin GPL on Ubuntu 14 server. The server was just recently installed and is operating as a standard web server.

I’ve installed the latest letsencrypt-auto using the suggested git commands from the beta email. Sign up for the beta to get the git install command and certificate creation notes or wait for the official release, probably in a few weeks.

So far it appears that for this to work in Virtualmin/Ubuntu 14:

  1. Python needs an upgrade to 2.7.9 or newer.

  2. I didn’t get the letsencrypt-auto automatic command to work with the Virtualmin. I may have just been reading the directions incorrectly. I believe in a Virtualmin environment you probably just want to do the certificate creation and manually link to the correct files.

  3. Certificates will be 90 days but that is not really a problem because renewing can be automated.

  4. Wildcard domains certificates are not likely going to happen.

  5. Multi-domains certificates are working.

In my test I noticed the latest Virtualmin doesn’t use (in my setup) the apache keyword SSLCertificateChainFile that is suggested with the Letsencrypt. Virtualmin uses SSLCACertificateFile that is not referenced by Letsencrypt setup notes. Merely doing a ln without editing the apache domain config probably isn’t going to work if the right directive isn’t in use. However, I did a ln to the letsencrypt chain and used the SSLCACertificateFile without getting a browser error. Perhaps somebody can clear up why that wasn’t throwing a browser error.

I installed python 2.7.9 as root and so far no noticeable breaking of the system yet but I didn’t look too hard at the logs.

After the client is installed and python updated I proceeded to:

  1. stop apache to use the port with the letsencrypt client

  2. ./letsencrypt-auto certonly -t --agree-tos --email admin@mydom.com --domains www.mydom.com -d mydom.com

  3. link up the new certs

ln -s /etc/letsencrypt/live/www.mydom.com/cert.pem /home/username/domains/mydom.com/ssl.cert

ln -s /etc/letsencrypt/live/www.mydom.com/privkey.pem /home/username/domains/mydom.com/ssl.key

ln -s /etc/letsencrypt/live/www.mydom.com/chain.pem /home/username/domains/mydom.com/ssl.ca

  4. start apache

Browsers I tried worked without complaining. SSLLABS SSL testing didn’t have any complaints after I fixed up my apache cipher security, eventually giving an A score. So it appears to work as expected.

There may be a problem with root owned certificates in virtualmin domain directories. The virtualmin panel says it can copy an existing domain certificate and appears to when I tell it to. It doesn’t let me download the certificate in the web panel. I don’t know yet if it is doable to just change the user permissions on the letsencrypt certificates in /etc/letsencrypt. From what I have read you’ll want to leave these in place to be able to easily update, come renewal time. That is why I linked, instead of copying, the certificates.

My question is, have you been able to run the automated install, linking generated certs in locations where virtualmin expects to find them for the control panel, or is there a Virtualmin patch that looks to /etc/letsencrypt for certs per domain, or do you have an even better way to approach this?

Howdy,

Thanks for letting us know how you got things working!

We do intend on supporting letsencrypt.

We’ve been waiting on scripts we can download and test on our systems here… it sounds like that’s available for folks in the beta program. We’ll look into that a bit more.

However, we don’t intend on making folks install package versions that don’t come with their distro, such as Python.

We’ll need to look into all that a bit more, but what we may end up doing is using their API, and developing our own client, if possible.

Then, we could just build the support into Virtualmin itself, and have all Virtualmin installations automatically support it without needing additional software.

Thanks again for the update, I’m going to go do some reading :slight_smile:

-Eric

Thanks SeeBenClick. And great news andreychek that VirtualMin is going to be getting into this!

I did a little research based on some conversations in IRC, and it looks like they’ve recently checked in changes to the Let’s Encrypt repo to support older Python versions. Eric is going to test that today. It may be that we still end up implementing our own client (Jamie did so for prior things like this, like the dynamic DNS support and some of the cloud storage providers), we’ll have to experiment to know.

I did some testing, and was able to install the letsencrypt client on a stock CentOS 7 and Ubuntu 12.04 system.

I then used a command such as this one to generate an SSL certificate for a domain I had on the server:

./letsencrypt-auto certonly --text -d foo.com --renew-by-default --agree-dev-preview --agree-tos --webroot-path /home/foo/public_html/ --authenticator webroot

With that, it generates an SSL certificate without any prompts (and without modifying Apache).

Jamie and I discussed all this today, and went over how the process works.

I believe for compatibility across all the platforms that Webmin supports, Jamie is interested in incorporating a client into Webmin/Virtualmin itself, though he’s currently in the process of reviewing all that.

We are highly interested in supporting letsencrypt! It’s in Jamie’s capable hands now, we’ll see what sort of thing he comes up with :slight_smile:

-Eric

I think that you’ll want to build into your script command extra -d options for each domain in the certificate, the signing server, and the admin email so you don’t have to depend much on the cli settings file.

A single domain server is going to need at least three -d options in a single cert for domain.tld, www.domain.tld, and servername.domain.tld (for the web panel). You may want to default to this, to keep the copy cert to webmin option as easy as possible.

Order is significant. The resulting multiple domain cert is the first -d listed in the command line in my test.

It would be a nice touch to keep track of renewal dates and run the renew command at the specified 60 to 90 days, and then email the admin upon renew completion/failure.

Hi All,

Just wanted to say I can’t wait to see support for this in Virtualmin. Let’s Encrypt is going to enter public Beta on December 3rd.

It would be amazing if Virtualmin could handle renewals automatically at 60 days (or perhaps a custom interval) too. So you can simply check a ‘use Let’s Encrypt’ checkbox for each domain and have everything happen automatically.

Could this be used for the service based certificates too? e.g. (Usermin, Webmail, IMAP, POP3 etc)

Let’s Encrypt starts public beta today.
https://letsencrypt.org/2015/12/03/entering-public-beta.html

Let’s hope we hear back soon with an ETA for beta support!

I can’t wait to see it supported by Virtualmin!

Some plugin info here:
https://letsencrypt.readthedocs.org/en/latest/contributing.html#dev-plugin
https://github.com/letsencrypt/letsencrypt/wiki/Plugins

I have this working. Native support in Virtualmin would be nice but until then renewals can be done via cron jobs.

Instructions below tested on CentOS 7.1. You’ll need to replace domain.com with your domain, and you@youremail.com with your email.

WARNING: I’m not 100% sure on the permissions for the private key file as it looks like letsencrypt creates it world-readable - so be careful on a shared server. Any input on how this can be secured (or if it’s OK as is) would be appreciated.

  • Install Let’s Encrypt

As root:

cd /root/ && git clone https://github.com/letsencrypt/letsencrypt

  • Setup Cronjob

(edit /var/spool/cron/root or run crontab -e)

15 6 1 * * cd /root/letsencrypt/ && ./letsencrypt-auto certonly --email you@youremail.com --agree-tos --webroot --renew-by-default -w /home/domain.com/public_html/ -d www.domain.com -d domain.com

(The above will renew the cert on the 1st of each month at 6.15 am. Let’s Encrypt certs are valid for 90 days.)

  • Manually run cron command above to create first cert

  • Link Certificates

(You may need to delete the existing ssl.cert, ssl.key and ca.cert if they exist)

ln -s /etc/letsencrypt/live/www.domain.com/cert.pem /home/domain.com/ssl.cert

ln -s /etc/letsencrypt/live/www.domain.com/chain.pem /home/domain.com/ca.cert

ln -s /etc/letsencrypt/live/www.domain.com/privkey.pem /home/domain.com/ssl.key

  • Make sure you have the following in your Apache Conf

SSLEngine on

SSLProtocol +TLSv1 +TLSv1.1 +TLSv1.2

SSLCertificateFile /home/domain.com/ssl.cert

SSLCertificateKeyFile /home/domain.com/ssl.key

SSLCACertificateFile /home/domain.com/ca.cert

  • Restart Apache

service httpd restart
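A small audit script for the linking layout described in this post and in the first post of the thread: for each ssl.cert / ssl.key / ssl.ca or ca.cert entry in a domain directory it checks that the entry is a symlink (a copy will not pick up renewals), that the link points one hop into the Let’s Encrypt live directory at the expected file, that it is not dangling, and that the private key behind ssl.key is not group/world readable (the permissions question raised above). This is an added example, not code from the thread or from Virtualmin; the default live path is the one the posts use, and the demo fixture directories and placeholder file contents are constructed.

```python
import os
import stat
import tempfile
# Link names used in the thread -> the Let's Encrypt file each should target.
EXPECTED = {"ssl.cert": "cert.pem", "ssl.key": "privkey.pem",
            "ssl.ca": "chain.pem", "ca.cert": "chain.pem"}


def audit_domain_dir(domain_dir, live_root="/etc/letsencrypt/live"):
    """Return findings for one Virtualmin domain dir (empty list = clean)."""
    findings = []
    live_root = os.path.normpath(os.path.abspath(live_root))
    for name, want in sorted(EXPECTED.items()):
        path = os.path.join(domain_dir, name)
        if not os.path.lexists(path):
            continue  # Virtualmin uses either ssl.ca or ca.cert, not both
        if not os.path.islink(path):
            findings.append("%s: copy, not a symlink; renewals will not propagate" % name)
            continue
        hop = os.readlink(path)  # one hop only: live/ itself links into archive/
        hop = os.path.normpath(os.path.join(os.path.dirname(path), hop))
        if not hop.startswith(live_root + os.sep):
            findings.append("%s: link leaves %s (-> %s)" % (name, live_root, hop))
        if os.path.basename(hop) != want:
            findings.append("%s: expected %s, got %s" % (name, want, os.path.basename(hop)))
        if not os.path.exists(path):  # exists() follows the whole link chain
            findings.append("%s: dangling link -> %s" % (name, hop))
        elif name == "ssl.key":
            mode = stat.S_IMODE(os.stat(path).st_mode)  # stat() follows links too
            if mode & (stat.S_IRGRP | stat.S_IROTH):
                findings.append("ssl.key: private key is group/world readable (mode %o)" % mode)
    return findings


def make_demo_tree():
    """Constructed fixture: a fake live dir with a 0644 key, a domain dir linked
    as in the thread, plus one copied ca.cert. Returns (domain_dir, live_root)."""
    root = tempfile.mkdtemp()
    live = os.path.join(root, "live", "www.domain.com")
    os.makedirs(live)
    for f in ("cert.pem", "privkey.pem", "chain.pem"):
        with open(os.path.join(live, f), "w") as fh:
            fh.write("CONSTRUCTED PLACEHOLDER, not a real %s\n" % f)
    os.chmod(os.path.join(live, "privkey.pem"), 0o644)  # the worry raised in the thread
    dom = os.path.join(root, "home", "domain.com")
    os.makedirs(dom)
    for link, f in (("ssl.cert", "cert.pem"), ("ssl.key", "privkey.pem")):
        os.symlink(os.path.join(live, f), os.path.join(dom, link))
    with open(os.path.join(dom, "ca.cert"), "w") as fh:
        fh.write("copied chain\n")  # a copy, not a link: renewals will not reach it
    return dom, os.path.join(root, "live")
```

On a real server call `audit_domain_dir("/home/domain.com")` (or the per-domain path Virtualmin uses on your system) and act on any finding; an empty list means the links and key mode look as the thread intends.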

Howdy,

We just talked about this yesterday at our meeting – we’re quite excited about letsencrypt support.

Jamie tells us that things are on track for letsencrypt support in the next Virtualmin release.

The next Virtualmin release is a big one with lots of new things – and it has a new website revamp coming as well, which is the main part we’re waiting on at the moment. Joe it will be out soon!

-Eric

Great to hear that!

p.s. the forum will be a Xenforo? If yes, it could be awesome with their Resource Manager addon. :smiley:

No need to symlink the cert files to the virtual servers directory. Just change the Apache Virtual Host config as following after running letsencrypt-auto:

SSLEngine on
SSLProtocol +TLSv1 +TLSv1.1 +TLSv1.2
SSLCertificateFile /etc/letsencrypt/live/domain.tld/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/domain.tld/privkey.pem
SSLCACertificateFile /etc/letsencrypt/live/domain.tld/chain.pem

Notes:

  • Check any .htaccess file inside your public_html/ directory. It may block or redirect authentication access for the Letsencrypt server and therefore prevent creation of the certificate. A sign of this is the error: The client lacks sufficient authorization.
  • Use https://mozilla.github.io/server-side-tls/ssl-config-generator/ to harden your SSL config.

Great news!

Thank you very much for your work! :slight_smile:

https://www.virtualmin.com/node/38853

I found this script https://github.com/lukas2511/letsencrypt.sh which makes it very simple and has no dependencies other than curl and openssl.

You just add an alias to apache or nginx for the verification and place everything into /etc/letsencrypt.sh/ for example. Then create the config.sh and domain.txt. You can also set a cron which will auto renew the certs when they are about to expire.

At the moment I just symlink from the server dirs into where the certificates get created.

Exciting news! Can’t wait to see the new virtualmin big release and support for letsencrypt.

Thank you!

Would you have an estimation of this next major release date? Do we have to wait days, weeks, months?
It’s really important for my timeline.

Great to see a service like letsencrypt helping us people out lol.