SSL direction - LE or buy? Or can self-signed still work?

CentOS 6.10 (yeah, another issue I’ve got to solve) with 6.15 Pro Virtualmin and 1.973 Webmin

I’m having email issues with all the advances Apple has pulled off in the last few years.
I’ve thought about setting up Let’s Encrypt certs, but I keep seeing problems with this and LE keeps changing things. I’ve also thought about biting the bullet and buying some regular SSL cert so I only have to deal with it once every year or two.
At the moment this is about email (clients don’t really need SSL on their sites). I did have a self-signed cert that was working fine until my wife and a friend upgraded their iPhones (to iOS 14) and it broke their email.
At first I thought I could solve the problem by bringing in the expiration date (below 800 days; it was 2030+) of my current self-signed cert, but the problem is bigger than that.

So, what’s the best way out? Can this be done with a self-signed cert and Apple’s iOS 14 anymore? Or do I need to move to a 3rd-party SSL? If I need to move, am I going to have problems with keeping up with LE, or should I bite the bullet and buy some cert?
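The symptom in the post (a long-lived, CN-only self-signed cert that iOS 14 rejects) can be checked offline before touching the mail server. The script below is an added example, not code from this thread or from Virtualmin: it generates two throwaway self-signed certs with the openssl CLI, one shaped like the 2030+ cert described above and one that follows the rules Apple has published for TLS server certificates since iOS 13 (validity of at most 825 days, a subjectAltName extension because the CN alone is ignored, an RSA key of at least 2048 bits, a SHA-2 signature), and reports which rules each cert fails. It assumes openssl 1.1.1 or newer (for `-addext`) and GNU `date`; the hostname `mail.example.test` is a made-up placeholder. The same `check_cert` function can be pointed at any PEM file, such as the cert Webmin is currently serving.

```shell
#!/bin/sh
# Added example (not from the thread, not Virtualmin code): check a PEM
# certificate against the properties Apple requires of TLS server certs since
# iOS 13 (so iOS 14 too): validity <= 825 days, a subjectAltName extension,
# RSA key >= 2048 bits, SHA-2 signature. Needs the openssl CLI (1.1.1+ for
# -addext) and GNU date. mail.example.test is a placeholder hostname.
MAX_DAYS=825
WORK=${TMPDIR:-/tmp}/certcheck.$$
mkdir -p "$WORK"

# Epoch seconds for an openssl date such as "Mar  4 12:00:00 2024 GMT".
to_epoch() {
  date -u -d "$1" +%s
}

# Length of the validity period in whole days (notAfter minus notBefore).
cert_days() {
  nb=$(openssl x509 -noout -startdate -in "$1" | cut -d= -f2)
  na=$(openssl x509 -noout -enddate -in "$1" | cut -d= -f2)
  echo $(( ( $(to_epoch "$na") - $(to_epoch "$nb") ) / 86400 ))
}

# True when the cert carries a DNS subjectAltName.
cert_has_san() {
  openssl x509 -noout -text -in "$1" | grep -q 'DNS:'
}

# Public key size in bits, parsed from the "Public-Key: (2048 bit)" line.
cert_key_bits() {
  openssl x509 -noout -text -in "$1" | grep -o '([0-9]* bit)' \
    | head -n 1 | tr -dc '0-9'
}

# True when the certificate signature uses SHA-256/384/512.
cert_sha2() {
  openssl x509 -noout -text -in "$1" | grep 'Signature Algorithm' \
    | grep -q -E 'sha(256|384|512)'
}

# Print one line per failed rule; return 0 only if every rule passes.
check_cert() {
  cert=$1
  rc=0
  days=$(cert_days "$cert")
  if [ "$days" -gt "$MAX_DAYS" ]; then
    echo "FAIL validity: $days days (iOS maximum is $MAX_DAYS)"; rc=1
  fi
  if ! cert_has_san "$cert"; then
    echo "FAIL subjectAltName missing (a CN-only cert is rejected)"; rc=1
  fi
  bits=$(cert_key_bits "$cert")
  bits=${bits:-0}
  if [ "$bits" -lt 2048 ]; then
    echo "FAIL key size: $bits bits (minimum 2048)"; rc=1
  fi
  if ! cert_sha2 "$cert"; then
    echo "FAIL signature algorithm is not SHA-2"; rc=1
  fi
  return $rc
}

# Issue a throwaway self-signed cert: make_cert NAME DAYS yes|no (with SAN?).
# Prints the path of the PEM file it wrote.
make_cert() {
  out=$WORK/$1.pem
  if [ "$3" = yes ]; then
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$2" \
      -subj "/CN=mail.example.test" \
      -addext "subjectAltName=DNS:mail.example.test" \
      -keyout "$WORK/$1.key" -out "$out" 2>/dev/null
  else
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$2" \
      -subj "/CN=mail.example.test" \
      -keyout "$WORK/$1.key" -out "$out" 2>/dev/null
  fi
  echo "$out"
}

# A cert like the one in the thread (ten years, CN only) next to one that
# satisfies the iOS rules (398 days, SAN present).
LEGACY=$(make_cert legacy 3650 no)
FIXED=$(make_cert fixed 398 yes)
for c in "$LEGACY" "$FIXED"; do
  echo "== $c"
  check_cert "$c" && echo "OK: passes the iOS certificate rules"
done
```

Passing these checks only makes the certificate shaped the way iOS expects; a self-signed cert still has to be explicitly trusted on each device, which is the part that a CA-issued cert (Let's Encrypt or purchased) removes.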

To support people who access the server for email only, you need just one SSL certificate - i.e. for the hostname.

You have framed several questions and these cannot be answered with any degree of certainty without actually applying a freshly minted certificate. Only when this is done will you know for certain if your CentOS 6.1 system supports those versions of the SSL protocol that iOS 14 requires. Fortunately, there is a way for you to manually generate an SSL certificate from Let’s Encrypt (via sslforfree) and manually apply that certificate to Webmin / Virtualmin.

If email on iOS 14 then works, we could think of a way to automate Let’s Encrypt certificate renewal every two months on your ancient system.

So I suggest the next step would be to manually generate a Let’s Encrypt certificate via https://www.sslforfree.com/

CentOS 6 makes it hard to reliably use Let’s Encrypt. Certbot won’t run there in any reasonably easy way, and never will, since it’s been EOL for quite a while. The ACME Tiny client we ship in Webmin should be able to do the job currently, I think, (as long as you don’t try to use wildcards, or try to do anything that requires DNS validation, since that is not supported by ACME Tiny) but that is not guaranteed to keep working. In fact, I would assume it will definitely stop working next time Let’s Encrypt changes their API.

You should prioritize solving your EOL OS problem over everything else, most likely. You have a lot more problems than just TLS certs right now.

Self-signed certs are never the answer for non-technical users. If you can’t upgrade to an OS version that makes using Let’s Encrypt easy, just buy a cheap cert and be done with the problem for a year… by then, hopefully you’ll be running a supported OS.

