SSL for email server only with multiple domains without apache

SYSTEM INFORMATION
OS type and version Ubuntu 22.04.4 LTS
Webmin version 2.111

Hi. I know how to add lets encrypt certs to the vhosts when there is an apache server and the server has webpages.

The problem is that I have created a mail only server and I have 2 problems:

  1. I cannot add certs to the Virtualmin web panel. I have one domain used for installing, but the “Hostnames for certificate” field under /webmin/edit_ssl.cgi?xnavigation=1 works only if I use the original domain (the one that came with my VPS); if I add a custom extra domain it fails with Connection refused (yesterday it was 404, don’t know why it changed).

  2. Mail clients can connect, but with an SSL warning that I cannot fix. I see “/etc/dovecot/private/dovecot.pem” under /dovecot/edit_ssl.cgi?xnavigation=1 (IMAP and POP3 SSL mode options), but that cert must have been generated during installation, so it should not work with the new domains I am creating.

  3. Can I have multiple domains for accessing the panel? (not crucial)

  4. How can I generate all the needed certs without apache (crucial)

Thanks a lot!

You need an http connection. There is no harm enabling it and not using it.
Maybe someone knows how to do a DNS method for Let’s Encrypt on Virtualmin/Webmin, I haven’t seen any.

P.S.

I just looked into Webmin and it does have the DNS option, but I am not sure how that works with multiple domains.

Hi, thanks. I just tried and got
Detail: {IP}: Fetching http://{domain}/.well-known/acme-challenge/tzVnXZF3YGBeIHb_e31kICZzkULinbT9K8PBaA: Connection refused

It works for the domain the VPS has, why would it not work for my real domain? Of course the domain resolves to the correct IP.
Thanks

Connection refused sounds like firewall, can you reach http://{domain}/ ?

Thank you for taking the time to get back to me.
If I try the domain without a port (80 or any) I get “Unable to connect”, which actually makes sense as there is no apache or web server. But I get redirected to https.
If I add the :10000 port, I get a ssl warning, but I get to the virtualmin login page.
The VPS has no firewall at all, apart for what might virtualmin itself have.
Any other suggestion or test?
Thanks!

You’re stuck without port 80 and a working website with Let’s Encrypt, I think.
You could buy a cheap cert, I googled cheapssl and got sent to this promotion.

The VPS domain, that is the one used for accessing virtualmin, has ssl, letsencrypt and only listens on the virtualmin ports, 10k and 20k. It makes sense that the port 80 is closed.
I think that virtualmin proposes a way of generating the cert by enabling the port 80 and generating the .well-known/acme-challenge in the home directory.
If that is not working, then, there is no way for virtualmin to have a ssl. And in 3 months, the one installed right now will expire.
Thanks

Virtualmin can validate Let’s Encrypt via web validation or via DNS validation (but only if Virtualmin is managing DNS). Webmin can validate via web validation if you have a web server installed. Webmin can also use certbot in standalone mode which does not need a web server, but nothing can be on port 80 when it runs, but I’m not sure if that version of Webmin is out yet.

In any case of web validation port 80 needs to be open. If you don’t have a web server on that port, I can’t think of any reason you’d need to block it. A port with no service is not a port at risk. You could leave it open so Virtualmin, or Webmin, or certbot, can make a validation request every couple of months. No reason to make it dramatic.

Thanks Joe, it worked.
I started apache and now the certs are being generated ok.
My confusion came from the fact that virtualmin runs without apache, so I thought that the cert generation could use the same approach.

Now, the real problem, how should I create the IMAP certificates? Because the ones I just created are for web access. But my email clients show a warning of invalid certificate

Thank you!!

Ok, so I have been reading other posts and I have come to understand that an SSL cert is valid for all services (mysql, mail, web, etc.) and that a cert can be copied to different locations.
When it comes to web pages, in different virtual servers, you will most likely have 1 ssl cert for the main domain and aliases, but you cannot do the same with the mail server.

So, the mail server can only have 1 cert (at least using the web panel; you can do some tweaking with dovecot, but not with postfix?). Anyway, I would only use the standard way, that will usually work out of the box without having to do weird stuff.

I’m still looking for the “copy to” button that will allow the cert to be used for mail services but, I will have to choose only one domain for all mail connections, there will not be multiple email domains.

Maybe I can use the Webmin configuration SSL cert that I have created using the 3 domains the server has: the one that the VPS has by default (with the provider domain) and my 2 domains that I have created in this server.

Thanks

I have changed the key and cert file manually, but thinking this will autorenew.

Copied the path from:
Webmin / Webmin Configuration / SSL Settings

Pasted on (replacing the snakeoil)
Webmin / Servers / Postfix Mail Server / SMTP Authentication and Encryption

Pasted on (replacing the dovecot)
Webmin / Servers / Dovecot / SSL Configuration

Tested with SSL Checker adding the domains AND ports to test.
It works, but (of course) it’s not perfect:

The certificate is not trusted in all web browsers. You may need to install an Intermediate/chain certificate to link it to a trusted root certificate. Learn more about this error. The fastest way to fix this problem is to contact your SSL provider.

It turns out that the Webmin / Webmin Configuration / SSL Settings screen was also showing a path to a CA

Copied the CA to TLS certificate authority file in Dovecot (993), but didn’t work.
It worked for Postfix (465).

Finally

/etc/dovecot/conf.d/10-ssl.conf.
If I add ssl_verify_client_cert = yes, everything works fine.
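The “certificate is not trusted / install an intermediate chain” warning above is what a mail client reports when the server sends only the leaf certificate. The following is an added example, not code from this thread or from Virtualmin: it builds a throwaway root, intermediate and leaf with openssl, shows that the leaf alone fails validation against the root while leaf + intermediate (what certbot writes as fullchain.pem) passes, and then prints the Dovecot and Postfix directives that make both daemons serve that chain. Every hostname and path in it (mail.example.test, the /etc/letsencrypt/live path in the usage note) is an assumption chosen for the demonstration. Note that in Dovecot the chain belongs inside the file given to ssl_cert; ssl_ca is used for verifying client certificates, which is why ssl_verify_client_cert touches it.

```shell
#!/bin/sh
# Added example (not from the thread): root -> intermediate -> leaf test PKI,
# chain verification, and the mail daemon config that serves the full chain.
# All names/paths are made-up assumptions for the demonstration.
set -eu

WORK="${WORK:-$(mktemp -d)}"

make_test_pki() {
  # Root CA: plays the role of the public root in a client's trust store.
  # Extensions come from an extfile so the system openssl.cnf is not consulted.
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$WORK/root.key" -out "$WORK/root.csr" \
    -subj "/CN=Example Test Root" >/dev/null 2>&1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/ca.ext"
  openssl x509 -req -days 2 -in "$WORK/root.csr" -signkey "$WORK/root.key" \
    -extfile "$WORK/ca.ext" -out "$WORK/root.pem" >/dev/null 2>&1

  # Intermediate CA signed by the root (the role Let's Encrypt's intermediates play).
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$WORK/int.key" -out "$WORK/int.csr" \
    -subj "/CN=Example Test Intermediate" >/dev/null 2>&1
  openssl x509 -req -days 2 -in "$WORK/int.csr" \
    -CA "$WORK/root.pem" -CAkey "$WORK/root.key" -CAcreateserial \
    -extfile "$WORK/ca.ext" -out "$WORK/int.pem" >/dev/null 2>&1

  # Leaf for the mail host, signed by the intermediate, with SANs for both names.
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" \
    -subj "/CN=mail.example.test" >/dev/null 2>&1
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:mail.example.test,DNS:imap.example.test\n' \
    > "$WORK/leaf.ext"
  openssl x509 -req -days 2 -in "$WORK/leaf.csr" \
    -CA "$WORK/int.pem" -CAkey "$WORK/int.key" -CAcreateserial \
    -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" >/dev/null 2>&1

  # What certbot calls fullchain.pem: leaf first, then the intermediate(s).
  cat "$WORK/leaf.pem" "$WORK/int.pem" > "$WORK/fullchain.pem"
}

ensure_pki() { [ -f "$WORK/fullchain.pem" ] || make_test_pki; }

# A client that trusts only the root and is handed the leaf alone: returns non-zero.
verify_leaf_alone() {
  ensure_pki
  openssl verify -CAfile "$WORK/root.pem" "$WORK/leaf.pem" >/dev/null 2>&1
}

# The same client handed the server's full chain as untrusted input: returns 0.
verify_with_fullchain() {
  ensure_pki
  openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/fullchain.pem" \
    "$WORK/leaf.pem" >/dev/null 2>&1
}

# Number of PEM certificates in the file the daemons should serve (2 here).
count_chain_certs() { ensure_pki; grep -c 'BEGIN CERTIFICATE' "$WORK/fullchain.pem"; }

# Directives that make Dovecot and Postfix present the chain. The paths are
# parameters so they can point at wherever the renewal tool writes the new
# files; after each renewal both daemons need a reload to pick them up.
mail_tls_config() {
  chain="$1"; key="$2"
  cat <<EOF
# /etc/dovecot/conf.d/10-ssl.conf  (ssl_cert holds leaf + intermediate;
# ssl_ca is only for verifying *client* certificates)
ssl = yes
ssl_cert = <$chain
ssl_key = <$key

# /etc/postfix/main.cf  (smtpd_tls_chain_files needs Postfix >= 3.4;
# Ubuntu 22.04 ships 3.6). Key first, then the chain.
smtpd_tls_chain_files = $key, $chain
smtpd_tls_security_level = may
EOF
}

if verify_leaf_alone; then
  echo "leaf alone verified (unexpected)"
else
  echo "leaf alone: verification fails, which is what the mail client warned about"
fi
verify_with_fullchain && echo "leaf + intermediate verifies against the root"
mail_tls_config "$WORK/fullchain.pem" "$WORK/leaf.key"
```

To see what a running server actually hands out, `openssl s_client -connect mail.example.test:993 -showcerts </dev/null` for Dovecot (add `-starttls smtp` for Postfix on 587) lists every certificate sent; if only one appears, the chain file is not being served. On renewal, whichever tool issues the new certificate must either rewrite the same files the directives point at (certbot, for instance, updates its live/ symlinks in place and can run a `--deploy-hook` that reloads dovecot and postfix) or copy them into place again, otherwise the daemons keep serving the expired certificate.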

