Yep, I’m always there to disrupt things. I actually thought it was really intuitive and clear to understand.
It would be useful if there was a Virtualmin-manageable way of requesting certs independent of a site/account and then being able to deploy them to specific services. I accept that’s almost exactly how the old system used to work, so not really a solution.
In a perfect world, hiding that more advanced functionality behind an opt-in would have been perfect. At the moment I’m not sure how I’m going to migrate my server running on the older build without breaking things due to the different certs in place across services.
Unfortunately adding yet more SANs to a main cert and making (further) use of SNI won’t work, because on that server I have entirely separate ventures with their own certs (a mixture of LE and paid multi-SAN certs). Also sometimes not desirable from an infosec perspective - or just a procedural perspective. Personally I prefer potential miscreants to get as little info as possible of other services or subdomains from a cert. Arguably that’s becoming slightly less relevant due to crt.sh, censys, shodan etc, but I like to give away as little as possible in one go.
As an alternative, I wouldn’t mind if some of the LE request/update management logic and web UI functionality was duplicated on the specific Webmin management pages for Postfix, Dovecot, ProFTPd etc. That adds a little to the code maintenance overhead so hopefully there’d be a way to transclude as much as possible without fresh code.
Doing it this way might become more onerous with more than a dozen sites to look after, so perhaps basic cert management features come with GPL and more advanced centralised management comes with a Pro licence?