On an older version of Virtualmin (Webmin 1.973, Usermin 1.823, Virtualmin 6.08) I can see the individual buttons to copy a loaded certificate to Postfix, Dovecot, Webmin, Usermin, ProFTPd etc.
On a brand new installation (Webmin 1.981, Usermin 1.823, Virtualmin 6.17), I can only see a single button to “set as default services certificate”.
Am I going mad or have those individual certificate copy buttons disappeared? If so, it’s quite a regression. I make use of different certificates on all the main services on my system, many of them Let’s Encrypt auto-renewed and replaced automatically by Webmin/Virtualmin. I’ve not yet found the options elsewhere in Virtualmin, but if the option has moved and I’m just blind then I appreciate all pointers to where those copy buttons live now in the web UI.
Ah good, it’s not just me. I don’t understand why this change was made, I’d expect some sort of opt-in for that “apply to all” setting, a lot of my setup is dependent on different certificates for different services all obtained via LE, so moving to a single button makes it harder to replicate this arrangement on another server. I have a server stuck on the older version of Virtualmin given this constraint.
Dang. I should have known someone would depend on the old, very confusing, way of doing things. The old UI was wildly confusing for new users, so it had to change. I don’t know that it had to change in the way we did it (I never imagined anyone would want to use certs from completely different domains for their “default” service certs).
See here for a very long conversation about why it changed and why it changed to what it is now:
Note that for services that support SNI (most of them on a modern OS), the service will already use the cert for whatever domain someone connects on, if it has a certificate, so this feature mostly only matters if you have an older OS.
We’re still open to changing it again, but it can’t go back to the UI is had before, because it was a constant support issue. We’re trying to make Virtualmin simpler, because the single biggest problem people have with it is that it is confusingly complex. But, we also don’t want to break common use cases…I’m not willing to believe this is a “common” use case (you’re the first I’ve heard of it, I think), but I’m also not quite willing to say “you can’t do that”. I just don’t know the answer.
Yep I’m always there to disrupt things I actually thought it was really intuitive and clear to understand.
It would be useful if there was a Virtualmin-manageable way of requesting certs independent of a site/account and then being able to deploy them to specific services. I accept that’s almost exactly how the old system used to work, so not really a solution
In a perfect world, hiding that more advanced functionality behind an opt-in would have been perfect. At the moment I’m not sure how I’m going to migrate my server running on the older build without breaking things due to the different certs in place across services.
Unfortunately adding yet more SANs to a main cert and making (further) use of SNI won’t work, because on that server I have entirely separate ventures with their own certs (a mixture of LE and paid multi-SAN certs). Also sometimes not desirable from an infosec perspective - or just a procedural perspective. Personally I prefer potential miscrents to get as little info as possible of other services or subdomains from a cert as possible. Arguably that’s becoming slightly less relevant due to crt.sh, censys, shodan etc, but I like to give away as little as possible in one go.
As an alternative, I wouldn’t mind if some of the LE request/update management logic and web UI functionality was duplicated on the specific Webmin management pages for Postfix, Dovecot, ProFTPd etc. That adds a little to the code maintenance overhead so hopefully there’d be a way to transclude as much as possible without fresh code.
Doing it this way might become more onerous with more than a dozen sites to look after, so perhaps basic cert management features come with GPL and more advanced centralised management comes with a Pro licence?
I think the change is for the better as it is far less confusing. The only people confused were the guys used to the old layout. I’m sure new users will find it far better.
Unfortunately, at the moment, it’s less flexible than the previous setup. It’s less intimidating for new users, but more experienced users and those requiring more complex setups will find it less capable than the old version. Hopefully it can evolve to accommodate everyone in time.
I actually thought it was really intuitive and clear to understand.