After install Certbot I have disabled the Epel repository… Is it the best way to proceed in order to work with EPEL and Virtualmin? I guess, that I will need EPEL to update de Cerbot package, so I am going to need enabling the Repo in the future… Any ideas?
We enable EPEL as part of the Virtualmin installation, and have done so for about 2-3 years. So, yes. It’s safe to do so, unless you’ve enabled other third party repositories that might conflict with EPEL.
There’s probably no reason to disable it after installation of certbot, but you could configure it to exclude any packages that conflict with other repos you have (e.g. if you have enabled some third party repo for MySQL or PHP, you could exclude mysql* or php* in the repo configuration for EPEL). We don’t exclude anything in the default Virtualmin installation, as all of our packages are compatible with EPEL and all EPEL packages are generally safe to coexist alongside the OS standard packages, and there’s a lot of good stuff in there that people often want.
Hi. I’m facing the same issue on Ubuntu 18.04. I’m not as savvy in server management though so would appreciate some guidance. Am I supposed to install certbot manually through SSH?
Doesn’t Ubuntu 18.04 have certbot in the standard universe repo? I’d assumed it did.
Regardless, you don’t need the python-certbot-apache package at all. Virtualmin does the stuff that package does (configures Apache, sets up renewals). You don’t want both fighting over the configuration.
Next version of Webmin coming probably by the weekend brings ACME Tiny back for folks who’re having a hard time getting certbot installed, for whatever reason.
The thing is it used to work just fine. I’ve been using it for years. I think it was the last update that messed something up as OP said. So I’m wary of taking actions myself and would rather like Virtualmin admins to specify if they’re releasing a fix for it or should we install certbot manually.
Edit: What do you mean “…brings ACME Tiny back…”? Did you remove it in the last update? Why so? Please do clarify.
The ACME Tiny version we were shipping no longer worked because the Let’s Encrypt folks deprecated the old protocol. We were in a bit of a rush to resolve that, and assumed based on a quick googling that certbot was more widely available than it actually is, and also that users would be more comfortable installing a new package than is actually the case. That said, a lot of users were already using certbot with Webmin/Virtualmin because ACME Tiny doesn’t support wildcard certificates…we kinda thought we were just following the trend, but it turns out people talking about it were not representative of the mass of users who never post until they have a problem.
Anyway, Jamie has updated the ACME Tiny client in Webmin to the latest version that supports the new Let’s Encrypt protocol (but still does not support wildcards, so certbot is still recommended if you need those). Webmin 1.941 will be released soon with that updated version.
Well I don’t need wildcard certificates so what shipped with webmin was perfectly fine for me. I have used certbot before when I was on a different host with cpanel but never had the need to do it with virtualmin. I could use it in a pinch but I’d rather wait for the update.
One thing I noticed with the new Certbot on my CentOS 7 1908 install was that the Option under Webmin Configuration > SSL Encryption > Let’s Encrypt tab for “Copy new key and certificate to Webmin? * Yes” had no effect in copying the newly renewed cert/key/chain files to the default old install location etc/webmin/letsencrypt-*.pem which did work fine with ACME Tiny before the update.
Had to just change the SSL Setting to point to /etc/letsencrypt/live/ location instead to get Webmin to use the correct current cert. So was that feature to copy new key/cert to Webmin a deprecated feature for Certbot client?
Also when ACME Tiny comes back in 1.941 will there be an option under Module Config to choose which client to use if both are on system? or just manually point to whichever client is preferred? as presently default is Find Automatically and I wonder which client my system might try find if there’s two now.
It will choose certbot over ACME Tiny, if it is available. certbot is better (can do wildcards, for example). ACME Tiny will just be a fallback option.
I’m generally fine with ACME Tiny. I don’t use wildcards, and it’s the primary benefit of certbot.
I don’t know. I think Jamie is prepping 1.941 for release in the next couple of days, but we have a variety of things going on, so I don’t know how much time he has to roll it out.
