Webmin 1.940 (and certbot for old CentOS 7 installs)

Howdy all,

I’ve just rolled out version 1.940 of Webmin. This is a pretty big release, with major theme and File Manager changes among other things. The most important to be aware of and most complicated may be the change from using a bundled tiny ACME client for Let’s Encrypt to using the full-blown certbot client, which is large and has a lot of dependencies (we don’t really like depending on stuff that has huge dependency chains if they aren’t in the OS standard repos, but in order to get something that supports all the newest protocol features, including wildcard certs, we needed to do so).

For Debian and Ubuntu, certbot is available in the OS standard repositories, and I believe it will be installed automatically when you upgrade.

For CentOS 6, there is currently no good way to get certbot. I’m not sure how we’re going to solve this. I’m looking into building it for CentOS 6, but it depends on a bunch of newer Python features and is likely going to be impossible (at least for me) to build there. We may have to fall back to an updated version of the ACME tiny client we’ve been bundling from the beginning (just updated to actually work with the new LE protocol). But, CentOS 6 reaches end of life in a few months, so hopefully most people have already started moving off of it onto newer distributions.

For CentOS 7, if you’ve installed in the past 2-3 years you’ll have EPEL enabled, which provides certbot and its dependencies, and certbot will probably be installed automatically when you upgrade (and if not, you can install it using yum). Edit: I was wrong…it does not get installed automatically. RPM/yum doesn’t do smart things with recommended packages (and we can’t make it a hard dependency because it’d prevent installation anywhere certbot isn’t available). For systems installed more than 2-3 years ago, I’ve added certbot and its dependencies to our repos…I think it’ll Just Work, but let me know if it doesn’t. I may have missed a dependency or messed something else up.

Changes since 1.932:

  • Removed Webmin’s built-in Let’s Encrypt client, in favor of recommending the official certbot command.
  • Added support for creating “safe-mode” Webmin users who have access only to modules and permissions that don’t grant root access.
  • Added support for CAA records in the BIND module.
  • Postfix maps with more than 100 entries by default are now shown with a search box.
  • Updated the Authentic Theme to the latest version, which includes numerous improvements to the file manager and overall UI.

Cheers,
Joe

1 Like

I have been running Certbot on CentOS 6 for over 2 years, installed under /opt/ and using Python 2.7 from Software Collections.

Now, whether this is possible via Webmin etc. I have no idea; I just wanted to point out the above.

Yeah, it’s possible, just not easy. There is a certbot-auto script provided by the Let’s Encrypt folks, but it’s extremely ugly compared to a proper package. But, we’re discussing whether to use it or try to package certbot (and all of its dependencies) for the SCL python27 or python33 package for CentOS 6 (Debian 8 is also in this boat, it turns out…it has a certbot package, but it’s old) or whether to fall back to ACME Tiny. In at least two cases (certbot-auto and ACME Tiny), there won’t be any wildcard support. So…no great options here, but if folks are running very old distros, they’ve already accepted a lot of trade-offs and limits, so it may just be something we have to accept.

Edit: Also, as far as I know, if you have a working certbot installation (including the one created by certbot-auto), Webmin will generally find it and try to use it.

Yes, I use `certbot-auto` along with a script I wrote to run as a weekly cron job to update all certs and then email me the results, which works fine.

You don’t need a script (though there’s nothing wrong with using one, if you prefer it). Virtualmin works with certbot and has for a year or so.

We are on Ubuntu 16.04 LTS and 18.04 LTS, and Webmin doesn’t list certbot as a dependency in its package to install it automatically on upgrade, leading to failures for auto-renewals of Let’s Encrypt certificates.

Which package should we install manually now, at the same time as upgrading Webmin under Ubuntu 16.04 LTS and 18.04 LTS? “certbot”?

Howdy,

Yup, you can install the certbot package to resolve that with:

apt-get install certbot

Webmin on Ubuntu 14.04 LTS renewed Let’s Encrypt certificate on legacy website with “certbot-auto”

Hello,

I used the built-in Let’s Encrypt client to serve certificates for a Debian 8 installation utilizing nginx hosting several websites.

Renewals do not work anymore since this update and I tried to install certbot.

  1. I installed certbot from the jessie backports which comes with certbot version 0.10.2 which results in the renewal claiming about acme v1. This was expected as >0.28 is needed as far as I know.
  2. I de-installed certbot and tried certbot-auto as suggested on https://certbot.eff.org/lets-encrypt/debianjessie-nginx (I’m not quite sure about step 4 there, as I suspect this to write different certificates in other directories or even to request a single certificate for all of the 33 listed (sub-)domains while using sudo /usr/local/bin/certbot-auto certonly --nginx).
    However, this option does not lead to Virtualmin recognizing certbot.

So, the questions are:

  • Does anyone know an option to update certbot on Debian 8 jessie to a current version? I do not find anything.
  • Is virtualmin able to handle the certbot-auto option?

Thanks all in advance and best regards
Christian

Yes, upcoming Webmin 1.941 will fix this issue for older distros.

Yes, certbot-auto should work. You don’t need the apache or nginx version; Virtualmin will use the standalone mode (I don’t remember if they’re packaged separately with the certbot-auto install script…they are with the RPM/deb versions). You don’t need to run the commands yourself or set up scheduled renewals or whatever. Virtualmin will do it (assuming it finds the right certbot installation).

I tried this yesterday with no success. I will try again as soon as possible.

Thanks for the reply!

CentOS 7.7.1908 + Webmin 1.940 + Certbot 1.0.0-1.el7

Certbot stopped working with these errors:

An error occurred requesting a new certificate for dev-applimeildev.virage-com.fr from Let's Encrypt : Web-based validation failed : <pre>An unexpected error occurred:
AttributeError: 'module' object has no attribute 'TLSSNI01'
Please see the logfile '/tmp/tmp23asXS/log' for more details.
</pre>
DNS-based validation failed : <pre>An unexpected error occurred:
AttributeError: 'module' object has no attribute 'TLSSNI01'
Please see the logfile '/tmp/tmpJC1Qt3/log' for more details.
</pre>

In log file :

2020-01-09 20:23:15,165:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
  File "/bin/letsencrypt", line 9, in <module>
    load_entry_point('certbot==1.0.0', 'console_scripts', 'certbot')()
  File "/usr/lib/python2.7/site-packages/certbot/main.py", line 14, in main
    return internal_main.main(cli_args)
  File "/usr/lib/python2.7/site-packages/certbot/_internal/main.py", line 1320, in main
    plugins = plugins_disco.PluginsRegistry.find_all()
  File "/usr/lib/python2.7/site-packages/certbot/_internal/plugins/disco.py", line 208, in find_all
    plugin_ep = PluginEntryPoint(entry_point)
  File "/usr/lib/python2.7/site-packages/certbot/_internal/plugins/disco.py", line 50, in __init__
    self.plugin_cls = entry_point.load()
  File "/usr/lib/python2.7/site-packages/pkg_resources.py", line 2260, in load
    entry = __import__(self.module_name, globals(),globals(), ['__name__'])
  File "build/bdist.linux-x86_64/egg/certbot_apache/entrypoint.py", line 4, in <module>
  File "build/bdist.linux-x86_64/egg/certbot_apache/configurator.py", line 32, in <module>
  File "build/bdist.linux-x86_64/egg/certbot_apache/http_01.py", line 13, in <module>
  File "/usr/lib/python2.7/site-packages/certbot/plugins/common.py", line 445, in __getattr__
    return getattr(self._module, attr)
AttributeError: 'module' object has no attribute 'TLSSNI01'
2020-01-09 20:23:15,165:ERROR:certbot._internal.log:An unexpected error occurred:

Something is going wrong…

Hello Joe,

I finally found time to try this again.
certbot-auto is now installed as described at https://certbot.eff.org/lets-encrypt/debianjessie-other including step 1-3 and executed “sudo /usr/local/bin/certbot-auto certonly --webroot” from step 4 once without entering domains at all.

I tried to run certbot-auto and was able to select nginx and all of my domains were listed.

Nevertheless, Virtualmin 6.08 (Webmin 1.940) claims " The Let’s Encrypt client command letsencrypt or certbot was not found on your system".

Any ideas on that? There seems to be no setting to enter the path to certbot-auto…

Ilia mentioned Webmin 1.941 to fix this. What does this mean and when is this planned?
With only a few days left for the first certificates to expire I’m getting a little bit nervous :wink:

Thanks in advance and best regards
Christian

You don’t want to run certbot-auto for your specific web server. It’ll try to insert configuration that Virtualmin is already managing (and maybe break it).

I don’t know why it wouldn’t be detected. It’s supposed to find certbot-auto if it’s somewhere on the path, but you can set the path explicitly in Webmin Configuration->Configuration (click the gear in the left corner of the right frame).

1 Like
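
For the detection problem discussed in the posts above, a way to see which client a given search path resolves to. This is an added example, not Webmin's own detection code; the order the names are tried in and the permission check are assumptions made here.

```shell
#!/bin/sh
# Added example, not Webmin code. Client names are the ones mentioned in the
# thread; the order they are tried in is an assumption.
CLIENT_NAMES="certbot letsencrypt certbot-auto"

# world_writable PATHNAME: true if "others" have write permission.
# -L follows symlinks so a link's own lrwxrwxrwx mode is not misread.
world_writable() {
    case "$(ls -ldL "$1")" in
        ????????w*) return 0 ;;
    esac
    return 1
}

# find_acme_client SEARCH_PATH
# Walks the colon-separated SEARCH_PATH in order and prints the first
# executable client found. Exit status: 0 found, 1 not found,
# 2 found but the file or its directory is world-writable.
find_acme_client() {
    IFS=:
    set -f                  # split on ':' only, no glob expansion
    set -- $1
    set +f
    unset IFS               # back to default word splitting
    for dir in "$@"; do
        [ -n "$dir" ] || continue
        for name in $CLIENT_NAMES; do
            if [ -f "$dir/$name" ] && [ -x "$dir/$name" ]; then
                printf '%s\n' "$dir/$name"
                # The renewal client typically runs as root, so a copy that
                # any local user can replace should not be the one picked up.
                if world_writable "$dir" || world_writable "$dir/$name"; then
                    return 2
                fi
                return 0
            fi
        done
    done
    return 1
}

# Usage: sh find_client.sh "/usr/local/bin:/usr/bin"
if [ "$#" -gt 0 ]; then
    find_acme_client "$1"
fi
```

Pass it the search path of the service that runs the renewal rather than your login shell's `$PATH`, since the two can differ.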

Thanks, Joe! The path was set and not set to “Find automatically”. I was able to renew the certificates! :sweat_smile:

Strangely I did not remember this setting. And search within webmin did not come up with a result:
Searching for certbot . . . . found 0 results :
No Webmin modules or pages matching certbot were found.

But, however, THANKS! :wink:

But when will Webmin 1.941 be coming!!!

I have a huge problem, I must need to Let’s Encrypt

Can I downgrade with any problem???

Thanks

Webmin 1.941 was released to devel repos. Simply run this command to grab and update it:

yum update http://download.webmin.com/devel/rpm/webmin-1.941-1.noarch.rpm

Thank you!

I have CentOS 6.10, this update works on it

Is there also one for Debian 8?

If not, how can I downgrade from Debian 8?

edit:
http://download.webmin.com/devel/deb/
I have found this, could I try to update with _all?