| SYSTEM INFORMATION | |
|------------------------------|-------------------------------|
| OS type and version | FreeBSD 13.2 |
| Webmin version | 2.105 |
Currently, to create an SSL certificate you need to be using the Apache module to prove control of a domain via challenge and response. However, via a custom certbot config file, which can be specified on the command line, you can maintain a custom web root path pointing directly to Webmin.
This way, if this custom config file is kept in sync with the correct settings from the Webmin web server’s config file (if running as its own web server), then Certbot can work directly on Webmin’s web root path for the appropriate challenge and response directory and files, all while displaying the appropriate messages and form options. So the Apache module wouldn’t be required, as people can possibly be using some other web server software, including doing full stack development and production use of NodeJS, Bootstrap etc.
Can this possibly be used to improve the Webmin control panel for the future (if possible within this version series)?
If it’s not possible within this version series or at all, I don’t mind. But just reckon on trying to reduce the extra software required to obtain a valid SSL certificate for Webmin.
This would only work if Apache isn’t running, because otherwise it will be listening on port 80 and so Webmin (or certbot) cannot use the same port. And Let’s Encrypt only allows SSL cert validation on port 80 as far as I know.
I suppose we could do that on systems where Apache isn’t installed, by making Webmin listen on port 80 temporarily. But that’s a pretty rare case, and definitely not true for Virtualmin installs…
When using Webmin on its own I never have a web server installed, as the server’s use is not to serve web content. In most cases data is transferred from the server via sockets, managed by software I wrote, so in this case being able to obtain a certificate for the server host name would be useful.
What is the use case for needing a Let’s Encrypt cert for Webmin? I know it is more browser friendly, but is it worth the effort of the staff to add this for fringe usage?
certbot has a web server built-in for the standalone mode. Webmin wouldn’t need to listen on 80, if certbot is available. Standalone mode can’t work if another web server is on port 80, but, in the case where there is no web server…not a problem.
A quick work-around on systems without a webserver on port 80 would just be to install Apache. Webmin will use it automatically with a default install when requesting a cert …
@Jamie, I don’t think we should rely on Apache, if in particular certbot can handle it on its own by itself. Not everyone uses Apache, we just cannot do it (i.e. install Apache).
The most common method for obtaining a certificate without a web server is to use the standalone plugin of Certbot, to spin up a temporary web server to respond to the ACME challenges from Let’s Encrypt.
The problem is that we would have to re-bind Webmin to port 80, disable SSL redirect (perhaps do something else), and then revert it all back, when done … I’m not confident that it’s going to be a very smooth process.
Besides, I don’t understand why not just use `certbot certonly --standalone` as the primary and straightforward solution?
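
The port 80 constraint discussed in this thread, as an added example that is not part of any post and is not Webmin's code: it picks certbot's standalone or webroot mode from a table of listening sockets. The function names, the `WEBROOT` parameter, the host name and the sample listener tables are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not Webmin's code. Sample listener tables are constructed.

# Constructed `sockstat -l -P tcp` style output (FreeBSD): Webmin only.
SAMPLE_WEBMIN_ONLY='USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
root miniserv.p 812 5 tcp4 *:10000 *:*
root sshd 701 4 tcp4 *:22 *:*'

# Constructed output with another web server bound to port 80.
SAMPLE_WITH_HTTPD='USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
www httpd 1290 4 tcp4 *:80 *:*
root miniserv.p 812 5 tcp4 *:10000 *:*'

# Exit 0 if the listener table on stdin has a local address ending in ":80".
# Feed it listening sockets only (sockstat -l, ss -ltn), so that a remote
# peer's port 80 on an established connection is never counted.
port80_busy() {
    awk '{ for (i = 1; i <= NF; i++) if ($i ~ /:80$/) busy = 1 }
         END { exit busy ? 0 : 1 }'
}

# Print certbot arguments for HOST. WEBROOT is the document root of whatever
# server owns port 80 (hypothetical parameter); it is only needed when the
# port is taken, because standalone mode must bind port 80 itself.
pick_certbot_args() {
    host=$1 webroot=$2
    if port80_busy; then
        if [ -z "$webroot" ]; then
            echo "port 80 is in use and no webroot was given" >&2
            return 1
        fi
        printf 'certonly --webroot -w %s -d %s\n' "$webroot" "$host"
    else
        printf 'certonly --standalone --preferred-challenges http -d %s\n' "$host"
    fi
}

# Usage on the live system (FreeBSD), rehearsing against staging first:
#   args=$(sockstat -l -P tcp | pick_certbot_args host.example.com "") &&
#       certbot $args --dry-run
```

The webroot passed in the busy case has to belong to the server answering on port 80; a path served only by Webmin on its own port would not be reached by the HTTP-01 validation request.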