Let's Encrypt Improvement

Jamie/Joe,

It has come to my attention that the Let's Encrypt functionality built into Webmin and Virtualmin could use a much-needed improvement.

Scenario #1 - Virtualmin installed with Apache - In this instance, everything works fine as intended since the Acme client can connect and do its automatic validation without issue.

Scenario #2 - Webmin Installed with No Virtualmin and/or Apache - In this instance, we run into a problem. The only way to validate a certificate is to manually install the Acme client and set up the certificate via the command line.

To deal with this model, you could make use of the DNS validation model, where the Acme client will produce a DNS record that can be installed, then validated against the Acme server accordingly.

This addition would make it possible to install a Webmin Let's Encrypt certificate where the server is for instance running as a dedicated "DNS", "MySQL", or "Email" server.

I hope this suggestion helps in further developing the integration of Let's Encrypt, which has been one of the best major additions to Webmin/Virtualmin since the introduction of the new Authentic Theme.

Cheers!

Status: Active

Comments

DNS validation is a good idea - even when Apache is installed, a lot of users have proxies or redirects set up in a way that breaks it. I will look into adding this in a future release.

The next releases of Webmin / Virtualmin will support DNS-based validation for Let's Encrypt.

Status: Active » Fixed
Submitted by tpnsolutions on Thu, 02/09/2017 - 15:44

While on the topic of Let's Encrypt, I know that "generate-letsencrypt-cert" creates them, but what if I didn't specify an automatic renewal period, and don't want to use the renewal option from the control panel, is it possible?

Also, I noticed on the website, there's no documentation for the "generate-letsencrypt-cert" option as of yet. Perhaps a browse over the API command catalog might be in order to make sure all the current commands have been cataloged and/or updated.

-Peter

Submitted by tpnsolutions on Thu, 02/09/2017 - 15:45

Status: Fixed » Active

I don't quite follow what you are looking to do with the renewal here?

FYI, you can always get help on API commands by running virtualmin generate-letsencrypt-cert --help

Submitted by tpnsolutions on Fri, 02/10/2017 - 00:13

Jamie,

Theoretically when you run the command "virtualmin generate-letsencrypt-cert --domain test.com" the certificate would be created with an expiry of 3 months.

In this example, there is NO auto-renewal date. Do you see my point now?

-Peter

Oh I see. In that case, you can add the flag --renew 2 to that command to also set up automatic renewal.