Unknown CA when adding server with LetsEncrypt certs to Webmin Servers Index.

#1 Tue, 01/16/2018 - 12:57
JadedDragoon

I've just finished setting up two new VPS with fresh installations of Virtualmin. I'm starting over fresh after my previous hosting provider folded.

I've got the basics set up, now I want to cluster the two servers together using the basic clustering features from Webmin. However, when I add one server to the other and check it, the Server Status says "Failed to connect to my.host.name: Invalid SSL certificate : Certificate is signed by an unknown CA : /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3 (code 20)". Now, I'm aware I can simply uncheck "Check remote SSL certificate?" and it will work. I've done this in the past. However, I'm a bit perplexed on why this is necessary and, from a security standpoint, I'd rather not assume the cert is valid just 'cause it exists (could have just used a self-signed cert for that).

So what's the problem here and, more importantly, how do I solve it?

EDIT: Hmm, I may actually have found the problem. I just noticed the "File or directory for remote SSL CA certificates" setting in the Webmin Servers Index module config. It's set to only pull certs from /usr/share/ca-certificates. I had assumed /usr/local/share/ca-certificates would be sourced as well and placed the LetsEncrypt ca-cert there... but it seems not. Is moving the ca-cert to a system-managed directory the only option?

EDIT2: Nope, it seems placing the ca cert in /usr/share/ca-certificates does not work either.
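A check related to the CA directory setting described in the post above, added here as an example and not written by any participant in this thread. It assumes the Servers Index module hands the configured directory to OpenSSL as a CApath; OpenSSL only finds certificates in such a directory when they sit at its top level under `<subject-hash>.<n>` names (the links that `c_rehash` or `openssl rehash` create). The directory layout built in `demo()` is constructed.

```python
import os
import re
import tempfile

# OpenSSL looks up CApath entries by file name: <8 hex digit subject hash>.<n>
HASHED_NAME = re.compile(r"^[0-9a-f]{8}\.\d+$")
PEM_MARKER = b"-----BEGIN CERTIFICATE-----"


def _is_pem_cert(path):
    """True if the file contains a PEM certificate header."""
    try:
        with open(path, "rb") as fh:
            return PEM_MARKER in fh.read(65536)
    except OSError:
        return False


def audit_capath(directory):
    """Classify PEM certificates under `directory` by whether an OpenSSL
    CApath lookup could find them."""
    report = {"usable": [], "not_hashed": [], "in_subdir": []}
    for root, _dirs, files in os.walk(directory):
        for name in sorted(files):
            path = os.path.join(root, name)
            if not _is_pem_cert(path):
                continue
            rel = os.path.relpath(path, directory)
            if root != directory:
                report["in_subdir"].append(rel)   # CApath is not searched recursively
            elif HASHED_NAME.match(name):
                report["usable"].append(rel)
            else:
                report["not_hashed"].append(rel)  # needs a <hash>.<n> link to be found
    return report


def demo():
    """Build a constructed directory layout and audit it."""
    with tempfile.TemporaryDirectory() as d:
        pem = PEM_MARKER + b"\n(constructed placeholder, not a real certificate)\n"
        os.mkdir(os.path.join(d, "mozilla"))
        for rel in ("lets-encrypt-x3.crt", "mozilla/root.crt", "0a1b2c3d.0"):
            with open(os.path.join(d, rel), "wb") as fh:
                fh.write(pem)
        return audit_capath(d)


if __name__ == "__main__":
    for kind, names in demo().items():
        print(kind, names)
```

Running `audit_capath()` against the directory named in the module config shows which certificates a CApath lookup would skip; the script only checks file naming and placement, not whether the hash in the name matches the certificate.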

Wed, 01/17/2018 - 12:24
tpnsolutions

Hi,

Which distribution and version are you using? Also which version of Virtualmin?

Best Regards,
Peter Knowles | TPN Solutions
Email: pknowles@tpnsolutions.com | Skype: tpnassist
Thu, 01/18/2018 - 10:00 (Reply to #2)
JadedDragoon

Apologies. It's been a frantic rush to get everything back up and running. I should have included that info to begin with.

Ubuntu 16.04 and Virtualmin GPL 6.02

-J Cliff Armstrong (JadedDragoon)

Tue, 04/23/2019 - 05:41
menathor

Can confirm I'm having the same issue on CentOS 7. Running the latest versions of Webmin / Virtualmin on both boxes, all packages fully updated. It's seeing the Let's Encrypt certificate but it's saying it's invalid : "invalid SSL certificate : Certificate is signed by an unknown CA : /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3 (code 20)".

Any ideas on how to fix this for clustering other than disabling SSL?

Topic locked