“Let’s Encrypt” certificate on sites hosted in Virtualmin Part 1
Let’s Encrypt is a service that provides free X.509 certificats for TLS (Transport Layer Security) for websites for 90 days. One can renew it every 90 days I believe. This basically means, they provide ways to make communications between the website and users (who use the website) more secure. This is done by encrypting the connection using keys and thus leading to private communications.
Let’s Encrypt is a certificate authority service prvided by the Internet Security Research Group (ISRG) mostly sponsored by Electronic Frontier Foundation, the Mozilla Foundation, OVH, Akamai and Cisco Systems. In the words of the ISRG, they are providing the service for free for anyone who owns a domain name as they want to create a more secure and privacy-respecting web.
The process of getting a certificate and renewing it is a completely automated process. They even provide an various easy processes to sign up and get an SSL/TLS certificate for use by the domain, which can be found here.
However, the processes did not work for me, and looking at various forums and blogs, I found some places that helped. One of the examples was from a virtualmin forum. The process in the forum was mostly using bash with texts. The following is the process that worked for me that uses both bash and the virtualmin/webmin GUI.
Worked on : Ubuntu 14.04, Virtualmin 4.18.gpl
For the purposes of the blog. Username : “user”, domain : “mydomain.xyz”, domain user : “domainuser”
Firstly, download the Let’s Encrypt project from the letsencrypt git repo. This can be done by below:
cd /home/user/ && git clone https://github.com/letsencrypt/letsencrypt
The letsencrypt program will be downloaded at /home/user/letsencrypt. Now, create the folder to store the certificates for the domain. It can be created anywhere in the server. For example as below:
Now, to the certificate generation part. It can be performed manually by typing in the codes to generate and store the certificates in the folder created above. Or, a cronjob can be created to generate and store the certificates. This will help in two ways:
- To automate the generation process, and
- To automate the renewal process (a cronjob can run in the provided time which will help in renewal of the certificate, even if it is forgotten)
There are two ways to create a new cronjob. It can be done either through bash or through the webmin control panel.
To set up a cronjob through the GUI of virtualmin/webmin web control panel. In the virtualmin/webmin panel, open the “Webmin” panel by clicking the “Webmin” link, as shown in the picture below.
In the Webmin control panel, go to System -> Scheduled Cron Jobs.
Once there, a new cron job can be added/created by clicking the “Create a new scheduled cron job“, which is normally present at the bottom of the page as shown below.
The picture below is the panel for creating the cron job.
Here, in “Execute cronjob as”, enter the username “root”. As a root user can run a scheduled cron job as required and without any limitations.
In the command, we enter the codes below:
cd /home/user/letsencrypt/ && ./letsencrypt-auto certonly –email [email protected] –agree-tos –webroot –renew-by-default -w /home/domainuser/public_html/ -d www.mydomain.xyz -d mydomain.xyz –authenticator webroot && cp -f /etc/letsencrypt/live/www.mydomain.xyz/cert.pem /home/domainuser/ssl_certs/cert.pem && cp -f /etc/letsencrypt/live/www.mydomain.xyz/chain.pem /home/domainuser/ssl_certs/chain.pem && cp -f /etc/letsencrypt/live/www.mydomain.xyz/fullchain.pem /home/domainuser/ssl_certs/fullchain.pem && cp -f /etc/letsencrypt/live/www.mydomain.xyz/privkey.pem /home/domainuser/ssl_certs/privkey.pem
Replace “[email protected]” with the email address to be associated with the certificate. On, when to execute, select the radio “Times and dates selected below ..”. In Minutes, click on “Selected…” and select any of the numbers present in the list like “1”, in Hours, do the same and select “3” and in Days, do the same and select “1”. However, in Months, select “February”, “April”, “June”, “August”, “October” and “December”. Multiple months are selected so that the cronjob runs every two months, so that the certificate automatically renews every two months (as it is only valid for 90 days). It should be as below:
or, if you want to do it through bash and not follow all the lists as above. You can run the following command.
1 3 1 2,4,6,8,10,12 * cd /home/user/letsencrypt/ && ./letsencrypt-auto certonly –email [email protected] –agree-tos –webroot –renew-by-default -w /home/domainuser/public_html/ -d www.mydomain.xyz -d mydomain.xyz –authenticator webroot && cp -f /etc/letsencrypt/live/www.mydomain.xyz/cert.pem /home/domainuser/ssl_certs/cert.pem && cp -f /etc/letsencrypt/live/www.mydomain.xyz/chain.pem /home/domainuser/ssl_certs/chain.pem && cp -f /etc/letsencrypt/live/www.mydomain.xyz/fullchain.pem /home/domainuser/ssl_certs/fullchain.pem && cp -f /etc/letsencrypt/live/www.mydomain.xyz/privkey.pem /home/domainuser/ssl_certs/privkey.pem
Once the cronjob is created, open it be clicking the link to the created cron job. (If the cron job was created using bash, by going to webmin->System->Scheduled Cron Jobs and clicking the link to the created cron job)
In the “Edit Cron Job” page, click on “Run Now”, which is mostly at the bottom of the page.
This will start the process for getting a certificate from Let’s Encrypt. If you get the message as shown below, you have successfully registered to get a SSL/TLS certificate and your certificates can be found at /home/domainuser/ssl_certs.
IMPORTANT NOTES: - Congratulations! Your certificate and chain have been saved at /etc/letsencrypt/live/www.mydomain.xyz/fullchain.pem. Your cert will expire on 2017-05-29. To obtain a new or tweaked version of this certificate in the future, simply run letsencrypt-auto again. To non-interactively renew *all* of your certificates, run "letsencrypt-auto renew" - If you like Certbot, please consider supporting our work by: Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate Donating to EFF: https://eff.org/donate-le
Continued in Part 2.