====== Virtualmin SSL Issues ======

See also **[[internet:security:ssl_tls_cert_testing|TLS/SSL Certificate Testing]]**

===== For Webmin Alone =====

[[https://doxfer.webmin.com/Webmin/Let's_Encrypt]]

**Webmin -> Webmin -> Webmin Configuration -> SSL Encryption**

:!: Requires HTTP server or DNS server hosting the domain

===== Install Service Certs =====

<file>
virtualmin install-service-cert --domain yourdomain.com --service webmin
</file>

  * webmin
  * usermin
  * dovecot
  * postfix
  * proftpd

===== Let's Encrypt =====

:!: Beware of rate limiting at Let's Encrypt.  Don't run any more attempts than is absolutely necessary or you may have to wait an hour to try again.

  - **Edit the virtual server** you want to SSL-enable
    - **Enable SSL** feature
      * A self-signed certificate is automatically created and applied
      * You must have an accessible ''index.html'' or ''certbot'' will fail
  - **Configure Let's Encrypt** SSL certificate
    - **Don't add mail.domain.tld**
      - Mail clients will still have to accept the host server's certificate anyway
      - Use ''domain.tld'' or ''www.domain.tld'' as mail server
      - Or just accept the server's cert
    - **List the desired SANs**<file>domain.tld
www.domain.tld
autoconfig.domain.tld
autodiscover.domain.tld</file>
    - Adjust the auto-renewal interval
      * The default (two months) is safe

**Virtualmin -> <domain> -> Server Configuration -> Manage SSL Certificate -> Let’s Encrypt** (tab)

**Request certificate for -> Domain names listed here -> <list of Subject Alternative Names>**

**Months between automatic renewal -> ''2''**

===== Encrypt all Traffic for a Site =====

**Virtualmin -> <domain> -> Services -> Configure Website -> Aliases and Redirects**

**Permanent URL redirects -> From -> ''/'' (slash)**

**Permanent URL redirects -> To -> https://www.yourdomainname.tld**

===== Apply Let’s Encrypt SSL Cert to System Services =====

<note>Most of the time, Virtualmin on newer host operating systems such as (Ubuntu 20.04) supports [[https://en.wikipedia.org/wiki/Server_Name_Indication|SNI]].  SNI presents the SSL certs of client domains based on the calling URI.</note>

<note>If you want SNI to function for a particular virtual server (domain), you must have configured SSL for that virtual server/domain.</note>

:!: The matching domain name must be included in the SSL certificate.

**Virtualmin -> <domain> -> Server Configuration -> Manage SSL Certificate -> Current Certificate (tab) -> Copy to...**

  * Webmin
  * Usermin
  * Postfix
  * Dovecot
  * ProFTPD