Table of Contents

Let's Encrypt Free SSL Certificates

See also Using LetsEncrypt SSL Certificates with Zimbra

Home Page: https://letsencrypt.org/certificates/

Documentation: https://certbot.eff.org/all-instructions/

Webmin: https://doxfer.webmin.com/Webmin/Let's_Encrypt

DNS

CAA records authorize SSL certificate issuance by certain certificate authorities.

For Virtualmin managed domains, manually enter something like:

hostname.domain.tld.	IN	CAA	0 issue "letsencrypt.org"

SSL Certificate Testing

Test Your Certs: https://www.digicert.com/help/

Microsoft Windows

Certify the Web

Home: https://certifytheweb.com/

Single: https://support.centrestack.com/hc/en-us/articles/360010229973-Obtaining-a-Server-Certificate-from-Let-s-Encrypt-Using-Certify-The-Web

Wildcard: https://support.centrestack.com/hc/en-us/articles/360010235053-Obtaining-a-Wildcard-Certificate-from-Let-s-Encrypt-Using-Certify-The-Web

win-acme

Home: https://github.com/PKISharp/win-acme/wiki/Basic-usage

How to Run: https://github.com/PKISharp/win-acme/wiki/How-to-Run

This is a simple CLI tool that automates a great deal while allowing for numerous configurations.

This script is still under heavy development.

Microsoft Exchange

Exchange 2016 HowTo: https://www.netometer.com/video/tutorials/How-to-Install-LetsEncrypt-Certificate-in-Exchange-Server/

Exchange 2016 HowTo: https://mediarealm.com.au/articles/lets-encrypt-microsoft-exchange-installation/

Apache

:!: Make sure the site works as desired before attempting to acquire a LetsEncrypt cert!

ServerAlias

If you need to add a SAN (Subject Alternative Name) to a LetsEncrypt cert, you first have to make the web server serve that SAN. One way is to add a ServerAlias to the site's Apache configuration file:

Virtualmin → <vserver> → Services → Configure Website → Edit Directives

or edit /etc/apache2/sites-available/yourdomain.tld.conf, adding:

ServerAlias desiredalias.yourdomain.tld

:!: With LetsEncrypt, it's currently difficult to add the SAN and redirect it to a folder. Here we just redirect it

Ubuntu 16.04

Apache

:!: This will install Apache if not already installed.

https://www.digitalocean.com/community/tutorials/how-to-secure-apache-with-let-s-encrypt-on-ubuntu-16-04

https://certbot.eff.org/lets-encrypt/ubuntuxenial-apache

apt-get update && apt-get -y install software-properties-common
add-apt-repository ppa:certbot/certbot
apt-get update && apt-get -y install python-certbot-apache

Renewal

certbot renew --dry-run

Virtualmin

:!: Make sure the site works as desired before attempting to acquire a LetsEncrypt cert!

Virtualmin supports Let's Encrypt SSL certificates for hosted virtual servers.

  1. Edit the desired virtual server
    1. Enable SSL
  2. Request a Let's Encrypt certificate

Virtualmin → <domain> → Edit Virtual Server → Apache SSL website → Enable → Save

Virtualmin → <domain> → Server Configuration → Manage SSL Certificate → Let's Encrypt

mail.domain.tld

https://www.virtualmin.com/comment/785483#comment-785483

Webmin

Webmin works well with Apache and HTTP validation. However, you can also use DNS validation if you don't have Apache installed and you don't want to open ports 80 and 443 in the firewall. However, DNS validation is not documented well here, particularly renewals.

DNS

https://serverfault.com/questions/750902/how-to-use-lets-encrypt-dns-challenge-validation

https://certbot.eff.org/docs/using.html#manual

:!: Add this for testing:

--staging
apt install certbot

certbot -d hostname.yourdomain.tld --manual --preferred-challenges dns certonly

certbot renew --dry-run

certbot certificates

HTTP

Documentation: https://doxfer.webmin.com/Webmin/Let's_Encrypt

More Info: http://webmin.com/ssl.html

Webmin also supports Let's Encrypt SSL certificates.

Webmin → Webmin → Webmin Configuration → SSL Encryption → Let's Encrypt

Request a Let's Encrypt Cert

Successful

Resultant Webmin SSL Settings

Log Rotation

:!: Certbot has its own log rotation.

/etc/logrotate.d/letsencrypt

/var/log/letsencrypt/letsencrypt.log {
  daily
  rotate 0
  firstaction
    /usr/bin/find /var/log/letsencrypt/ -name "letsencrypt.log.*" -mtime +100 -delete
  endscript
  nocreate
  missingok
  notifempty
}

Test:

ll /var/log/letsencrypt/   #before
logrotate -f /etc/logrotate.d/letsencrypt
ll /var/log/letsencrypt/   #after

Troubleshooting

Remove scheduled task and registry key (HKEY_LOCAL_MACHINE\Software\letsencrypt-win-simple), then perform an iisreset as an administrator.

Increase verbosity:

--verbose