
Let's Encrypt Free SSL Certificates

DNS

CAA (Certification Authority Authorization) DNS records restrict which certificate authorities may issue certificates for a name; a CA must check them before issuing.

For Virtualmin managed domains, manually enter something like:

hostname.domain.tld.	IN	CAA	0 issue "letsencrypt.org"
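Added example (not from this page, Virtualmin or any CA): a small Python check that parses CAA lines in the zone-file syntax shown above and applies the RFC 8659 lookup rules a CA uses, so you can reason about what a record set actually permits before relying on it. The zone fragment, the names under example.test and the CA domains are constructed sample data; the walk from the name up to its parents, the issue/issuewild distinction and the ";" (authorize nobody) value are as the RFC specifies.

```python
import re
from dataclasses import dataclass

# Zone-file CAA line:  owner [ttl] IN CAA flags tag "value"   (the TTL is optional)
CAA_LINE = re.compile(
    r'^(?P<name>\S+)\s+(?:\d+\s+)?IN\s+CAA\s+(?P<flags>\d+)\s+(?P<tag>\w+)\s+"(?P<value>[^"]*)"\s*$',
    re.IGNORECASE,
)


@dataclass
class CAARecord:
    flags: int
    tag: str
    value: str


def parse_caa_zone(text: str) -> dict:
    """Parse CAA lines in zone-file syntax into {owner_name: [CAARecord, ...]}."""
    zone = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # blank line or zone-file comment
            continue
        m = CAA_LINE.match(line)
        if not m:
            raise ValueError(f"not a CAA record: {line!r}")
        owner = m["name"].rstrip(".").lower()
        zone.setdefault(owner, []).append(
            CAARecord(int(m["flags"]), m["tag"].lower(), m["value"].strip()))
    return zone


def relevant_caa_rrset(zone: dict, fqdn: str):
    """RFC 8659 s.3: the relevant RRset is the first CAA RRset found walking from the
    name itself up through its parents. No RRset anywhere means issuance is unrestricted."""
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:])
        if owner in zone:
            return owner, zone[owner]
    return None, []


def issuer_domains(records, tag: str) -> set:
    """Issuer domain names carried by the given property tag; the value ";" yields ""."""
    return {r.value.split(";", 1)[0].strip().lower() for r in records if r.tag == tag}


def issuance_permitted(zone: dict, fqdn: str, ca_domain: str, wildcard: bool = False):
    """Decide, as a CA would, whether ca_domain may issue for fqdn. Returns (bool, reason)."""
    owner, rrset = relevant_caa_rrset(zone, fqdn)
    if not rrset:
        return True, "no CAA RRset at the name or any parent: issuance not restricted"
    for r in rrset:
        # Bit 128 is the critical flag: a CA that does not understand the tag must not issue.
        if r.flags & 128 and r.tag not in ("issue", "issuewild", "iodef"):
            return False, f"critical unknown property {r.tag!r} at {owner}"
    # Wildcard requests use issuewild when present and fall back to issue otherwise.
    tag = "issuewild" if wildcard and any(r.tag == "issuewild" for r in rrset) else "issue"
    allowed = issuer_domains(rrset, tag)
    if not allowed:
        return True, f"no {tag} property at {owner}: issuance not restricted"
    allowed.discard("")          # an explicit ";" value authorizes nobody
    if ca_domain.lower() in allowed:
        return True, f"{ca_domain} authorized by {tag} at {owner}"
    return False, f"{ca_domain} not among {sorted(allowed) or 'nobody'} ({tag} at {owner})"


# Constructed zone fragment (sample data, not a real domain): the page's own line
# format plus a wildcard ban, an iodef address and a name that forbids all issuance.
SAMPLE_ZONE = """
; CAA records for the sample zone
example.test.          IN  CAA 0 issue "letsencrypt.org"
example.test.          IN  CAA 0 issuewild ";"
example.test.          IN  CAA 0 iodef "mailto:hostmaster@example.test"
locked.example.test.   3600 IN CAA 0 issue ";"
"""
ZONE = parse_caa_zone(SAMPLE_ZONE)

if __name__ == "__main__":
    for fqdn, ca, wild in [("www.example.test", "letsencrypt.org", False),
                           ("www.example.test", "digicert.com", False),
                           ("example.test", "letsencrypt.org", True),
                           ("locked.example.test", "letsencrypt.org", False),
                           ("other.test", "letsencrypt.org", False)]:
        ok, why = issuance_permitted(ZONE, fqdn, ca, wildcard=wild)
        print(f"{'ALLOW' if ok else 'DENY ':5} {ca:16} {'*.' if wild else ''}{fqdn}: {why}")
```

Two points the sample makes visible: a CAA record on the zone apex covers every host below it until a deeper name publishes its own RRset, and "issuewild" only matters for wildcard requests, so a plain "issue" record alone also authorizes wildcards from that CA.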

SSL Certificate Testing

Test Your Certs: https://www.digicert.com/help/

  • Free new service with goal of 100% HTTPS for web traffic
    • By the non-profit Internet Security Research Group (ISRG)
  • Trusted by nearly all browsers
    • Currently due to cross-signing by IdenTrust
    • Let’s Encrypt Authority X3 (issuer)
    • DST Root CA X3 (IdenTrust cross-signing CA chain certificate)
  • SAN certificates
    • Add multiple Subject Alternative Names

Microsoft Windows

Certify the Web

win-acme

Home: https://github.com/PKISharp/win-acme/wiki/Basic-usage

How to Run: https://github.com/PKISharp/win-acme/wiki/How-to-Run

This is a simple CLI tool that automates a great deal while allowing for numerous configurations.

This script is still under heavy development.

Microsoft Exchange

Apache

:!: Make sure the site works as desired before attempting to acquire a LetsEncrypt cert!

ServerAlias

If you need to add a SAN (Subject Alternative Name) to a LetsEncrypt cert, you first have to make the web server serve that SAN. One way is to add a ServerAlias to the site's Apache configuration file:

Virtualmin → <vserver> → Services → Configure Website → Edit Directives

or edit /etc/apache2/sites-available/yourdomain.tld.conf, adding:

ServerAlias desiredalias.yourdomain.tld

:!: With LetsEncrypt, it's currently difficult to add the SAN and redirect it to a folder. Here we just redirect it

Ubuntu 16.04

Apache

:!: This will install Apache if not already installed.

https://www.digitalocean.com/community/tutorials/how-to-secure-apache-with-let-s-encrypt-on-ubuntu-16-04

https://certbot.eff.org/lets-encrypt/ubuntuxenial-apache

apt-get update && apt-get -y install software-properties-common
add-apt-repository ppa:certbot/certbot
apt-get update && apt-get -y install python-certbot-apache

Renewal

certbot renew --dry-run

Virtualmin

:!: Make sure the site works as desired before attempting to acquire a LetsEncrypt cert!

Virtualmin supports Let's Encrypt SSL certificates for hosted virtual servers.

  1. Edit the desired virtual server
    1. Enable SSL
  2. Request a Let's Encrypt certificate

Virtualmin → <domain> → Edit Virtual Server → Apache SSL website → Enable → Save

Virtualmin → <domain> → Server Configuration → Manage SSL Certificate → Let's Encrypt

mail.domain.tld

Webmin

Webmin works well with Apache and HTTP validation. You can also use DNS validation if you don't have Apache installed and you don't want to open ports 80 and 443 in the firewall; however, DNS validation is not documented well here, particularly renewals.

DNS

https://serverfault.com/questions/750902/how-to-use-lets-encrypt-dns-challenge-validation

https://certbot.eff.org/docs/using.html#manual

:!: While testing, add this flag to the certbot command so that requests go to the Let's Encrypt staging environment:

--staging

Install certbot:

apt install certbot

certbot -d hostname.yourdomain.tld --manual --preferred-challenges dns certonly

certbot renew --dry-run

certbot certificates
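Added example (not from this page or from certbot): with --manual and --preferred-challenges dns, certbot prints a TXT record value that you must publish at _acme-challenge.hostname before continuing. The Python below shows where that value comes from (RFC 8555 dns-01: base64url of the SHA-256 of the key authorization, which itself is the challenge token joined to the RFC 7638 thumbprint of the account key), plus the exact-match check the CA performs. The account JWK and token are constructed sample values, not real key material.

```python
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding ACME (RFC 8555) uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the required public members only, serialized in
    lexicographic order with no whitespace. Extra members (alg, kid) do not contribute."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    subset = {k: jwk[k] for k in required[jwk["kty"]]}
    canonical = json.dumps(subset, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 s.8.1: keyAuthorization = token || '.' || thumbprint(accountKey)."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def dns01_record_name(domain: str) -> str:
    """The TXT record lives one label below the name being validated."""
    return f"_acme-challenge.{domain.rstrip('.')}."


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """RFC 8555 s.8.4: TXT value = base64url(SHA-256(keyAuthorization))."""
    digest = hashlib.sha256(key_authorization(token, account_jwk).encode("ascii")).digest()
    return b64url(digest)


def challenge_satisfied(observed_txt_values, expected: str) -> bool:
    """What the CA checks: some TXT record at the challenge name equals the expected value
    exactly. Leftover values from earlier issuances do no harm as long as one matches."""
    return expected in observed_txt_values


# Constructed sample input (not a real account key or server-issued token).
SAMPLE_ACCOUNT_JWK = {
    "kty": "EC", "crv": "P-256",
    "x": "sample-x-coordinate-not-a-real-key-AAAAAAAAAA",
    "y": "sample-y-coordinate-not-a-real-key-BBBBBBBBBB",
    "kid": "https://acme.example/acct/1",   # ignored by the thumbprint
}
SAMPLE_TOKEN = "constructed-challenge-token-0123456789"

if __name__ == "__main__":
    host = "hostname.yourdomain.tld"
    value = dns01_txt_value(SAMPLE_TOKEN, SAMPLE_ACCOUNT_JWK)
    print(f'{dns01_record_name(host)} IN TXT "{value}"')
```

Before telling certbot to continue, confirm the record is visible from the outside (for example dig TXT _acme-challenge.hostname.yourdomain.tld against a public resolver), since the CA resolves it from its own vantage point, not from your server. Each issuance uses a fresh token, so the TXT value changes every time; certbot renew cannot complete this challenge unattended for a certificate obtained with --manual unless a --manual-auth-hook script that publishes the new value is configured.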

HTTP

Documentation: https://doxfer.webmin.com/Webmin/Let's_Encrypt

More Info: http://webmin.com/ssl.html

Webmin also supports Let's Encrypt SSL certificates.

Webmin → Webmin → Webmin Configuration → SSL Encryption → Let's Encrypt

Request a Let's Encrypt Cert

Successful

Resultant Webmin SSL Settings

Log Rotation

:!: Certbot has its own log rotation.

/etc/logrotate.d/letsencrypt

/var/log/letsencrypt/letsencrypt.log {
  daily
  rotate 0
  firstaction
    /usr/bin/find /var/log/letsencrypt/ -name "letsencrypt.log.*" -mtime +100 -delete
  endscript
  nocreate
  missingok
  notifempty
}

Test:

ll /var/log/letsencrypt/   #before
logrotate -f /etc/logrotate.d/letsencrypt
ll /var/log/letsencrypt/   #after
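Added example (not from this page or from logrotate): the firstaction line above relies on find's -mtime +100, which counts age in whole 24-hour periods and discards the fraction, so a file 100.5 days old survives and one 101 days old is removed. This Python reproduces that arithmetic against a constructed temporary directory, with a dry-run mode, so the retention rule can be checked without touching /var/log. File names and ages are constructed fixtures.

```python
import os
import tempfile
import time


def mtime_age_periods(path: str, now: float) -> int:
    """find(1)'s -mtime arithmetic: age in whole 24-hour periods, fraction discarded."""
    return int((now - os.stat(path).st_mtime) // 86400)


def prune_rotated_logs(log_dir: str, older_than: int = 100, now: float = None,
                       dry_run: bool = False) -> list:
    """Mirror `find DIR -name "letsencrypt.log.*" -mtime +N -delete`.
    Returns the names that were (or, with dry_run, would be) removed."""
    now = time.time() if now is None else now
    pruned = []
    for name in sorted(os.listdir(log_dir)):
        if not name.startswith("letsencrypt.log."):
            continue                      # live log and unrelated files are never touched
        path = os.path.join(log_dir, name)
        if mtime_age_periods(path, now) > older_than:   # strictly greater, like -mtime +N
            if not dry_run:
                os.remove(path)
            pruned.append(name)
    return pruned


def build_sample_log_dir(now: float) -> str:
    """Constructed fixture: rotated logs of various ages next to the live log."""
    d = tempfile.mkdtemp(prefix="letsencrypt-logs-")
    ages_days = {
        "letsencrypt.log": 0,        # live log, never matched
        "letsencrypt.log.1": 3,
        "letsencrypt.log.2": 100.5,  # 100 whole periods: kept by -mtime +100
        "letsencrypt.log.3": 101.2,  # 101 whole periods: removed
        "letsencrypt.log.4": 400,
        "unrelated.txt": 500,        # wrong name pattern, kept
    }
    for name, age in ages_days.items():
        path = os.path.join(d, name)
        open(path, "w").close()
        stamp = now - age * 86400
        os.utime(path, (stamp, stamp))
    return d


if __name__ == "__main__":
    now = time.time()
    d = build_sample_log_dir(now)
    print("would remove:", prune_rotated_logs(d, 100, now=now, dry_run=True))
    print("removed:     ", prune_rotated_logs(d, 100, now=now))
    print("remaining:   ", sorted(os.listdir(d)))
```

The same boundary applies when you run logrotate -f by hand: a rotated file is only deleted once it is at least 101 full days old, so "no change" after a forced run does not by itself mean the firstaction script failed.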

Troubleshooting

Remove the scheduled task and the registry key (HKEY_LOCAL_MACHINE\Software\letsencrypt-win-simple), then run iisreset as an administrator.

Increase verbosity:

--verbose

internet/security/ssl_cert_letsencrypt.txt · Last modified: 2020/08/09 12:21 by gcooper