virtualmin / virtualmin-gpl

Virtualmin web hosting control panel for Webmin
https://www.virtualmin.com
GNU General Public License v3.0

Virtualmin is applying incorrect SSL apache config #297

Open dtwist opened 3 years ago

dtwist commented 3 years ago

It seems that Virtualmin is mis-configuring apache directives WRT SSL cert chains. Without modifying apache config as I describe below, the SSL labs test shows that apache is not providing intermediate certs. Updating per the config shown below corrects this issue.

Virtualmin currently sets the following certificate directives, regardless of the version of apache installed:

SSLCertificateFile /home/virtualserver/ssl.cert
SSLCertificateKeyFile /home/virtualserver/ssl.key
SSLCACertificateFile /home/virtualserver/ssl.ca

There are two potential configurations to apply (that I am aware of), depending on the apache version.

In both cases, Virtualmin is adding the "SSLCACertificateFile" directive, which isn't harming anything, but also is probably not needed, since this directive is used for Client Authentication.

Apache 2.4.8 or newer

The directive "SSLCertificateFile" can supply both the server and intermediate certs, and should be using the ssl.combined file that webmin builds (concatenated server cert and CA chain):

SSLCertificateFile /home/virtualserver/ssl.combined
SSLCertificateKeyFile /home/virtualserver/ssl.key

Apache versions below 2.4.8 (e.g. CentOS 7)

Apache versions older than 2.4.8 don't support combined certs in the "SSLCertificateFile" directive. Instead it requires you specify the server certificate for that directive (ssl.cert), and use "SSLCertificateChainFile" to supply CA certs (ssl.ca):

SSLCertificateFile /home/virtualserver/ssl.cert
SSLCertificateChainFile /home/virtualserver/ssl.ca
SSLCertificateKeyFile /home/virtualserver/ssl.key

I used Apache documentation and the Mozilla SSL config generator to come to these conclusions.

There is also a good discussion on the common misuse of SSLCACertificateFile here.

[edit] note: In addition to setting the directives, there are other subroutines that look for specific directives, and those would need updating too:

sub backup_ssl
sub restore_ssl
sub break_ssl_linkage

Distro: CentOS
Version: 7.9.2009
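One way to make the directive choice depend on the Apache version, as the report above proposes, in an added Python example that is not Virtualmin's own code (Virtualmin is written in Perl). The PEM strings are constructed stand-ins with no real key material, and `build_combined` assumes the server certificate lives in ssl.cert and the CA chain in ssl.ca, as the report describes:

```python
import re

# Constructed sample certificates: PEM framing around dummy base64, enough to
# exercise the concatenation and ordering logic without any real certificate.
SERVER_CERT = "-----BEGIN CERTIFICATE-----\nU0VSVkVS\n-----END CERTIFICATE-----\n"
CA_CHAIN = ("-----BEGIN CERTIFICATE-----\nSU5URVJNRURJQVRF\n-----END CERTIFICATE-----\n"
            "-----BEGIN CERTIFICATE-----\nUk9PVA==\n-----END CERTIFICATE-----\n")

PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)


def parse_version(ver):
    """Turn '2.4.6' (or '2.4.6-1.el7') into (2, 4, 6).

    Comparing tuples of ints avoids the classic bug where the string
    '2.4.10' sorts before '2.4.8'.
    """
    return tuple(int(p) for p in re.findall(r"\d+", ver)[:3])


def build_combined(server_pem, ca_pem):
    """Build the ssl.combined content: server certificate first, then the chain."""
    server_blocks = PEM_BLOCK.findall(server_pem)
    if len(server_blocks) != 1:
        raise ValueError("ssl.cert must hold exactly one certificate")
    chain_blocks = PEM_BLOCK.findall(ca_pem)
    if not chain_blocks:
        raise ValueError("ssl.ca holds no certificates; nothing to chain")
    return "\n".join(server_blocks + chain_blocks) + "\n"


def ssl_directives(apache_version, home):
    """Return the mod_ssl directives for a virtual server under `home`.

    2.4.8+ accepts a combined file in SSLCertificateFile; older releases need
    SSLCertificateChainFile. SSLCACertificateFile (client auth) is not emitted.
    """
    if parse_version(apache_version) >= (2, 4, 8):
        return [f"SSLCertificateFile {home}/ssl.combined",
                f"SSLCertificateKeyFile {home}/ssl.key"]
    return [f"SSLCertificateFile {home}/ssl.cert",
            f"SSLCertificateChainFile {home}/ssl.ca",
            f"SSLCertificateKeyFile {home}/ssl.key"]
```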

jcameron commented 3 years ago

Virtualmin has been using these directives for a long while now - are you seeing errors in a browser with the config it generates?

dtwist commented 3 years ago

Jamie, thanks for the quick reply.

Browsers are not showing errors, but that is an indication of how forgiving browsers are of mis-configured servers rather than whether the apache config is being configured as intended.

The following site has been updated as I describe above: https://jadeorchard.com/

This one is still using the default Virtualmin-applied directives on the same server. https://flatballfilm.com/

You can run both through all the following tools to validate SSL configs—each reports that no intermediate certificates are provided for the default Virtualmin-applied directives, and all report that they are with the updated directives:

https://www.ssllabs.com/ssltest/
https://www.immuniweb.com/ssl/
https://www.thesslstore.com/ssltools/ssl-checker.php
https://gf.dev/tls-scanner

chris001 commented 3 years ago

For what it's worth, I noticed the same https cert bug. I didn't report it with the above details; instead, I reported an issue with getting low scores on SSLLabs, and Webmin/Virtualmin should be fixed to get an A score by default on security tightness on all TLS/SSL tests (smtp, IMAP, HTTPS, FTP, ssh, etc).

jcameron commented 3 years ago

So in this case, the intermediate certificate comes from Let's Encrypt.

If SSLCACertificateFile isn't being used, and Webmin isn't configuring Apache to use a certificate file that contains the intermediate cert as well, how does the browser validate the cert at all without access to the intermediate?

swelljoe commented 3 years ago

Let's Encrypt is recognized by most modern browsers, even without the chain cert. So, a site working with a modern browser doesn't necessarily indicate the config is right (I haven't read the docs to know one way or the other, but just because it "works for me" in this case is not proof that it's right).

jcameron commented 3 years ago

Good point .. I think I'll switch to using the combined SSL cert file (that contains the CA cert as well) for Apache.

dtwist commented 3 years ago

@jcameron See my original report above. The combined cert is what should be used for Apache 2.4.8 and up, but won’t work with earlier versions. For those you need to provide the CA chain using SSLCertificateChainFile. The links in my report will take you to relevant Apache docs.

jcameron commented 3 years ago

So I did some tests, and under Apache 2.4.6 the CA cert set with the SSLCACertificateFile directive is correctly presented to the browser. Even though the docs say that this directive is used for client authentication, I see no difference in what's presented for SSLCACertificateFile versus SSLCertificateChainFile.

chris001 commented 3 years ago

@dtwist Could you post screen shots and URLs of websites that fail the online SSL verification? And some URLs/screenshots that pass.

jcameron commented 3 years ago

FYI, in the next Virtualmin release, Apache versions 2.4.8 and above will be configured to use a combined SSL certificate file.

dtwist commented 3 years ago

@chris001 Sure, this is on a CentOS 7 install:

The following site has been updated to use SSLCertificateChainFile instead of SSLCACertificateFile: https://www.ssllabs.com/ssltest/analyze.html?d=jadeorchard.com&latest


This one is still using the default Virtualmin-applied directives on the same server. https://www.ssllabs.com/ssltest/analyze.html?d=flatballfilm.com&latest
