Open trbutler opened 3 months ago
You can change this behavior at System Settings -> Virtualmin Configuration -> SSL settings -> Configure Apache to use.
If this option affects more than just Apache, should we rename it?
No, it only affects Apache.
What about Nginx?
No, the Nginx module doesn't check this option (but it could).
Then let's do it, and call it Configure webserver to use it instead?
I'll look into it ...
So I checked and Nginx already always uses combined certs, so there's no need to rename this option.
I’ve looked into it more deeply, and in this case, I don’t think any Apache-related options belong on the Virtualmin Configuration page at all.
I suggest we move the following options under System Settings ⇾ Server Templates / Website for domain:
Yes I would agree that makes more sense! I'll look into it ....
Some sites (for example Facebook's crawler that reveals social cards) require sites to serve the full chain SSL certificate, not just the site's certificate. However, sites I host on Virtualmin that are using Virtualmin's Let's Encrypt functionality run into Facebook/Meta's crawler diagnostics reporting an HTTP 418 error. The error is itself erroneous and a reference to an April Fool's joke, but the cause seems to be the incomplete certificate chain.
Virtualmin seems to set `ssl.cert` from Let's Encrypt for web sites, rather than the full chain certificate; searching the Virtualmin forums reveals users wanting to switch the default, but not finding a setting to do so. It appears that Virtualmin does always include the fullchain.pem as `ssl.combined` in the virtual server's SSL certificate folder. It would be trivial to switch the web server template, which would prevent SSL failing validation for picky clients. I've created a post-server modification script that does a substitution if `ssl.combined` exists, but that seems less ideal than it being fixed upstream.
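The substitution described in the issue above, as an added example (not the poster's script and not Virtualmin code): it switches Apache's `SSLCertificateFile` from `ssl.cert` to `ssl.combined` only when the combined file exists and holds more than one certificate. The function names, and the assumptions that the vhost file is passed as an argument and that certificate paths are unquoted with no spaces, are hypothetical.

```shell
#!/bin/sh
# Added example: prefer ssl.combined over ssl.cert in an Apache vhost file.
# Assumption: paths in SSLCertificateFile are unquoted and contain no spaces.

# Print how many PEM certificates a file holds (a chain has the leaf plus
# at least one intermediate, so 2 or more).
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null || true
}

# Rewrite active SSLCertificateFile directives in vhost file $1.
# Commented-out directives and vhosts without a usable ssl.combined are
# left untouched. Prints the number of directives changed.
use_combined_cert() {
    conf=$1
    changed=0
    tmp=$(mktemp) || return 1
    while IFS= read -r line || [ -n "$line" ]; do
        set -f; set -- $line; set +f      # split into words, no globbing
        if [ "${1:-}" = SSLCertificateFile ] && [ "${2##*/}" = ssl.cert ]; then
            combined="${2%ssl.cert}ssl.combined"
            if [ -f "$combined" ] && [ "$(count_certs "$combined")" -ge 2 ]; then
                # Replace the last "ssl.cert" on the line, keeping indentation.
                line="${line%ssl.cert*}ssl.combined"
                changed=$((changed + 1))
            fi
        fi
        printf '%s\n' "$line" >>"$tmp"
    done <"$conf"
    cat "$tmp" >"$conf"                   # overwrite in place: keeps owner and mode
    rm -f "$tmp"
    echo "$changed"
}
```

Run `apachectl configtest` after the rewrite and before reloading Apache.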