virtualmin / virtualmin-gpl

Virtualmin web hosting control panel for Webmin
https://www.virtualmin.com
GNU General Public License v3.0

Virtual Servers Validation complains about a SSL certificate file being a symbolic link #888

Open anrikun opened 3 weeks ago

anrikun commented 3 weeks ago

My virtual server's SSL files are generated in a custom way using Certbot. SSL files are managed by Certbot and made available in /etc/letsencrypt/live/SERVER_NAME as symlinks.

When running Virtual Servers Validation, it complains about:

— Apache SSL website : SSL certificate file /etc/letsencrypt/live/SERVER_NAME/fullchain.pem is a symbolic link

What's the problem with files being symlinks? Why not remove this error?

iliajie commented 3 weeks ago

Hello,

Are you running validation using the Virtualmin UI or CLI? Can you share a screenshot of an actual error?

I've symlinked SSL certificates in the Apache config, and Virtualmin validation doesn’t complain at all.

anrikun commented 3 weeks ago

Hello,

I run validation from UI: Limits and Validation > Validate Virtual Servers > Validate Now (default options)

Virtualmin version 7.20.2 on Ubuntu 24.04

Here's a screenshot as requested.

My Apache2 virtual server configuration for SSL contains:

SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/SERVER_NAME/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/SERVER_NAME/privkey.pem
SSLProtocol +TLSv1.2 +TLSv1.3

iliajie commented 3 weeks ago

What’s the output of this command then?

ls -lsa /etc/letsencrypt/live/SERVER_NAME/fullchain.pem

anrikun commented 3 weeks ago

Here's the output:

0 lrwxrwxrwx 1 root root 40 Aug 19 15:20 /etc/letsencrypt/live/SERVER_NAME/fullchain.pem -> ../../archive/SERVER_NAME/fullchain1.pem

iliajie commented 3 weeks ago

Does it work if you set the file directly without using a symlink? Also, do you have SELinux or AppArmor running? If so, check their logs.

I'm asking because I can't reproduce this issue.

anrikun commented 3 weeks ago

Actually the site itself works as expected. It's just Virtualmin Server Validation that complains about the symlink.

When I change the configuration to direct paths, I get a different error on validation:

Apache SSL website : SSL certificate file /etc/letsencrypt/archive/SERVER_NAME/fullchain1.pem could not be parsed

AppArmor is running but I can't find anything in the logs, and even when stopped, the validation error still shows up. SELinux is not present.

EDIT: By the way, I've also tried to put the files directly in the virtual server's home directory and the same error as above was returned.

jcameron commented 3 weeks ago

Virtualmin doesn't allow SSL certs referenced in the Apache config to be symlinks, as there's a danger of this causing config breakage if the link destination is removed by a domain owner.

Generally we recommend letting Virtualmin manage the SSL cert and key files, rather than using the paths generated by Let's Encrypt.
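
The breakage described in the last comment can be checked for directly. The following is an added example, not Virtualmin's validation code and not code from this thread: it reads the two SSL directives from an Apache config snippet, reports whether each path is a regular file, a symlink, a dangling symlink or missing, and records which uid owns the directory holding the link target (that owner can delete the target). The function names and the temporary live/archive layout are constructed for illustration.

```python
import os
import re
import tempfile

# Matches the two Apache directives shown in the thread, quoted or not.
DIRECTIVE = re.compile(
    r'^[ \t]*(SSLCertificateFile|SSLCertificateKeyFile)[ \t]+"?([^"\s]+)"?',
    re.I | re.M)

def audit_ssl_paths(conf_text):
    """Classify every SSL file path referenced in an Apache config snippet."""
    findings = []
    for directive, path in DIRECTIVE.findall(conf_text):
        is_link = os.path.islink(path)
        target = os.path.realpath(path)          # final file after following links
        if not os.path.exists(path):             # exists() follows links
            status = "dangling-symlink" if is_link else "missing"
        else:
            status = "symlink" if is_link else "regular"
        parent = os.path.dirname(target)
        # Whoever owns the target's directory can delete the target.
        owner = os.stat(parent).st_uid if os.path.isdir(parent) else None
        findings.append({"directive": directive, "path": path, "target": target,
                         "status": status, "target_dir_uid": owner})
    return findings

def demo():
    """Constructed live/ -> archive/ layout in a temp dir (not real Certbot data)."""
    root = os.path.realpath(tempfile.mkdtemp())
    live = os.path.join(root, "live", "SERVER_NAME")
    archive = os.path.join(root, "archive", "SERVER_NAME")
    os.makedirs(live)
    os.makedirs(archive)
    for name in ("fullchain", "privkey"):
        with open(os.path.join(archive, name + "1.pem"), "w") as fh:
            fh.write("constructed placeholder, not a real PEM\n")
        os.symlink("../../archive/SERVER_NAME/%s1.pem" % name,
                   os.path.join(live, name + ".pem"))
    conf = ("SSLEngine on\n"
            "SSLCertificateFile %s/fullchain.pem\n"
            "SSLCertificateKeyFile %s/privkey.pem\n" % (live, live))
    before = audit_ssl_paths(conf)
    os.remove(os.path.join(archive, "fullchain1.pem"))  # link destination removed
    after = audit_ssl_paths(conf)
    return before, after

if __name__ == "__main__":
    for label, rows in zip(("before", "after"), demo()):
        for row in rows:
            print(label, row["directive"], row["status"], row["target"])
```

A non-root `target_dir_uid` on a path Apache loads at startup is the case worth flagging: that account can remove the target, and the config then points at a link with nothing behind it.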