Virtualmin Doesn't Use Fullchain for SSL with Let's Encrypt? #882
Comments
|
You can change this behavior at System Settings -> Virtualmin Configuration -> SSL settings -> Configure Apache to use. |
If this option affects more than just Apache, should we rename it? |
|
No it only effects Apache |
|
What about Nginx? |
|
No the Nginx module doesn't check this option (but it could) |
|
Then let's do it, and call it Configure webserver to use it instead? |
|
I'll look into it ... |
|
So I checked and Nginx already always uses combined certs, so there's no need to rename this option. |
|
I’ve looked into it more deeply, and in this case, I don’t think any Apache-related options belong on the Virtualmin Configuration page at all. I suggest we move the following options under System Settings ⇾ Server Templates / Website for domain:
|
|
Yes I would agree that makes more sense! I'll look into it .... |
Some sites (for example Facebook's crawler than reveals social cards) require sites to serve the full chain SSL certificate, not just the site's certificate. However sites I host on Virtualmin that are using Virtualmin's Let's Encrypt functionality run into Facebook/Meta's crawler diagnostics reporting a HTTP 418 error. The error is itself erroneous and a reference to an April Fool's joke, but the cause seems to be the incomplete certificate chain.
Virtualmin seems to set
ssl.certfrom Let's Encrypt for web sites, rather than the full chain certificate; searching the Virtualmin forums reveals users wanting to switch the default, but not finding a setting to do so. It appears that Virtualmin does always include the fullchain.pem asssl.combinedin the virtual server's SSL certificate folder.It would be trivial to switch web server template, which would prevent SSL failing validation for picky clients. I've created a post-server modification script that does a substitution if
ssl.combinedexists, but that seems less ideal than it being fixed upstream.The text was updated successfully, but these errors were encountered: