You are here

Installing Free SSL on Webmin-Virtualmin VPS

Webmin logo

This is my guide for installing a free StartSSL SSL certificate on a VPS running Webmin and Virtualmin. I've used Chrome browser for the initial sign up and then tested moving the certificate to Opera and Firefox. Other browsers might work but I haven't tested them.

Note: Updated with how to renew SSL certificates.

Note: See Update at bottom for simpler solution.

0. Prerequisites

  1. Chrome browser
  2. A Domain Name you own
  3. Access to postmaster@, hostmaster@, or webmaster@ said domain
  4. WinSCP or another SFTP program

1. Sign up with StartSSL

  1. Go to StartSSL and click the sign-up for free link. For the free certificate you have to be an individual, not a company, as they say on the registration page.
  2. Fill in your details, click continue and wait for the verification code to turn up in your email. Copy the verification code to the form box and click continue.
  3. The next steps are StartSSL generating a private key and then generating certifcate to install in Chrome. You should see a message from Chrome confirming certificate installed.

2. Backup StartSSL Login Certificate

Note that this certificate is your only sign in method. There is no password and no way to get in without this certificate. Point Chrome on this one PC to StartSSL and you are logged in.

Hence the next step is to follow StartSSL's FAQ and backup this certificate. Important - say yes on the screen to include the private key and then on the next screen tick include certificates in the path. Do NOT tick delete private key or export extended properties.

Test this works by importing into Opera. In Perferences, Advanced tab, Security, click Manage Certificates button. Then click import and point to the file saved from Chrome. Note you will need to change the import type to PKCS#12 or *.* . After importing, point Opera to StartSSL and then click the control panel button to login. Opera should ask permission to supply the certificate you just installed. Say yes and you should be logged in.

Or test by importing into Firefox. In Tools, Options, Advanced, Certificates, click view certificates and select Your Certificates tab. Click Import and point it to the file saved from Chrome. After importing point Firefox to StartSSL and then click the control panel button to login. Firefox should ask permission to supply the certificate you just installed. Say yes and should be logged in.

Optionally you might want to consider deleting the certifcate from all your browsers and only installing it when you need to for additional security in case your PC is stolen.

3. Validate Domain Ownership

  1. Point Chrome to StartSSL and then click the control panel button to login.
  2. Select Validations Wizard tab and Domain Name Validation. Click continue.
  3. Enter the bare domain name and click continue
  4. Select one of the email address options and click continue
  5. When you have received the email, enter the code from the email and click continue

You should now be validated for that domain

4. Create Domain Certificate

  1. Preparation - In a suitable directory, create 3 blank text files, domain-encrypted.key, domain.key, domain.crt (where domain is your domain name). Open these in your favorite plain ascii text editor.
  2. Point Chrome at StartSSL and go to control panel. Open Tool Box, Decrypt Private Key in another tab of the browser as you'll need that later.
  3. Select Certificates Wizard, certificate target as Web Server, then click continue.
  4. Enter a password for this domain and click continue.
  5. Copy the private key and paste it into file domain-encrypted.key and save the file.
  6. Switch to tool box, and paste the same key into decrypt window. Enter your password for this domain and click Decrypt.
  7. Copy decrypted key, paste into file domain.key and save the file.
  8. Switch back to Certificates Wizard tab and click continue. Select correct domain from drop down list and click continue.
  9. Add www to domain and click continue.
  10. Check all is correct and then click continue.
  11. At this point you might get the certificate displayed, in which jump down to step n. Or you might get extra checking, in which case you'll have to wait until you get sent a certificate is ready email.
  12. When the certificate ready email arrives switch to toolbox tab and click Retrieve Certificate.
  13. Select the right certificate from the dropdown list and click continue
  14. Copy the certificate text, paste into file domain.crt and save the file.

5. Grab StartSSL Certificates

If you didn't have to wait then right click and save the intermediate and root certificates from the links on the bottom of the last page of the Certificate Wizard. Otherwise switch to toolbox and click StartCom CA Certificates. Right click and save certificates:

  • StartCom Root CA (PEM encoded) = ca.pem
  • Class 1 Intermediate Server CA = sub.class1.server.ca.pem

Logout out of StartSSL.

6. Install Domain Certificate

  1. Using WinSCP upload these 4 files, ca.pem, sub.class1.server.ca.pem, domain.key and domain.crt (where domain is your domain name) to a directory on the VPS, e.g. /root/ssl .
  2. Point a browser to https://new-ip-number:10000 where new-ip-number is the IP number of your VPS and login.
  3. Go to Webmin->Webmin Configuration->SSL Encryption and enter:
  4. Enable SSL if available? = Yes
    Private key file = {path}/domain.key
    Certificate file = {path}/domain.crt
    Additional certificate files = {path}/ca.pem
    {path}/sub.class1.server.ca.pem

  5. And finally click save.

Note that in "Additional certificate files" each file must be on a separate line. Or alternately you can merge ca.perm and sub.class1.server.ca.pem in a text editor, just copy all the lines for each file one after another into a new file i.e. startSSL_chained_file.pem or use the cat command. When setting up SSL for virtual servers there is only the option for a single file so there you have to use a merged file.

Repeat the above for Webmin->Usermin Configuration->SSL Encryption.

7. SSL with Cloudflare

As I mentioned in my first blog on VPS/Webmin/Virtualmin, VPS Websites using free Webmin-Virtualmin, I use the free version of CloudFlare CDN (Content Delivery Network). Cloudflare has recently allowed SSL on all accounts even the free ones. You might have noticed this site is now https, as are my others on this VPS, but this is not through Cloudflare as they are having problems are the moment (Oct 2014) and everything is taking ages. Instead I have set all my Cloudflare web sites to paused which means I'm just using Cloudflare DNS. Cloudflare DNS used to rank quite fast but that too has fallen off somewhat since they offered free SSL. Looking at my history with cloudflare showed that it was only saving me about 10% of traffic, if that, on my http sites. So not a big deal if I do away with CDN. I can't see any speed difference without cloudflare which I suspect is down to it not doing much and my Digital Ocean VPS being fast (unlike my old shared hosting).

8. Renewing SSL certificates

This is an update as it been a year since I wrote this blog and I now need to update my certificates as they only last a year. StartSSL should send you a reminder email 2 weeks before the certificate(s) expire. Only when you have this email can you renew so if you have multiple certificates created at different times you will only be able to renew those with 2 weeks to go.

The process is the same as applying originally. In fact it is more accurate to call it generating replacement certificates rather than renewing. The first step is generate a replacement client certificate for chrome browser. This will be the first to expire of course. To do this:

  1. Go to StartSSL in chrome and login in to control panel.
  2. Select "Validations Wizard" tab and choose "email address validation". Click continue.
  3. Enter the email address you use for StartSSL and when you have the code paste this in, and click continue.
  4. Next select "Certificates Wizard" tab and choose "S/MIME and Authentication Certificate". Click continue.
  5. Click continue to have StartSSL generate a private key and a certificate which will be installed in chrome.

This has done the same as section 1, "Sign up with StartSSL". You now have a new client certificate valid for another year. So go back to section 2, "Backup StartSSL Login Certificate" and back it up. Follow section 3, section 4 and section 5 to create replacement files and then use WinSCP to replace the exisiting certificate files (.key, .crt, .pem) on your server, similar to as described in section 6 but without the need to alter settings in webmin/usermin or in the virtual servers.

Updated Solution for SSL

Since writing this guide Let's Encrypt has come into being. This offers free SSL certificates that automatically renew and have support built into to webmin and virtualmin. All that is needed to enable SSL now is to go the webmin SSL page and click the Let's Encrypt button. I would suggest setting the automatic renewal to 1 month as Let's Encrypt certificates only last 90 days. Same for virtualmin, go to the SSL settings page and click Let's Encrypt button. Note if you are using Drupal on your website then you also need to edit .htaccess for that site before using clicking the Let's Encrypt button otherwise this will fail. So...

  1. Open .htacess for editting
  2. Find the line RewriteRule "(^|/)\." - [F]
  3. Above this line put RewriteRule "^.well-known/acme-challenge" - [L]

Webmin-Virtualmin How-To Blog Posts

Tags: 

6 Comments

Have you ever had an issue

Have you ever had an issue with StartSSL certificates not being trusted for the domain you got them for, only the subdomains under it?

Nope, but are you sure that

Nope, but are you sure that your top domain shows up as at that IP address.  Is it an issue with shared IPs?  At one time SSL meant you had to be exclusively on that IP.  Now you can have shared IPs but not all browsers will work.

My TLD shows up at the

My TLD shows up at the correct IP address. I have two sites hosted on my VPS but each has their own IP address (both v4 & v6). According to the certificate info window in Chrome & IE it appears it is still using a self signed certificate but I have applied the one from StartSSL. Any other ideas you can provide would be great.

Have you flushed the local

Have you flushed the local cache in chrome and IE?Are you using webmin/virtualmin?  And if I so I guess you have followed the procedure given.  Have you double checked it has taken and the files are correct?  That is you haven't tried to overwrite the original self certs and found that are read only so haven't overwritten.  Actually they are often symbolic links which might amount to same.If you're not using webmin/virtualmin or even if you are then you could poke around in the appache settings as that is where the settings are, seehttps://www.digitalocean.com/community/tutorials/how-to-set-up-apache-wi...And have you restarted appache after changing the cert?

Yep, using Virtualmin/Webmin.

Yep, using Virtualmin/Webmin. I deleted the original self certs and I have cleared the cache. At this point I am ready to give up for now since I'm out of ideas.

So, let me check I have this

So, let me check I have this right.  IE and Chrome on your PC return the self certified cert but say Firefox or another on the same PC return something different?  Or is that are you only trying Chrome and IE?And have you set up the SSL certs in Webmin AND in Virtualmin?  Virtualmin deals with all the virtual web sites. Webmin deals with the top level web site.  Basically if you just had a single site on 1 IP then you'd use webmin/usermin, for multiple sites you use webmin/usermin/virtualmin.In webmin you wantwebmin/edit_ssl.cgiwhich is webmin, webmin configuration, SSL Encryption.  And in virtualmin you wantvirtual-server/cert_form.cgi?dom=<you domain id>which is Virtual Servers, <sub domain>, mange SSL certificates.