Let's Encrypt automatic renewal: Uses shared certificate instead #674

Closed
iliajie opened this issue Oct 31, 2023 · 1 comment
iliajie commented Oct 31, 2023

Hi Jamie!

It seems that I have encountered a known bug, as I remember some users reported it in the past!

A few days ago, I had the webmin.dev certificate renewed. First of all, have a look at the screenshots to understand how it's set up:

image

and builds.webmin.dev, which is a sub-server of webmin.dev:

image

It may seem expected that webmin.dev wasn't renewed because option Automatically renew certificate? is set to No. However, I didn't set it to be disabled!

Eventually, what happened was that webmin.dev hasn't been renewed. Instead sub-server builds.webmin.dev got renewed with only CN name set to builds.webmin.dev. As certificate sharing is enabled (default mode), it also updated parent webmin.dev certificate, which of course fails to work for webmin.dev.

Virtualmin domain config for webmin.dev wasn't updated, i.e. letsencrypt_last and letsencrypt_last_success are set to the old dates, when I was manually renewing it.

Virtualmin domain config for sub-server builds.webmin.dev got letsencrypt_last and letsencrypt_last_success keys updated.

The SSL details after latest automatic update for both webmin.dev and builds.webmin.dev are as follows:

root@cloud-1:/etc/webmin/virtual-server# virtualmin get-ssl --domain webmin.dev
cert: /etc/ssl/virtualmin/16904623501221493/ssl.cert
key: /etc/ssl/virtualmin/16904623501221493/ssl.key
ca: /etc/ssl/virtualmin/16904623501221493/ssl.ca
type: rsa
cn: builds.webmin.dev
issuer_cn: R3
issuer_o: Let's Encrypt
notafter: Jan 28 10:47:07 2024 GMT
type: Signed by CA
alt: builds.webmin.dev
modulus: 00:e5:a9:75:ae:cc:4b:6c:f5:05:57:a5:b2:d2:1f:9f:dd:87:9d:2f:41:60:6b:46:ff:f6:1c:47:2e:8d:0d:54:75:34:04:22:c5:cf:7a:9b:3f:06:64:e8:20:2b:86:aa:ca:e3:08:05:65:2c:39:10:b1:20:7a:25:59:e1:2f:93:85:67:f2:10:2f:7d:1a:af:6a:ef:7f:4c:2b:40:f0:a8:44:df:03:f1:bb:b2:10:a9:d9:ff:17:cb:33:ec:98:13:b2:f2:02:da:78:c0:e9:b9:0d:23:a0:54:b7:c5:4a:c7:0b:25:60:d7:d8:ac:65:39:e7:37:6d:81:25:1b:0b:56:79:3f:33:e2:f9:a7:30:33:d5:4b:11:ca:e0:bd:a8:eb:c1:da:31:e7:05:28:7d:d5:74:30:d0:8c:de:54:1e:a7:0d:88:8a:0d:4f:55:27:14:41:38:4a:be:d9:6e:86:c0:32:e3:24:9f:a0:63:88:4b:b0:a2:c1:18:ef:21:05:b8:f9:28:89:92:ee:d0:b7:04:77:ae:13:da:93:0f:f8:c7:46:b6:95:04:05:6c:2e:9f:13:98:8b:44:2a:fa:65:46:3c:f6:35:6d:d1:e2:9d:3e:65:12:4b:1d:e4:ed:11:94:78:9b:04:d1:ac:d4:a8:fa:63:bc:da:cc:00:9e:85:d4:09
exponent: 65537

Virtualmin related domain config keys for webmin.dev are as follows:

root@cloud-1:/etc/webmin/virtual-server# grep -E "ssl_|lets"  domains/16904623501221493
letsencrypt_renew=
ssl_key=/etc/ssl/virtualmin/16904623501221493/ssl.key
ssl_cert=/etc/ssl/virtualmin/16904623501221493/ssl.cert
ssl_cert_expiry=1706438827
ssl_everything=/etc/ssl/virtualmin/16904623501221493/ssl.everything
ssl_combined=/etc/ssl/virtualmin/16904623501221493/ssl.combined
letsencrypt_wild=1
auto_letsencrypt=1
ssl_cert_expiry_cache=1698666431
letsencrypt_last_success=1693488652
ssl_pass=
letsencrypt_ctype=
letsencrypt_dname=
letsencrypt_dwild=1
letsencrypt_last=1693488652
ssl_chain=/etc/ssl/virtualmin/16904623501221493/ssl.ca
letsencrypt_size=2048

Virtualmin related domain config keys for builds.webmin.dev are as follows:

root@cloud-1:/etc/webmin/virtual-server# grep -E "ssl_|lets|parent"  domains/16904624411222445
ssl_same=16904623501221493
ssl_chain=/etc/ssl/virtualmin/16904624411222445/ssl.ca
ssl_combined=/etc/ssl/virtualmin/16904623501221493/ssl.combined
ssl_cert_expiry=1706438827
ssl_everything=/etc/ssl/virtualmin/16904623501221493/ssl.everything
ssl_cert=/etc/ssl/virtualmin/16904623501221493/ssl.cert
parent=16904623501221493
letsencrypt_renew=1
ssl_key=/etc/ssl/virtualmin/16904623501221493/ssl.key
auto_letsencrypt=1
letsencrypt_wild=1
ssl_cert_expiry_cache=1698666431
ssl_pass=
ssl_csr=
ssl_newkey=
letsencrypt_last_success=1698666432
letsencrypt_last=1698666432

I hope it helps!

jcameron commented Nov 1, 2023

Looks like it's possible for LE auto-renew to still happen when the cert is shared with another domain ... I'll fix that.

@jcameron jcameron closed this as completed Nov 1, 2023
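An audit for the state reported in this issue, as an added example that is not Virtualmin code and not from either participant: it reads the `ssl_same` and `letsencrypt_renew` keys and the `cn:`/`alt:` lines shown above, then flags a domain that has renewal enabled on a certificate it shares, and any domain whose hostname the shared certificate no longer covers. The function names and the caller-supplied id-to-hostname mapping are assumptions; the sample input is constructed from the values quoted in the report.

```python
# Added example: audit Virtualmin shared-certificate state (not Virtualmin code).

def parse_config(text):
    """Parse key=value lines from a domains/<id> file."""
    conf = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            conf[key.strip()] = value.strip()
    return conf

def cert_names(get_ssl_output):
    """Names on a certificate, from the cn: and alt: lines of `virtualmin get-ssl`."""
    names = set()
    for line in get_ssl_output.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() in ("cn", "alt"):
            names.add(value.strip().lower())
    return names

def covers(names, host):
    """Exact match, or a wildcard that replaces exactly the leftmost label."""
    parent = host.lower().partition(".")[2]
    return host.lower() in names or bool(parent) and "*." + parent in names

def audit(configs, hostnames, names_by_owner):
    """configs: id -> config dict; hostnames: id -> name (caller-supplied, assumed);
    names_by_owner: id of the domain owning the cert file -> names on that cert."""
    findings = []
    for dom_id, conf in sorted(configs.items()):
        owner = conf.get("ssl_same") or dom_id  # ssl_same points at the cert owner
        if owner != dom_id and conf.get("letsencrypt_renew") == "1":
            findings.append((dom_id, "renewal enabled on shared certificate"))
        if owner in names_by_owner and not covers(names_by_owner[owner], hostnames[dom_id]):
            findings.append((dom_id, "hostname not covered by certificate"))
    return findings

# Sample input constructed from the values quoted in the issue.
PARENT, SUB = "16904623501221493", "16904624411222445"
CONFIGS = {
    PARENT: parse_config("letsencrypt_renew=\nauto_letsencrypt=1\n"),
    SUB: parse_config(f"ssl_same={PARENT}\nparent={PARENT}\nletsencrypt_renew=1\n"),
}
HOSTNAMES = {PARENT: "webmin.dev", SUB: "builds.webmin.dev"}
NAMES = {PARENT: cert_names("cn: builds.webmin.dev\nalt: builds.webmin.dev\n")}

if __name__ == "__main__":
    for dom_id, problem in audit(CONFIGS, HOSTNAMES, NAMES):
        print(f"{HOSTNAMES[dom_id]} ({dom_id}): {problem}")
```
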