How to get an A+ grade for your SSL websites (Let's Encrypt certificates) on Virtualmin!

This guide is based on Virtualmin installed on a brand-new dedicated server with a public IP address, running Ubuntu 16.04 64-bit.

Note that this guide was up to date at the time it was written (things evolve quickly in TLS, and new vulnerabilities are discovered regularly!). Re-check the settings against the current SSL Labs grading rules before applying them.

The first thing to do is to activate and set up SSL correctly in Apache2. For that we first need to enable the mod_headers module, because the Header directives used below (HSTS and friends) depend on it.
Webmin -> Servers -> Apache Webserver -> Global Configuration -> Edit config files, and select the ssl.load file (on Ubuntu this is /etc/apache2/mods-available/ssl.load), which should contain:
# Depends: setenvif mime socache_shmcb
LoadModule ssl_module /usr/lib/apache2/modules/mod_ssl.so
Add this extra line under it:
LoadModule headers_module /usr/lib/apache2/modules/mod_headers.so
and save the file. The standard way to do the same thing from a shell is a2enmod headers, which enables headers.load in mods-enabled; do one or the other, not both, otherwise Apache will warn at startup that headers_module is already loaded.

Now that the module is active, we are going to set up Apache2 to serve SSL in a correct and secure way.
Webmin -> Servers -> Apache Webserver -> Global Configuration -> Edit config files, and this time select the ssl.conf file.
For these modifications, be careful and check before editing whether the directive you want to set already exists! If it does, amend it as indicated below; if it doesn't, add it.
First we restrict the cipher suites Apache may negotiate with this directive:
SSLCipherSuite EECDH+AESGCM:AES256+EECDH:DES-CBC3-SHA
The first two groups only allow ECDHE key exchange (forward secrecy) with AES. The last entry, DES-CBC3-SHA (3DES), is there only for legacy clients such as IE8 on Windows XP: it is vulnerable to Sweet32 and SSL Labs flags it as weak, and because the per-virtual-server configuration below disables TLS 1.0 and 1.1, those legacy clients cannot connect anyway, so you can safely drop that last entry.
Then we need these:
SSLHonorCipherOrder on
which forces Apache2 to use the server's preference order above instead of the client's.
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
Header always set X-Frame-Options SAMEORIGIN
Header always set X-Content-Type-Options nosniff
SSLCompression off
SSLUseStapling on
SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
The HSTS header, here with a two-year max-age, is what lifts the SSL Labs grade from A to A+ (it requires a max-age of at least 180 days). Be aware of what it commits you to: includeSubDomains forces HTTPS on every subdomain, and the preload token signals that you intend to submit the domain to the browsers' preload lists, which is very hard to undo, so keep those two only if you are sure every subdomain will serve HTTPS. X-Frame-Options and X-Content-Type-Options are browser hardening headers (clickjacking and MIME sniffing) that do not affect the SSL Labs grade. SSLCompression off defeats the CRIME attack, and OCSP stapling lets the server deliver its own certificate's revocation status so that browsers do not have to contact the CA. The quotes must be plain ASCII double quotes; curly quotes pasted from a web page will break the directive.
SSLProtocol ALL -SSLv2 -SSLv3
We don't want these obsolete and unsafe protocols (SSLv3 is broken by POODLE)! This global line still leaves TLS 1.0 and 1.1 enabled; the per-virtual-server line below removes them, but any virtual host without its own SSLProtocol line inherits this global one, so once no client of yours needs TLS 1.0/1.1, use the same exclusions here as well.

We are now done with the general Apache2 settings for SSL. Now we are going to check the settings for each virtual server.
First, for each virtual server you want to serve over SSL, add these records to the DNS zone of the domain name:
yourdomainname. IN CAA 0 issue "letsencrypt.org"
yourdomainname. IN CAA 0 issuewild ";"
CAA records tell certificate authorities which of them may issue for the domain: the first allows Let's Encrypt to issue, the second forbids wildcard certificates from any CA (including Let's Encrypt, so remove it if you later want a wildcard certificate). Let's Encrypt checks CAA before issuing, so a mistake here will make the certificate request fail rather than silently weaken anything.
I have set up the Virtualmin default configuration for new virtual servers with DNS to include these two lines by default! If you don't use SSL, there is no harm at all with these records; they will just be useless!
You can now generate the SSL certificate with the Let's Encrypt feature in Virtualmin for your virtual server. Once done, check the Apache2 config file for the virtual server to be sure it includes these lines (the home directory path is an example; yours will differ):
SSLEngine on
SSLCertificateFile /home/orn6hon4i5ph/domains/mydomain/ssl.cert
SSLCertificateKeyFile /home/orn6hon4i5ph/domains/mydomain/ssl.key
SSLCACertificateFile /home/orn6hon4i5ph/domains/mydomain/ssl.ca
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
The ssl.ca file holds the Let's Encrypt intermediate certificate. If it is not referenced, the server sends an incomplete chain: SSL Labs reports "Chain issues: Incomplete", and mod_ssl cannot validate OCSP responses for stapling because it cannot find the issuer certificate. The SSLProtocol line is what actually removes TLS 1.0 and 1.1 for this virtual server; if Virtualmin ever regenerates the virtual host configuration, re-check that it is still there.
I would also strongly advise leaving in place the automatic redirect that Virtualmin creates when you activate SSL on a virtual server.
You can now go to the SSL Labs Server Test (https://www.ssllabs.com/ssltest/), enter your virtual server's URL, and you should get an A+ result.
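Before spending a full SSL Labs scan, you can probe the same points from any shell with openssl and curl. The script below is an added example, not code from the original post or from Virtualmin: it checks that SSLv3, TLS 1.0 and TLS 1.1 are refused, that the default cipher is not 3DES or RC4, that the certificate chain verifies (a missing ssl.ca shows up as "unable to verify the first certificate"), that an OCSP response is stapled, and that HSTS is present with the 180-day minimum max-age SSL Labs requires for A+. The output parsing lives in separate functions so it can be checked against sample output; the host name on the command line (www.example.com in the usage line) is a placeholder you replace with your own virtual server.

```shell
#!/bin/sh
# Added example: post-deployment TLS probe for the settings described in
# this guide. Assumes openssl and curl are installed on the machine you run
# it from and the host listens on port 443. Not part of Virtualmin.

# SSL Labs requires HSTS with max-age of at least 180 days for A+.
HSTS_MIN_AGE=15552000

# handshake_ok: read `openssl s_client` output on stdin. A negotiated
# cipher shows as "New, TLSv1.2, Cipher is ECDHE-RSA-..."; a refused
# protocol shows "New, (NONE), Cipher is (NONE)".
handshake_ok() {
    out=$(cat)
    printf '%s\n' "$out" | grep -q 'Cipher is ' &&
        ! printf '%s\n' "$out" | grep -q 'Cipher is (NONE)'
}

# negotiated_cipher: extract the cipher name from s_client output.
negotiated_cipher() {
    sed -n 's/^New, [^,]*, Cipher is //p' | head -n 1
}

# weak_cipher: 3DES (DES-CBC3-SHA), RC4, NULL, export and MD5 suites are
# flagged weak by SSL Labs.
weak_cipher() {
    printf '%s' "$1" | grep -Eq 'DES|RC4|NULL|EXPORT|MD5'
}

# chain_ok: read s_client output; return code 21 ("unable to verify the
# first certificate") is the classic sign that the intermediate (ssl.ca)
# is not being sent.
chain_ok() {
    grep -q 'Verify return code: 0 (ok)'
}

# stapling_ok: read `openssl s_client -status` output; the server stapled
# a good OCSP response only if this line is present.
stapling_ok() {
    grep -q 'OCSP Response Status: successful'
}

# hsts_ok: read HTTP response headers on stdin; require an HSTS header
# whose max-age is at least HSTS_MIN_AGE.
hsts_ok() {
    age=$(tr -d '\r' | grep -i '^Strict-Transport-Security:' | head -n 1 |
        sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p')
    [ -n "$age" ] && [ "$age" -ge "$HSTS_MIN_AGE" ]
}

# probe: s_client against HOST with extra options; stdin is closed so it
# exits right after the handshake.
probe() {
    host=$1; shift
    openssl s_client -connect "$host:443" -servername "$host" "$@" \
        </dev/null 2>/dev/null
}

# check_host: run the live probes and print one line per check.
check_host() {
    host=$1
    # Each legacy protocol must be refused. (An openssl built without
    # SSLv3 rejects -ssl3 as an option, which also reads as refused.)
    for p in ssl3 tls1 tls1_1; do
        if probe "$host" "-$p" | handshake_ok; then
            echo "FAIL  $p accepted"
        else
            echo "ok    $p refused"
        fi
    done
    default=$(probe "$host")
    cipher=$(printf '%s\n' "$default" | negotiated_cipher)
    if weak_cipher "$cipher"; then echo "FAIL  weak default cipher: $cipher"
    else echo "ok    default cipher: $cipher"; fi
    if printf '%s\n' "$default" | chain_ok; then echo "ok    chain verified"
    else echo "FAIL  chain incomplete or untrusted"; fi
    if probe "$host" -status | stapling_ok; then echo "ok    OCSP stapling"
    else echo "FAIL  no OCSP staple"; fi
    if curl -sI "https://$host/" | hsts_ok; then echo "ok    HSTS"
    else echo "FAIL  HSTS missing or max-age below 180 days"; fi
}

# Usage: sh tlscheck.sh www.example.com   (www.example.com is a placeholder)
if [ "$#" -gt 0 ]; then
    check_host "$1"
fi
```

Run it once before and once after reloading Apache: every line should read "ok" before you submit the host to SSL Labs. The chain check relies on the local openssl trust store, so on a minimal system with no CA bundle it may report a failure that SSL Labs will not.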

I hope it helps, and if you have questions or ideas for improvement, you're welcome!
