Paul Rinear's picture

It does not appear that Webmin makes any changes at all to the 0000-default.conf file when editing the default website. I cannot figure out where it makes changes at all.

I had to manually edit the configuration file to make SSI work. The Document Options settings under Webmin for the default appear to have no effect.

Is this some sort of permission issue or a bug?

Jeremy Davis's picture

Thanks for posting regarding this. TBH, I prefer to edit the Apache config files directly myself, so I'm not super familiar with Webmin in that regard.

However, I would expect it to work as designed. The only thing that occurs to me is that (same as manually editing the files directly) Apache needs to be restarted for config changes to be applied. Although obviously if you're using Webmin, you can use that to restart Apache too.

The only thing that occurs to me is that because by default we use a consolidated certificate for all TurnKey https services (i.e. Webmin, Webshell and Apache) we have removed the default certificate config location from the individual Apache sites, to a common location (IIRC it's now in ssl.conf).

So unless you are hosting on multiple domains, you may actually be better off replacing the default cert in /etc/ssl/private. Assuming that it matches the format of the current cert, it should also work for Webmin and Webshell too then.

It's perhaps also worth adding that unless you need/wish to use a 3rd party TLS cert (and assuming that you already have a domain set up), TurnKey has built-in support for automagically getting a free Let's Encrypt cert via the Confconsole - Let's Encrypt plugin.

Regardless, thanks for reporting. When I get a chance I'll investigate a little closer, but to make sure it doesn't get forgotten, I've opened an issue on our tracker.

Jeremy Davis's picture

Paul replied via email, but unfortunately, it wasn't auto-posted.

Thanks for the reply, however this has nothing to do with a certificate. Also, the Apache server was restarted after the changes. The crux of the issue is, where does Webmin write the changes when modifying the default Apache configuration? I don't see them written to any file and feel this is a bug.
Jeremy Davis's picture

Whilst much of my response wasn't directly responding to your note re Webmin, I was trying to share info about how I would manage certs on my TurnKey LAMP server. Apologies if you found it irrelevant or side-stepping your feedback.

So I thought the best thing to do was to fire up a v15.1 LAMP appliance and check myself.

First thing I did was log in via SSH, generate a test certificate and key, and place them in a new directory, /etc/test-cert/ (cert.pem & cert.key). By default TurnKey includes etckeeper, which saves config changes in the /etc directory into version control. So I manually committed those changes. I then logged into Webmin and entered the Apache server config area. I double checked /etckeeper and noted that Webmin had written a few files (for internal use I assume) so I committed those too.

Then, in Webmin, I went into the Apache "Existing virtual host" config page, selected the third one down; the entry for "*.443". I.e. this one:


Handles the name-based server on address *.
Address: Any
Port: 443
Server Name: localhost
Document Root: /var/www/

I then selected "SSL options". I changed both "Certificate/private key file" and "Private key file" from default, to "/etc/test-cert/cert.pem" and "/etc/test-cert/cert.key" respectively. I then clicked "Save".

I then went back to my SSH session and ran a git diff on /etc and this is the result that I got:

root@lamp /etc# git diff
diff --git a/apache2/sites-available/000-default.conf b/apache2/sites-available/000-default.conf
index 85818d0..e0e2ab6 100644
--- a/apache2/sites-available/000-default.conf
+++ b/apache2/sites-available/000-default.conf
@@ -9,6 +9,8 @@ ServerName localhost
         SSLEngine on
         ServerAdmin webmaster@localhost
         DocumentRoot /var/www/
+SSLCertificateFile /etc/test-cert/cert.pem
+SSLCertificateKeyFile /etc/test-cert/cert.key
</VirtualHost>
 
 <Directory /var/www/>
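
Review bot: The two added directives at the end of the *:443 VirtualHost start in column one while the neighbouring SSLEngine, ServerAdmin and DocumentRoot lines are indented; indenting them to match keeps the block readable. SSLCertificateKeyFile now points at /etc/test-cert/cert.key, in a directory of its own, so check that the key file is readable by root only, and run apache2ctl configtest before restarting Apache.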

As you can see above, it appears that Webmin has indeed edited the /etc/apache2/sites-available/000-default.conf file and added the "SSLCertificateFile" and "SSLCertificateKeyFile" directives below:

SSLCertificateFile /etc/test-cert/cert.pem
SSLCertificateKeyFile /etc/test-cert/cert.key

For reference, here's the full contents of /etc/apache2/sites-available/000-default.conf after editing in Webmin:

root@lamp /etc# cat apache2/sites-available/000-default.conf
ServerName localhost

<VirtualHost *:80>
        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/
</VirtualHost>

<VirtualHost *:443>
        SSLEngine on
        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/
SSLCertificateFile /etc/test-cert/cert.pem
SSLCertificateKeyFile /etc/test-cert/cert.key
</VirtualHost>

<Directory /var/www/>
        Options Indexes FollowSymLinks MultiViews
Require all granted
</Directory>

The updated conf isn't formatted as nicely as it could be, but otherwise, it appears to be working as it should?!

If you think I missed something, or you can exactly explain how to reproduce your issue, please post back. For now, I'm going to close the issue that I opened yesterday, but if you can give more info on how I can reproduce it, then I'll reopen it.
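
The commit-then-diff check described in the post above, as an added example that is not part of the original thread. It runs in a throwaway git repository rather than /etc; the function names, the sandbox layout and the simulated Webmin save are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: find which config lines a GUI tool wrote, using the same
# commit-then-diff workflow that etckeeper gives you on /etc.

# Print "file: directive" for every line added since the last commit.
added_directives() {
    git -C "$1" diff --unified=0 --no-color --src-prefix=a/ --dst-prefix=b/ |
    awk '
        /^[+][+][+] / { file = substr($0, 7); next }  # "+++ b/path" -> path
        /^[+]/        { line = substr($0, 2)
                        sub(/^[ \t]+/, "", line)      # drop indentation
                        if (line != "") print file ": " line }'
}

# Build a constructed sandbox that mimics /etc/apache2 and commit a baseline.
make_sandbox() {
    repo=$(mktemp -d)
    mkdir -p "$repo/apache2/sites-available"
    cat > "$repo/apache2/sites-available/000-default.conf" <<'EOF'
<VirtualHost *:443>
        SSLEngine on
        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/
</VirtualHost>
EOF
    git -C "$repo" init -q
    git -C "$repo" add -A
    git -C "$repo" -c user.name=audit -c user.email=audit@example.invalid \
        commit -q -m "baseline before GUI edit"
    echo "$repo"
}

# Simulated GUI save: insert the two directives before </VirtualHost>.
simulate_gui_edit() {
    conf=$1/apache2/sites-available/000-default.conf
    awk '/^<\/VirtualHost>/ {
             print "SSLCertificateFile /etc/test-cert/cert.pem"
             print "SSLCertificateKeyFile /etc/test-cert/cert.key" }
         { print }' "$conf" > "$conf.new" && mv "$conf.new" "$conf"
}

audit_demo() {
    sandbox=$(make_sandbox)
    simulate_gui_edit "$sandbox"
    added_directives "$sandbox"
    rm -rf "$sandbox"
}
```

On an appliance with etckeeper, `added_directives /etc` run after a Webmin save lists every file and directive the save touched, provided the tree was committed beforehand.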
