Hi,

I have run into a problem.

I installed the newest TurnKey Linux File Server LXC on Proxmox. After the installation everything works well except the Webmin page, which I cannot access.

When I check the status of webmin, it's OK. But the status of stunnel4 is abnormal: it shows it has been masked. Then I ran the command

'systemctl unmask stunnel4'

to unmask it, then reboot.

This time the stunnel4 service started successfully, but the webmin service shows an error as follows:

'Oct 06 13:07:46 File-Server systemd[1]: Failed to start Universal SSL tunnel for network daemons (webmin).'

and I cannot get it to work.

What should I do?

Thanks


Config for Webmin miniserv.conf:

	port=10000
	root=/usr/share/webmin
	mimetypes=/usr/share/webmin/mime.types
	addtype_cgi=internal/cgi
	realm=Webmin Server
	logfile=/var/webmin/miniserv.log
	errorlog=/var/webmin/miniserv.error
	pidfile=/var/webmin/miniserv.pid
	logtime=168
	ssl=
	no_ssl2=1
	no_ssl3=1
	no_tls1=1
	no_tls1_1=1
	ssl_honorcipherorder=1
	no_sslcompression=1
	env_WEBMIN_CONFIG=/etc/webmin
	env_WEBMIN_VAR=/var/webmin
	atboot=0
	logout=/etc/webmin/logout-flag
	listen=10000
	denyfile=\.pl$
	log=1
	blockhost_failures=5
	blockhost_time=60
	syslog=1
	ipv6=0
	session=1
	premodules=WebminCore
	server=MiniServ/1.941
	userfile=/etc/webmin/miniserv.users
	keyfile=/etc/webmin/miniserv.pem
	passwd_file=/etc/shadow
	passwd_uindex=0
	passwd_pindex=1
	passwd_cindex=2
	passwd_mindex=4
	passwd_mode=0
	passdelay=1
	logout_script=/etc/webmin/logout.pl
	failed_script=/etc/webmin/failed.pl
	cipher_list_def=1
	login_script=/etc/webmin/login.pl
	sudo=1
	inetd_ssl=1
	bind=127.0.0.1
	sockets=
	no_resolv_myname=0
	preroot=authentic-theme

Config for stunnel4, webmin.conf:

	; **************************************************************************
	; * Global options                                                         *
	; **************************************************************************

	; A copy of some devices and system files is needed within the chroot jail
	; Chroot conflicts with configuration file reload and many other features
	; Remember also to update the logrotate configuration.
	chroot = /var/lib/stunnel4/
	; Chroot jail can be escaped if setuid option is not used
	setuid = stunnel4
	setgid = stunnel4

	; PID is created inside the chroot jail
	pid = /webmin.pid

	; Debugging stuff (may useful for troubleshooting)
	;debug = 7
	;output = /var/log/stunnel4/webmin.log

	; **************************************************************************
	; * Service defaults may also be specified in individual service sections  *
	; **************************************************************************

	; Certificate/key is needed in server mode and optional in client mode
	cert = /etc/ssl/private/cert.pem

	; Authentication stuff needs to be configured to prevent MITM attacks
	; It is not enabled by default!
	;verify = 2
	; Don't forget to c_rehash CApath
	; CApath is located inside chroot jail
	;CApath = /certs
	; It's often easier to use CAfile
	;CAfile = /etc/stunnel/certs.pem
	; Don't forget to c_rehash CRLpath
	; CRLpath is located inside chroot jail
	;CRLpath = /crls
	; Alternatively CRLfile can be used
	;CRLfile = /etc/stunnel/crls.pem

	; Disable support for insecure SSLv2 protocol
	options = NO_SSLv3

	; Workaround for Eudora bug
	;options = DONT_INSERT_EMPTY_FRAGMENTS

	; These options provide additional security at some performance degradation
	;options = SINGLE_ECDH_USE
	;options = SINGLE_DH_USE

	options = CIPHER_SERVER_PREFERENCE
	renegotiation = no

	; secure ciphens added by conf script
	ciphers=ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384

	[webmin]
	accept  = 12321
	connect = 127.0.0.1:10000
	TIMEOUTclose = 0

Jeremy Davis:

Which version of TurnKey is this? If you're unsure:

turnkey-version

Also, where is it running? Which version of LXC is the LXC host running?

Is it a privileged or unprivileged container?

It'd also be good to know what ports are being listened on:

netstat -tlnp

As well as the service status of the relevant services:

systemctl status webmin
systemctl status stunnel4

Thanks for your reply.

The version of turnkey linux is:

turnkey-fileserver-16.0-buster-amd64

and it's running on Proxmox as an LXC. The LXC is an UNPRIVILEGED container and the template is:

debian-10-turnkey-fileserver_16.0-1_amd64.tar.gz

The 'netstat -tlnp' command shows:

	Active Internet connections (only servers)
	Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
	tcp        0      0 127.0.0.1:12319         0.0.0.0:*               LISTEN      386/shellinaboxd    
	tcp        0      0 0.0.0.0:12320           0.0.0.0:*               LISTEN      266/stunnel4        
	tcp        0      0 0.0.0.0:12321           0.0.0.0:*               LISTEN      263/stunnel4        
	tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN      296/smbd            
	tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      1/init              
	tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      271/sshd            
	tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      567/master          
	tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN      296/smbd            
	tcp6       0      0 :::139                  :::*                    LISTEN      296/smbd            
	tcp6       0      0 :::111                  :::*                    LISTEN      1/init              
	tcp6       0      0 :::80                   :::*                    LISTEN      308/apache2         
	tcp6       0      0 :::22                   :::*                    LISTEN      271/sshd            
	tcp6       0      0 :::443                  :::*                    LISTEN      308/apache2         
	tcp6       0      0 :::445                  :::*                    LISTEN      296/smbd

The status of Webmin is:

	* webmin.service - Webmin Web based Admin UI
	   Loaded: loaded (/lib/systemd/system/webmin.service; enabled; vendor preset: enabled)
	  Drop-In: /etc/systemd/system/webmin.service.d
	           `-override.conf
	   Active: active (running) since Wed 2020-10-07 03:44:55 UTC; 1s ago
	 Main PID: 873 (miniserv.pl)
	    Tasks: 1 (limit: 4915)
	   Memory: 8.9M
	   CGroup: /system.slice/webmin.service
	           `-873 /usr/bin/perl /usr/share/webmin/miniserv.pl /etc/webmin/miniserv.conf

	Oct 07 03:44:55 file-server systemd[1]: webmin.service: Service RestartSec=1s expired, scheduling restart.
	Oct 07 03:44:55 file-server systemd[1]: webmin.service: Scheduled restart job, restart counter is at 126.
	Oct 07 03:44:55 file-server systemd[1]: Stopped Webmin Web based Admin UI.
	Oct 07 03:44:55 file-server systemd[1]: Starting Webmin Web based Admin UI...
	Oct 07 03:44:55 file-server systemd[1]: Started Webmin Web based Admin UI.
	Oct 07 03:44:55 file-server perl[873]: pam_unix(webmin:auth): authentication failure; logname= uid=0 euid=0

The status of stunnel4 is:

	* stunnel4.service
	   Loaded: masked (Reason: Unit stunnel4.service is masked.)
	   Active: inactive (dead)

Like I said, it's masked. I don't know why. But when I unmasked it, the Webmin service cannot start.

Thanks

Jeremy Davis:

I'm not sure where your Stunnel config came from, but it looks like v15.x or earlier config. [apologies on that - re looking at your post, I can see that you posted /etc/stunnel/webmin.conf from v16.0]

In v16.x a separate instance of stunnel runs for each service (each instance is created from a template, with the vanilla default purposely masked). The v16.x+ default instances of Stunnel are named stunnel4@webmin & stunnel4@shellinabox respectively. You can check for them via systemctl as per usual:

systemctl status stunnel4@webmin
systemctl status stunnel4@shellinabox

However, having said that, your netstat output suggests that everything is working as it should be?! Note these lines:

	tcp        0      0 0.0.0.0:12320           0.0.0.0:*               LISTEN      266/stunnel4
	tcp        0      0 0.0.0.0:12321           0.0.0.0:*               LISTEN      263/stunnel4

Despite the fact that your Webmin status looks good, I note that it doesn't appear to be running in your netstat output (by default, and as per your config posted earlier, it should be on port 10000).

So my suspicion is that you've hit a known issue with the Webmin service stability. Please try installing the new Webmin package as per the blog post and see if that fixes the issue. Fingers crossed it will...

'systemctl status stunnel4@webmin' shows:

	* stunnel4@webmin.service - Universal SSL tunnel for network daemons (webmin)
	   Loaded: loaded (/lib/systemd/system/stunnel4@.service; enabled; vendor preset: enabled
	   Active: active (running) since Wed 2020-10-07 03:26:07 UTC; 2h 37min ago
	  Process: 252 ExecStart=/usr/bin/stunnel4 /etc/stunnel/webmin.conf (code=exited, status=0/SUCCESS)
	 Main PID: 273 (stunnel4)
	    Tasks: 2 (limit: 4915)
	   Memory: 1.1M
	   CGroup: /system.slice/system-stunnel4.slice/stunnel4@webmin.service
	           `-273 /usr/bin/stunnel4 /etc/stunnel/webmin.conf

	Oct 07 03:34:48 reverse stunnel[273]: LOG3[1]: s_connect: connect 127.0.0.1:10000: Connection refused (111)
	Oct 07 03:34:48 reverse stunnel[273]: LOG3[1]: No more addresses to connect
	Oct 07 03:34:48 reverse stunnel[273]: LOG5[1]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
	Oct 07 03:34:48 reverse stunnel[273]: LOG5[2]: Service [webmin] accepted connection from 192.168.1.219:52789
	Oct 07 03:34:48 reverse stunnel[273]: LOG3[2]: SSL_accept: 14094416: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certifi
	Oct 07 03:34:48 reverse stunnel[273]: LOG5[2]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
	Oct 07 03:34:48 reverse stunnel[273]: LOG5[3]: Service [webmin] accepted connection from 192.168.1.219:52790
	Oct 07 03:34:48 reverse stunnel[273]: LOG3[3]: s_connect: connect 127.0.0.1:10000: Connection refused (111)
	Oct 07 03:34:48 reverse stunnel[273]: LOG3[3]: No more addresses to connect
	Oct 07 03:34:48 reverse stunnel[273]: LOG5[3]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket

'systemctl status stunnel4@shellinabox' shows:

	* stunnel4@shellinabox.service - Universal SSL tunnel for network daemons (shellinabox)
	   Loaded: loaded (/lib/systemd/system/stunnel4@.service; enabled; vendor preset: enabled)
	   Active: active (running) since Wed 2020-10-07 03:26:07 UTC; 2h 37min ago
	  Process: 256 ExecStart=/usr/bin/stunnel4 /etc/stunnel/shellinabox.conf (code=exited, status=0/SUCCESS)
	 Main PID: 270 (stunnel4)
	    Tasks: 2 (limit: 4915)
	   Memory: 1.5M
	   CGroup: /system.slice/system-stunnel4.slice/stunnel4@shellinabox.service
	           `-270 /usr/bin/stunnel4 /etc/stunnel/shellinabox.conf

	Oct 07 03:26:07 reverse stunnel[256]: LOG5[ui]: Running  with OpenSSL 1.1.1d  10 Sep 2019
	Oct 07 03:26:07 reverse stunnel[256]: LOG5[ui]: Threading:PTHREAD Sockets:POLL,IPv6,SYSTEMD TLS:ENGINE,FIPS,OCSP,PSK,SNI Auth:LIBWRA
	Oct 07 03:26:07 reverse stunnel[256]: LOG5[ui]: Reading configuration from file /etc/stunnel/shellinabox.conf
	Oct 07 03:26:07 reverse stunnel[256]: LOG5[ui]: UTF-8 byte order mark not detected
	Oct 07 03:26:07 reverse stunnel[256]: LOG5[ui]: FIPS mode disabled
	Oct 07 03:26:07 reverse stunnel[256]: LOG5[ui]: Configuration successful
	Oct 07 03:26:07 reverse stunnel[256]: LOG5[ui]: Binding service [shellinabox] to :::12320: Address already in use (98)
	Oct 07 03:26:07 reverse stunnel[256]: LOG5[ui]: Switched to chroot directory: /var/lib/stunnel4/
	Oct 07 03:26:07 reverse systemd[1]: stunnel4@shellinabox.service: Can't open PID file /var/lib/stunnel4/shellinabox.pid (yet?) after
	Oct 07 03:26:07 reverse systemd[1]: Started Universal SSL tunnel for network daemons (shellinabox).

Jeremy Davis:

That shows that port 10000 is refusing the connection. Which suggests that Webmin isn't running.

So my money says that if you install the updated Webmin packages from the TurnKey 'testing' repo (which includes an improved Webmin service file - as per the blog post I linked to previously) that will fix it...
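The diagnosis above (stunnel listening on its front port, but the connect to 127.0.0.1:10000 refused because Webmin is not bound there) can be checked mechanically. The following script is an added example, not code from this thread or from TurnKey; it runs the same reasoning over `netstat -tlnp` output and stunnel log lines. The inputs embedded in it are constructed samples modelled on the output posted above, and the front port, backend address and return codes are this example's own conventions.

```shell
#!/bin/sh
# Added example: decide whether a stunnel front port and its plain-text backend
# are both up, from `netstat -tlnp` output and stunnel journal lines.
# Sample inputs are constructed (modelled on the thread), not captured live.

NETSTAT_SAMPLE='tcp        0      0 0.0.0.0:12321           0.0.0.0:*               LISTEN      263/stunnel4
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      271/sshd'

# Same host after Webmin came back and bound to 127.0.0.1:10000 (constructed).
NETSTAT_HEALTHY="$NETSTAT_SAMPLE
tcp        0      0 127.0.0.1:10000         0.0.0.0:*               LISTEN      873/perl"

STUNNEL_LOG_SAMPLE='Oct 07 03:34:48 reverse stunnel[273]: LOG5[1]: Service [webmin] accepted connection from 192.168.1.219:52788
Oct 07 03:34:48 reverse stunnel[273]: LOG3[1]: s_connect: connect 127.0.0.1:10000: Connection refused (111)
Oct 07 03:34:48 reverse stunnel[273]: LOG3[3]: s_connect: connect 127.0.0.1:10000: Connection refused (111)'

# port_listening NETSTAT_TEXT PORT: succeeds if any LISTEN socket is bound to PORT.
# Handles both "0.0.0.0:12321" and IPv6 ":::80" forms of the local-address column.
port_listening() {
    printf '%s\n' "$1" | awk -v p="$2" '
        $6 == "LISTEN" { n = split($4, a, ":"); if (a[n] == p) found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# count_backend_refusals LOG_TEXT HOST:PORT: number of s_connect refusals to that backend.
count_backend_refusals() {
    printf '%s\n' "$1" | grep -cF "s_connect: connect $2: Connection refused" || true
}

# diagnose NETSTAT_TEXT LOG_TEXT FRONT_PORT BACKEND_HOST:PORT
# Returns 0 = chain healthy, 1 = stunnel up but backend down, 2 = stunnel not listening.
diagnose() {
    front=$3 back=$4
    if ! port_listening "$1" "$front"; then
        echo "port $front not listening: the stunnel instance itself is not up"
        return 2
    fi
    refused=$(count_backend_refusals "$2" "$back")
    if ! port_listening "$1" "${back##*:}"; then
        echo "stunnel listens on $front but backend $back is down ($refused refused connects logged)"
        return 1
    fi
    echo "stunnel on $front and backend $back both listening ($refused refused connects logged)"
}

diagnose "$NETSTAT_SAMPLE" "$STUNNEL_LOG_SAMPLE" 12321 127.0.0.1:10000 || echo "rc=$?"
diagnose "$NETSTAT_HEALTHY" "" 12321 127.0.0.1:10000
```

On a live host the same functions can be fed `netstat -tlnp` and `journalctl -u stunnel4@webmin` output instead of the constructed samples.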

I'll give it a try

Thank you

Really great!

It works like a charm once I upgraded from the testing repo.

Thank you sir

Jeremy Davis:

Fantastic, thanks for the feedback! :) I hope to move that into the "main" repo sometime soon.

damir:

I have the same problem and I did:

	apt-get --purge remove webmin
	apt-get install webmin

But it is the same problem. What is the correct text for sources.list? I have this in the directory /etc/apt/sources.list.d/:

	debian-backports.list.disabled  security.sources.list  sogo-nightly.list  sources.list  turnkey testing.list.disabled  webmin.list

My turnkey-version: turnkey-lamp-17.1-bullseye-amd64
Jeremy Davis:

Whilst your issue may seem similar to this, I very highly doubt that it's the same issue ~3 years later. And the "workaround" this user used definitely won't apply (we had a newer Webmin version with revised service file and other packaging modifications available in v16.x, we don't have that in v17.x).

So it's best for you to start a new thread (you'll need to sign up - new threads require logged in users) describing the issue you have, what you've done so far to try to fix it and what the current state is. Seeing as your issue appears similar on face value, please consult this thread as a guide to what info is useful to provide. I generally aim to reply to forum posts at least once per day (doesn't always happen - but most week days I do).

Whilst it will take you more time to post a new post with all the info I've asked for, the flipside is that I'll be able to help you quicker if I fully understand the issue that you're hitting and the state of your system.

madner:

I'm experiencing the same issue with a TurnKey Mediaserver on an LXC. If I enable the nesting feature, it works. Were you able to solve it, or did you open a specific thread as suggested?

Jeremy Davis:

Yes, nesting needs to be enabled for everything to work as intended.
