BJWTech:

I was trying to install an internal cert signed by our internal CA. Afterwards I could not get into the webmin page.

How can I reset the webmin install?

Thanks!

BJWTech:

In the /etc/webmin/miniserv.conf file:

...
ssl=0
...

That turns it off. So where is the dc1 cert being set and served from?

Jeremy Davis:

Webmin and Webshell (aka Shellinabox) are both behind stunnel. That provides the SSL termination and both Webmin and Webshell use only vanilla HTTP (but should only be available locally).

The "master" SSL/TLS cert (that is used for all SSL/TLS connections) can be found at /etc/ssl/private/cert.pem (& /etc/ssl/private/cert.key). Although please note that the cert.pem file includes the key (and the dhparams.pem) as well. I.e.:

# grep 'BEGIN\|END' /etc/ssl/private/cert.pem
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----
-----BEGIN DH PARAMETERS-----
-----END DH PARAMETERS-----

IIRC Stunnel needs the key in the same file - but the webserver shouldn't. I do recall someone mentioning that stunnel can be configured to use a separate keyfile, but I haven't investigated that yet (was planning to look at that for the next major release).

Also, please note that the permissions for SSL/TLS certs need to be locked down. I.e.:

# ls -l /etc/ssl/private/
total 24
-r-------- 1 root root     1704 Sep 27 20:36 cert.key
-r-------- 1 root root     3210 Sep 27 20:36 cert.pem
-r-------- 1 root root      428 May  7  2022 dhparams.pem
-rw-r----- 1 root ssl-cert 1704 Apr 10  2022 ssl-cert-snakeoil.key

It should be owned by root already, but if not:

chown root:root /etc/ssl/private/{cert.pem,cert.key}

Then you can set those permissions like this:

chmod 400 /etc/ssl/private/{cert.pem,cert.key}

Hopefully that's enough to get you over the line. If you need more info or I haven't adequately answered your question, please feel free to try again.
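To make the layout Jeremy describes concrete, here is an added shell example (not code from this thread or from TurnKey) that audits a combined cert.pem of the kind shown above: it confirms the three PEM sections are present, proves the certificate and the private key actually belong together, and checks the file mode and owner. The same extract_block helper is also how you would split the key out into a separate keyfile, should stunnel ever be pointed at one. It assumes the openssl CLI, awk and GNU stat (the "stat -c" form); function names are my own, the paths are parameters, and the test bundle it can build is constructed from a fresh self-signed certificate, so nothing under /etc is touched.

```shell
#!/bin/sh
# Added example, not code from the thread or from TurnKey: sanity-check a
# combined cert.pem (certificate + private key + DH params, as described
# above) before pointing stunnel at it. Assumes the openssl CLI, awk and
# GNU stat ("stat -c"); paths are parameters, so /etc is never touched.

# Print one PEM block type (e.g. CERTIFICATE, "PRIVATE KEY") from a file.
# The ".*" tolerates legacy headers ("RSA PRIVATE KEY") and the
# "X9.42 DH PARAMETERS" header that dhparam -dsaparam writes.
# This is also how you would carve the key out into its own keyfile.
extract_block() {   # extract_block "PRIVATE KEY" /path/bundle.pem
    awk -v t="$1" '$0 ~ ("^-----BEGIN .*" t "-----$") {p=1}
                   p {print}
                   $0 ~ ("^-----END .*" t "-----$") {p=0}' "$2"
}

# Does the bundle carry all three sections stunnel expects?
check_bundle_sections() {
    rc=0
    for t in "CERTIFICATE" "PRIVATE KEY" "DH PARAMETERS"; do
        if [ -z "$(extract_block "$t" "$1")" ]; then
            echo "missing $t block in $1" >&2
            rc=1
        fi
    done
    return $rc
}

# Does the certificate actually belong to the private key beside it?
# Both commands print the SubjectPublicKeyInfo as PEM; equal output means
# the same key. An encrypted key would make openssl prompt and fail here,
# which is also what stunnel would hit at startup.
check_key_matches_cert() {
    cert_pub=$(extract_block CERTIFICATE "$1" | openssl x509 -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(extract_block "PRIVATE KEY" "$1" | openssl pkey -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Private material must be readable by its owner only: 400 (600 at most).
check_perms() {
    mode=$(stat -c '%a' "$1") || return 1
    case "$mode" in
        400|600) return 0 ;;
        *) echo "$1 has mode $mode, expected 400" >&2; return 1 ;;
    esac
}

check_owner_root() {
    [ "$(stat -c '%U' "$1")" = "root" ]
}

# Build a throwaway bundle in DIR from a fresh self-signed cert (constructed
# test data, not the server's real cert) so the checks can be tried safely.
# -dsaparam keeps DH parameter generation fast enough for a demo.
make_test_bundle() {
    d="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=example.test' \
        -keyout "$d/cert.key" -out "$d/crt.pem" 2>/dev/null
    openssl dhparam -dsaparam -out "$d/dhparams.pem" 1024 2>/dev/null
    cat "$d/crt.pem" "$d/cert.key" "$d/dhparams.pem" > "$d/cert.pem"
    chmod 400 "$d/cert.pem" "$d/cert.key"
}

# Run every check against one bundle; exit status is 0 only if all pass.
audit_bundle() {
    ok=0
    check_bundle_sections "$1" || ok=1
    check_key_matches_cert "$1" || { echo "cert/key mismatch in $1" >&2; ok=1; }
    check_perms "$1" || ok=1
    check_owner_root "$1" || { echo "$1 is not owned by root" >&2; ok=1; }
    return $ok
}

# On a real TurnKey system you would run: audit_bundle /etc/ssl/private/cert.pem
```

The key/cert comparison is the check that would have caught the original problem early: if the CA-signed certificate was pasted into cert.pem but the matching private key was not, the two public keys differ and stunnel has nothing usable to serve. The ownership check is kept separate from the mode check because a test run as an unprivileged user can exercise the latter but not the former.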

Jeremy Davis:

BJWTech replied by email but it wasn't auto-posted to the forums, so I'm manually posting:

Thank you! I will try again, now that I know how to disable it, if need be. 😄
