Chris's picture
I had a turnkey core v16.1, with gitlab omnibus running on top. I lost that VM due to a power issue. I tried restoring to a fresh core v16.1 with gitlab (same version I had previously) installed and that restore didn't work. So then I spun up a fresh turnkey gitlab v18, upgraded gitlab to the same version I had, got the login page for gitlab to come up, and then performed the restore from core gitlab v16.1. And it worked wonderfully. Except now I can no longer access webmin (12321) or shell in a box (12320). They both show on the confconsole, with the correct IP address. Any help? I can provide more info if needed. Thank you
Chris's picture

The restore had a different IP address than the current VM, I am guessing this is where the issue lies.
Jeremy Davis's picture

Glad to hear that you've had some progress with your move to a v18.x base, although this issue sounds like a bit of a pain!

I think what's happened is that your restore has pulled in some older config which has overwritten the updated config in v18.x. I'm guessing that what confconsole is showing has come from your old server. I had hoped to automate some v18.x TKLBAM migrations by now, but my todo list grows faster than I can tick things off...

There are a few significant changes in v18.x. Webshell has been replaced by a Webmin "Terminal" module. With the removal of Webshell, we also removed Stunnel (which was doing SSL/TLS termination for both Webshell and Webmin). Webmin is now being served directly via its own built-in mini server. As Webmin is directly web facing now, its mini server config (/etc/webmin/miniserv.conf) needs quite a few updates.

Initially I was going to guide you how to update your config file manually step by step. However, we have a script that we use to set up the default Webmin config we ship with. Leveraging that seems like a better idea.

First I'll note the steps to be done:

  • backup your existing config (just in case)
  • change to home directory
  • download the script
  • set a variable with a list of desired secure cryptographic ciphers that Webmin's SSL/TLS connections will use
  • add an extra line to the script so it will also add those ciphers to the config file (we do that step elsewhere at build time - hence why it's not already in the script)
  • make the script executable
  • run the script
  • restart webmin

And now the code to copy/paste into your terminal to apply the steps noted above:

cp /etc/webmin/miniserv.conf /etc/webmin/miniserv.conf.bak
cd ~
wget https://raw.githubusercontent.com/turnkeylinux/common/18.x/conf/turnkey.d/webmin-conf
CIPHERS="ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
echo "update_or_add ssl_cipher_list $CIPHERS" >> webmin-conf
chmod +x webmin-conf
./webmin-conf
systemctl restart webmin

That should finish pretty quickly. Double check that Webmin is now working via your browser.


If it still isn't working, then please give me the output of the following commands:

turnkey-version
netstat -tlnp
systemctl status webmin
journalctl -u webmin --since="2 minutes ago"

Please share any other info you think might be useful.


If Webmin is working now and all is well, then great! :)

If you are running the latest v18.1 release (released early July) then you should be all good to go and you can skip this next little bit.

If you're running the older v18.0 release, then I have a few other Webmin related improvements for you. Adding a couple of modules and removing one.

apt install webmin-xterm webmin-logviewer -y
apt remove webmin-shell -y

As for the Webshell entry in confconsole: edit the /etc/confconsole/services.txt file that generates that output, then remove the whole line noting Webshell and save it.

In future if you want to access a terminal via web UI (like you did before with Webshell) log into Webmin and browse to Tools >> Terminal.

Good luck! :)

I'd love to hear how you go.

Chris's picture

Thank you for your reply, always appreciated. I tried the script but still cannot access webmin. Below are the results of the requested commands.
root@gitlab ~# turnkey-version
turnkey-gitlab-18.0-bookworm-amd64
root@gitlab ~# netstat -tlnp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:9100          0.0.0.0:*               LISTEN      593/node_exporter
tcp        0      0 127.0.0.1:9121          0.0.0.0:*               LISTEN      588/redis_exporter
tcp        0      0 127.0.0.1:9168          0.0.0.0:*               LISTEN      590/ruby
tcp        0      0 127.0.0.1:9187          0.0.0.0:*               LISTEN      579/postgres_export
tcp        0      0 0.0.0.0:8060            0.0.0.0:*               LISTEN      586/nginx: master p
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1017/master
tcp        0      0 127.0.0.1:12321         0.0.0.0:*               LISTEN      964485/perl
tcp        0      0 127.0.0.1:8080          0.0.0.0:*               LISTEN      589/puma 6.4.0 (uni
tcp        0      0 127.0.0.1:8082          0.0.0.0:*               LISTEN      1205/sidekiq_export
tcp        0      0 127.0.0.1:8092          0.0.0.0:*               LISTEN      1203/sidekiq 7.1.6
tcp        0      0 127.0.0.1:8150          0.0.0.0:*               LISTEN      565/gitlab-kas
tcp        0      0 127.0.0.1:8151          0.0.0.0:*               LISTEN      565/gitlab-kas
tcp        0      0 127.0.0.1:8153          0.0.0.0:*               LISTEN      565/gitlab-kas
tcp        0      0 127.0.0.1:8154          0.0.0.0:*               LISTEN      565/gitlab-kas
tcp        0      0 127.0.0.1:8155          0.0.0.0:*               LISTEN      565/gitlab-kas
tcp        0      0 127.0.0.1:9229          0.0.0.0:*               LISTEN      587/gitlab-workhors
tcp        0      0 127.0.0.1:9236          0.0.0.0:*               LISTEN      690/gitaly
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      586/nginx: master p
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      655/sshd: /usr/sbin
tcp6       0      0 :::22                   :::*                    LISTEN      655/sshd: /usr/sbin
root@gitlab ~# systemctl status webmin
* webmin.service - Webmin server daemon
     Loaded: loaded (/lib/systemd/system/webmin.service; enabled; preset: enabled)
     Active: active (running) since Fri 2024-08-30 10:19:30 EDT; 8min ago
    Process: 964431 ExecStart=/usr/share/webmin/miniserv.pl /etc/webmin/miniserv.conf (code=exited, status=0/SUCCESS)
   Main PID: 964485 (miniserv.pl)
      Tasks: 1 (limit: 4630)
     Memory: 30.4M
        CPU: 1.124s
     CGroup: /system.slice/webmin.service
             `-964485 /usr/bin/perl /usr/share/webmin/miniserv.pl /etc/webmin/miniserv.conf

Aug 30 10:19:26 gitlab systemd[1]: Starting webmin.service - Webmin server daemon...
Aug 30 10:19:27 gitlab perl[964431]: pam_unix(webmin:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= r>
Aug 30 10:19:29 gitlab webmin[964431]: Webmin starting
Aug 30 10:19:30 gitlab systemd[1]: webmin.service: Can't open PID file /var/webmin/miniserv.pid (yet?) after start: No >
Aug 30 10:19:30 gitlab systemd[1]: Started webmin.service - Webmin server daemon.
root@gitlab ~# journalctl -u webmin --since="10 minutes ago"
Aug 30 10:36:40 gitlab systemd[1]: Stopping webmin.service - Webmin server daemon...
Aug 30 10:36:40 gitlab systemd[1]: webmin.service: Deactivated successfully.
Aug 30 10:36:40 gitlab systemd[1]: Stopped webmin.service - Webmin server daemon.
Aug 30 10:36:40 gitlab systemd[1]: webmin.service: Consumed 1.163s CPU time.
Aug 30 10:36:40 gitlab systemd[1]: Starting webmin.service - Webmin server daemon...
Aug 30 10:36:41 gitlab perl[977910]: pam_unix(webmin:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= r>
Aug 30 10:36:43 gitlab webmin[977910]: Webmin starting
Aug 30 10:36:43 gitlab systemd[1]: Started webmin.service - Webmin server daemon.
Jeremy Davis's picture

I can see the issue.

Webmin is listening on the right port - 12321, but only listening on 127.0.0.1 - i.e. localhost.

Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
[...]
tcp        0      0 127.0.0.1:12321         0.0.0.0:*               LISTEN      964485/perl

I won't explain what all the output means right now, but note the "Local Address" is '127.0.0.1:12321'. That means Webmin is listening on the right port (12321) but only listening on localhost (127.0.0.1) - so only available within the server, not via an external PC. To be externally accessible a server needs to listen on at least one interface. Often 0.0.0.0 is used - which means all interfaces. So in this case, you want the "Local Address" to be 0.0.0.0:12321.

As an aside, it likely isn't obvious to you that that specific process is Webmin (other than the port) - but Webmin is written in Perl, so between the port and the process being 'perl', I'm sure that's it. FWIW you can also ignore the "Foreign Address" in this case.

Looking closer at the code I gave you to update your Webmin config, I'm not 100% sure why it doesn't include/update that. I'm guessing that by default it listens on 0.0.0.0. Anyway, to make it listen externally, edit the Webmin miniserver config - look for a line like this:

bind=127.0.0.1

Update that to:

bind=0.0.0.0

Then restart Webmin again:

systemctl restart webmin

Then hopefully you should be good.

If it's still not working, give me the output of the last 3 commands I asked for before - i.e. 'netstat -tlnp', 'systemctl status webmin' and 'journalctl -u webmin --since="10 minutes ago"'. It would also be useful to see your full Webmin miniserver config:

cat /etc/webmin/miniserv.conf
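
The loopback-only condition diagnosed in this thread can be checked mechanically, so a restore that carries over an old `bind=` line is caught before anyone reaches for a browser. This is an added example, not part of any post; `listen_scope` and `configured_bind` are hypothetical helper names, and the input is assumed to be in `netstat -tln` column layout.

```shell
#!/usr/bin/env bash
# Added example: classify how a TCP port is exposed on this host.

# listen_scope PORT: reads netstat -tln rows on stdin and prints one of
# not-listening | loopback-only | all-interfaces | specific:<addr>
listen_scope() {
    awk -v port="$1" '
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            n = split($4, parts, ":")            # port is the last colon-separated piece
            if (parts[n] != port) next
            addr = substr($4, 1, length($4) - length(parts[n]) - 1)
            gsub(/^\[|\]$/, "", addr)            # tolerate bracketed IPv6 addresses
            if (addr == "0.0.0.0" || addr == "::" || addr == "*") wild = 1
            else if (addr ~ /^127\./ || addr == "::1") lo = 1
            else other = addr
        }
        END {
            if (wild) print "all-interfaces"
            else if (other != "") print "specific:" other
            else if (lo) print "loopback-only"
            else print "not-listening"
        }'
}

# configured_bind FILE: value of the bind= line in a miniserv.conf style
# key=value file, or "unset" when the file has no such line.
configured_bind() {
    awk -F= '$1 == "bind" { v = $2 } END { print (v == "" ? "unset" : v) }' "$1"
}

# Rows copied from the netstat output posted in the thread (before the fix).
BEFORE='tcp        0      0 127.0.0.1:12321         0.0.0.0:*               LISTEN      964485/perl
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      655/sshd: /usr/sbin
tcp6       0      0 :::22                   :::*                    LISTEN      655/sshd: /usr/sbin'
# Constructed row: the Webmin socket as it should appear after bind=0.0.0.0.
AFTER='tcp        0      0 0.0.0.0:12321           0.0.0.0:*               LISTEN      964485/perl'

printf 'before fix, port 12321: %s\n' "$(printf '%s\n' "$BEFORE" | listen_scope 12321)"
printf 'after fix,  port 12321: %s\n' "$(printf '%s\n' "$AFTER" | listen_scope 12321)"

# On a live system:
#   netstat -tln | listen_scope 12321
#   configured_bind /etc/webmin/miniserv.conf
```

Comparing the two results shows whether the running socket matches the config file; a mismatch usually means Webmin has not been restarted since the edit.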
