soulhacker - Tue, 2020/10/06 - 16:19
Hi,
I met a problem.
I installed the newest Turnkey Linux File Server LXC on Proxmox. And after the installation, all is working well but the webmin page. I cannot access it.
When I check the status of webmin, it's ok. And the status of stunnel4 is abnormal. It shows it has been masked. Then I run the cmd
'systemctl unmask stunnel4'
to unmask it, then reboot.
This time, the stunnel4 service started successfully. But the webmin service shows an error as follows:
'Oct 06 13:07:46 File-Server systemd[1]: Failed to start Universal SSL tunnel for network daemons (webmin).'
and I cannot make it to work.
What should I do?
Thanks
Config for Webmin miniserv.conf:
port=10000
root=/usr/share/webmin
mimetypes=/usr/share/webmin/mime.types
addtype_cgi=internal/cgi
realm=Webmin Server
logfile=/var/webmin/miniserv.log
errorlog=/var/webmin/miniserv.error
pidfile=/var/webmin/miniserv.pid
logtime=168
ssl=
no_ssl2=1
no_ssl3=1
no_tls1=1
no_tls1_1=1
ssl_honorcipherorder=1
no_sslcompression=1
env_WEBMIN_CONFIG=/etc/webmin
env_WEBMIN_VAR=/var/webmin
atboot=0
logout=/etc/webmin/logout-flag
listen=10000
denyfile=\.pl$
log=1
blockhost_failures=5
blockhost_time=60
syslog=1
ipv6=0
session=1
premodules=WebminCore
server=MiniServ/1.941
userfile=/etc/webmin/miniserv.users
keyfile=/etc/webmin/miniserv.pem
passwd_file=/etc/shadow
passwd_uindex=0
passwd_pindex=1
passwd_cindex=2
passwd_mindex=4
passwd_mode=0
passdelay=1
logout_script=/etc/webmin/logout.pl
failed_script=/etc/webmin/failed.pl
cipher_list_def=1
login_script=/etc/webmin/login.pl
sudo=1
inetd_ssl=1
bind=127.0.0.1
sockets=
no_resolv_myname=0
preroot=authentic-theme
config of stunnel4, webmin.conf:
; **************************************************************************
; * Global options *
; **************************************************************************
; A copy of some devices and system files is needed within the chroot jail
; Chroot conflicts with configuration file reload and many other features
; Remember also to update the logrotate configuration.
chroot = /var/lib/stunnel4/
; Chroot jail can be escaped if setuid option is not used
setuid = stunnel4
setgid = stunnel4
; PID is created inside the chroot jail
pid = /webmin.pid
; Debugging stuff (may useful for troubleshooting)
;debug = 7
;output = /var/log/stunnel4/webmin.log
; **************************************************************************
; * Service defaults may also be specified in individual service sections *
; **************************************************************************
; Certificate/key is needed in server mode and optional in client mode
cert = /etc/ssl/private/cert.pem
; Authentication stuff needs to be configured to prevent MITM attacks
; It is not enabled by default!
;verify = 2
; Don't forget to c_rehash CApath
; CApath is located inside chroot jail
;CApath = /certs
; It's often easier to use CAfile
;CAfile = /etc/stunnel/certs.pem
; Don't forget to c_rehash CRLpath
; CRLpath is located inside chroot jail
;CRLpath = /crls
; Alternatively CRLfile can be used
;CRLfile = /etc/stunnel/crls.pem
; Disable support for insecure SSLv2 protocol
options = NO_SSLv3
; Workaround for Eudora bug
;options = DONT_INSERT_EMPTY_FRAGMENTS
; These options provide additional security at some performance degradation
;options = SINGLE_ECDH_USE
;options = SINGLE_DH_USE
options = CIPHER_SERVER_PREFERENCE
renegotiation = no
; secure ciphens added by conf script
ciphers=ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
[webmin]
accept = 12321
connect = 127.0.0.1:10000
TIMEOUTclose = 0
What version? Where are you running? Privileged/unprivileged?
Which version of TurnKey is this? If you're unsure:
Also, where is it running? Which version of LXC is the LXC host running?
Is it a privileged or unprivileged container?
It'd also be good to know what ports are being listened on:
As well as the service status of the relevant services:
Thanks for your reply.
The version of turnkey linux is:
and it's running on Proxmox as a LXC. The LXC is an UNPRIVILEGED Container and the template is:
The 'netstat -tlnp' cmd shows:
The status of Webmin is:
The status of stunnel4 is:
Like I said, it's masked. I don't know why. But when I unmasked it, the Webmin service cannot start.
Thanks
On face value; looks like it's working fine...
I'm not sure where your Stunnel config came from, but it looks like v15.x or earlier config. [Apologies on that - re-looking at your post, I can see that you posted /etc/stunnel/webmin.conf from v16.0.]
In v16.x a separate instance of stunnel runs for each service (each instance is created from a template, with the vanilla default purposely masked). The v16.x+ default instances of Stunnel are named stunnel4@webmin & stunnel4@shellinabox respectively. You can check for them via systemctl as per usual:
However, having said that, your netstat output suggests that everything is working as it should be?! Note these lines:
Despite the fact that your Webmin status looks good, I note that it doesn't appear to be running in your netstat output (by default, and as per your config posted earlier, it should be on port 10000).
So my suspicion is that you've hit a known issue with the Webmin service stability. Please try installing the new Webmin package as per the blog post and see if that fixes the issue. Fingers crossed it will...
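Added example, not part of the thread and not TurnKey's own tooling: a POSIX shell check that performs the comparison described in the reply above, listing each stunnel service section and reporting whether its front-end (accept) and back-end (connect) ports have a TCP listener. Only the `[webmin]` ports come from the posted config; the `[demo]` section and the listener lines are constructed sample data, and the function names are hypothetical.

```sh
#!/bin/sh
# Added example: map each stunnel service to its ports and report whether
# the accept and connect ports each have a TCP listener.

# Emit "service accept_port connect_port" for every [section] of a stunnel config.
stunnel_services() {
    awk '
        function port(v) { sub(/[ \t\r]+$/, "", v); sub(/^.*[=:][ \t]*/, "", v); return v }
        function flush() { if (name != "") print name, (acc == "" ? "-" : acc), (con == "" ? "-" : con); acc = con = "" }
        /^[ \t]*[;#]/           { next }    # comment lines
        /^\[/                   { flush(); name = substr($0, 2, index($0, "]") - 2); next }
        /^[ \t]*accept[ \t]*=/  { acc = port($0) }
        /^[ \t]*connect[ \t]*=/ { con = port($0) }
        END                     { flush() }
    ' "$1"
}

# Read `netstat -tln` or `ss -tln` output on stdin; print the listening TCP ports.
listening_ports() {
    awk '/LISTEN/ { p = $4; sub(/^.*:/, "", p); print p }' | sort -un
}

# $1 = stunnel config, $2 = saved listener output. Returns 1 if any port is down.
check_tunnels() {
    ports=" $(listening_ports < "$2" | tr '\n' ' ')"
    rc=0
    while read -r name acc con; do
        [ -n "$name" ] || continue
        front=down; back=down
        case "$ports" in *" $acc "*) front=up ;; esac
        case "$ports" in *" $con "*) back=up ;; esac
        echo "$name accept=$acc:$front connect=$con:$back"
        [ "$front" = up ] && [ "$back" = up ] || rc=1
    done <<EOF
$(stunnel_services "$1")
EOF
    return "$rc"
}

# Constructed sample input: stunnel is listening on 12321, but nothing is
# listening on the Webmin back-end port 10000 (the state diagnosed in the thread).
tmp=$(mktemp -d)
printf '%s\n' '[webmin]' 'accept = 12321' 'connect = 127.0.0.1:10000' \
    '[demo]' 'accept = 8443' 'connect = 127.0.0.1:8080' > "$tmp/stunnel.conf"
printf 'tcp 0 0 %s 0.0.0.0:* LISTEN\n' 0.0.0.0:12321 0.0.0.0:8443 127.0.0.1:8080 > "$tmp/listeners.txt"
check_tunnels "$tmp/stunnel.conf" "$tmp/listeners.txt" || echo "at least one tunnel endpoint has no listener"
```

On a live system, save the output of `netstat -tln` to a file and pass it as the second argument together with the stunnel config path.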
'systemctl status stunnel4
'systemctl status stunnel4@webmin' shows:
'systemctl status stunnel4@shellinabox' shows:
That shows that port 10000 is refusing the connection. Which suggests that Webmin isn't running.
So my money says that if you install the updated Webmin packages from the TurnKey 'testing' repo (which includes an improved Webmin service file - as per the blog post I linked to previously) that will fix it...
I'll give it a try
Thank you
Really great!
It works like a charm when I upgrade the testing repos.
Thank you sir
Fantastic, thanks for the feedback! :) I hope to move that into the "main" repo sometime soon.
same problem
Sorry I don't really understand what you mean?
Whilst your issue may seem similar to this, I very highly doubt that it's the same issue ~3 years later. And the "workaround" this user used definitely won't apply (we had a newer Webmin version with revised service file and other packaging modifications available in v16.x, we don't have that in v17.x).
So it's best for you to start a new thread (you'll need to sign up - new threads require logged in users) describing the issue you have, what you've done so far to try to fix it and what the current state is. Seeing as your issue appears similar on face value, please consult this thread as a guide to what info is useful to provide. I generally aim to reply to forum posts at least once per day (doesn't always happen - but most week days I do).
Whilst it will take you more time to post a new post with all the info I've asked for, the flipside is that I'll be able to help you quicker if I fully understand the issue that you're hitting and the state of your system.
Same here
Enable nesting...
Yes, nesting needs to be enabled for everything to work as intended.