Virtualmin overwrites letsencrypt Webmin certificate

#1 Thu, 09/19/2019 - 11:19
Patryk


Hi, I'm on a freshly installed Ubuntu 18.04 server distro with nginx as the web server and Webmin / Virtualmin installed to administer my own additional domains. I use afraid for my dynamic IP, and my domains are updated there with ns1, ns2, ... nameservers. Everything probably works fine until I add my first virtual server and Let's Encrypt for the domain that's used for the first virtual server. My Webmin is installed with domain1.com and Let's Encrypt to secure the sessions I spend on Webmin, so domain1.com and domain1.com:10000 work fine and are SSL encrypted (green).

If I add my first virtual server to Virtualmin and run Let's Encrypt to secure the domain associated with the first virtual server (let's name it domain2.com), then my first domain (domain1.com), which is used for the Webmin control panel, breaks and I get this error in Firefox: Error code: SSL_ERROR_BAD_CERT_DOMAIN. If I open the certificate for domain1.com, I see domain2.com as the CN. To make it stranger, domain1.com:10000 works fine with that cert and the CN is domain1.com, but if I remove port :10000 and use this domain as is, without the Webmin port, the cert shown is the cert from the first virtual host. Adding domain3.com, domain4.com, ... works fine, all run on Let's Encrypt; if I remove domain2.com, domain1.com gets the same error, but then from virtual host 2 with domain3.com.

I hope someone understands what I wrote and can help me out please.

Ubuntu 18.04 / nginx 1.14, latest Webmin (root/home/swap); all domains are ISP reg. domains. Error code: SSL_ERROR_BAD_CERT_DOMAIN
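
The symptom in the post above (port 443 answering for domain1.com with the domain2.com certificate while port 10000 presents the right one) can be confirmed per port with a hostname check like the following. This is an added example, not part of the original post; the function names and the sample certificate data are constructed for illustration.

```python
import socket
import ssl

def fetch_cert(host, port, timeout=5.0):
    """Live lookup: the cert dict served for `host` via SNI (chain still verified,
    hostname check off so a wrong-name certificate can be inspected)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def cert_names(cert):
    """SAN dNSName entries; subject CN only as a legacy fallback without SAN."""
    sans = [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v.lower() for rdn in cert.get("subject", ()) for k, v in rdn
            if k == "commonName"]

def name_matches(pattern, host):
    """Exact match, or a wildcard covering exactly the left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def audit(host, certs_by_port):
    """Map port -> (matches_host, names) for the certificate seen on each port."""
    report = {}
    for port, cert in certs_by_port.items():
        names = cert_names(cert)
        report[port] = (any(name_matches(n, host) for n in names), names)
    return report

# Constructed sample data in the shape getpeercert() returns, mirroring the
# thread: 443 serves the domain2.com cert, 10000 (Webmin) the domain1.com one.
SAMPLE = {
    443: {"subjectAltName": (("DNS", "domain2.com"), ("DNS", "www.domain2.com"))},
    10000: {"subjectAltName": (("DNS", "domain1.com"),)},
}

if __name__ == "__main__":
    for port, (ok, names) in audit("domain1.com", SAMPLE).items():
        print(port, "OK" if ok else "BAD_CERT_DOMAIN", names)
```

Against a live server, pass `{443: fetch_cert(host, 443), 10000: fetch_cert(host, 10000)}` to `audit`; a self-signed certificate makes `fetch_cert` raise `ssl.SSLCertVerificationError` because chain validation stays enabled.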

Thu, 09/19/2019 - 15:56
adamjedgar

When setting up a webserver, your hostname is important. From what you are saying, your hostname is currently set as domain1.com

So when you log into webmin it's via https://domain1.com:10000

This is problematic.

Your hostname should be set up as something like server1.domain1.com

Then webmin login would be https://server1.domain1.com:10000

In terms of the SSL certificate changing, it may be that you have got the configuration such that your server is using the domain2.com SSL for Webmin (there is a link enabling this under SSL).

Enabling that "use for webmin" for domain2.com SSL in your case would be one way to cause this error.

AJECreative is the home of $5 webhosting, $15/month VPS servers (1cpu,1gb RAM, 25GB storage)
Centos7, Debian9, or Ubuntu18LTS
Available Control Panels = Centos-Webpanel, Cyberpanel, or Virtualmin

https://ajecreative.com.au

Fri, 09/20/2019 - 11:41
Patryk

Dear, I did change the host to server1.domain1.com; that broke my network connection, and netplan won't apply at all right now. About the Webmin SSL config panel: nothing was modified or copied to Webmin from a virtual server.

EDIT:

Network connection established. I had to clean the lo.yaml file that caused connection problems after I changed the hostname. I have no idea why!

Hostname changed to server1.domain1.com.

I removed the certs from Let's Encrypt by command line to avoid more complications and tried to renew the certificates with server1.domain1.com using Webmin's Let's Encrypt function.

server1.domain1.com is now a subdomain and I try to renew it, but I'm lost with this error:

Failed authorization procedure. server1.domain1.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://server1.domain1.com/.well-known/acme-challenge/XPKX_gyh6GjQjycuEK... [MY IP ADDRESS]: "\r\n404 Not Found\r\n\r\n404 Not Found\r\n"

Nginx - Ubuntu 18.04

Fri, 09/20/2019 - 15:40
adamjedgar

I don't use nginx...so I don't know about that.

The ssl cert is for your virtual servers not server1.domain.com.

Are you trying to get ssl for server1.domain1.com? I don't worry about that, the only person accessing virtualmin dashboard via server1.domain1.com is you...you can use the self signed certificate for that for the time being (virtualmin already sets this up when you first install it (ie your first access is via url "https"...))

Setting up SSL for the server itself is a little more complicated than for virtual servers (ie domains/websites) on said server.

It's only the Virtual servers on it that then need to apply for their own certificates to avoid users seeing the security warnings in their web browsers typically found with self signed certificates...so they should be the only domains you input to let's encrypt (don't add server1.domain.com for certificate applications for any of your virtual servers (hosted domains/websites) or you will get an error for sure.)

I also worry about your having used command line to delete things. You are using a control panel, you really shouldn't use command line unless 100% you know that what you are doing is following a procedure that Virtualmin understands. Once you start messing with default install, things can quickly stuff your virtualmin installation...so be careful. Follow Virtualmin documentation always.

This really should just work on a brand new Virtualmin install without any problems. All I ever have to do is install Virtualmin, add a virtual server, use the domain2 registrar DNS to point the A record at the server IP address, wait for propagation, go into SSL and apply for a Let's Encrypt certificate for domain2, and it just works (every time). I have not once ever had to worry about server1.domain1.com SSL...even when applying for SSL for domain1.com (if I also want a virtual server/website on domain1.com), it just works without any problems.


Sat, 09/21/2019 - 14:15
Patryk

Dear, thank you for the time you spend on this forum to make noobs like me a bit smarter! What you wrote makes sense, and I spent some more hours setting up a new machine by following your suggestions.

And yes, it works just as it should, without any errors all the way through. It's like a sensation!

What I did:

First, I set up the hostname used in Ubuntu as the subdomain server0.domain1.com -> to my IP.

Installation: Ubuntu 18.04, Nginx and certbot, Webmin and Virtualmin, and all the small additions I need, like the Ondřej Surý repo for multiple PHP versions.

Ubuntu network installation with a static local IP address (192.168.1.100).

I did not touch certbot to secure my server's subdomain yet; I just added certbot to the server and ran the installation.

As soon as everything was installed and ready to touch, I did the postfix setup, which just worked like a charm, by using server0.domain1.com:10000.

I created a virtual server for domain1.com and ran Let's Encrypt, which works fine without any problems.

Modifications: I had to add this line to ProFTPd (proftpd.conf): TLSOptions NoSessionReuseRequired, to list files and avoid connection issues like: Failed to retrieve directory listing

Since Virtualmin doesn't redirect HTTP to HTTPS like it should with nginx installed as the web server, I needed to add a small snippet to my server block for domain1.com:

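# Plain-HTTP listener for domain1.com: send every request to HTTPS
server {
        server_name domain1.com www.domain1.com;
        listen 192.168.1.100:80;
        # Permanent (301) redirect that keeps the requested path
        rewrite ^/(.*) https://www.domain1.com/$1 permanent;
}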

Conclusion:

server0.domain1.com stays as is, self-signed, for my backend (Webmin), and domain1.com and www.domain1.com got a Let's Encrypt cert.
