Restarting webminFails: Moving a virtual server from sub-server to main server status does not update the usermin-ssl files

This one is a biggie in with 6 bugs in 1 report:

Result was webmin outage for half hour (and usermin for 1 hour) after upgrade of a server's virtualmin...

Ok, let's go through:

1) the command /etc/init.d/webmin start command gives NO ERRORs, while (fortunately) the command /etc/init.d/webmin restart gave finally the error which prevented the start of webmin:

Failed to open SSL key /home/oldmainclient/domains/domainnamethatisnowamaindomain.com/ssl.key at /usr/share/webmin/miniserv.pl line 3843.

Bug #1: start command should be as verbose as the restart command in case of error

2) such a missing file should not prevent restarting webmin imho !

Bug #2: the whole webmin can be down because of 1 missing non-essential file

3) the original bug that bombed days later now, is that the domainnamethatisnowamaindomain.com has been changed from sub-server of oldmainclient to become a main server as that domain got transfered to the oldmainclient's client, thus we moved from sub-server to main-level server. However, that sub-server had a dedicated IP and SSL certificates, that we had setup in Webmin->Usermin Config->SSL Encryption-> Add a new IP-specific SSL key.

Bug #3: when moving a server from sub-server to main-server, the usermin SSL certificates file paths are not updated (and maybe webmin's too, didn't check as we didn't set an IP-specifc key there ?)

To solve issue, we created just the folder:

/home/oldmainclient/domains/domainnamethatisnowamaindomain.com/

then copied from

/home/domainnamethatisnowamaindomain/ssl.*

to

/home/oldmainclient/domains/domainnamethatisnowamaindomain.com/

and restart worked!

4) the same issue of not updating IP-specific SSL keys is there in webmin too, but it doesn't prevent webmin to start at least.

5) webmin restart does not start usermin, when both were down.

5) webmin restart is a bit verbose, telling by default normal things:

Starting Webmin server in /usr/share/webmin
Pre-loaded virtual-server/virtual-server-lib-funcs.pl in virtual_server
Pre-loaded virtual-server/feature-unix.pl in virtual_server
Pre-loaded virtual-server/feature-dir.pl in virtual_server
Pre-loaded virtual-server/feature-dns.pl in virtual_server
Pre-loaded virtual-server/feature-mail.pl in virtual_server
Pre-loaded virtual-server/feature-web.pl in virtual_server
Pre-loaded virtual-server/feature-webalizer.pl in virtual_server
Pre-loaded virtual-server/feature-ssl.pl in virtual_server
Pre-loaded virtual-server/feature-logrotate.pl in virtual_server
Pre-loaded virtual-server/feature-mysql.pl in virtual_server
Pre-loaded virtual-server/feature-postgres.pl in virtual_server
Pre-loaded virtual-server/feature-ftp.pl in virtual_server
Pre-loaded virtual-server/feature-spam.pl in virtual_server
Pre-loaded virtual-server/feature-virus.pl in virtual_server
Pre-loaded virtual-server/feature-status.pl in virtual_server
Pre-loaded virtual-server/feature-webmin.pl in virtual_server
Pre-loaded virtual-server/feature-virt.pl in virtual_server
Pre-loaded virtual-server/feature-virt6.pl in virtual_server
Pre-loaded WebminCore

No urgency to reply, as we managed to fix configs and restart.

Status: 
Active

Comments

Thanks for the bug report .. taking a look at this now.

By the way, how did you configure Webmin to use that domain's SSL cert in the first place?

By setting the path of the SSL key and of the SSL cert, as they appear in the domain itself.

e.g.:

/home/oldmainclient/domains/domainnamethatisnowamaindomain.com/ssl.key

and

/home/oldmainclient/domains/domainnamethatisnowamaindomain.com/ssl.cert

in webmin -> usermin config (and webmin config same) -> SSL certs -> add new IP-specific cert

When I did that, there was no real link possible between virtualmin's SSL Webserver feature with automatic ssl.key handling, and adding those to usermin and webmin.

However, as webmin and mail. domain-aliases and webmail. apache redirects are programmed, it would be quite logical that virtualmin automatically handles same SSL certs (using same files) for usermin and webmin for the domain.

SSL certs are already painful by themselves, but here, we have to add them 3 times: for webserver, for webmin and for usermin.... Improvements welcome ;-)

Ok, that would explain it - the simpler and recommended way to set the SSL cert in this situation is at Manage SSL Certifcate -> Copy to Webmin. This makes a copy under /etc/webmin which is preserved even if a domain is renamed, moved or deleted.

You are correct about there being no good indication of what is going wrong in this case though, so in the next release I will add more useful diagnostics to STDERR. What actually happens is that SSL mode gets silently disabled, which likely means that your browser will be unable to connect with an https: URL.

Don't think that "Manage SSL Certifcate -> Copy to Webmin" is the correct way. ;-)

"Manage SSL Certifcate -> Copy to Webmin" does copy to the main cert of webmin... if i'm right.

  • it's a copy of the webserver cert of 1 domain.

Here it's different:

We have multiple customers each with a dedicated IP address (not shared) and a virtual server with SSL enabled and cert.

The customer wanted to use usermin webmail (and webmin too) with https on HIS domain.

Specially that webmail.hisdomain.com was auto-redirected to https://hisdomain.com:20000 (and not to main-server address, which is good) but was issuing a cert-warning in his users' browsers. Thus we added an IP-specific cert (not copy, but using same file, so that when webserver cert is renewed, the usermin and webmin ones are also renewed, using the DONOTCOPY principle).

So actually, better would be:

when activating a SSL certificate on a virtual server with dedicated IP address, that virtualmin automatically adds a record using same files (no copy) to usermin IP-specific certs for that same address (and to webmin too). And when removing it or moving the server, usermin and webmin IP-SPECIFIC certs paths follow too...

  • that webmin in no cases doesn't start for just a missing cert (webmin didn't start at all, nor usermin, NO miniserv/webmin processes at all were there...): easy to reproduce: rename the ssl.key file and try restart of webmin, you'll see ;-)

Hope that helps in fixing :)

Ok, that explains it ...

Did you make use of the "Configure Webmin to use same SSL cert for IP?" option in the server template?