How to reuse the SSL certificate installed on the webmin port 10000

#1 Fri, 07/08/2011 - 08:29
-eclipse-

Hi Eric

Is it possible to use the same certificate we are currently using on https://servername.domain.tld:10000/ on the https://servername.domain.tld/ site?

I have installed the management scripts on this site, such as phpmyadmin and so on and would like to have it secured by SSL.

I have enabled the SSL feature on the servername.domain.tld virtual site. But how do I tell the system to use the same SSL certificate, is it even possible?

I also want to have the :20000 secured by the same SSL certificate because it is still the same FQDN.

Looking forward to hearing from you.

  • Tim
Fri, 07/08/2011 - 09:00
-eclipse-

Hi Eric

I went to the manage certificate area for the virtual site and uploaded the private key and the certificate file I used for the https://servername.domain.tld:10000/ setup, and I can now see that the certificate has been installed. But when I visit https://servername.domain.tld/ I still get an SSL error and the localhost.domain self-signed certificate is listed.

What about the "ssl options" under services -> configure website?

  • Tim
Fri, 07/08/2011 - 09:33
andreychek

Yeah, you should be able to do that.

It shouldn't be more difficult than going into Server Configuration -> Manage SSL Certificate -> New Certificate, and putting the SSL certificate and key into the fields on that screen.

When you're done -- click the "Current Certificate" tab.

When you're on that screen -- what does "Web server hostname" show? If it says "localhost" still, that suggests it may not think it's using the correct certificate. You may want to double-check what it is you uploaded.

If instead, it shows the right domain, but you aren't seeing that when browsing to your site -- you may just need to restart Apache to get it to recognize your new cert.

-Eric

Fri, 07/08/2011 - 09:41
-eclipse-

Hi Eric

When I look into the "Current Certificate" I see the servername.domain.tld certificate. I just tried to restart the httpd service: /etc/rc.d/init.d/httpd restart

But I still see the localhost.localdomain certificate when I visit the site https://servername.domain.tld ??

  • Tim
Fri, 07/08/2011 - 13:54
andreychek

Hmm, did the IP address for "servername.domain.tld " recently change?

If so, you may have the old IP address still cached in your DNS. It may take a day or so for the new IP address to be visible.

Do you have another computer using a different ISP (or different DNS servers)? You could always test it using that.

-Eric

Sat, 07/09/2011 - 05:48
-eclipse-

Hi Eric

The server has the same IP address, I haven't changed that at all. The webmin interface still works with the SSL but not without port 10000?? https://glowlinweb001.itoverblik.dk:10000/ https://glowlinweb001.itoverblik.dk/

Do you think I have to restart the whole server??

  • Tim
Sat, 07/09/2011 - 10:52
andreychek

That's correct -- you'll always need to include port 10000 in the URL when accessing Webmin.

As far as your domains go -- the two domains you mentioned above don't resolve for me... are those the correct names?

-Eric

Sat, 07/09/2011 - 13:47
-eclipse-

Hi Eric

Sorry, I did a typo :/

https://glolinweb001.itoverblik.dk:10000/ https://glolinweb001.itoverblik.dk/

The SSL certificate has been created to use the FQDN glolinweb001.itoverblik.dk and I would like to use it on both sites, so that I can encrypt the other sites related to this FQDN, such as https://glolinweb001.itoverblik.dk/phpmyadmin/ and so on.

  • Tim
Mon, 07/11/2011 - 12:53
andreychek

I'm seeing the same thing you are, that browsing to that URL shows the wrong certificate.

One thing before we really start digging under the hood -- let's try kicking Apache, just to be super-sure that's not the problem.

You can do that by running "/etc/init.d/apache2 restart" on Debian/Ubuntu, or "/etc/init.d/httpd restart" on CentOS.

-Eric

Mon, 07/11/2011 - 15:43
-eclipse-

Hi Eric

I did a total restart of the server. It still shows the localhost.localdomain??

It is kind of strange. I have attached a picture of the default site SSL setup.

  • Tim
Tue, 07/19/2011 - 14:51
-eclipse-

Hi Eric

Do you go on summer vacation?

  • Tim
Thu, 07/21/2011 - 12:49
andreychek

Sorry for the delay -- I'm not sure what's going wrong with your setup there. It sounds like what Virtualmin is seeing isn't in sync with what Apache has set up.

One of the next steps may be to verify that what's listed in the Apache VirtualHost block is indeed pointing to the correct SSL certificate.

If you like, I can log in and take a look at that for you though.

If you'd like me to do that, what you can do is enable Remote Support using the Virtualmin Support module. Or, just email your login details to eric@virtualmin.com.

Thanks!

-Eric

Fri, 07/22/2011 - 04:53
-eclipse-

Hi Eric

I have enabled the support option within Virtualmin.

  • Tim
Fri, 07/22/2011 - 10:07
andreychek

I don't seem to be able to access SSH on your server, the connection hangs -- is that currently enabled, and not being blocked by a firewall?

-Eric

Fri, 07/22/2011 - 11:26
-eclipse-

Hi Eric

What IP are you coming from this time?

  • Tim
Fri, 07/22/2011 - 11:28
andreychek

The IP I use is "207.192.73.169".

-Eric

Fri, 07/22/2011 - 11:30
-eclipse-

Hi Eric

Now you have access from that IP.

  • Tim
Fri, 07/22/2011 - 12:06
-eclipse-

Hi Eric

You just killed the apache service :)

  • Tim
Fri, 07/22/2011 - 12:14
andreychek

Yeah, it looks like some separate SSL definitions are conflicting with what's defined for "glolinweb001.itoverblik.dk".

As I went to fix them, some odd configuration problems prevented Apache from starting again. It should have only been down a few seconds though :-)

It's going to take some tinkering to get it fixed, so I can't guarantee it won't happen again -- or longer next time. But, I'll wait until it's a little later in the day to work on it :-)

Have a good one!

-Eric

Fri, 07/22/2011 - 13:52
-eclipse-

Hi Eric

No problem, the reason why I noticed it was because I was showing the benefits of Virtualmin to one of my friends :) You can begin working again; it is already late Friday, so that won't interfere with anyone.

  • Tim
Fri, 07/22/2011 - 19:58
andreychek

Howdy,

Okay, I believe it's working now!

Outside of an Apache restart, there shouldn't have been any additional downtime.

Can you take a look and see if that's working as you'd expect? Thanks!

-Eric

Sat, 07/23/2011 - 05:28
-eclipse-

Hi Eric

It seems to work more accurately now :) What did you do to get it working?

Secondly, it doesn't look like the intermediate SSL certificate is visible? I checked it with this tool: http://www.sslshopper.com/ssl-checker.html#hostname=glolinweb001.itoverb...

If it did there will come this "SSL validation" next to the URL in the browser, just like this page we have https://mysqladm.itoverblik.dk/

I used the below procedure (my own) to get the SSL certificate working on the virtualmin GUI page.

Setup SSL for admin GUI

Log on to putty
    openssl genrsa -out key.pem 2048
    openssl req -new -key key.pem -out req.pem
Insert the SSL certificate in the cert.pem file
    nano cert.pem
Combine the Private key and SSL certificate file
    cat key.pem cert.pem > temp.pem
Add the Intermediate and ROOT certificate to the temp.pem file
    nano temp.pem
Use the template below
    -----BEGIN RSA PRIVATE KEY-----
    (Your Private Key: your_req.pem)
    -----END RSA PRIVATE KEY-----
    -----BEGIN CERTIFICATE-----
    (Your Primary SSL certificate: cert.pem)
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    (Your Intermediate certificate: DigiCertCA.crt)
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    (Your Root certificate: http://www.rapidssl.com/legal/)
    -----END CERTIFICATE----- 
Overwrite the existing selfsigned SSL certificate in the webmin folder
    cp temp.pem /etc/webmin/miniserv.pem
Re-start webmin (making sure it is in SSL mode) to use the new key.
    /etc/init.d/webmin restart

Could I use the same PEM file for the virtual site glolinweb001.itoverblik.dk?

Thanks for your help so far it is much appreciated.

  • Tim
Sat, 07/23/2011 - 05:41
-eclipse-

Hi Eric

I managed to install the CA intermediate certificate by doing the following.

Go to Virtualmin -> Select the virtual site -> Server Configuration -> Manage SSL Certificate -> CA Certificate. I then pasted the CA Intermediate certificate in the text box.

I now get a successful SSL chain validation. http://www.sslshopper.com/ssl-checker.html#hostname=glolinweb001.itoverb...

But I still can't see the SSL image next to the URL in my browser, strangely enough. It shows for about 1 second and then disappears, just like I am getting redirected somehow?

Secondly, can I force the page to be SSL on the virtual site so that the non SSL viewing of the page is not possible?

  • Tim
Sun, 07/24/2011 - 18:32
andreychek

Howdy,

Well, I think the problem there is that some of the images and links within your site appear to still be using "http" rather than "https".

You'd either want to change those links to all use "https", or just use relative links.

As far as redirecting http users to https -- you can do that by creating a .htaccess file in your public_html directory, and entering something along the lines of this in there:

    RewriteEngine On
    RewriteCond %{SERVER_PORT} 80
    RewriteRule ^(.*)$ https://www.example.com/$1 [R,L]
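
Added example, not part of the original thread: a small scanner for the mixed-content problem described in the reply above, listing subresources that a page served over https would still fetch over plain http. The sample page and the www.example.com URLs are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attributes that make the browser fetch a subresource. Plain hyperlinks
# (<a href>) are navigation, not mixed content, so they are not listed.
SUBRESOURCE_ATTRS = {
    "img": "src", "script": "src", "iframe": "src", "link": "href",
    "audio": "src", "video": "src", "source": "src", "embed": "src",
}

class MixedContentFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (line number, tag, URL)

    def handle_starttag(self, tag, attrs):
        wanted = SUBRESOURCE_ATTRS.get(tag)
        if wanted is None:
            return
        d = dict(attrs)
        # <link> only loads something for rel values such as stylesheet or icon.
        rel = set((d.get("rel") or "").lower().split())
        if tag == "link" and not rel & {"stylesheet", "icon"}:
            return
        url = (d.get(wanted) or "").strip()
        # Relative and protocol-relative URLs have no scheme and inherit https.
        if urlsplit(url).scheme.lower() == "http":
            self.findings.append((self.getpos()[0], tag, url))

def find_mixed_content(html):
    """Return every http:// subresource reference found in the HTML text."""
    finder = MixedContentFinder()
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample page.
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="http://www.example.com/style.css">
<script src="/js/app.js"></script>
</head><body>
<img src="http://www.example.com/logo.png">
<img src="images/banner.png">
<img src="//www.example.com/protocol-relative.png">
<a href="http://www.example.com/about">About</a>
</body></html>"""

if __name__ == "__main__":
    for line, tag, url in find_mixed_content(SAMPLE_PAGE):
        print(f"line {line}: <{tag}> loads {url}")
```
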
Mon, 07/25/2011 - 09:09
-eclipse-

Hi Eric

Of course, that is why the SSL image was not displayed correctly; I should have known that myself :/ May I ask what you did to get it working the other day (Friday night), so that I know what to change when I am going to install the new server glolinweb002?

Secondly, I will try the above .htaccess :)

Thanks for your help.

  • Tim
Mon, 07/25/2011 - 09:17
-eclipse-

Hi Eric

The htaccess file works as intended :)

  • Tim
Mon, 07/25/2011 - 10:01
andreychek

It seemed that the settings in /etc/httpd/conf.d/ssl.conf were overriding those for your VirtualHost.

Specifically, the self-signed SSL certificate setup there was being used, rather than the commercial cert you purchased.

I tried commenting out the SSLCertificateFile and SSLCertificateKeyFile lines in the ssl.conf in the hopes that it would then use the ones in your VirtualHost config, but that's when Apache bombed out, as you saw :-)

I'm sure there's a better way to do this, but rather than subject your users to any additional downtime, what I did is point SSLCertificateFile and SSLCertificateKeyFile in the ssl.conf to point to your new SSL certificate.

-Eric
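
Added example, not part of the original thread: a way to spot the situation described in the reply above, where more than one SSLCertificateFile is configured and the one in ssl.conf is not the one set for the VirtualHost. The configuration text is constructed; only /etc/httpd/conf.d/ssl.conf is a path from the thread, and the parser does not follow Include directives.

```python
import re

# Constructed sample. Only /etc/httpd/conf.d/ssl.conf is a path from the thread;
# the address, hostname and other paths are placeholders.
SAMPLE = {
    "/etc/httpd/conf.d/ssl.conf": """
<VirtualHost _default_:443>
  SSLCertificateFile /etc/pki/tls/certs/localhost.crt
</VirtualHost>
""",
    "/etc/httpd/conf/httpd.conf": """
<VirtualHost 192.0.2.10:443>
  ServerName servername.domain.tld
  # SSLCertificateFile /home/example/old.cert
  SSLCertificateFile /home/example/ssl.cert
</VirtualHost>
""",
}
WANTED = ("servername", "sslcertificatefile")

def cert_scopes(files):
    """List every scope (global or VirtualHost) that sets SSLCertificateFile."""
    scopes = []
    for path, text in files.items():
        glob = {"file": path, "vhost": "(global)"}
        cur = glob
        for raw in text.splitlines():
            line = raw.strip()
            m = re.match(r"<VirtualHost\s+([^>]+)>", line, re.I)
            if m:
                cur = {"file": path, "vhost": m.group(1).strip()}
            elif line.lower().startswith("</virtualhost"):
                scopes.append(cur)
                cur = glob
            else:
                # Commented-out directives start with "#" and never match WANTED.
                parts = line.split(None, 1)
                if len(parts) == 2 and parts[0].lower() in WANTED:
                    cur[parts[0].lower()] = parts[1].strip('"')
        scopes.append(glob)
    return [s for s in scopes if "sslcertificatefile" in s]

def conflicting_certs(files):
    """Map certificate path -> scopes using it, or {} if only one cert is configured."""
    by_cert = {}
    for s in cert_scopes(files):
        by_cert.setdefault(s["sslcertificatefile"], []).append((s["file"], s["vhost"]))
    return by_cert if len(by_cert) > 1 else {}
```

A non-empty result only shows that several certificates are configured; which VirtualHost Apache actually selects for a request is reported by `httpd -S`.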

Sat, 10/22/2011 - 12:27
-eclipse-

Hi Eric

I just noticed that the :20000 site is using the self signed certificate as the webmin site on port :10000 did.

How should I activate my own certificate on the usermin site?? Will it be the same way as you did for my webmin site?

Looking forward to hearing from you.

  • Tim
Sat, 10/22/2011 - 13:10
andreychek

You can use your own cert by going into Server Configuration -> Manage SSL Certificates, and click the "Copy to Usermin" button.

-Eric

Fri, 10/28/2011 - 09:05
-eclipse-

Hi Eric

I may be blind, I can't find the above MENU location as described :/

  • Tim
Fri, 10/28/2011 - 10:08
andreychek

Well, let's back up a bit... without re-reading this entire thread, I'm going to review some things quick :-)

For using SSL -- the easiest way to get that working for your entire server is to first enable SSL in a specific Virtual Server.

You can do that in Edit Virtual Server -> Enable Features, and enable the "SSL" feature there.

Once you do that, you should then have a Server Configuration -> Manage SSL Certificate option for that particular Virtual Server.

You can then add/modify/delete your SSL cert for that Virtual Server from there. But, you can also access some buttons on that screen which allow you to copy that SSL Cert into Webmin, Usermin, Dovecot, and Postfix.

Will that do what you're after?

-Eric

Fri, 10/28/2011 - 11:24
-eclipse-

Hi Eric

I succeeded to export / import the certificate for the main site / servername glolinweb001.itoverblik.dk to the webmin on port 20000

When I visit webmail.ito-hosting.info (test site) I get redirected to http://ito-hosting.info:20000/

But how do I ensure that I get redirected to https://glolinweb001.itoverblik.dk:20000/ instead of https://ito-hosting.info:20000/ so that the SSL certificate is the same as the primary server name / virtual server.

How do I ensure that webmail.domain.tld gets redirected to https://glolinweb001.itoverblik.dk:20000/

  • Tim
Fri, 10/28/2011 - 14:32
andreychek

Take a look at System Settings -> Server Templates -> Default -> Apache Website -- there's options in there you can use to set where the webmail and admin aliases redirect to.

-Eric

Sun, 10/30/2011 - 06:13
-eclipse-

Hi Eric

Thanks for the input, I should have told myself that the solution was in the Apache settings :)

  • Tim
Topic locked