Virtualmin virtual-server module version 6.08 released

#1 Fri, 10/18/2019 - 00:28
Joe

Howdy all,

We've rolled out version 6.08 of Virtualmin virtual-server module. This release includes some security fixes (domain owners can obtain access they shouldn't have), so upgrading ASAP is recommended.

Changes since 6.07:

  • Fixes for several security issues that could be exploited by domain owners. Thanks to RACK911 Labs for finding and reporting these!
  • Much improved MariaDB 10.x support.
  • Virtual servers to backup can now be selected by reseller.
  • Fixes for Dropbox backup problems.
  • Fixes for FPM port collision problem.

The Dropbox fix also needs a Webmin update to 1.932 (also rolled out today). The updated MariaDB 10.x support means we can finally support Debian 10 and CentOS 8. Debian 10 support should be announced in a day or two (we're testing and it looks good so far), and CentOS 8 soon after.

As always, report bugs!

Cheers,

Joe

Fri, 10/18/2019 - 09:10
Jfro

https://www.virtualmin.com/node/67390

Is this solved too?

Or upcoming update in time?

Let's Encrypt moved to API v2 in the meantime, deprecating API v1. Therefore I will receive this error:

Error registering: Account creation on ACMEv1 is disabled. Please upgrade your ACME client to a version that supports ACMEv2 / RFC 8555. See https://community.letsencrypt.org/t/end-of-life-plan-for-acmev1/88430 for details.

Fri, 10/18/2019 - 09:47
andreychek

Those issues are not part of this release -- we hope to have that sorted soon, though the workaround until then is to install certbot, which Virtualmin can use to generate new Let's Encrypt SSL certificates.

-Eric

Fri, 10/18/2019 - 19:00 (Reply to #3)
Jfro

OK, maybe you take a look at this solution too, for clone or working together if that is a good one.

https://github.com/Neilpang/acme.sh

"It's probably the easiest & smartest shell script to automatically issue & renew the free certificates from Let's Encrypt," they write.

Fri, 10/18/2019 - 16:25
OliverF

First time I've gotten that error in Virtualmin I think, it said the package couldn't be authenticated, and thus wouldn't be installed.

I had to do it in a terminal, apt-get upgrade.

    ~# apt-get upgrade
    Reading package lists... Done
    Building dependency tree
    Reading state information... Done
    The following packages will be upgraded:
      webmin-virtual-server
    1 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
    Need to get 1,797 kB of archives.
    After this operation, 0 B of additional disk space will be used.
    Do you want to continue [Y/n]? Y
    WARNING: The following packages cannot be authenticated!
      webmin-virtual-server
    Install these packages without verification [y/N]? Y
    Get:1 http://software.virtualmin.com/gpl/debian/ virtualmin-universal/main webmin-virtual-server all 6.08.gpl [1,797 kB]
    Fetched 1,797 kB in 0s (21.4 MB/s)
    (Reading database ... 107172 files and directories currently installed.)
    Preparing to replace webmin-virtual-server 6.07.gpl (using .../webmin-virtual-server_6.08.gpl_all.deb) ...
    Unpacking replacement webmin-virtual-server ...
    Setting up webmin-virtual-server (6.08.gpl) ...

Maybe because I've tested it on a Debian Wheezy that's not maintained anymore, no idea.

Still, I report it in case it mattered.

Sat, 10/19/2019 - 12:49 (Reply to #5)
Joe

The repo metadata should be signed, though apt repos are still occasionally mysterious to me. Try apt-get clean; apt-get update and see if the problem persists.

Edit: Also, get onto a supported version of your OS! You're in danger!


Thu, 10/24/2019 - 17:32 (Reply to #6)
OliverF

It's not a constantly running production server, no worries about that. A terminal apt-get --upgrade command allowed to give manually the required [Y] confirmations, so it's also all right. I was simply reporting something that might have been an issue, in case it was particular to the 6.08 version and could mean trouble, that's just it :)
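
The "cannot be authenticated" prompt from the transcript earlier in this exchange can be caught mechanically when upgrade sessions are saved to a file. The script below is an added example, not code from this thread or from the Virtualmin project; the function names and the embedded sample (reflowed from the post's transcript) are assumptions, and it relies on apt printing an indented package list under the warning line.

```shell
#!/bin/sh
# Added example: find packages that apt reported as unauthenticated in a
# captured apt-get transcript (for instance one saved with `tee` or `script`).

# Print one package name per line for every package listed under apt's
# "cannot be authenticated" warning. Reads the transcript on stdin.
unauthenticated_packages() {
    awk '
        /^WARNING: The following packages cannot be authenticated!/ { in_list = 1; next }
        # apt indents the package list; the first non-indented line ends it.
        in_list && /^ +[^ ]/ { for (i = 1; i <= NF; i++) print $i; next }
        { in_list = 0 }
    ' | sort -u
}

# Return 0 when the transcript is clean, 1 when any package was unauthenticated.
# Offending package names are written to stderr.
transcript_is_authenticated() {
    pkgs=$(unauthenticated_packages)
    [ -z "$pkgs" ] && return 0
    # $pkgs is left unquoted on purpose so each name gets its own line.
    printf 'unauthenticated: %s\n' $pkgs >&2
    return 1
}

# Constructed sample, reflowed from the transcript posted in the thread.
sample_transcript() {
    cat <<'EOF'
The following packages will be upgraded:
  webmin-virtual-server
1 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Do you want to continue [Y/n]? Y
WARNING: The following packages cannot be authenticated!
  webmin-virtual-server
Install these packages without verification [y/N]? Y
EOF
}

sample_transcript | unauthenticated_packages
```

A non-empty result means a package was installed without signature verification and the repository's signing key and metadata should be checked before the next update.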

Mon, 10/21/2019 - 02:46
clockover

Hello

Where can we find the new installer for testing on Debian 10 ? :)

Mon, 10/21/2019 - 18:46
djohnson401

I currently have Virtualmin "6.08 Pro" installed and I am getting update notifications for version "6.08.gpl", am I supposed to be getting that update?

Wed, 10/23/2019 - 10:29 (Reply to #9)
andreychek

No, you should not be receiving notices for the GPL version if you're using Pro. You may want to open a support incident so we can look deeper into that... it may mean your repo is pointed at the GPL version rather than Pro version for some reason.

-Eric

Wed, 10/23/2019 - 09:59
Jfro

Take care of this too! https://community.letsencrypt.org/t/acme-v2-scheduled-deprecation-of-una...

We have added support for the POST-as-GET construction for certificates, orders, authorizations and challenges to the ACME v2 API while simultaneously allowing legacy GET requests to these resources. Clients may begin sending POST-as-GET requests to the staging and production V2 API as of October 25th, 2018.

On November 1st, 2019 we will remove support for unauthenticated GETs from the staging V2 API, requiring client support for POST-as-GET.

On November 1st, 2020 (one year later) we will remove support for unauthenticated GETs from the production V2 API.

Fri, 10/25/2019 - 04:35
anandejju

Hi @joe

Where can we find the new installer for testing on Debian 10 ? :)

My system is with the following:

Operating system: Debian Linux 11.0
Webmin version: 1.930
Kernel and CPU: Linux 5.3.0-1-amd64 on x86_64
Processor information: Intel(R) Core(TM) i5 CPU M 450 @ 2.40GHz, 4 cores

Thanks

Anandkumar Ejju

Tue, 10/29/2019 - 11:33
KrisPL

Debian 10 support should be announced in a day or two :)

Thu, 10/31/2019 - 15:40 (Reply to #13)
anandejju

Waiting for Virtualmin for Debian 10 buster... please let me know where I can download the new install.sh for testing.

Anandkumar Ejju

Wed, 11/27/2019 - 17:35
OliverF

Hello,

One month and a half after the release of 6.08, may I politely ask if you know if you have a window of visibility for when we may hope to see a Debian 10 compatible Virtualmin release?

I'm certain you and your colleagues have your valid reasons for delaying the announcement and release of a version of Virtualmin that would officially work with Debian 10, I am not questioning this, no doubt there's work going on behind the scene, or maybe you are waiting for a third party to deliver/update/code something. But, well, simply, I am curious, I hope that doesn't come as unwanted pressure to ask for an estimation, if an estimation can be done :)

Mon, 12/02/2019 - 06:52
skelgaard

@joe more than a month since this post about Debian 10... any news on this?

Tue, 12/03/2019 - 04:14
styria

I feel that forum support has changed in the last six months compared to previous years. No status updates... Does Virtualmin have any problem? Or does it only have to do with Debian 10?

Tue, 12/03/2019 - 04:56
Jfro

You can read this https://www.virtualmin.com/comment/820280#comment-820280

The forum readers should have noticed a lot of BUGS/Changes needed with newer versions of some "software"

And of course few Developers.

And Busy with new forum software too.

So altogether one could / should understand the time needed is...

Tue, 12/03/2019 - 05:11 (Reply to #18)
skelgaard

That's fine... that's what happens... but when Joe more than a month ago posted that it would be released in 1 or 2 days, then just radio silence, it is bad... If a new post/reply was made, that there are problems being worked on and therefore things take a longer time, we can wait, just hard, when there is no information. Is there an estimate when it will be ready or is there still too much work to give this estimate?

Tue, 12/03/2019 - 05:29
Jfro

The best TIP I can give: ;)

WAIT AND SEE.

( typing here in forum cost time, especially if it is not clear enough release time ...makes it ... you give the example yourself.. ;)

Tue, 12/10/2019 - 06:49
anahata

I gave up waiting.
This may not be a popular suggestion, but I switched to Sympl (https://sympl.host) which actually suits me far better.
Benefits:

  • Works with Debian 10
  • Supports Letsencrypt v2 protocol (Letsencrypt don't support the old v1 protocol anymore)
  • (advantage for me at least) based on Bytemark's Symbiosis package, which I've used before but which is no longer supported or developed
  • Modular, robust and uncomplicated so you can understand what's going on (Sympl by name, simple by nature!)
  • Automatic configuration of PHP open_basedir so virtualhosts cannot easily access files they shouldn't (i.e. system files or other vhosts)
  • Automatic security settings for WordPress (protection of wp-content and wp-content/uploads)
  • Responsive tech support from developer

Possible disadvantages:

  • No web interface: you need ssh access
  • No full support yet for DNS (coming later, but I wrote my own shell scripts for creating zone files so I could do self hosted DNS like Virtualmin does)
  • No support for FCGI or PHP-FPM yet (but it's coming)
  • Not tested on Linux distributions other than Debian 9 and 10

Anahata www.treewind.co.uk West Yorkshire, UK

Tue, 12/10/2019 - 07:56 (Reply to #21)
EcchiOli

I'll stick with Virtualmin ^^

But it's true, this extended wait is half annoying, half worrying.

Worrying: come on, can that be normal, might there be inside trouble and might the future of Virtualmin be threatened?!? It also raises the possibility of a "truck factor" issue (you know the metaphor? Imagine a truck hitting a developer, does it, or not, mean a project dies with the truck's victim?). If the team behind a project is too small, personal issues making life difficult for a team member may jeopardize the entire thing, and now, with those 6 months with hardly any communication, I'd wager many of us have started to ask ourselves if it's not something of that sort.

Annoying: it's not like we're with a LTS version, Debian doesn't have that long a lifetime before a version goes obsolete, and we're now already 6 months past the release of Debian 10. The future Debian 10 servers risk to be, comparatively speaking, quite short-lived, it will be a bother.

And yet, a simple, brief thing would magically sort the issue: COMMUNICATION. A simple announcement to tell what's going on and clear doubts. "We're working on fine details that got a lot more complicated than planned. No worries, it will come. No ETA, or an ETA." "The team's gone postal because of unrelated issues, apologies but at least you know". Or "A key team member goes through a very hard time in life, we are sure you will understand resolving his problems come first" - and we'll totally understand, if - IF - we are told.

Tue, 12/10/2019 - 14:45 (Reply to #22)
Nico94

This is so true ... all of it.

Wed, 12/11/2019 - 10:12 (Reply to #23)
Sylice

As EcchiOli said, I would very much prefer to stick with VirtualMin. I have spent the past few days extensively researching a few other major options like ISPConfig, Sentora, VestaCP - and all of them are lacking, they don't have important features like iptables management, built-in 2-factor authentication, support for PostgreSQL server management, etc, etc (all features that I use and don't want to have to do via command line or add a bunch of unsupported hacks to build them in).

Communication is definitely a huge issue here ... not sure what is going on, what has happened with Joe or whoever else. I don't know how large the VirtualMin team is or who actually works on it? But if we take a look at the VirtualMin GitHub Repo: https://github.com/virtualmin/virtualmin-gpl/commits/master

List of commits shows "jcameron" (seems to be the guy that also builds WebMin) - so it does not appear that anyone has been hit by any trucks fortunately.

With all that said, I'm making an attempt to hack the current/latest install script to UNOFFICIALLY support Debian 10, based on the assumption that the "test" code they've been using for Buster is already built into their Universal repo - you can follow this here: https://www.virtualmin.com/comment/820559#comment-820559

Tue, 12/17/2019 - 14:39
Topic locked