Guys,
Not sure why I'm struggling with this but I can't seem to get a purchased ssl certificate (RapidSSL) successfully installed into webmin.
Rather than use the self-signed certificate, and all the headache that goes along with that and Microsoft's latest IE security updates we just want to install a "recognized" cert and will redirect everyone to the server name for port 10000 and 20000.
In Webmin Configuration -> SSL Encryption I generated a CSR, purchased and uploaded the cert and CA. When viewing the "Current Certificate" it shows the purchased cert correctly.
On the SSL Setting page:
Private key file = /etc/webmin/miniserv.pem
Certificate file = /etc/webmin/miniserv.cert
Additional certificate files = /etc/webmin/miniserv.chain
When I try to change the Private Key File to /etc/webmin/miniserv.cert (the purchased certificate) it throws the error:
Failed to save SSL options : The SSL private key file /etc/webmin/miniserv.cert does not exist or does not contain a PEM format key
What am I doing wrong?
Thanks! -- Craig
Comments
Submitted by andreychek on Tue, 10/23/2012 - 20:48 Comment #1
Howdy -- normally, when you're setting up a new SSL Cert -- I'd recommend enabling the "SSL" feature for a given domain in Edit Virtual Server -> Enabled Features.
Then, you can go into Manage SSL Certificate, where you can create the CSR, as well as copy the SSL cert to various services running on your server. That's the simplest way of setting up an SSL certificate.
However, working within the area you're using now -- you wouldn't want to change the Private Key -- what they sent you is a new "Certificate file". You'd want to replace the current Certificate with the new SSL certificate that they sent you.
Whenever you generated a CSR, it generated a new private key at the same time -- you'd want to make sure you're using the private key that Webmin generated for you.
Submitted by isdahlc on Tue, 10/23/2012 - 20:54 Pro Licensee Comment #2
Andreychek,
This isn't for a hosted domain, it's for the webmin installation itself. We want to set up website redirects so that http://webmail.domain.tld redirects to server.domain.tld:10000 (or 20000 for Usermin). Does that make sense?
-- Craig
Submitted by andreychek on Tue, 10/23/2012 - 21:51 Comment #3
Yup, I completely understand! The setup you're working on is a good one, and is how we'd recommend setting things up if you can afford a commercial SSL certificate.
As far as how to get all that to work -- you could edit the SSL Certificate File in the Webmin area as mentioned above. The SSL certificate you were sent would replace the existing Certificate File -- and you'd just need to make sure the key that Webmin regenerated recently is what's being used there now.
That said, and for future reference -- if you're looking to add an SSL cert into Webmin, we'd usually suggest setting up a domain in Virtualmin for that, and managing the SSL via it.
The advantage of that, is that whatever domain folks use to access Webmin -- that also tends to be what's used for accessing Usermin, Postfix, and Dovecot.
Virtualmin makes it simple to secure those other services with that same SSL certificate, by offering a means to copy the SSL cert to other services.
Submitted by isdahlc on Tue, 10/23/2012 - 22:23 Pro Licensee Comment #4
Ahh, I think I understand. Instead of using the server name of id1007.xyz.domain.tld I should just set up a domain in virtualmin mailX.domain.tld (or whatever) and manage the cert there... That way I can also use it to manage webmin, pop and smtp. Thanks for the help! -- Craig
Submitted by andreychek on Tue, 10/23/2012 - 22:46 Comment #5
Yeah, with a system using "id1007.xyz.domain.tld" as the hostname -- you can use a name such as "secure.domain.tld" for the SSL cert (or whatever other name you prefer -- but that's a nice generic one that makes sense for all services).
If you create a Virtual Server (or an alias) named secure.domain.tld, and generate your SSL cert within it -- you could then click the "Copy to N" buttons in Server Configuration -> Manage SSL Certificate, which will set up that secure.domain.tld SSL certificate within your various services.
You could then have your customers access secure.domain.tld for all the services you mentioned -- Virtualmin, Usermin, IMAP, and SMTP.
If you have any questions on any of that, please feel free to let us know!
Submitted by isdahlc on Tue, 10/23/2012 - 22:50 Pro Licensee Comment #6
Andreychek, where does webmin store the private key that was generated? That's what's confusing me. I thought it was the .pem file but when I use that I get the error I posted in my original post.
Submitted by andreychek on Tue, 10/23/2012 - 23:01 Comment #7
I'm not entirely certain, unfortunately... I've never tried to generate an SSL cert via Webmin :-) If that's not working for you, we may need to get Jamie's input on that.
That said, I'd be curious about two things... one, what does this output:
ls /etc/webmin/miniserv*
And also -- the error you mentioned above says this:
"The SSL private key file /etc/webmin/miniserv.cert"
That doesn't sound correct though -- it's talking about the private key, but the file it's pointing to is the SSL certificate.
Are you pretty sure that the SSL cert and private key fields are pointing to the correct files?
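Added example, not part of the original thread: a shell check for the question raised in comment #7, confirming that the file set as the private key really holds a PEM private key and that it matches the certificate. The function names are made up for this example; it assumes the `openssl` command-line tool is installed and that the key is unencrypted.

```shell
#!/bin/sh
# Added example: sanity-check a Webmin key/certificate pair.
# Assumes the openssl CLI is installed and the private key is unencrypted.

# Succeeds only if FILE carries a PEM private key block that openssl can parse.
has_private_key() {
    grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$1" 2>/dev/null &&
        openssl pkey -in "$1" -noout 2>/dev/null
}

# Succeeds only if FILE carries a parsable X.509 certificate.
has_certificate() {
    openssl x509 -in "$1" -noout 2>/dev/null
}

# check_pair KEYFILE CERTFILE
# Prints no-key, no-cert, mismatch or match; returns 0 only on match.
check_pair() {
    has_private_key "$1" || { echo no-key; return 1; }
    has_certificate "$2" || { echo no-cert; return 1; }
    # Derive the public key from each side and compare the PEM text.
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)
    if [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]; then
        echo match
    else
        echo mismatch
        return 1
    fi
}

# Usage with the paths quoted in this thread:
#   check_pair /etc/webmin/miniserv.pem /etc/webmin/miniserv.cert
if [ "$#" -eq 2 ]; then
    check_pair "$1" "$2"
fi
```

A `no-key` result means the file given as the private key holds no usable PEM key, which is what happens when a certificate file is passed in that position.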
Submitted by isdahlc on Wed, 10/24/2012 - 00:16 Pro Licensee Comment #8
OK, so I thought I would just re-issue the certificate to make sure I had everything correct.
Generated CSR, new private key (/etc/webmin/miniserv.newkey).
Received new cert and CA
Installed cert and CA through webmin panel
That put in place the cert, CA and .pem file (renamed from .newkey)
After this change when I try to access this server via cloudmin I receive
Error - Missing Content-Type Header
as an error message and the webmin service shows as down.
When I try to access this server on port 10000 I receive the following error:
Cannot communicate securely with peer: no common encryption algorithm(s).
(Error code: ssl_error_no_cypher_overlap)
Thoughts on how to straighten this out?
Submitted by andreychek on Wed, 10/24/2012 - 14:29 Comment #9
I haven't run into that particular error before, though a little Googling shows some other Firefox users who have run into that. Which Firefox version are you using?
Out of curiosity, if you use a browser other than Firefox, do you see a similar error?
Is there any chance you could provide the URL to your Webmin install so that I can try and reproduce that error?
Submitted by isdahlc on Thu, 11/15/2012 - 13:49 Pro Licensee Comment #10
Closing this out just in case someone else runs into the same issue.
I ended up creating the domain I wanted to use in VM then purchased a certificate for that domain. Once registered I just clicked the "copy to Webmin" and "copy to Usermin" buttons. I changed the template to use the new domain for both webmin (e.g. admin.domain.tld) and usermin (e.g. webmail.domain.tld) requests and also updated all the redirects in the httpd.conf file. Works like a charm!
Thanks!
-- Craig
Submitted by JamieCameron on Thu, 11/15/2012 - 14:29 Comment #11
Ok, sounds like this is fixed then.
Submitted by Issues on Thu, 11/29/2012 - 14:46 Comment #12
Automatically closed -- issue fixed for 2 weeks with no activity.