carpman Advocate
Joined: 20 Jun 2002 Posts: 2202 Location: London - UK
|
Posted: Thu Apr 05, 2007 12:48 pm Post subject: webmin self signed cert |
|
|
Hello, ok been through process of creating self signed root ssl certs and certs for postfix and apache and wanted to do same for webmin.
On webmin site it says to combine the private key and certificate with the command:
Code: |
cat key.pem cert.pem >/etc/webmin/miniserv.pem
|
now i don't have key.pem cert.pem but have tried:
Quote: |
cat newkey.pem newcert.pem >/etc/webmin/miniserv.pem
|
this works but i have to enter pass phrase when starting webmin which is not too good, any ideas what i need to do?
I have following files in /etc/ssl/misc
Code: |
new.cert.cert new.cert.key newkey.pem privkey.pem new.cert.csr newcert.pem newreq.pem
|
cheers _________________ Work Station - 64bit
Gigabyte GA X48-DQ6 Core2duo E8400
8GB GSkill DDR2-1066
SATA Areca 1210 Raid
BFG OC2 8800 GTS 640mb
--------------------------------
Notebook
Samsung Q45 7100 4gb |
|
|
|
carpman Advocate
Joined: 20 Jun 2002 Posts: 2202 Location: London - UK
|
Posted: Thu Apr 05, 2007 1:12 pm Post subject: |
|
|
Ok i tried following
Code: |
# openssl rsa -in miniserv.pem -out miniserv.pem
Enter pass phrase for miniserv.pem:
writing RSA key
|
but restarting webmin fails with
Code: |
/etc/init.d/webmin restart
* Stopping Webmin ... [ ok ]
* Starting Webmin ...
Failed to open SSL cert at /usr/libexec/webmin/miniserv.pl line 3520.
|
|
|
jpl888 Guru
Joined: 13 Apr 2005 Posts: 337 Location: Piltown, Co. Kilkenny, Ireland.
|
Posted: Fri Apr 06, 2007 3:04 pm Post subject: |
|
|
When you install Webmin with ssl support it already has a certificate created. You don't need to create another. _________________ John Lewis IT Consultancy and Engineering
http://www.johnlewis.ie |
|
|
|
carpman Advocate
Joined: 20 Jun 2002 Posts: 2202 Location: London - UK
|
Posted: Mon Apr 09, 2007 3:51 pm Post subject: |
|
|
jpl888 wrote: | When you install Webmin with ssl support it already has a certificate created. You don't need to create another. |
Prefer to create my own, then i know that it is safe plus if other users login they see familiar cert.
PS found out how to do it. |
|
|
GNUtoo Veteran
Joined: 05 May 2005 Posts: 1919
|
Posted: Mon Apr 09, 2007 10:07 pm Post subject: |
|
|
you can also alternatively do port forwarding with openssh in order to connect to webmin |
|
|
|
jpl888 Guru
Joined: 13 Apr 2005 Posts: 337 Location: Piltown, Co. Kilkenny, Ireland.
|
Posted: Tue Apr 10, 2007 9:10 am Post subject: |
|
|
Maybe you could post the solution here to help other like-minded admins. |
|
|
GNUtoo Veteran
Joined: 05 May 2005 Posts: 1919
|
Posted: Tue Apr 10, 2007 10:23 am Post subject: |
|
|
jpl888 wrote: | Maybe you could post the solution here to help other like-minded admins. |
Code: | ssh -L port_of_webmin:127.0.0.1:port_of_webmin youruser@yourbox |
|
|
|
|
jpl888 Guru
Joined: 13 Apr 2005 Posts: 337 Location: Piltown, Co. Kilkenny, Ireland.
|
Posted: Tue Apr 10, 2007 10:28 am Post subject: |
|
|
Quote: | jpl888 wrote:
Maybe you could post the solution here to help other like-minded admins.
Code:
ssh -L port_of_webmin:127.0.0.1:port_of_webmin youruser@yourbox |
I actually meant for creating the Webmin cert but thanks anyway |
|
|
carpman Advocate
Joined: 20 Jun 2002 Posts: 2202 Location: London - UK
|
Posted: Tue Apr 10, 2007 2:25 pm Post subject: |
|
|
Hello, ok here is how i did webmin self signed cert, was going to put it in a little howto about self signed certs but will include it here so others can find it easier.
This assumes you have already created root ssl cert.
-------------------------
You may or may not use webmin, if you do you will know that it has its own server and you can use it via https, thing is it has its own cert. Not sure how secure this is but i am happier using self signed cert.
First off we will backup the webmin cert:
Code: |
mv /etc/webmin/miniserv.pem /etc/webmin/miniserv.pem-orig
|
now we will create new self signed cert by doing following:
Code: |
Creating a key for signing
Make a non-passphrase version
Then create the signing request
Combine the passphraseless key with the certificate to make a file that Webmin likes:
Copy to webmin
|
To do this enter following commands: (Note the days setting: 365 is for a year, for 10 years make it 3650.)
Code: |
cd /etc/ssl/misc
openssl genrsa -des3 -out webmin.key 1024
openssl rsa -in webmin.key -out webmin.pem
openssl req -new -key webmin.key -out webmin.csr
openssl x509 -req -days 365 -in webmin.csr -signkey webmin.key -out webmin.crt
cat webmin.crt >> webmin.pem
cp webmin.pem /etc/webmin/miniserv.pem
/etc/init.d/webmin restart
|
That is it. |
|
|
neofutur n00b
Joined: 18 Jun 2006 Posts: 21 Location: France
|
Posted: Sun Oct 26, 2014 9:02 pm Post subject: even worse for IDRAC than for webmin |
|
|
jpl888 wrote: | When you install Webmin with ssl support it already has a certificate created. You don't need to create another. |
7 years later, yes you do need to create yourself a different certificate for each of your webmin ( or IDRAC or whatever you run on more than one IP address ) servers, or firefox will be badly unhappy if so many ips have the same exact default webmin ( or IDRAC ) certificate.
( unhappy firefox meaning something like that : http://imgur.com/czen665 . you won't even be asked for the traditional "security exception" question ! )
firefox message :
Quote: | Secure Connection Failed
An error occurred during a connection to XXXX:10000. You have received an invalid certificate. Please contact the server administrator or email correspondent and give them the following information: Your certificate contains the same serial number as another certificate issued by the certificate authority. Please get a new certificate containing a unique serial number. (Error code: sec_error_reused_issuer_and_serial)
The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
Please contact the website owners to inform them of this problem.
Shoot again
|
I repeat, you can't even add an exception, you're just ****ed until you downgrade to firefox 31 or manually delete the cert8.db file
Ok most people have only one webmin ( or one IDRAC access ) and won't see the problem, but, some do.
So you have to get a different certificate for each of your webmin, they can't all have the same default one ( and that's what changed, you could until a few years or months ago ).
concerning webmin :
I recently needed to do that for a few webmin servers and finally found an easy way for non openssl genrsa savvy people.
You can regenerate yourself your self-signed certificate in webmin itself -> webmin configuration ->SSL Encryption-> Self-Signed Certificate ->fill the form -> check "Use new key immediately"? and click create now
then restart webmin
If at first nothing is working because http redirects you to ( still non working )https, you can edit miniserv.conf first to allow you non ssl access
ssl=0
ssl_redirect=0
allowing you to login on the http:// url ( non https )
( if you have password problems, change it with : /usr/libexec/webmin/changepass.pl /etc/webmin root newwebminpassword )
then generate your new key , command line or in webmin
and restart webmin
after you setup your new certificate and everything is working great on https:// , better put them back to :
ssl=1
ssl_redirect=1
#<troll>( if you consider ssl is still useful after all the recent holes </troll>
But I can't do that for the IDRAC consoles provided by my datacenter ( online.net ) and they don't seem to care too much about that even if it could be a real security issue.
edit: offtopic bonus reading http://googleonlinesecurity.blogspot.com/2014/09/gradually-sunsetting-sha-1.html
edit2: idea : it would be great if the ebuild automatically generated a new self signed cert when first installed or new emerge --config
edit3: lol it's more or less a firefox 33 featurebug : http://superuser.com/questions/826232/how-to-bypass-the-secure-connection-failed-warning-in-firefox-33
edit4: same problem for accessing DELL IDRAC6 default certificate I'll have to use an old insecure browser grrrr
edit5 : link to the firefox bugreport, please add rantings : https://bugzilla.mozilla.org/show_bug.cgi?id=435013 _________________ http://bitcoin.gw.gd-http://ww7.pe-http://waisse.org |
|
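Added example, not part of any post in this thread and not Webmin's own tooling: a shell sketch that builds a per-host miniserv.pem and checks for the three failures seen above (passphrase-protected key, a file left with only the key after `openssl rsa -in miniserv.pem -out miniserv.pem`, and an issuer+serial pair reused across hosts). The function names and host names are hypothetical, and it goes beyond the 2007 commands by assuming a 2048-bit key, SHA-256 and a random serial.

```shell
#!/bin/sh
# Added example. Function names and host names are hypothetical.

# make_miniserv_pem <hostname> <out.pem>
# Unencrypted 2048-bit key + SHA-256 self-signed cert with a random serial,
# written key-first into one file that only its owner can read.
make_miniserv_pem() (
    host=$1; out=$2
    umask 077
    tmp=$(mktemp -d) || exit 1
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=$host" -set_serial "0x$(openssl rand -hex 16)" \
        -keyout "$tmp/key.pem" -out "$tmp/cert.pem" 2>/dev/null &&
        cat "$tmp/key.pem" "$tmp/cert.pem" > "$out"
    rc=$?
    rm -rf "$tmp"
    exit "$rc"
)

# check_miniserv_pem <file>: prints "ok" or the first problem found.
check_miniserv_pem() (
    f=$1
    if grep -Eq '^(Proc-Type: 4,ENCRYPTED|-----BEGIN ENCRYPTED PRIVATE KEY)' "$f"; then
        echo "key is passphrase-protected"; exit 1
    fi
    key_pub=$(openssl pkey -in "$f" -pubout 2>/dev/null) ||
        { echo "no private key"; exit 1; }
    crt_pub=$(openssl x509 -in "$f" -noout -pubkey 2>/dev/null) ||
        { echo "no certificate"; exit 1; }
    # The public key derived from the key must equal the one in the cert.
    [ "$key_pub" = "$crt_pub" ] ||
        { echo "key and certificate do not match"; exit 1; }
    echo ok
)

# reused_issuer_serial <file>...: prints each issuer+serial pair carried by
# more than one distinct certificate (the condition Firefox rejects above).
reused_issuer_serial() {
    for f in "$@"; do
        fp=$(openssl x509 -in "$f" -noout -fingerprint -sha256 2>/dev/null) || continue
        id=$(openssl x509 -in "$f" -noout -issuer -serial | tr '\n' ' ')
        printf '%s\t%s\n' "$id" "$fp"
    done | sort -u | cut -f1 | sort | uniq -d
}
```

Running `check_miniserv_pem` on the new file before copying it over /etc/webmin/miniserv.pem catches a key-only or mismatched file before Webmin is restarted.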
|
|
|