Cannot access ssl websites

SYSTEM INFORMATION
OS type and version: Ubuntu Linux 20.04.4
Virtualmin version: 6.17-3
Webmin version: 1.984

I am building a new server and have set up Webmin and Virtualmin on an Ubuntu platform.

hostname is electra.xsxtc.uk
I have set up two virtual servers xsxtc.uk and xtcinxs.site. I have successfully installed phpmyadmin and Wordpress scripts on both. The first is the primary long term server, the second will eventually disappear and I am using it for comparative testing at the moment.

I have also installed ssl certificates on both servers for domain.tld and subdomains www, electra, ns1 and ns2 (as long term I want the main server to be my Nameservers). These are now propagated and respond to dig.

I have several issues which I will post one at a time.

The first is a problem accessing my websites using https. I have had to disable

Redirect all requests to SSL site

in order to be able to open the site in an http browser. If I use https instead of http the browser hangs and nothing is returned.

However if I enter https://domain.tld:10000 on either site it opens the virtualmin password challenge on the secured site. I cannot log in at the moment but I will come to that later.

The only current way of accessing my virtualmin panel is to go direct to the IP address 77.68.100.23. Using https is fine and I can log in as root. If I use an http access it gives a warning and offers to redirect to https://electra.xsxtc.uk:10000/ which it opens but then as I stated above I cannot login, either with root or the server owner.

Can anyone explain what is happening and how to overcome it please?

Geoff

Done some more testing. Although firewalld has the https service open, it appears it is not.

Ran some tests on the open ports and got these results:

gjj@JCP-Macbook-Air ~ % nc -zvw10 77.68.100.23 22
Connection to 77.68.100.23 port 22 [tcp/ssh] succeeded!
gjj@JCP-Macbook-Air ~ % nc -zvw10 77.68.100.23 443
nc: connectx to 77.68.100.23 port 443 (tcp) failed: Operation timed out

So port 22 is open and confirms that the server is responding to the nc command but port 443 (https) times out.

Have reset the firewall and rebooted the server but no change.

Any solutions?

Well, it is not working for web serving. Again, if I try https://xsxtc.uk:10000 I get through to virtualmin (and can now log in as root as I fixed the issue).

@GeoffatMM you need to enable ssl functionality for domain xsxtc.uk - right now it looks to me that ssl for that domain is disabled. ssl for domain:10000 is different stuff.

Well I would like to check but for some reason, every time I reboot the server something happens to the passwords. I now have no ssh or webmin access.

My experience is the more I try to correct issues the deeper the mess becomes so I am cutting out now and going to rebuild the server yet again. I shall go back to Debian 10 and see if I can get the install.sh script to work.

Bizarre! Now the passwords are working again. Let’s just assume I typed it wrong 10 times!

Fail2ban, I presume?

Hi George, Hi Stefan,

George

I have Apache website enabled ticked for the virtual server.

With Redirect all requests to SSL site set to Yes the site appears to be redirecting properly as it hangs. If I set it to No I can access the site through http.

Are there other ssl settings I need to look at? Looking through the ssl options, it defaults to HTTP/1.1. The access log does not appear to have any issues and the error log has only two entries as follows:

[Mon Feb 28 13:26:24.329597 2022] [ssl:warn] [pid 959:tid 139669041032256] AH01906: xsxtc.uk:443:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Mon Feb 28 23:56:06.367776 2022] [core:error] [pid 30802:tid 139668762842880] [client 45.146.165.37:39200] AH00126: Invalid URI in request POST /cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh HTTP/1.1

Under User and Group CGI Programs are set to Unix user and Group 1004 (server admin user).

Under SSL Options, all SSL and TLS versions have been ticked (to test if it made any difference).

Under Directive the SSL Engine is set to On.

Stefan

I am not familiar with fail2ban. I have done nothing to it and this is a vanilla installation.

Looking at it, there is a list of Log Filters but nothing is ticked. Likewise for Match Actions.

Filter Action Jails has the following enabled:

ssh
webmin-auth
proftpd (which I am not using)
postfix-rbl (?)
qmail-rbl (?)
postfix-sasl (?)
ssh

I have looked at but done nothing with the config options.

If I try to restart the server (and this happened somewhere else but I cannot for the moment remember where) I get a red message on the page "Error: 302 - Moved Temporarily — restart.cgi"

If I stop the fail2ban server it makes no difference.

Summary

The only thing I can see that may be an issue is the CGI warning but that is beyond my capabilities!

Geoff

Fail2ban config is in Webmin-Networking-Fail2Ban Intrusion Detector. After too many failed connections it will create a ban via FirewallD on the connection for a period of time.

Steve

OK thanks Steve.

I think that has happened when I was trying to log in to Virtualmin from the http site (xsxtc.uk:10000). But that should not prevent the ssl site opening, should it?

No, never had an issue with site opening. Check firewallD, just make sure https or 443 is open.
This site says it's closed.

Stefan

My second post raised this. Firewalld says the port is open (service https) but my nc query said it was closed. I reset it and rebooted but it made no difference. Firewalld does not appear to be doing what it says it is. How do I overcome it?

Geoff

When I reset it, save it to my ethernet device and try to apply the configuration I get this error again (now I remember where I saw it).

Error: 302 - Moved Temporarily — restart.cgi

So something appears to be happening with the CGI setup?

G

OK I have solved the problem!

I rang IONOS, my new VPS supplier, and they have set up a firewall on their side between my server and the internet, so whilst port 443 was open in Webmin it was blocked on their firewall for my IP address. Just tested some other “open” ports and they too are all blocked!

They do it to close off port 25 from abuse but it seems a sledgehammer to crack a nut to me. So basically I have to replicate any service I want to run in Webmin in their firewall first. I have asked them to remove it and just leave port 25 blocked and am waiting to see if they will do so or not.

Sorry to have wasted your time.

This can be considered closed.

Geoff
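
The diagnosis above hinged on port 443 timing out from outside while firewalld on the server reported it open. As an added example (not part of any post in this thread; the function names `classify_port` and `diagnose` are hypothetical), this Python code separates a timeout from a refusal and combines the outside result with what the server itself reports. The demo uses constructed loopback sockets only.

```python
import errno
import socket


def classify_port(host, port, timeout=5.0):
    """One TCP connect attempt: 'open', 'refused', 'filtered' or 'error:<errno>'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"        # handshake completed
    except ConnectionRefusedError:
        return "refused"         # RST came back: host reachable, port closed or rejected
    except (socket.timeout, TimeoutError):
        return "filtered"        # no reply at all: packets dropped somewhere on the path
    except OSError as exc:
        return "error:" + errno.errorcode.get(exc.errno, str(exc.errno))


def diagnose(remote_result, listening_locally, host_firewall_allows):
    """Combine the outside probe with two facts checked on the server itself."""
    if remote_result == "open":
        return "reachable end to end"
    if not listening_locally:
        return "no service is bound to the port on the server"
    if not host_firewall_allows:
        return "host firewall (e.g. firewalld) is blocking the port"
    if remote_result == "filtered":
        return "dropped upstream of the server: check the provider or network firewall"
    return "rejected upstream of the server or by a rule not visible locally"


if __name__ == "__main__":
    # Constructed demo on loopback only: one listening socket, then the same port closed.
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    demo_port = listener.getsockname()[1]
    print(demo_port, classify_port("127.0.0.1", demo_port, timeout=2))
    listener.close()
    print(demo_port, classify_port("127.0.0.1", demo_port, timeout=2))
    # The thread's situation: service up, firewalld allows https, outside probe times out.
    print(diagnose("filtered", listening_locally=True, host_firewall_allows=True))
```

Run `classify_port` from a machine outside the hosting network, and establish the two booleans on the server itself, for example with `ss -ltn` and `firewall-cmd --list-all`.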

Virtualmin is not using the same web server as your websites. There is no useful information provided by Webmin/Virtualmin working. It can work or not work wholly independently of your websites working or not working and for entirely different reasons.

I know this is solved, but I wanted to clarify for any future person looking at this thread.

Hi Joe,

Is this because the websites (virtual servers under Virtualmin) run on the Apache server whilst Virtualmin runs an independent server (that is not listed in the dashboard servers)?

Geoff

It’s not listed because if you can see the dashboard, Virtualmin is obviously up. :wink:

Virtualmin is a module of Webmin, which runs in its own dedicated app server called miniserv.pl.