As a Webmin (not Virtualmin) user I have been using self-signed certificates for years and living with the regular complaints from Safari about their validity. So I have finally taken the plunge and successfully created Let’s Encrypt certificates linked to a DuckDNS account. I have modified the Ubuntu firewall rules on my server and created port forwarding rules first for port 10000 and later for port 443 on my ISP’s router.
Sadly, when I try to connect, whatever browser I use comes up with a 403 Error. I don’t think that this is a certificate issue and have read that it is more likely a permissions problem. I have root access enabled for miniserv.conf but of the many log files which I create, I cannot find one which highlights the error.
Can anyone point me in the right direction?
For information, I can still access Webmin when I use my own VPN (OpenVPN server on Ubuntu) but this is using the server’s IP address and not the DuckDNS account.
Thank you for the thought. I should have said that the DuckDNS address was pre-existing and is known to work correctly in other places where I use it. Using that address successfully gets through both my ISP and firewall - it’s at the final hurdle of the web browser that the 403 “Error - Access denied” appears.
I am always suspicious of any event code generated by a webserver (Apache or nginx). I assume if you can log in to the server from elsewhere that the server is functioning fine (i.e. Webmin is ok). If you are getting 403 while attempting to log in to hostname:10000, I would try to log in directly to the box (without DuckDNS) and check the miniserv log.
Ok, you have two tasks. The first is registering using certbot. On Debian Linux:
apt-get install python3 certbot python3-certbot-apache python3-certbot-nginx
Then certbot certonly -d yourdomain.com, or certbot -d yourdomain.com --apache (or --nginx)
If you have received and installed a certificate it will be installed on your VM.
Then you need to check from your local machine (and not across the ISP) whether your SSL certificate works… XRDP, VNC etc…
The port forwarding and return networking are a separate step and probably what’s holding you back…
In other words you need to verify the SSL stuff first, before moving on to the networking components.
Webmin is looking at the Apache and NGINX servers in the Webmin modules for the webservers, of which the former is pre-installed; for NGINX you need to add the module from Jamie’s add-on modules on the Webmin website.
If the cert was correctly installed then I don’t understand why any of this stuff was needed?
If the config and cert worked previously were you getting some error AFTER adding the cert and BEFORE doing this?
It sounds like an incorrect forward? Where does the access log say the connection is trying to get to? Are you trying to forward 10000 to 443 or are you using a web server and Webmin’s mini server both?
After some mis-steps I am pretty sure the SSL certificates are correct. For example, using the Digicert Certificate Checker (digicert.com) both the server and intermediate certificates are confirmed correct and correctly installed (downloaded from Let’s Encrypt after creation with certbot v4), and it looks as though the certbot renewal process will work when it’s called upon.
The port numbers are a bit of a red herring, I think. I started with port 10000 and when I ran into the 403 error, I re-jigged Webmin to use port 443. The error remains the same in both cases.
My objective is to access the Ubuntu server with Webmin by SSL when I’m at a remote location and when I can’t get (for whatever occasional reason) access by VPN. I don’t run Apache or nginx.
Hello, John! A 403 usually means the web server is blocking access—double-check your Nginx or Apache config, especially the directory permissions and Allow/Deny rules.
Yes, that’s what I cannot understand: why change/use miniserv, and why use Webmin here at all and not use Virtualmin as a single VS having a solid, well-known webserver?
As Virtualmin is a module of Webmin that may be a moot point; however, the misconfiguration could be anywhere within the Webmin configuration, maybe certbot. Not enough info to draw a conclusion.
That’s not what a 403 should be telling you to do.
403 means there’s already a web server answering, but it’s not allowing access to the .well-known path.
I don’t recall the current state of Webmin alone and fetching Let’s Encrypt certs…it used to use Apache, if available, to get the cert, and it would give an error if it was not available. I believe a while back it also got the ability to use certbot in standalone mode, in which case certbot starts its own built-in web server to serve out the verification. I don’t know that Webmin is ever the web server that serves the verification…I don’t think it is (but, maybe it is if certbot isn’t available and Webmin falls back to using the bundled ACME Tiny LE client). And, if it is, you shouldn’t move Webmin to port 443. If it’s acting as the web server it would know to spin up a new miniserv on 80 temporarily if no other option is available (if it can do that at all, I don’t know that it can/does do that, since certbot has a web server and certbot is strongly recommended if you are using Let’s Encrypt).
So: Is certbot installed?
Have you tried to browse to .well-known on your IP to see what is there serving out a 403? Obviously the certbot web server wouldn’t do that. So, maybe you already have a web server there and it is not configured appropriately for this purpose. Only you can know that.
You gotta look at some logs and actually read them, no matter what.
And another thing: Let’s Encrypt is not requesting the verification on port 443. It requests it on port 80 (because port 443 requires a cert, which you won’t have yet in the first LE request case). That doesn’t mean you should move Webmin there.
Thank you for your suggestions. As suggested, I have reverted to port 10000 and found that the allow statement in miniserv.conf was my problem. Removing the Allow statement in its entirety works but adding the xxxxxxx.duckdns.org to the Allow statement does not. If I leave that in, then I get a 403 error with, for example, the IP address of my mobile data service.
The Let’s Encrypt certificates are all working fine.
Is there anything I can add to Allow which would tighten my security or are the LE certificates enough?
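Added example (not code from the thread or from Webmin itself) modelling the allow= behaviour behind the 403 in the last post: it assumes allow= entries are IPs, CIDR networks or hostnames, that a hostname entry is compared with the client's address after resolution, that an absent allow= admits everyone, and it uses a constructed DNS table plus 10.8.0.0/24 as an assumed OpenVPN subnet.

```python
import ipaddress

# Constructed sample of the relevant miniserv.conf keys (placeholder values,
# not copied from any real server). allow= is a space-separated list of
# client addresses, networks or hostnames that are permitted to connect.
SAMPLE_CONF = """\
port=10000
ssl=1
allow=192.168.1.0/24 10.8.0.0/24 xxxxxxx.duckdns.org
"""

# Constructed, offline stand-in for DNS. The DuckDNS name points at the
# server's own public address (RFC 5737 documentation range), never at a client.
FAKE_DNS = {"xxxxxxx.duckdns.org": "203.0.113.10"}


def parse_allow(conf_text):
    """Return the allow= entries of a miniserv.conf text, or [] if the key is absent."""
    for line in conf_text.splitlines():
        if line.startswith("allow="):
            return line[len("allow="):].split()
    return []


def entry_matches(entry, client_ip, resolver):
    """True if a single allow= entry admits client_ip.

    IPs and CIDR networks are compared directly. A hostname entry is resolved
    via `resolver` and compared with the client address (assumption: this models
    only forward lookup; Webmin may additionally consult the client's reverse DNS).
    """
    ip = ipaddress.ip_address(client_ip)
    try:
        return ip in ipaddress.ip_network(entry, strict=False)
    except ValueError:  # not an address or network, so treat it as a hostname
        resolved = resolver.get(entry)
        return resolved is not None and ipaddress.ip_address(resolved) == ip


def is_allowed(conf_text, client_ip, resolver=FAKE_DNS):
    """No allow= key means every client is accepted; otherwise one entry must match."""
    entries = parse_allow(conf_text)
    return not entries or any(entry_matches(e, client_ip, resolver) for e in entries)


if __name__ == "__main__":
    # 100.64.0.0/10 is carrier-grade NAT space, typical of a mobile data client.
    for client in ("192.168.1.20", "10.8.0.6", "100.64.12.34"):
        verdict = "allowed" if is_allowed(SAMPLE_CONF, client) else "403 Access denied"
        print(f"{client:>14}: {verdict}")
```

The model shows why the DuckDNS name in allow= blocks the mobile client: it resolves to the server's own address, not the client's, so allow= can only be tightened by listing networks the client actually arrives from (such as the VPN subnet). The TLS certificate authenticates the server to the browser and does not restrict who may reach the login page.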