Error Failed to reset password : Forgotten password recovery can only be used over an SSL connection unless explicitly allowed

tibberous · October 21, 2025, 1:43am

SYSTEM INFORMATION
OS type and version	Operating System: AlmaLinux 9.6 (Sage Margay)
Webmin version	2.520

I am now completely locked out of Webmin / Virtual min. I have never seen anything so hard to use, not even just straight putty.

Basically, I got Virtualmin setup and created a site but I was getting error 500. After like 8 hours I finally got PHP to work, then found a place in webmin to turn PHP on, and clicked it like an idiot. Somehow it managed to break the entire server WITHOUT changing apache’s conf OR /etc/opt/remi/php85/php-fpm.d/www.conf.
php
Firewalld and SELinux are off. Gemini thought the problem was systemd not honoring www.conf’s listerner / owner settings so it had me move php fpm to tcp. It is bound and running, but can’t connect to apache.

So gemini thought the problem was that it is hitting the SSL layer and not resolving (which makes sense, because apache isn’t logging, and of course there isn’t a way to log to screen). But if it is dying at the socket layer, apache might not even be getting hit.

So I turned off SSL. I got logged out, password is broke, forgot password doesn’t work without SSL… I might as well have just have just clicked a button that said “Break Everything”. No idea why the coders of this didn’t assuming anyone turning off SSL site wide would be DEBUGGING something. The web barely works without SSL anymore, no one just turns it off unless they have good reason…

Does anyone have any idea how to fix this? I’m used to stuff that kind of works the way normal people use it - i.e. LAMP stack on by default. I don’t even get why TCP/IP would connect through SSL to connect to a process on the SAME vps, or why I had to do it when it worked fine the other way before I was dumb enough to click anything in Webmin…

This would be done already if I have just used shell, but I actually want to be able to use Virtualmin to create sites and databases and manage my vhosts. But man, click ANYTHING and everything breaks and you have no idea what was even changed…

I can’t fix it. Gemini can’t fix it. ChatGTP Plus (GTP5) doesn’t know wth is wrong. I don’t even know how to DEBUG it at this point. It is literally just broke unless I reinstall the entire thing, then click the PHP “on” button that broke everything and pray it doesn’t this time…

I would greatly appreciate any help. AI is smart af but it doesn’t really know virtualmin. I need someone who actually uses this thing.

Thanks.

tibberous · October 21, 2025, 1:55am

[root@srv1074425 ~]# /usr/libexec/webmin/changepass.pl /etc/webmin root s3cr3t_L0ck!
Password for Webmin user root updated successfully

And I STILL can’t log in!

I set ssl_enforce=0

It’s like Gemini knows virtualmin, but it intentionally breaks when SSL is off. Why even let it be turned off?? Why display a login box that DOES NOT WORK? It might as well just link to the reinstall guide…

port=10000
root=/usr/libexec/webmin
mimetypes=/usr/libexec/webmin/mime.types
addtype_cgi=internal/cgi
realm=Webmin Server
logfile=/var/webmin/miniserv.log
errorlog=/var/webmin/miniserv.error
pidfile=/var/webmin/miniserv.pid
logtime=168
ssl=0
no_ssl2=1
no_ssl3=1
ssl_honorcipherorder=1
no_sslcompression=1
env_WEBMIN_CONFIG=/etc/webmin
env_WEBMIN_VAR=/var/webmin
atboot=1
logout=/etc/webmin/logout-flag
listen=10000
denyfile=.pl$
log=1
blockhost_failures=5
blockhost_time=60
syslog=1
ipv6=1
session=1
premodules=WebminCore
server=MiniServ/2.520
userfile=/etc/webmin/miniserv.users
keyfile=/etc/webmin/miniserv.pem
logclear=1
ssl_hsts=0
ssl_enforce=0
passwd_file=/etc/shadow
passwd_uindex=0
passwd_pindex=1
passwd_cindex=2
passwd_mindex=4
passwd_mode=0
preroot=authentic-theme
passdelay=1
no_trust_ssl=1
logout_script=/etc/webmin/logout.pl
failed_script=/etc/webmin/failed.pl
login_script=/etc/webmin/login.pl
cipher_list_def=2
sudo=1
error_handler_401=401.cgi
error_handler_403=403.cgi
error_handler_404=404.cgi
sessiononly=/virtual-server/remote.cgi
preload=virtual-server=virtual-server/virtual-server-lib-funcs.pl virtual-server=virtual-server/feature-unix.pl virtual-server=virtual-server/feature-dir.pl virtual-server=virtual-server/feature-dns.pl virtual-server=virtual-server/feature-mail.pl virtual-server=virtual-server/feature-web.pl virtual-server=virtual-server/feature-webalizer.pl virtual-server=virtual-server/feature-ssl.pl virtual-server=virtual-server/feature-logrotate.pl virtual-server=virtual-server/feature-mysql.pl virtual-server=virtual-server/feature-postgres.pl virtual-server=virtual-server/feature-ftp.pl virtual-server=virtual-server/feature-spam.pl virtual-server=virtual-server/feature-virus.pl virtual-server=virtual-server/feature-webmin.pl virtual-server=virtual-server/feature-virt.pl virtual-server=virtual-server/feature-virt6.pl
ssl_cipher_list=ECDHE-RSA-AES256-SHA384:AES256-SHA256:AES256-SHA256:HIGH:MEDIUM:+TLSv1:+TLSv1.1:+TLSv1.2:!MD5:!ADH:!aNULL:!eNULL:!NULL:!DH:!ADH:!EDH:!AESGCM
twofactor_provider=totp
websockets_/authentic-theme/ws-555=host=127.0.0.1 port=555 wspath=/ user=root buser=root time=1760967382
logouttimes=
ipcert_trentontompkins.com,.trentontompkins.com=/etc/ssl/virtualmin/176096948933741/ssl.cert
ipkey_trentontompkins.com,.trentontompkins.com=/etc/ssl/virtualmin/176096948933741/ssl.key
no_tls1_2=
no_tls1=
certfile=
extracas=
no_tls1_1=

Joe · October 21, 2025, 3:36am

You really need to slow down.

You’re doing a lot of unusual stuff that can’t possibly do anything good. I’m not feeling great about your odds of fixing a system that you’ve let ChatGPT and Gemini mess up so thoroughly.

So, in answer to your question:

I have no idea. There’s too much in this post. We cannot solve thirty problems. We can only solve one at a time.

I am going to choose to talk about logging into Webmin, and logging into Webmin only, because that’s what’s in your title (kind of, though resetting the password via the web interface is an unusual place to start the conversation about logging into Webmin that you can log into via ssh/terminal).

Just skimming through trying to make sense of things, here’s some thoughts:

PHP has nothing to do with Webmin. It can’t keep you from logging in to Webmin, because Webmin is not a PHP application, it does not run under PHP, it does not depend on PHP.

Webmin does not run under Apache, either. So, poking at Apache to try to log into Webmin doesn’t make any sense.

You generally should not set a Webmin password using the changepass.pl command. That basically creates a new root user, kind of independent of the system root user (at least the password diverges, anyway). Just use the passwd command, if you need to reset your root, or whatever your admin user is, password. Webmin authenticates to the system password database, unless you break that by setting a separate password with changepass.pl.

You should not try to reset password over an insecure browser connection if you have administration access on the terminal or via ssh. Just set your danged password and log in.

Stop letting the lying machines talk you into breaking things, this is crazy.

Joe · October 21, 2025, 3:39am

What the heck are you talking about? The login box does work.

If you know your username and password, you can login, whether SSL is enabled or not. But, you should stop messing around with config files you don’t understand. If you want to modify configuration files directly, you need to learn what the options do. You’re making things so complicated.

jimr1 · October 21, 2025, 7:46am

from your other thread you installed virtualmin over webmin & didn’t use the virtualmin install script to install both. I would reimage your machine/vps with a fresh OS and the follow these instructions

from that goal you will using a system that is configured correctly for all the main services with no intervention from ChatGPT etc

tibberous · October 28, 2025, 2:44pm

I ended up installing AA panel and got it working. Had a weird issue where subdomains don’t work right but otherwise everything works.

Be nice if it supported email aliases, but postfix does, so I had GTP make me a python script to setup them up.

I didn’t know there was a passwd reset command but I’m good now. Thanks guys

Joe · October 28, 2025, 3:33pm

Best of luck with that.

Ilia · October 28, 2025, 6:22pm

You should have simply asked that and ping one of us. We’d resolve your issue in no time; writing lengthy posts is a recipe for being overlooked.

Ilia · October 28, 2025, 6:32pm

Are they building software directly on your production system instead of using standard repository distribution? After taking a quick look, I can see they do, and if so, this is a fundamental architectural flaw, as a production server should never have packages like gcc, make, python dev, etc.

Though good luck with that. If you ever change your mind, let us know. There aren’t any issues with the default Virtualmin install if you use our virtualmin-install.sh script on a clean A-grade system.

Ilia · October 28, 2025, 7:23pm

In fact, that means AI isn’t as intelligent as you hoped.

ID10T · October 28, 2025, 9:29pm

Evidently it was easier to install AA panel. I think we are all better off on this one.

Ilia · October 28, 2025, 11:20pm

I installed that too, but it wasn’t any easier. The Virtualmin installation process is a much easier and smoother experience. And, they compile software on the fly on the production system—pretty crazy.

ID10T · October 29, 2025, 1:48am

Their pro pricing page is amusing. “saving of $3514.87” They include Task Manager twice in the list.