Failed to create SSL context : Invalid argument at /usr/libexec/webmin/miniserv.pl line 4383

Linulex · December 26, 2019, 8:34pm

The server is centos 7 (latest) with webmin 1.930 and plesk onyx. Webmin is used for reading logs, server updates and general server maintenance

After upgrading to plesk 18.0.21 (plesk obsidian), webmin won’t start anymore with ssl enabled, ssl disabled works fine. The log gives the error:

I did add to both Library search path and Extra Perl library paths
/usr/lib64/perl5
/usr/lib64/perl5/vendor_perl
/usr/lib64/perl5/vendor_perl/Net
/usr/lib64/perl5/vendor_perl/Net/SSLeay.pm

net::ssleay is installed, the certificate is ok, selinux is disabled. Plesk doesn’t do anything with perl so it would surprise me if the plesk update would have changed the perl path, but something was changed

The perl path is ok (as far as i can tell). What should it be and how can i test that? how do i test if webmin can use ssleay?

any suggestion would be welcome

Kind regards
Jan

Ilia · December 26, 2019, 10:00pm

Hi,

Try to comment out ssl_cipher_list option in /etc/webmin/miniserv.conf, for avoiding forcing the ciphers, and restart Webmin by running /etc/webmin/restart command.

Linulex · December 27, 2019, 9:15am

Hello,

Thank you for the suggestion, but that option is not in the config. I have tried every possible config option by now and am 93.3% sure that something somewhere is preventing webmin from using Net::SSLeay, but i cant figure out what is doing that.

regards
Jan

Ilia · December 27, 2019, 9:19am

I would just start from debugging SSL connection first.

Ilia · December 27, 2019, 9:21am

For example:

openssl s_client -connect www.mywebmin.com:10000 -prexit

Ilia · December 27, 2019, 10:40am

It’s always useful to look at the changelogs as well.

https://docs.plesk.com/release-notes/onyx/change-log/#ssl-it-1.0.1

Linulex · December 27, 2019, 10:41am

thank you for the sugestion, but thats not it. I have tested ssl on the server on various ports (imap, pop3, nginx, plesk) and that is working fine. On port 10000 there is nothing to test because that is just the problem: webmin wont start with ssl enabled. I will only start without ssl. It says
SSL-Session:
Protocol : TLSv1.2
but no certificate and always the same error: webmin can’t access/find/use Net::SSLeay

Invalid argument at /usr/libexec/webmin/miniserv.pl line 4383.

line 4383 trough 4386 =

local $ssl_ctx;
eval { $ssl_ctx = Net::SSLeay::new_x_ctx() };
$ssl_ctx ||= Net::SSLeay::CTX_new();
$ssl_ctx || die "Failed to create SSL context : $!";

I even tried adding

use Net::SSLeay;
eval Net::SSLeay::new_x_ctx();

at the top of /usr/libexec/webmin/miniserv.pl but always the same:

ssl=0 = start ok
ssl=1 = error on line 4386 and not starting

My idea was that if i explicitly add SSLeay and it cant find it, then the miniserv would not start, but it starts fine ( but only without ssl)

regards
Jan

Linulex · December 27, 2019, 10:42am

ssl-it extension is not installed on this server.

regards
Jan

Ilia · December 27, 2019, 10:49am

…and running the following doesn’t fix it, I suppose:

yum reintall perl-Net-SSLeay

Ilia · December 27, 2019, 10:58am

Okay, can you check your /etc/webmin/miniserv.conf file and add the following at the end of it and then restart Webmin:

ssl=1
no_ssl2=1
no_ssl3=1
no_tls1=1
no_tls1_1=1
ssl_honorcipherorder=1
no_sslcompression=1
cipher_list_def=0
ssl_cipher_list=ECDHE-RSA-AES256-SHA384:AES256-SHA256:AES256-SHA256:RC4:HIGH:MEDIUM:+TLSv1:+TLSv1.1:+TLSv1.2:!MD5:!ADH:!aNULL:!eNULL:!NULL:!DH:!ADH:!EDH:!AES$

Linulex · December 27, 2019, 11:07am

nope,

I tried:
perl-Net-SSLeay-1.55-6.el7.x86_64.rpm (default centos 7)
and all city-fan repo
perl-Net-SSLeay-1.84-1.0.cf.rhel7.x86_64.rpm
perl-Net-SSLeay-1.85-1.0.cf.rhel7.x86_64.rpm
perl-Net-SSLeay-1.88-2.1.cf.rhel7.x86_64.rpm

At the moment 1.85-1.0.cf.rhel7 is installed. This version works fine on other servers still with plesk onyx.

But with

use Net::SSLeay;
eval Net::SSLeay::new_x_ctx();

Added to /usr/libexec/webmin/miniserv.pl the error gets

Failed to create SSL context : No such file or directory at /usr/libexec/webmin/miniserv.pl line 4386.

Now only i need to do is figure out what file or directory it is looking for. Cant be Net::SSLeay else it would stop at the start.

none of the logs in /var/webmin say what file or directiry that is missing either

regards
Jan

Linulex · December 27, 2019, 11:14am

Yep, all in there, exept the cipher_list? i added that, but still the same:

Failed to create SSL context : No such file or directory at /usr/libexec/webmin/miniserv.pl line 4386

use Net::SSLeay;
eval Net::SSLeay::new_x_ctx();

are still at the top of /usr/libexec/webmin/miniserv.pl

at the moment i am checking and double checking if alle the files named in the config a) exist and b) are accessable by webmin.

regards
Jan

Ilia · December 27, 2019, 11:17am

Don’t check. We have almost ready to release Webmin 1.940.

Try (it’s safe):

yum update http://download.webmin.com/devel/rpm/webmin-1.940-1.noarch.rpm

Linulex · December 27, 2019, 11:32am

hello,

Nope still the same, only the line number has changed now

Failed to create SSL context : Invalid argument at /usr/libexec/webmin/miniserv.pl line 4381.

and i still have no idea what file he is looking for. I have changed every file in the .conf to 777, including dhparams.pem, but still nothing.

Regards
Jan

Ilia · December 27, 2019, 11:40am

Okay, I see.

Can I have a look at your complete /etc/webmin/miniserv.conf file?

Moreover, does it contain any keyfile, certfile and extracas options? If so, did you try to remove them?

Linulex · December 27, 2019, 11:57am

This is my miniserv.conf file:

port=10000
addtype_cgi=internal/cgi
realm=Webmin Server
logfile=/var/webmin/miniserv.log
errorlog=/var/webmin/miniserv.error
pidfile=/var/webmin/miniserv.pid
logtime=168
ppath=
ssl=0
no_ssl2=1
no_ssl3=1
no_tls1=1
no_tls1_1=1
ssl_honorcipherorder=1
no_sslcompression=1
env_WEBMIN_CONFIG=/etc/webmin
env_WEBMIN_VAR=/var/webmin
atboot=1
logout=/etc/webmin/logout-flag
listen=10000
denyfile=\.pl$
log=1
blockhost_failures=5
blockhost_time=600
syslog=1
session=1
premodules=WebminCore
userfile=/etc/webmin/miniserv.users
keyfile=/etc/webmin/miniserv.pem
passwd_file=/etc/shadow
passwd_uindex=0
passwd_pindex=1
passwd_cindex=2
passwd_mindex=4
passwd_mode=0
preroot=virtual-server-theme
passdelay=1
cipher_list_def=1
pam_end=
pam_conv=
blockuser_time=
blocklock=
session_ip=
blockuser_failures=
no_pam=0
logouttime=
utmp=
logouttimes=
extracas=
no_tls1_2=
ssl_redirect=0
dhparams_file=/etc/webmin/dhparams.pem
nolog=.*xhr.*
perllib=
certfile=/etc/webmin/miniserv.pem
ssl_cipher_list=ECDHE-RSA-AES256-SHA384:AES256-SHA256:AES256-SHA256:RC4:HIGH:MEDIUM:+TLSv1:+TLSv1.1:+TLSv1.2:!MD5:!ADH:!aNULL:!eNULL:!NULL:!DH:!ADH:!EDH:!AES$
root=/usr/libexec/webmin
mimetypes=/usr/libexec/webmin/mime.types
server=MiniServ/1.940

I have tried varies cert files: the Plesk one, a real from Commodo, a self-signed, a Plesk Let’s Encrypt and a Webmin generated Let’s Encrypt.

When I remove keyfile=/etc/webmin/miniserv.pem and dhparams_file=/etc/webmin/dhparams.pem then I get no startup error, but it won’t work due to no certificate.

I have also tried adding /etc/webmin to the Program search path

Ilia · December 27, 2019, 12:40pm

Okay, I see - give it a try with this /etc/webmin/miniserv.conf:

port=10000
addtype_cgi=internal/cgi
realm=Webmin Server
logfile=/var/webmin/miniserv.log
errorlog=/var/webmin/miniserv.error
pidfile=/var/webmin/miniserv.pid
logtime=168
ssl=1
no_ssl2=1
no_ssl3=1
no_tls1=1
no_tls1_1=1
ssl_honorcipherorder=1
no_sslcompression=1
env_WEBMIN_CONFIG=/etc/webmin
env_WEBMIN_VAR=/var/webmin
atboot=1
logout=/etc/webmin/logout-flag
listen=10000
denyfile=\.pl$
log=1
blockhost_failures=5
blockhost_time=60
syslog=1
ipv6=1
session=1
premodules=WebminCore
userfile=/etc/webmin/miniserv.users
keyfile=/etc/webmin/miniserv.pem
passwd_file=/etc/shadow
passwd_uindex=0
passwd_pindex=1
passwd_cindex=2
passwd_mindex=4
passwd_mode=0
preroot=authentic-theme
passdelay=1
login_script=/etc/webmin/login.pl
logout_script=/etc/webmin/logout.pl
cipher_list_def=0
failed_script=/etc/webmin/failed.pl
preload=
eval_package=1
ssl_cipher_list=ECDHE-RSA-AES256-SHA384:AES256-SHA256:AES256-SHA256:RC4:HIGH:MEDIUM:+TLSv1:+TLSv1.1:+TLSv1.2:!MD5:!ADH:!aNULL:!eNULL:!NULL:!DH:!ADH:!EDH:!AESGCM
root=/usr/libexec/webmin
mimetypes=/usr/libexec/webmin/mime.types
server=MiniServ/1.940
error_handler_403=403.cgi
error_handler_404=404.cgi
error_handler_401=401.cgi
nolog=.*xhr.*
logouttimes=
extracas=
certfile=
no_tls1_2=
ssl_redirect=0

… and add/replace this in your /etc/webmin/config file:

theme=authentic-theme

Then kill and start Webmin over again:

pkill -9 miniserv
/etc/webmin/start

Linulex · December 27, 2019, 1:23pm

Hello,

Still the same:
Failed to create SSL context : Invalid argument at /usr/libexec/webmin/miniserv.pl line 4381.

btw: i dont like the authentic theme, thats why i use the virtual server theme. I already tried all 4 installed themes, even the “old webmin theme”.

regards
Jan

Ilia · December 27, 2019, 1:46pm

Odd, as you said that you use Webmin to read logs, right? Isn’t reading/searching logs much easier and better with this look/output:

Are we talking about the same theme? If so, why exactly you don’t like it, could you share your feelings please?

Still the same:…

The last idea that, I could propose is to change my last proposed /etc/webmin/miniserv.conf and delete ssl_cipher_list and change/set cipher_list_def=1.

Ilia · December 27, 2019, 1:52pm

I would like to get tarball of your /usr/lib64/perl5/vendor_perl/ directory.