From webmin port to SSL 443 on WAN domain name

The “niang mydomain org” computer is registered on noip and webforwarded from my domainname like you can see.

“web forwarding” is quite different from a CNAME. But, if you’re happy with it, fine, do that.

What if I don’t have a Webserver and do request a certificate?

It seems Webmin looks for a folder to store it, but there isn’t one, since I’ve not installed Apache on this computer. It’s the one I’ve set as webforward (has been changed to CNAME for the test - I can see no difference for now)

I try to request a certification for this host only.
What should I enter for “Website root directory for validation file” in that case?
It asks for a virtual host that hasn’t been found when I tried to get a certificate with Let’s encrypt.

You’d have to validate some other way, if you want Let’s Encrypt certificates. I’m hesitant to suggest DNS validation, as DNS is already proving challenging. But, that’s pretty much the options you have if you must have Let’s Encrypt certs: Run a web server (at least while doing the validation) and make sure port 80 is forwarded to the host, or do some kind of DNS validation.

If I were you and I couldn’t make a web server available on port 80 every couple months for Let’s Encrypt validation (it doesn’t have to be Apache, that’s just what Webmin knows how to automate), I would probably do DNS validation and get a wildcard certificate for your domain, and then copy that to all of the other hosts (this is the only time a wildcard makes sense…I normally discourage their use). This requires DNS validation, however, which is harder to do. Virtualmin can do it for domains it is hosting, as long as it is managing DNS (either locally or in a supported cloud DNS service), but that isn’t you. And, since you have to have dynamic DNS support, and that’s a lot more complicated to setup (though it can be done on Webmin servers), I’m very hesitant to suggest that either. You would need to do DNS validation outside of Webmin or Virtualmin, and use certbot directly with some manual TXT record creation at your DNS provider.

You’re trying to do uncommon things, basically. You may find it’s easier to use self-signed certs that expire rarely (like every couple years) and just teach those to your browser. You’re the only one managing these systems, right? Nobody else is logging in, right? You do not need a proper cert for that.

And, when I say this is uncommon, BTW, I don’t mean “managing devices on dynamic IPs behind NATting routers”…that’s common. It’s just commonly done differently from how you’re doing it. I manage a fleet of a few hundred such devices in my real job, and we use a VPN to solve this problem. Which I have suggested to you a few times along the way, but you’ve ruled it out, so I’m trying to continue helping you on the path you’re on, but it’s got a lot of complexity and a lot of things have to be right for it to work that just don’t come up when everything is on a VPN (then all they need is working internet access).
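The manual DNS-01 route mentioned above, as an added example that is not part of this thread, of certbot or of Webmin: `certbot certonly --manual --preferred-challenges dns` prints a record name and a record value and then waits; this snippet shows where those two strings come from (RFC 8555 section 8.4) and checks the resolver’s answer before you let certbot continue. The token and account-key thumbprint are constructed sample values; certbot shows the real ones at run time.

```shell
#!/bin/sh
# Added example, not from this thread: the TXT record behind certbot's
# manual DNS-01 challenge (RFC 8555 section 8.4) and a check that it is
# visible before letting certbot continue. Sample token and account-key
# thumbprint below are constructed values, not real ACME data.
#
# The interactive command this corresponds to is:
#   certbot certonly --manual --preferred-challenges dns -d '*.example.com' -d example.com

# base64url without padding (RFC 4648 section 5), as ACME requires
b64url() {
  base64 | tr -d '\n' | tr '+/' '-_' | tr -d '='
}

# Record name: _acme-challenge. prefixed to the domain. A wildcard
# *.example.com is validated on example.com itself, so the "*." is dropped.
dns01_record_name() {
  printf '_acme-challenge.%s\n' "${1#\*.}"
}

# Record value: base64url(SHA-256(token "." thumbprint(accountKey)))
dns01_txt_value() {
  printf '%s.%s' "$1" "$2" | openssl dgst -sha256 -binary | b64url
  printf '\n'
}

# Check resolver output (lines as printed by `dig +short TXT name`, each a
# quoted string) for the expected value. Exit status 0 means the record is live.
txt_published() {
  expected=$1
  shift
  printf '%s\n' "$@" | tr -d '"' | grep -qxF -- "$expected"
}

# Constructed sample inputs: certbot shows the real ones at run time
TOKEN='CONSTRUCTED-TOKEN-FROM-THE-ACME-CHALLENGE'
THUMB='CONSTRUCTED-ACCOUNT-KEY-THUMBPRINT'

NAME=$(dns01_record_name 'example.com')
VALUE=$(dns01_txt_value "$TOKEN" "$THUMB")
echo "Create a TXT record at your DNS provider: $NAME  \"$VALUE\""
echo "Then query it from outside your LAN:  dig +short TXT $NAME @1.1.1.1"

# Constructed resolver answer (what dig would print once the record has propagated)
if txt_published "$VALUE" "\"$VALUE\""; then
  echo "Record visible: safe to press Enter in certbot"
fi
```

The value is not a secret, but it is only valid for the one challenge certbot is currently waiting on, so a new record is needed at every renewal; that is the manual step the thread refers to, and it is why the wildcard-plus-copy approach is only attractive when renewals are rare enough to do by hand.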

You would need to do DNS validation outside of Webmin or Virtualmin, and use certbot directly with some manual TXT record creation at your DNS provider.

What exactly is the way to create this TXT record?

You may find it’s easier to use self-signed certs that expire rarely (like every couple years) and just teach those to your browser.

You’re the only one managing these systems, right? Nobody else is logging in, right?

Right! But from any computer on the web that is part of my domain, like my mobile.
(The owner/user of the distant computer would be able to access it locally with his own Linux user account without root access - presentation of the application so they know what I’m using to maintain their computer remotely.)

You do not need a proper cert for that.

How? I do not understand, why do I not need it?

I manage a fleet of a few hundred such devices in my real job, and we use a VPN to solve this problem. Which I have suggested to you a few times along the way, but you’ve ruled it out, so I’m trying to continue helping you on the path you’re on, but it’s got a lot of complexity and a lot of things have to be right for it to work that just don’t come up when everything is on a VPN (then all they need is working internet access).

True enough!

I only want the setup that would be the easiest to apply. I did try to set up a VPN server, but this seems very complicated. There are several files for encryption and I messed up with these because I didn’t understand their respective purposes.

VPN server case

For the procedures to configure a VPN server, I did try to follow those steps, but couldn’t set up the LAN part already, so I imagine it would be overcomplicated to me, if I have to make it work over different networks on WAN.

I did try this since I’m on Ubuntu Server 22.04 https://ubuntu.com/server/docs/service-openvpn

I thought it would be easier to set up once I got my server online with a fixed IP, and that the domain name would help me to find the computers more easily on the web, but I was wrong. It’s very complicated for each step I take and gets worse after every achievement.

Webserver case

I did achieve the setup of an (Apache) web server, but you told me Webmin doesn’t need it since it’s self hosted, but now you’re saying I need it to encrypt the host it’s running on - Why not explain this while my Apache server was running? I deleted it, because I thought I wouldn’t need it.

What should request an encryption? Not Webmin, but the webhost where Webmin is running on. So I do need a web server after all if I do not want to have to set up a VPN server.

If I do it, I would be able to use a virtualhost to set up each client, wouldn’t I? How do I link a virtualhost to a Webmin session in that case?

Would every host running Webmin need a webserver, or can it be linked to a virtualhost on my own web server?

As a matter of fact I would rather pay Webmin than having to pay my ISP more to give no support and inconvenience to apply any setup with their NAT router. I’ve increased my ISP subscription (Pro subscription + fixed IP) in order to be able to make this server specifically in order to use Webmin over it to do this maintenance of all hosts I’ve installed a Linux distro on (Debian based). At least you try to help, which isn’t my provider’s case, they just try to sell.

I can’t respond easily to that. Post your follow up here, please.

I’ve installed Apache 2 and it’s up and running with a valid certificate for my domain.
Can I add my server, to begin with, so I can access Webmin over SSL without entering the port, by giving the URL: pc1.mydomain.xxx

I’ve also got the Squid proxy server installed and running.

I’ve followed the steps here, but it doesn’t work:

I got stuck on the creation of the file like described here:

  • Create a VirtualHost block with the following directives to the Apache configuration, and restart Apache afterwards. Remember to replace VirtualHost IP address, ServerName and SSL certificates paths with your own:
<VirtualHost 1.2.3.4:443>
   ServerName webmin.example.com

   # Enable the usage of the SSL/TLS protocol engines
   SSLEngine on
   SSLProxyEngine on

   # Point to files with SSL certificates for virtual host
   SSLCertificateFile /etc/ssl/domains/example.com/ssl.combined
   SSLCertificateKeyFile /etc/ssl/domains/example.com/ssl.key
   
   # Use only secure version of the TLS protocol (TLSv1.3)
   SSLProtocol         all -SSLv3 -TLSv1 -TLSv1.1 -TLSv1.2
   SSLHonorCipherOrder off
   SSLSessionTickets   off

   # Disables the remote server certificate checks
   # (only needed for self-signed certificates)
   SSLProxyCheckPeerCN     off
   SSLProxyCheckPeerName   off
   SSLProxyCheckPeerExpire off

   # Disable proxying for all /.well-known requests. It will 
   # only be useful, if a domain has "DocumentRoot" defined
   ProxyPass /.well-known !

   # Proxying both HTTP and websockets at the same time,
   # where the websockets URL's are not websocket-only
   # or not known in advance
   ProxyPass / https://localhost:10000/
   RewriteEngine on
   RewriteCond %{HTTP:Upgrade} websocket [NC]
   RewriteCond %{HTTP:Connection} upgrade [NC]
   RewriteRule ^/?(.*) "wss://localhost:10000/$1" [P,L]
</VirtualHost>

Why are you introducing new tools when you don’t have any of the others working? This is chaotic. You need to take things one step at a time.

Besides that, Squid has no useful role in solving the problems you are trying to solve, as I understand them. Stop making new problems for yourself, I can’t keep up.

You know, I’m just trying to make sense of all that’s been told to me.
There are points that suggested the proxy was a good idea, like the fact I’m behind this ISP NAT router, which is why other people on the #network IRC channel advised me this.

They also told me Webmin isn’t secure over WAN.
But I think it’s a matter of settings, how secure it will be.

The proxy isn’t yet configured to do anything special. It’s just running in the background for now, because I was indeed busy with trying Webmin with Apache certification.

I can reinstall as many times as I want to get where I want, so if you’ve anything to suggest, I’ll try it your way.

Also, I can’t just wait doing nothing because I do not know how. So you’ve an idea of what I did while I was waiting for an answer or advice on how to for my own configuration, not an example that doesn’t match with my settings at all (the NAT router and these distant computers that have to be part of my network). When I look at the websites where I’ve been sent, it’s like I need to start from scratch. It’s not like I would like to take years to do it.

I would rather get to the point, but people request from me that I pay someone to do it in that case.
Ok, thanks … What else could I say …

They kinda lied. There are about a million Webmin hosts on the internet. We have a public security history: https://webmin.com/security/

But, Squid is not necessary for that. You already have Apache in the mix (Apache is also a web proxy), so don’t add more stuff. But, a proxy won’t solve anything if it isn’t accessible to the internet, which, according to your description of the problem it won’t be. You have a NAT router in front of these devices; so you need to forward ports to get to your computers behind it.

It sounds like you’re getting advice from a variety of people, and many of those people have no clue what they’re talking about.

The simplest solution continues to be a VPN. The harder solution without a VPN, I have also described above. You need to forward ports, you probably don’t need Apache (though if you insist on having certificates from Let’s Encrypt, you have to validate them somehow and a web server is one such way).

You’re saying this validation will also take place with the VPN?
I will be able to access these computers without entering the port on their respective URL pointing to their hostname.mydomain.xxx?
I’ve not yet installed any other software on this installation of Ubuntu Server.
So, where do I start?
With these steps: Quick Start - WireGuard
Could you tell me what I should attend to for my configuration in these instructions?
Is this of any use to me?
[WireGuard] contrib examples
Can I simply uninstall Squid since I do not need it?

What validation? You exchange keys, there is no trust needed beyond that initial key exchange. There is nothing to validate; just copy the keys to the computers that need to talk to each other.

Yes, that’s a reasonable place to start. And, to be clear, that’s all you need. You don’t need Apache to use a VPN, you don’t need Squid, you don’t need a proxy of any sort, you don’t need LDAP (you never needed LDAP), and…if you prefer Webmin to not be accessible on the internet, you’re in luck, because a VPN is not accessible on the Internet.

Just follow the quick start guide and make one of the computers you want to communicate with work. You keep making this so much more complicated than it needs to be. Please just make the basic requirements work and stop adding more work for yourself and more chaos for me to figure out.

Your situation is not complicated, so stop making it complicated. Your situation is this:

You want to talk to Webmin running on a computer that is not directly on the internet. That’s it. It doesn’t need a proxy, it doesn’t need a directory service, it doesn’t need a web server (other than Webmin itself, which includes a web server of its own). Get your computer connecting to the computer you want to talk to via a VPN, and you’re done. There are no other steps.

You do not need a Let’s Encrypt certificate to talk to a trusted computer over a VPN; just tell your browser to accept the self-signed certificate.
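The “just exchange keys” point above, as an added example that is not part of this thread or of the WireGuard quick start: one wg0.conf on the Ubuntu server with the fixed IP and one on a maintained computer (pc1) behind its NAT router. Every key is a placeholder to be replaced with the output of `wg genkey` and `wg pubkey` on the host that owns it; the 10.8.0.0/24 range, the 51820 port and the hostname server.mydomain.xxx are assumed values.

```ini
# /etc/wireguard/wg0.conf on the server with the fixed public IP
# (added example, not from the thread; keys are placeholders generated on
#  each host with `wg genkey` / `wg pubkey`; 10.8.0.0/24, port 51820 and
#  server.mydomain.xxx are assumed values)
[Interface]
Address    = 10.8.0.1/24
ListenPort = 51820
PrivateKey = <SERVER_PRIVATE_KEY_PLACEHOLDER>   # never leaves this host

# One [Peer] block per maintained computer; only its public key is copied here,
# and AllowedIPs pins that key to exactly one VPN address
[Peer]
PublicKey  = <PC1_PUBLIC_KEY_PLACEHOLDER>
AllowedIPs = 10.8.0.2/32

# ---------------------------------------------------------------
# /etc/wireguard/wg0.conf on pc1, behind a NAT router, no port forwarding needed
[Interface]
Address    = 10.8.0.2/24
PrivateKey = <PC1_PRIVATE_KEY_PLACEHOLDER>       # never leaves this host

[Peer]
PublicKey  = <SERVER_PUBLIC_KEY_PLACEHOLDER>
Endpoint   = server.mydomain.xxx:51820           # only the fixed-IP side has an Endpoint
AllowedIPs = 10.8.0.0/24                         # accept/send only VPN traffic through the tunnel
PersistentKeepalive = 25                         # keeps the NAT mapping open so the server can reach pc1
```

Only the public keys travel between hosts; that copy is the entire trust setup. The server needs UDP 51820 reachable (forward it on the router if the server itself sits behind one); pc1 needs no forwarding because it initiates the tunnel and the keepalive keeps the router’s mapping alive for the return direction. After `wg-quick up wg0` on both sides, Webmin on pc1 is reached as https://10.8.0.2:10000 from the server, with its self-signed certificate accepted once in the browser as described above; the phone is simply another [Peer] with its own key pair and address. If Webmin should not answer on the internet-facing address at all, its listener can be limited to the VPN address with the bind= line in /etc/webmin/miniserv.conf.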

I’ve made a clean install, and installed Webmin after upgrading all packages.
Now I get the same error as posted here: Webmin does not start: Only Reference pam_unix(webmin:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= r | Virtualmin
I’ve found out how I could add my user account to miniserv.users
and did webmin passwd myusername and entered the password.
But after restarting Webmin:
https://termbin.com/2dnkr

You don’t need to do that on a Linux system, and should not do that. Webmin authenticates with system users.

Login with root or any sudo user with ALL privileges (like the first user on an Ubuntu system).

That looks like Webmin is running fine. Looks like you tried to login with a non-existent user or bad password, though.

I followed this whole procedure, but it didn’t resolve anything:

I think it’s related to the GitHub keys from my account, which the Ubuntu Server installer did download this time during the install. I didn’t know what it would do when it asked to download these keys from GitHub.
I presume I will have to start over and decline when this download is prompted to solve this.

Same thing after reinstalling without the download of these keys from my GitHub account.

What the hell are you talking about? Github? What does github have to do with anything?

This is beginning to feel like a prank, where you’re trying to see how long you can keep me answering increasingly bizarre questions.

I install Webmin from a bash script I made and that worked fine until now.
Here’s the code that installs Webmin:

     5) echo 'Webmin installation';
        # fetch the Webmin repository signing key and convert it to a binary keyring for apt
        wget -O /etc/apt/keyrings/jcameron-key.key https://download.webmin.com/jcameron-key.asc;
        gpg --no-default-keyring --keyring jcameron-key.gpg --import /etc/apt/keyrings/jcameron-key.key;
        gpg --no-default-keyring --keyring jcameron-key.gpg --export > tmp.gpg && mv tmp.gpg jcameron-key.gpg;
        mv ./jcameron-key.gpg /etc/apt/trusted.gpg.d/;
        # add the Webmin repository (note: appends a new line on every run) and install
        echo 'deb https://download.webmin.com/download/repository sarge contrib' >> /etc/apt/sources.list;
        apt-get update | dialog --progressbox 30 100;
        apt-get install -y apt-transport-https webmin;

I’ve a clean install of Ubuntu Server 22.04.
I try to install Webmin on it and I get this with the command systemctl status webmin:

perl[694]: pam_unix(webmin:auth):authentification failure: logname= uuid=0 euid=0 tty= rhost= user=root

I still have no idea what “github keys” has to do with anything. But, don’t try to explain it. Just don’t follow weird advice on the internet. You should not use changepass.pl unless you are intentionally using Webmin passwords. Most people should not be using Webmin passwords. You should be using system passwords, which presumably you already know…if you were able to login via ssh to install Webmin, you obviously know the password for some admin level account.

Do you get a login page when you browse to port 10000 of the system where you installed Webmin? What error do you get when you try to login?