From webmin port to SSL 443 on WAN domain name

You should not share certificates across multiple machines with different domains.

Okay, if I shouldn’t. Lots of people tell me what I shouldn’t do while I’m searching for how to.
An easier way would be to tell me what I should do to get it done.
It’s not specifically about your answer; it’s a general feeling I have while I’m trying to apply what I’m intending to.

So what should I do to have it like this (Webmin is fine to me, since I only do maintenance)?

I don’t know. What are you having problems with?

The full question is:
What is the correct way to have a network of computers I maintain (on different sites/places all over Belgium) with Webmin over SSL, while using my domain name as the reference for each computer I want to manage?
Example URLs:

  • “pc1 mydomain org”
  • “pcwan1 mydomain org”
  • “pc2 mydomain org”

And a last example, since I could add a restriction so that only devices on my domain can use Webmin:

  • “mobile mydomain org” (so I can see the other hosts from my mobile through Webmin; only my mobile will be permitted. Of course I’ll not install Webmin on my mobile; it would only be used as a mobile viewer of the hosts on my domain)

I removed the dots from the URL examples, since they are considered links otherwise.

I still don’t understand what the problem is? There’s nothing wrong with giving every computer its own name in your domain. What are you asking for help with?

I do not have a DNS server.

I edit the A-records on my Easyhost dashboard to add the IPs of my hosts.

What if these hosts are behind a NAT?

Is the only way to do so to have my own DNS server running?

I presume I could make a cron task on each distant PC to ping my server and update the DNS record on my own server, if I had a DNS server running.

What if I don’t have the possibility to add a DNS server, and can only use the options available with Easyhost’s services? I can’t point to a LAN IP from there.

Is this the only way to make it work, with a DNS server?

What if I have distant computers behind a NAT? Will I have to install a DNS server over there in that case, so it can tell the difference between the hosts behind the NAT there?

You can imagine such a thing can’t be done.

What solutions do I have? I assume I do not know enough about servers yet, but any advice on the path I should follow to use Webmin that way is important to me.

That’s a problem independent of DNS. You need to port-forward, or put them on a VPN, so the devices are reachable from outside the network. But, it sounded like you already figured that out above.

I thought you said you were using noip?

You need to use some sort of dynamic DNS product, or host your own DNS server with dynamic DNS configured. There are multiple services that offer this. To use your own domain, you’d probably need to pay for the service. I don’t use these kinds of services (since I run many DNS servers), but I would assume using your own domain names would be a premium service you’d need to pay for.

You could also maybe make CNAMEs pointing to the dynamic names, though. That might work? I’m not sure, but it seems like it would. i.e. you create a CNAME of pc1.domain.tld pointing to whatever-name-they-give-you.dyndns.org or whatever-name-they-give-you.noip.com or whatever) and then you’d be able to go to pc1.domain.tld and behind the scenes that’d get converted to the name that points to the dynamic address.

The “niang mydomain org” computer is registered on noip and web-forwarded from my domain name, as you can see.

“web forwarding” is quite different from a CNAME. But, if you’re happy with it, fine, do that.

What if I don’t have a web server and do request a certificate?

It seems Webmin looks for a folder to store it in, but there isn’t one, since I’ve not installed Apache on this computer. It’s the one I’ve set as web forward (it has been changed to a CNAME for the test; I can see no difference for now).

I try to request a certificate for this host only.
What should I enter for “Website root directory for validation file” in that case?
It asks for a virtual host, which wasn’t found when I tried to get a certificate with Let’s Encrypt.

You’d have to validate some other way, if you want Let’s Encrypt certificates. I’m hesitant to suggest DNS validation, as DNS is already proving challenging. But, that’s pretty much the options you have if you must have Let’s Encrypt certs: Run a web server (at least while doing the validation) and make sure port 80 is forwarded to the host, or do some kind of DNS validation.

If I were you and I couldn’t make a web server available on port 80 every couple months for Let’s Encrypt validation (it doesn’t have to be Apache, that’s just what Webmin knows how to automate), I would probably do DNS validation and get a wildcard certificate for your domain, and then copy that to all of the other hosts (this is the only time a wildcard makes sense…I normally discourage their use). This requires DNS validation, however, which is harder to do. Virtualmin can do it for domains it is hosting, as long as it is managing DNS (either locally or in a supported cloud DNS service), but that isn’t you. And, since you have to have dynamic DNS support, and that’s a lot more complicated to set up (though it can be done on Webmin servers), I’m very hesitant to suggest that either. You would need to do DNS validation outside of Webmin or Virtualmin, and use certbot directly with some manual TXT record creation at your DNS provider.

You’re trying to do uncommon things, basically. You may find it’s easier to use self-signed certs that expire rarely (like every couple years) and just teach those to your browser. You’re the only one managing these systems, right? Nobody else is logging in, right? You do not need a proper cert for that.

And, when I say this is uncommon, BTW, I don’t mean “managing devices on dynamic IPs behind NATting routers”…that’s common. It’s just commonly done differently from how you’re doing it. I manage a fleet of a few hundred such devices in my real job, and we use a VPN to solve this problem. Which I have suggested to you a few times along the way, but you’ve ruled it out, so I’m trying to continue helping you on the path you’re on, but it’s got a lot of complexity and a lot of things have to be right for it to work that just don’t come up when everything is on a VPN (then all they need is working internet access).
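The self-signed alternative described in the reply above, as an added example that is not part of the thread and is not Webmin’s own code: a POSIX shell script that generates a three-year self-signed certificate with a subjectAltName for one host, writes it in the single key+certificate file form, and prints the SHA-256 fingerprint to compare against the browser warning. The host name pc1.mydomain.org, the output directory, the validity period, and Webmin’s default certificate path (/etc/webmin/miniserv.pem, referenced by keyfile= in /etc/webmin/miniserv.conf) are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or from Webmin.
# Long-lived self-signed certificate for one Webmin host, with a SAN so the
# browser's name check actually matches the host name you type.
# Assumptions: the host name, 3-year validity, output directory, and Webmin's
# default certificate file /etc/webmin/miniserv.pem (keyfile= in miniserv.conf).
set -eu

# make_webmin_cert <fqdn> <out_dir> [days]
# Generates key + certificate and writes <out_dir>/<fqdn>.pem with both
# concatenated (the single-file form Webmin's miniserv expects). Prints the path.
make_webmin_cert() {
    fqdn=$1; out=$2; days=${3:-1095}
    mkdir -p "$out"
    # -addext needs OpenSSL 1.1.1 or later; a CN alone is ignored by browsers.
    openssl req -x509 -newkey rsa:3072 -nodes -sha256 -days "$days" \
        -subj "/CN=$fqdn" -addext "subjectAltName=DNS:$fqdn" \
        -keyout "$out/$fqdn.key" -out "$out/$fqdn.crt" >/dev/null 2>&1
    cat "$out/$fqdn.key" "$out/$fqdn.crt" > "$out/$fqdn.pem"
    chmod 600 "$out/$fqdn.key" "$out/$fqdn.pem"
    printf '%s\n' "$out/$fqdn.pem"
}

# cert_sans <pem>: prints the DNS names in the SAN, one per line.
cert_sans() {
    openssl x509 -in "$1" -noout -ext subjectAltName | grep -o 'DNS:[^, ]*'
}

# cert_fingerprint <pem>: SHA-256 fingerprint to compare with the browser warning.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# cert_valid_for <pem> <days>: exit 0 if the certificate is still valid <days> from now.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Stand-alone use: generate for pc1 and show the values you will compare later.
if [ "${1:-}" = "run" ]; then
    pem=$(make_webmin_cert pc1.mydomain.org "${TMPDIR:-/tmp}/webmin-certs")
    echo "wrote $pem"
    echo "SAN: $(cert_sans "$pem")"
    echo "SHA-256: $(cert_fingerprint "$pem")"
    # Install on the Webmin host as root (assumed default paths):
    #   cp "$pem" /etc/webmin/miniserv.pem
    #   grep -q '^keyfile=' /etc/webmin/miniserv.conf || echo keyfile=/etc/webmin/miniserv.pem >> /etc/webmin/miniserv.conf
    #   systemctl restart webmin
fi
```

Because the browser trusts this certificate only after you accept it, compare the SHA-256 fingerprint the script prints with the one shown in the browser warning the first time you connect; that comparison is what turns “accept the self-signed certificate” into a real check rather than a blind click. Run `cert_valid_for` from a cron job so you regenerate well before the three years run out.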

You would need to do DNS validation outside of Webmin or Virtualmin, and use certbot directly with some manual TXT record creation at your DNS provider.

What is exactly the way to create this TXT record ?

You may find it’s easier to use self-signed certs that expire rarely (like every couple years) and just teach those to your browser.

You’re the only one managing these systems, right? Nobody else is logging in, right?

Right! But from any computer on the web that is part of my domain, like my mobile.
(The owner/user of the distant computer would be able to access it locally with his own Linux user account without root access, as a presentation of the application, so they know what I’m using to maintain their computer remotely.)

You do not need a proper cert for that.

How? I do not understand; why do I not need it?

I manage a fleet of a few hundred such devices in my real job, and we use a VPN to solve this problem. Which I have suggested to you a few times along the way, but you’ve ruled it out, so I’m trying to continue helping you on the path you’re on, but it’s got a lot of complexity and a lot of things have to be right for it to work that just don’t come up when everything is on a VPN (then all they need is working internet access).

True enough!

I only want the setup that would be the easiest to apply. I did try to set up a VPN server, but this seems very complicated. There are several files for encryption, and I messed them up because I didn’t understand their respective purposes.

VPN server case

For the procedures to configure a VPN server, I did try to follow those steps, but I couldn’t even set up the LAN part, so I imagine it would be overcomplicated for me if I have to make it work over different networks on the WAN.

I did try this since I’m on Ubuntu Server 22.04 https://ubuntu.com/server/docs/service-openvpn

I thought it would be easier to set up once I got my server online with a fixed IP, and that the domain name would help me find the computers more easily on the web, but I was wrong. It’s very complicated for each step I take and gets worse after every achievement.

Webserver case

I did achieve the setup of an (Apache) web server, but you told me Webmin doesn’t need it since it’s self-hosted, and now you’re saying I need it to encrypt the host it’s running on. Why not explain this while my Apache server was running? I deleted it, because I thought I wouldn’t need it.

What should request the encryption? Not Webmin, but the web host Webmin is running on. So I do need a web server after all if I do not want to have to set up a VPN server.

If I do it, I would be able to use a virtual host to set up each client, wouldn’t I? How do I link a virtual host to a Webmin session in that case?

Would every host running Webmin need a web server, or can it be linked to a virtual host on my own web server?

As a matter of fact I would rather pay Webmin than pay my ISP more to give no support and make it inconvenient to apply any setup with their NAT router. I’ve increased my ISP subscription (Pro subscription + fixed IP) in order to be able to build this server, specifically in order to use Webmin over it to do the maintenance of all hosts I’ve installed a Linux distro on (Debian-based). At least you try to help, which isn’t my provider’s case; they just try to sell.

I can’t respond easily to that. Post your follow up here, please.

I’ve installed Apache 2 and it’s up and running with a valid certificate for my domain.
How can I add my server, to begin with, so I can access Webmin over SSL without entering the port, by giving the URL pc1.mydomain.xxx?

I also have the Squid proxy server installed and running.

I’ve followed the steps here, but it doesn’t work:

I got stuck on the creation of the file as described here:

  • Create a VirtualHost block with the following directives to the Apache configuration, and restart Apache afterwards. Remember to replace VirtualHost IP address, ServerName and SSL certificates paths with your own:
<VirtualHost 1.2.3.4:443>
   ServerName webmin.example.com

   # Needs mod_ssl, mod_proxy, mod_proxy_http, mod_proxy_wstunnel and
   # mod_rewrite loaded (Debian/Ubuntu: a2enmod ssl proxy proxy_http proxy_wstunnel rewrite)

   # Enable the usage of the SSL/TLS protocol engines
   SSLEngine on
   SSLProxyEngine on

   # Point to files with SSL certificates for virtual host
   SSLCertificateFile /etc/ssl/domains/example.com/ssl.combined
   SSLCertificateKeyFile /etc/ssl/domains/example.com/ssl.key

   # Use only secure version of the TLS protocol (TLSv1.3)
   SSLProtocol         all -SSLv3 -TLSv1 -TLSv1.1 -TLSv1.2
   SSLHonorCipherOrder off
   SSLSessionTickets   off

   # Disables the remote server certificate checks
   # (only needed for self-signed certificates on the Webmin side)
   SSLProxyCheckPeerCN     off
   SSLProxyCheckPeerName   off
   SSLProxyCheckPeerExpire off

   # Disable proxying for all /.well-known requests. It will
   # only be useful, if a domain has "DocumentRoot" defined
   ProxyPass /.well-known !

   # Proxying both HTTP and websockets at the same time,
   # where the websockets URL's are not websocket-only
   # or not known in advance. ProxyPassReverse rewrites the
   # Location headers Webmin sends back so redirects stay on this vhost.
   ProxyPass / https://localhost:10000/
   ProxyPassReverse / https://localhost:10000/
   RewriteEngine on
   RewriteCond %{HTTP:Upgrade} websocket [NC]
   RewriteCond %{HTTP:Connection} upgrade [NC]
   RewriteRule ^/?(.*) "wss://localhost:10000/$1" [P,L]
</VirtualHost>

Why are you introducing new tools when you don’t have any of the others working? This is chaotic. You need to take things one step at a time.

Besides that, Squid has no useful role in solving the problems you are trying to solve, as I understand them. Stop making new problems for yourself, I can’t keep up.

You know, I’m just trying to make sense of all that’s been told to me.
There are points that suggested the proxy was a good idea, like the fact that I’m behind this ISP NAT router, which is why other people on the #network IRC channel advised me to do this.

They also told me Webmin isn’t secure over the WAN.
But I think how secure it will be is a matter of settings.

The proxy isn’t yet configured to do anything special. It’s just running in the background for now, because I was indeed busy trying Webmin with the Apache certificate.

I can reinstall as many times as I want to get where I want, so if you have anything to suggest, I’ll try it your way.

Also, I can’t just wait doing nothing because I do not know how. So now you have an idea of what I did while I was waiting for an answer or advice on how to do it for my own configuration, not an example that doesn’t match my settings at all (the NAT router and these distant computers that have to be part of my network). When I look at the websites I’ve been sent to, it’s like I need to start from scratch. It’s not like I would like to take years to do it.

I would rather get to the point, but people then ask me to pay someone to do it.
Ok, thanks … What else could I say …

They kinda lied. There are about a million Webmin hosts on the internet. We have a public security history: https://webmin.com/security/

But, Squid is not necessary for that. You already have Apache in the mix (Apache is also a web proxy), so don’t add more stuff. But, a proxy won’t solve anything if it isn’t accessible to the internet, which, according to your description of the problem, it won’t be. You have a NAT router in front of these devices; so you need to forward ports to get to your computers behind it.

It sounds like you’re getting advice from a variety of people, and many of those people have no clue what they’re talking about.

The simplest solution continues to be a VPN. The harder solution without a VPN, I have also described above. You need to forward ports, you probably don’t need Apache (though if you insist on having certificates from Let’s Encrypt, you have to validate them somehow and a web server is one such way).

You’re saying this validation will also take place with the VPN?
Will I be able to access these computers without entering the port, on their respective URL pointing to their hostname.mydomain.xxx?
I’ve not yet installed any other software on this installation of ubuntu server.
So, where do I start?
With these steps: Quick Start - WireGuard
Could you tell me what I should pay attention to in these instructions for my configuration?
Is this of any use to me?
[WireGuard] contrib examples
Can I simply uninstall Squid since I do not need it?

What validation? You exchange keys, there is no trust needed beyond that initial key exchange. There is nothing to validate; just copy the keys to the computers that need to talk to each other.

Yes, that’s a reasonable place to start. And, to be clear, that’s all you need. You don’t need Apache to use a VPN, you don’t need Squid, you don’t need a proxy of any sort, you don’t need LDAP (you never needed LDAP), and…if you prefer Webmin to not be accessible on the internet, you’re in luck, because a VPN is not accessible on the Internet.

Just follow the quick start guide and make one of the computers you want to communicate with work. You keep making this so much more complicated than it needs to be. Please just make the basic requirements work and stop adding more work for yourself and more chaos for me to figure out.

Your situation is not complicated, so stop making it complicated. Your situation is this:

You want to talk to Webmin running on a computer that is not directly on the internet. That’s it. It doesn’t need a proxy, it doesn’t need a directory service, it doesn’t need a web server (other than Webmin itself, which includes a web server of its own). Get your computer connecting to the computer you want to talk to via a VPN, and you’re done. There are no other steps.

You do not need a Let’s Encrypt certificate to talk to a trusted computer over a VPN; just tell your browser to accept the self-signed certificate.
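The hub-and-spoke layout the last reply describes, as an added example that is not from the thread and not from the WireGuard project: a POSIX shell script that writes the hub’s and a spoke’s wg0.conf and confines Webmin to the tunnel. Assumptions: pc1.mydomain.org with the fixed IP is the hub at 10.8.0.1 on the 10.8.0.0/24 tunnel subnet, spokes behind NAT (pc2, the mobile) get 10.8.0.2 and up, UDP port 51820, the WG_DIR output directory, and the Webmin miniserv.conf keys bind= and allow=.

```shell
#!/bin/sh
# Added example, not from the thread or the WireGuard project.
# Hub-and-spoke WireGuard for the Webmin fleet: pc1 (fixed IP) is the hub,
# every remote PC and the mobile are spokes behind NAT.
# Assumptions: tunnel subnet 10.8.0.0/24, hub = 10.8.0.1, UDP 51820,
# output dir $WG_DIR (default /etc/wireguard), and Webmin's miniserv.conf
# keys bind= and allow=.
set -eu

WG_NET=10.8.0.0/24
WG_PORT=51820

# hub_conf <hub_privkey> <peer_pubkey>=<peer_tunnel_ip> ...
# Prints the hub's wg0.conf. One [Peer] per spoke; AllowedIPs is a /32 so a
# spoke can only send from the tunnel address it was given, nothing else.
hub_conf() {
    priv=$1; shift
    printf '[Interface]\nAddress = 10.8.0.1/24\nListenPort = %s\nPrivateKey = %s\n' "$WG_PORT" "$priv"
    # Forwarding lets spokes reach each other (mobile -> pc2) through the hub.
    printf 'PostUp = sysctl -w net.ipv4.ip_forward=1\n'
    for p in "$@"; do
        pub=${p%%=*}; ip=${p#*=}
        printf '\n[Peer]\nPublicKey = %s\nAllowedIPs = %s/32\n' "$pub" "$ip"
    done
}

# spoke_conf <spoke_privkey> <spoke_tunnel_ip> <hub_pubkey> <hub_host>
# Prints a spoke's wg0.conf. Only the tunnel subnet is routed through the
# VPN; the spoke's ordinary internet traffic is untouched. The spoke behind
# NAT initiates and keeps the UDP flow alive, so no port forwarding is needed.
spoke_conf() {
    printf '[Interface]\nAddress = %s/24\nPrivateKey = %s\n\n' "$2" "$1"
    printf '[Peer]\nPublicKey = %s\nEndpoint = %s:%s\n' "$3" "$4" "$WG_PORT"
    printf 'AllowedIPs = %s\nPersistentKeepalive = 25\n' "$WG_NET"
}

# webmin_vpn_only <miniserv.conf> <tunnel_ip>
# Make Webmin listen only on the tunnel address and accept only tunnel clients,
# so port 10000 is never reachable from the WAN even if a forward exists.
webmin_vpn_only() {
    conf=$1; ip=$2
    tmp=$(mktemp)
    grep -v -e '^bind=' -e '^allow=' "$conf" > "$tmp" || true
    printf 'bind=%s\nallow=%s\n' "$ip" "$WG_NET" >> "$tmp"
    mv "$tmp" "$conf"
}

# Stand-alone: generate real keys with wg(8) and write both configs.
if [ "${1:-}" = "run" ] && command -v wg >/dev/null 2>&1; then
    dir=${WG_DIR:-/etc/wireguard}; mkdir -p "$dir"
    hub_priv=$(wg genkey); hub_pub=$(printf '%s' "$hub_priv" | wg pubkey)
    pc2_priv=$(wg genkey); pc2_pub=$(printf '%s' "$pc2_priv" | wg pubkey)
    hub_conf "$hub_priv" "$pc2_pub=10.8.0.2" > "$dir/wg0-hub.conf"
    spoke_conf "$pc2_priv" 10.8.0.2 "$hub_pub" pc1.mydomain.org > "$dir/wg0-pc2.conf"
    chmod 600 "$dir"/wg0-*.conf
    # Copy each file to its host as /etc/wireguard/wg0.conf, then on each host:
    #   wg-quick up wg0
    # On pc2 additionally:
    #   webmin_vpn_only /etc/webmin/miniserv.conf 10.8.0.2 && systemctl restart webmin
    # Then browse https://10.8.0.2:10000/ from any spoke (the mobile gets its own
    # key pair and 10.8.0.3 the same way) and accept pc2's self-signed certificate.
fi
```

The only thing exchanged between machines is public keys, which is the “initial key exchange” the reply refers to: the hub lists each spoke’s public key, each spoke lists the hub’s, and a packet from an unknown key is silently dropped. With bind= set to the tunnel address, Webmin no longer answers on the ISP-facing interface at all, so the question of whether Webmin is “secure over the WAN” does not arise.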