Got new certificate from my Org but Webmin still unsecure. Why?

SYSTEM INFORMATION
Browser Edge & Chrome
Webmin version 2.013
Server OS AIX V7.2

My organization requires we use certificates generated by our security dept.
We got it, put it in place and filled out the SSL Cert page. Saved with no error.
But the browsers still show as “INSECURE”
What are we missing?
PLEASE ADVISE

HERE IS WHAT CERT LOOKS LIKE FROM BROWSER VIEW.

Issued to
Common Name (CN) clocert.unch.unc.edu
Organization (O) UNC Health
Organizational Unit (OU)

Issued By

Common Name (CN) UNCHCS-Issuing-CA2
Organization (O)
Organizational Unit (OU)

Validity Period

Issued On Wednesday, September 20, 2023 at 2:47:42 PM
Expires On Friday, September 19, 2025 at 2:47:42 PM

Fingerprints

SHA-256 Fingerprint
5D 2D 6A 5B B4 15 D7 44 73 33 30 A2 95 9E 02 2D 65 20 43 E8 F8 A5 B2 6C AF 7C 87 68 35 52 E5 16

SHA-1 Fingerprint
CD 3E EC 71 11 09 B4 5A 75 39 0F E8 23 A6 8B B2 C7 6A 63 A4

Thanks
Aletha
alethad@unch.unc.edu

Hello, Aletha!

You should try closing and then reopening your current tab by using the following hotkeys – Ctrl + W and then Ctrl + Shift + T (Meta + W and then Meta + ⇧ + T in macOS), which will first close the existing tab and then reopen it, establishing a new session with the server, which will fetch a new/updated SSL certificate (if it was really updated as you suggest).

If that doesn’t help (though it usually does if the SSL certificate was updated), try using an incognito tab. If you still encounter issues, then either the SSL certificate might not have been installed correctly, or your browser might not recognize the Certificate Authority (CA) that issued it.

> My organization requires we use certificates generated by our security dept.

That sounds like a self-signed certificate to me still.

Hi Ilia!
Long time no hear. :slight_smile:

I did send the contents of the certificate in my post and it looks like Webmin does see it. We’re not sure what part it’s having an issue with.

Those instructions did not work so I guess maybe we’re not sure how to install our new certificate.
Can you please tell us the procedure or send the steps? I have pored through the documentation but do not know what we did wrong.

Thank you for your time.
Aletha

Also we are not using Virtualmin, Just Webmin.

If the certificate was issued by your organization (rather than through a CA that is recognized by all browsers), you’d need your browser configured to accept certs signed by your organization CA as trusted. That’s not a Webmin problem, and presumably your organization provides documentation for setting that up.

This one:

It is common for large organizations to have their own CA, so this isn’t surprising. But, it’s not really something we’re able to solve, as it’s a browser/client issue.

Here’s the first search result I found, though I haven’t vetted it for accuracy:

But, it’s very likely your organization provides documentation for this (and it may be automated in some way), since it is large enough to have its own CA.

I noticed the cert is good for two years – another sign that it’s an internal cert as now, all commercial certs are only good for one year :smile:

I take it this is a new server, or at least your first attempt at using Webmin to set up an HTTPS site? That is, if this is an older existing server and website, how was the older cert installed?

Plus, is this really AIX? At some levels AIX is greatly different than many Linux distros :slight_smile:

My one co-worker who had lots of AIX experience retired two years ago, so around my office I have no one to ask for AIX advice, sorry.

Question – your post title is – Webmin is still unsecure — is your issue today about a website on AIX using https and port 443, or connecting to webmin itself on port 10000?

Webmin and TLS certificates are not greatly different on AIX.

As far as I can tell, the solution is the same no matter what OS the Webmin server is running, because the problem is in the browser, not Webmin or the server.

Thanks Joe. No, my organization does not have any instructions to give us so thanks for the link.
I do see the Root CA in my Edge browser. I’ll check the others but I’m sure it’s more than likely there.

Thanks Verne. Yes I have migrated to a new server and this is the first time I’ve had to configure HTTPS as well. It is now required by our Security dept.
And yes this is really AIX but I don’t think that’s a factor.
This is an issue connecting to port 10000.
I’ll keep dinking around with it.
Appreciate it.

I am really old-school and use the cmd line a lot.

I manually edit (on RedHat Linux) /etc/webmin/miniserv.conf and put items in there like:

keyfile=/etc/pki/tls/private/wvnet.key
certfile=/etc/pki/tls/certs/wvnet.crt
extracas=/etc/pki/tls/certs/wvnet_bundle.crt

(these are for our commercial cert) and restart the webmin miniserv process to reload the config. There probably is a panel in Webmin to adjust these as well, or to upload your cert in Webmin and the miniserv.conf modifications are done automatically (I think you said you did it that way).

Hi Verne,
I’m a little old school too.
I think we’re going to try to have another cert generated with an Alternate name. Saw there may be an issue with Chrome newer than V58 that wants/needs an Alternate Name.
If I can get one of the browsers to work I’ll be happy. :slight_smile:

Thanks for the input.
Have a great one.
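
An added example, not part of the thread and not Webmin's own code: a shell sketch of the two checks the posts above point to, reading the `keyfile`/`certfile`/`extracas` entries from `miniserv.conf` and testing whether a certificate's `openssl x509 -noout -text` output lists the hostname in a Subject Alternative Name. The helper names, the `example.org` hostnames and the sample excerpts are constructed for illustration.

```sh
#!/bin/sh
# Added example; helper names and sample data are constructed, not Webmin's.

# conf_get KEY FILE: print the value of KEY= from a miniserv.conf-style file.
conf_get() { sed -n "s/^$1=//p" "$2" | tail -n 1; }

# san_names: read `openssl x509 -noout -text` output on stdin and print the
# DNS entries of the Subject Alternative Name extension, one per line.
san_names() {
    awk '/X509v3 Subject Alternative Name/ { getline; print }' |
        tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# host_in_san HOST: succeed if HOST matches a SAN DNS entry read from stdin,
# exactly or through a leftmost-label wildcard. The subject CN is ignored,
# as Chrome has done since version 58.
host_in_san() {
    host=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    san_names | tr '[:upper:]' '[:lower:]' | while read -r name; do
        case "$name" in
            "$host") echo match ;;
            \*.*) [ "${host#*.}" = "${name#\*.}" ] && echo match ;;
        esac
    done | grep -q match
}

# check_webmin_cert CONF HOST [CA_PEM]: apply the SAN check to the certificate
# miniserv.conf points at; with CA_PEM, also verify the chain, passing the
# extracas file as intermediates. Assumption: keyfile holds the certificate
# too when certfile is unset.
check_webmin_cert() {
    cert=$(conf_get certfile "$1"); extra=$(conf_get extracas "$1")
    [ -n "$cert" ] || cert=$(conf_get keyfile "$1")
    openssl x509 -in "$cert" -noout -text | host_in_san "$2" || return 1
    [ -z "$3" ] || openssl verify -CAfile "$3" ${extra:+-untrusted "$extra"} "$cert"
}

# Constructed excerpts of `openssl x509 -noout -text` output.
sample_with_san() {
    printf '%s\n' '    X509v3 extensions:' \
        '        X509v3 Subject Alternative Name:' \
        '            DNS:webmin.example.org, DNS:*.apps.example.org'
}
sample_cn_only() {
    printf '%s\n' '    Subject: CN = webmin.example.org' \
        '    X509v3 extensions:' '        X509v3 Key Usage: critical' \
        '            Digital Signature, Key Encipherment'
}
```

On the server, `check_webmin_cert /etc/webmin/miniserv.conf <hostname> <org-root-ca.pem>` returns non-zero when the SAN is missing or the chain does not verify against the organization's root.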
