Shorter is better I guess?
EDIT: I guess this is one reason they abandoned the expiration notices emails?
1 Like
The IP address certificate is far more interesting for Virtualmin.
We do a crazy and confusing dance where we try to auto-create a Virtual Server in order to fetch a cert for the hostname of the system if it resolves just to avoid the browser error right after installation. Being able to get one for the IP would solve that more reliably. IP-based certs are stupid and a bad idea in almost every case, except this specific one. Having it only last a few days is even better, because I donât want anyone getting in the habit of using the IP (or the hostname) to talk to the systemâŠonce you have Virtual Servers with certs, you can use any of those. With an IP-based cert, we donât even need the user to have working DNS for anything (the system hostname or whatever) for them to be able to log in to Virtualmin the first time without a browser error.
As for having it last just a couple of daysâthat confuses a lot of users. And if the idea is generally bad in the first place, we shouldnât do it at all, even with exceptions. The hostname-based cert works well right now, and currently I donât see a good reason to invest more time in setting up IP-based SSL, especially if it only lasts a few days.
Yet, it could technically serve as a fallback feature if the hostname SSL cert request fails, but itâd be a pretty complex one to implement!
Because I donât want anyone getting in the habit of using the IP (or the hostname) to talk to the system.
The main reason we eventually decided to automate support for hostname SSL is because people were/are actively using themâand will keep using themâregardless of what we (or anyone else) advocate for or think is the ârightâ way. If that werenât the case, this feature wouldnât exist at all.
With an IP-based cert, we donât even need the user to have working DNS for anything (the system hostname or whatever) for them to be able to log in to Virtualmin the first time without a browser error.
I wouldnât mind automating this, but it needs to be clear and confusion-free. If we set up an IP-based cert, it could be for shortened or a standard duration, but with scheduled renewals. Weâd also need to monitor and update it whenever the IP(s) changes. Keep in mind that a host might have four or more IPs, potentially a mix of IPv4 and IPv6, and all of this would need to be automated to make it a practical and smooth feature.
Generally, Iâm not eager to spend time implementing this, but I wouldnât oppose it either. However, removing the existing feature that creates an SSL cert for the hostname wouldnât be wiseâpeople are using it, and trying to change that would have any practical benefits and only cause confusion and frustration.
Talking of improvementsâI just made a small tweakâthe post-install message wonât show the IP:10000 link anymore if the SSL certificate for the hostname was set up successfully. We can bring it back if we ever decide to support IP-based certsâor for example, when the hostname SSL request fails.
@Jamie, also, Iâm considering updating the Virtualmin installer to have Webmin also listen on port 8443 if the hostnameâs nameservers point to Cloudflare. What are your thoughts on this?
1 Like
I didnât actually know that IP based certs existed until now! But I can see how they could be useful for new installs to avoid the complexity of the default hostname. I will take a look to see how complex this would be to implement..
We could just do that for all installs. Whatâs special about port 8443 though?
There is also the cpanel ports that might be useful. Just an idea. I donât know if they are passed through with cloudflare
Cloudflare only proxies for a handful of ports, and 8443 is one of them. 10000 doesnât work for a Cloudflare address.
ZeroSSL has had this feature for years.
Itâs not only about complexity; itâs about what people would do or expect, regardless of any recommendations. Practice has clearly proven it.
Also, getting it to work smoothly for IP addresses isnât easy. Weâd need to handle all public IPs on the systemâwhich could mean dozens of IPv4s and, eventually, IPv6 too (though they donât support IPv6 yet). Plus, weâd have to keep track of any new IPs being added or removed.
And, according to Letâs Encrypt, it will always be a short-lived certsâjust 6 days. ZeroSSL, on the other hand, gives you 90 daysâweâd need to support both and maybe plan for other SSL providers too, each with their own profiles and rules.
I donât see it to be easy if done thoroughly.
If Cloudflare proxying is turned on, it only allows certain portsâmainly standard web ones. So my.hostname.tld:10000 wonât work, but my.hostname.tld:8443 will. Thatâs just because Cloudflare blocks most other ports when proxying.
2 Likes
We obviously wonât use those!
Seems like thereâs no downside to listening on this port then.
1 Like
I think itâs useful only in the case where the admin is connecting to Virtualmin using an IP address. I would agree that this is pretty low priority thoughâŠ
1 Like
8443 is the Plesk port.
| Service name | Ports used by service |
|---|---|
| Administrative interface of Plesk over HTTPS | TCP 8443, UDP 8443 |
regards
Jan
Just a quick point to consider for Virtualmin setups:
Many users start out with Cloudflareâs free plan when setting up their servers. Since the free plan does not support proxying port 8443, Cloudflareâs Free Plan supports portsâsuch as 2096, 2083, or 2087.
1 Like
The free plan of Cloudflare supports port 8080, just like 8443.
Ports 8080 and 8443 are alternative (http-alt and https-alt) portsânot exclusive to Plesk, just ones they wisely chose to use.
If we choose to listen on an additional port, it will be either 8080 or 8443.
Thanks Ilia, as you have stated - should have checked the source of truth 
.
Here are the Cloudflare details :
Network ports compatible with Cloudflareâs proxy
By default, Cloudflare proxies traffic destined for the HTTP/HTTPS ports listed below.
HTTP ports supported by Cloudflare
80
8080
8880
2052
2082
2086
2095
HTTPS ports supported by Cloudflare
443
2053
2083
2087
2096
8443
Ports supported by Cloudflare, but with caching disabled
2052
2053
2082
2083
2086
2087
2095
2096
8880
8443
2 Likes
cpanel ports are also not official assigned to cpanel
2083 = radsec
8443 = pcsync-https, not https-alt
Plesk has been using ports 8443 from its very beginning in summer 2001
cpanel is more used us the US while plesk is more used in Europe. If you wonât use the cpanel ports then the same reasoning should apply to the plesk ports.
If you plan to use port 8443 only in virtualmin, then go ahead. I doubt that many people will have both plesk and virtualmin on the same server.
But if you also plan to use it in webmin then you will create problems for all the people that use plesk as customer interface and webmin as server configuration tool.
regards
Jan
Yeah, weâd only set Webmin to use port 8443 during the Virtualmin post-install setupâand only if the hostname is using Cloudflare nameservers.
Webmin and virtualmin use the same port as virtualmin is a module of webmin, so just change the webmin port and everything will work
Not sure how this affects the conversation but it is easy to forget. Never really knew the âwhyâ of the range.
The range is meant for possible use in RPC calls, using the current Webmin port (i.e. default 10000) plus up to 100 additional ports.
OK. Partially I didnât want folks to forget there is a range even if it doesnât affect this application of it.