Primary SSL cert for main domain

have a look here:

Webmin → Servers → BIND DNS Server

Is poseidon.salford.ac.uk listed here?

Yes. If I search for it with Find zones on the BIND page the hostname is listed (without any prefix)

poseidon.salford.ac.uk
or
salford.ac.uk

the word prefix does not help :slightly_frowning_face:

try

  • change setting to yes, but keep visible to no
  • re-check config
  • change setting to yes, but keep visible
  • re-check config

see if this fixes it.

It might not like changing from yes to yes, but keep visible

poseidon.salford.ac.uk is listed in the DNS zones and seems correctly configured

I know I don’t completely understand your situation so:

When you installed Virtualmin, what domain did you use? something.domain.tld or domain.tld? It is suggested in the setup guide to use anything.domain.tld, but it has to verify. That is the domain the Webmin server will run on.

Who is handling your DNS? Outside registrar or Virtualmin?

Does every domain you are trying to get a cert for resolve? Including the one you used to install virtualmin on. This will be the domain (or sub depending on what you did) webmin server runs on. Don’t try to run a site from the domain webmin server runs on.

I have external DNS and set records for serv.domain.tld
I installed on serv.domain.tld and made a virtual server for serv.domain.tld and got an LE cert.

If I log in on serv.domain.tld:10000 the page shows https://serv.domain.tld:10000/page in the bar

If I log in on domain.tld:10000 (or any of my other domains:10000) it goes to https://serv.domain.tld:10000/page

If I go to serv.domain.tld it goes to a page called "Host default page" that is not secure but should never be served

I have a server at domain.tld with a cert. If I go to domain.tld it goes to https://domain.tld/page

I think what you have been chasing has probably created some additional problems.

I think the OP wants a website running on his hostname with SSL so his security team feel better.

best-practices-for-choosing-the-system-hostname-during-setup

This thread is way too long to be guiding you in a reasonable direction (and way too long for me to read it all).

If it’s this complicated, the answer is “Don’t. You’ve taken a wrong turn somewhere and you’re trying to do something in a way that doesn’t fit the tools.”

Use any domain you’re managing in Virtualmin to log in to Webmin. Don’t do anything with the system hostname (which should, generally, not match any domain you are virtually hosting in Virtualmin…as covered in the docs in multiple places).

I have tested it. Adding your server’s hostname as sub-server does not affect Virtualmin in any negative way. If I remember correctly, cPanel does the same thing.

It would never affect Virtualmin. Virtualmin isn’t the thing that has a problem with having multiple things with the same name. The biggest issue would be Postfix, so if you try to virtual host mail on the same name as the hostname of the system, that’s a problem (because then postfix tries to map user@domain.tld to user@domain.tld which is nonsensical). There are other implications for other services. Virtualmin is not among the services that will be confused, though.

But, I recommend you don’t name your server something you want a website for. Just name it anything else. You never have to think about the name again or use it for anything.

To be clear: The system hostname is not the “main domain”. It’s nothing. It’s just a name.

You never have to use it for anything. You never have to worry about getting a certificate for it. You never have to worry about whether someone gets a cert warning for it, because you never have to give out the system hostname as an address that people can connect to. It’s not the main domain.

Just don’t name your system some name you want to use for something in Virtualmin. It’s super simple. Don’t make your system hostname important.


Isn’t the hostname used for email delivery? How can you deliver emails with TLS without an SSL certificate? That is not possible as far as I know. I have not experienced any issues with the mail. TLS and DKIM both work. Every sent email is signed and secured.

It is used when sending mail (though it doesn’t necessarily have to be, Virtualmin supports sender-dependent maps), and you don’t need a server certificate to operate as a client, which is what happens when sending mail.

For receiving mail, you can use any name you want. It is never the hostname of the system (it can’t be, because all mail in Virtualmin is virtually hosted…again, if you try to virtual host a domain that is the same as the hostname of the system postfix is trying to map user@domain.tld to user@domain.tld which is nonsense).

Of course. Virtualmin has support for all of that. Has nothing to do with system hostname.

Everything works if you let it.


You know you can get a cert for both at the same time?
Just ask a new cert and use
domain.tld
server.domain.tld

I always do it like that.

I do it the other way around: make sure the hostname doesn’t have a DNS A record. With this method the browser returns the "could not find address" error. Depends if you want the hostname resolvable or not.

The main domain (:443) isn’t doing anything and I don’t want or need it to do anything, but unfortunately it seems to be what the security scanner someone is concerned about, so we have to care about it.

I cannot create a new subdomain as/for the main domain because we already have a DNS zone that matches the main domain / hostname.

I will admit we didn’t put very much thought into how the main domain and subdomain would be structured, we pretty much followed the vmin defaults. Arguably never the best practice I realise but here we are.

As I mentioned before, I think one solution here might be to change our main domain login to use 443 instead of 10000. What are our other options here? Blocking port 443 obviously isn’t an option and I’m not keen on temporarily having to delete a DNS zone; that doesn’t sound like a safe thing to do to a production server.

You keep using the phrase “main domain”, there is no such thing.

Your system hostname does not need to be configured in Apache.

And, any hostname that is configured in Apache can get a certificate.

I want people visiting

https://poseidon.salford.ac.uk:10000/ (this has a valid SSL cert and is the main login vmin login page)

to get the same page as when people visit:

https://poseidon.salford.ac.uk:443/ (this does not, and people shouldn’t really be using it)

That is the root problem I’m trying to solve here, I’ve just used poor terminology to describe my problem. Sorry about that!

How do I most easily and safely do that? Maybe I should use a proxy feature in Apache or within Webmin?

WTF. If nothing comes up then it is simply a check list item. If there is no site configured there, even a default page, then it isn’t a REAL issue. Otherwise, put up a blank page and be done with it. Or better yet, a redirect?

Something that isn’t there isn’t a security threat. Is this an outside scan or someone in the company with software they know nothing about? Yeah, I’ve done network security and know the idiocy that can be involved because someone doesn’t understand this stuff or the tools they use.
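The redirect option suggested above, written out as an added example that is not from anyone in this thread: an Apache vhost for the system hostname on :443 that reuses the certificate Webmin already presents on :10000 and sends every request there, so the insecure "Host default page" is never served. The certificate and log paths are assumptions; substitute the files Virtualmin actually issued.

```apache
# Added example (not from the thread): catch https://poseidon.salford.ac.uk:443/
# and send it to the Webmin login on :10000 with the same certificate.
<VirtualHost *:443>
    ServerName poseidon.salford.ac.uk

    SSLEngine on
    # Full chain (leaf + intermediates) and private key of the existing cert.
    # Paths are assumptions; use whatever Virtualmin wrote for this hostname.
    SSLCertificateFile    /etc/ssl/virtualmin/poseidon.salford.ac.uk/fullchain.pem
    SSLCertificateKeyFile /etc/ssl/virtualmin/poseidon.salford.ac.uk/privkey.pem

    # No DocumentRoot is needed: every path, including /, is redirected,
    # so there is no default page for a scanner to find here.
    Redirect permanent / https://poseidon.salford.ac.uk:10000/

    # Log the redirect hits separately so scanner traffic is easy to spot.
    # Log path is an assumption.
    CustomLog /var/log/apache2/poseidon-redirect.log combined
</VirtualHost>
```

Check it with `apachectl configtest`, reload, then `curl -I https://poseidon.salford.ac.uk/` should return a 301 with `Location: https://poseidon.salford.ac.uk:10000/` and no certificate warning.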