"Set as Default Services Certificate" option available for shared-IP virtual servers?

OS type and version CentOS Linux 7.9.2009
Webmin version 2.001
Virtualmin version 7.3
Related packages SSL management

This is just a question about a feature that actually works pretty well in my last Webmin/Virtualmin deployment.

My hostname/main domain of this server has a wildcard certificate. I use an individual dedicated ip for this main domain. Then I set this wildcard certificate as the default for all the services (Webmin, Usermin, Dovecot, Postfix, and ProFTPD).

Then I use Virtualmin with a shared-ip for all other virtual server users, each of them with their domains having a LETSENCRYPT certificate, which is working fine too for their individual request to Virtualmin, Usermin, Dovecot and Postfix (last version which supports SNI) through their individual domains.

But I was wondering, why under the shared-ip virtual server user interface this option “Set as Default Services Certificate” is available? Is it not supposed to be that option only available for the administrator of the server, since it’s an option that affects a global parameter for services?

I haven’t tried clicking on that button yet (logged as a virtual server user / virtualmin, not root/admin), but not sure if it does what it says. Could any virtualmin server user overwrite what the admin already set server wide (global) for those services?

Thanks in advance

That button should only be visible to the root user. Are you saying that when logged in as the domain owner user (not merely looking at the domain as the root user) you see the button to make it the default?

Yes, exactly. When I logged as a regular user that button still appears. I even tried in a different browser, just in case the cache from my Chrome browser is still reading the root session. Still appears.

@jamie @ilia I can’t reproduce this, but it sounds problematic. Domain owner should never be able to switch the default SSL cert for the whole server, even if they have access to the manage SSL certificates page.

Oh, wait, does your user have sudo ALL privileges? If so, that user is a root user as far as Webmin is concerned.

I don’t think they are in sudo group.

I just ran

[root@xxx ~]# sudo -l
Matching Defaults entries for root on xxx:
User root may run the following commands on xxx:
    (ALL) ALL

[root@xxx ~]# groups virtualminuser
virtualminuser : virtualminuser

[root@xxx ~]# ls -l /etc/sudoers
-r--r----- 1 root root 4328 Sep 30  2020 /etc/sudoers

Also, about both users that I tried logging into their virtualmin accounts: one was imported years ago from CPANEL, the other one was created last year directly on Virtualmin. I haven’t assigned any root privileges to those users manually. Both of them can see that button “set as default services certificate” in their respective “SSL CERTIFICATE” page under Server configuration, individually.
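The manual check in the post above (sudo -l, groups, a look at sudoers), as an added example that is not from the thread or from Virtualmin: a POSIX shell audit that parses sudoers-style text and /etc/group-style membership, both constructed here, to decide whether a given domain-owner account holds unrestricted sudo, which is what makes Webmin treat that account as root. The sample file contents and the user names opsadmin and virtualminuser are assumptions.

```shell
#!/bin/sh
# Constructed sample sudoers content (not any real server's file).
SAMPLE_SUDOERS='## constructed sample
Defaults    requiretty
root    ALL=(ALL)       ALL
%wheel  ALL=(ALL)       ALL
opsadmin ALL=(ALL) NOPASSWD: ALL
virtualminuser ALL=(root) /usr/bin/systemctl restart postfix'

# Constructed /etc/group-style content: wheel has two members, the
# domain-owner account has a group of its own with no extra members.
SAMPLE_GROUPS='wheel:x:10:root,opsadmin
virtualminuser:x:1001:'

# Read sudoers text on stdin and print each principal (user or %group)
# whose rule grants "ALL" as the command, e.g. "root ALL=(ALL) ALL" or
# "opsadmin ALL=(ALL) NOPASSWD: ALL". Rules limited to specific commands
# (like the virtualminuser line above) are not reported.
sudo_all_principals() {
  sed 's/#.*//' |
    awk '$0 ~ /=[[:space:]]*\(.*\)[[:space:]]*(NOPASSWD:[[:space:]]*)?ALL[[:space:]]*$/ { print $1 }'
}

# user_has_sudo_all USER SUDOERS_TEXT GROUP_TEXT
# Prints "yes" and returns 0 if USER is granted unrestricted sudo either
# directly or through a %group rule; otherwise prints "no" and returns 1.
user_has_sudo_all() {
  user=$1; sudoers=$2; groups=$3
  for p in $(printf '%s\n' "$sudoers" | sudo_all_principals); do
    case $p in
      %*) g=${p#%}
          # Fourth field of the matching group line is the member list.
          members=$(printf '%s\n' "$groups" | awk -F: -v g="$g" '$1 == g { print $4 }')
          case ",$members," in *",$user,"*) echo yes; return 0 ;; esac ;;
      *)  [ "$p" = "$user" ] && { echo yes; return 0; } ;;
    esac
  done
  echo no
  return 1
}

# Walk the constructed accounts; "|| :" keeps the demo exit status clean.
for u in root opsadmin virtualminuser; do
  printf '%s: ' "$u"
  user_has_sudo_all "$u" "$SAMPLE_SUDOERS" "$SAMPLE_GROUPS" || :
done
```

On a real host the same functions can be fed with `cat /etc/sudoers /etc/sudoers.d/*` and `getent group` output as root; a domain owner that comes back "yes" is effectively root to Webmin regardless of which buttons are shown.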

This is a bug - those buttons shouldn’t even be visible to the non-root user. Fortunately they don’t actually work if clicked, but I’ll make sure they are hidden in the 7.5 release.

Thanks for the replies guys. And thanks for the clarification that the button is not functional. I didn’t click on it (didn’t want to mess with configs).
By the way, I’m fine with the top button (the one that each Virtualmin user can activate the certificate for the services for individual domains). If they acquire a certificate, I don’t see a problem with them playing with that configuration for the services they use, individually. So please, do not remove the one from the top (if it’s functional). The only button that I would like to see removed from the user interface is the one in the bottom, which is for global purposes. Only root should have both buttons.

Thank you guys for this super useful platform for server admins. This is a time-saving tool. I really appreciate it.

Our goal actually is for these buttons to never be needed at all, and for the SSL cert to be copied to per-service configs automatically upon domain creation.
