I’m trying to get SSL access to work properly on my virtualmin/usermin admin and webmail ports. Not sure if I’m asking the impossible here, but it seems as if it should work.
I have a main server (mail.mckerracher.net) hosting a mail server and several sites on the shared IP that don’t use SSL. But I also have sites on that server that have their own dedicated IP address and SSL certificate for eCommerce purposes.
SSL access on port 443 generally works fine on all of the above, EXCEPT when accessing the webmin/usermin ports. When I try those, I get a browser warning that the certificate for the site doesn’t match the IP address, which resolves to the server name (mail.mckerracher.net).
Is there a way to configure virtualmin/usermin so that this works - in other words, so that the webmin/usermin servers appear to be on the static IP address for each individual site, thus matching the certificate?
Certificates are not matched against IP addresses, but only against the hostname you entered in the browser (except of course if you happened to enter an IP address in your browser, which is rather unusual).
So if you browse to “https://something.mckerracher.net:10000”, the certificate must be valid for either specifically that, or for *.mckerracher.net (wildcard cert).
Thanks for the clarification. I confirm that I do NOT see an error if I browse to https://mckerracher.net:11100, or to http://mail.mckerracher.net:11100 (I’m using port 11100 instead of the default 10000).
But if I browse to say https://www.bromleysymphony.org:11100 which is on its own separate IP address but the same server, I get the message (e.g. in Chrome) “You attempted to reach www.bromleysymphony.org, but instead you actually reached a server identifying itself as mail.mckerracher.net.” Yet https://www.bromleysymphony.org (without the port) is fine. Is there anything I can do to prevent that misidentification?
Webmin uses a mini-webserver of its own, independent from Apache, which has its own certificates. When you browse to port 443 (or give no port at all), Apache handles the request. When you browse to port 11100 (in your case), Webmin’s webserver will handle it.
So to not see a mismatch warning, you need to import your certificate in Webmin as well.
Of course the certificate you upload to Webmin must be valid for all URLs that you want to browse to without seeing a warning (multi-domain certificate).
Thanks for the clarification - I suspected as much.
Is there any point in raising a feature request to get the same behaviour Apache has (matching certificates to virtual domains) implemented in the webmin mini-webserver? That would allow the expected behaviour without an (expensive) multi-domain certificate but it sounds like a lot of work.
The only alternative I can see is to redirect the webmin/usermin ports of the domains with private IP addresses back to the main server where webmin runs. That works, but is potentially confusing for users and encourages them to trust a changing domain name, which isn’t a good idea.
Hmm, I suspect it can’t hurt making that feature request. It doesn’t sound too terribly complicated to implement, and it might indeed be advantageous.
You should note though that selection of the certificate according to requested domain only works if you either have a different IP address per domain, or your browser (and the miniserv) supports SNI. Otherwise the webserver cannot decide which certificate to use, because to do so, it needs to read the request header, which is only done after the SSL setup is already complete.
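A small checker, added here as an example (it is not code from the thread or from Webmin), that applies the hostname rule from the earlier reply to a certificate's DNS names and can also fetch whatever certificate a port such as 11100 presents, with or without SNI. The `cryptography` package (used only for the live fetch) and the sample names are assumptions.

```python
import socket
import ssl


def hostname_matches(hostname, san_names):
    """Browser rule: exact (case-insensitive) match, or a single-label wildcard
    such as '*.mckerracher.net' that covers 'www.mckerracher.net' but neither
    'mckerracher.net' itself nor 'a.b.mckerracher.net'."""
    host = hostname.lower().rstrip(".")
    for name in san_names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*.") and host.endswith(name[1:]):
            label = host[: -len(name[1:])]          # the part the '*' stands for
            if label and "." not in label:
                return True
    return False


def fetch_san_names(host, port, use_sni=True):
    """Return the DNS names in whatever certificate host:port presents, with or
    without SNI. Chain validation is deliberately off so a self-signed Webmin
    cert is shown too. Assumes the third-party 'cryptography' package."""
    from cryptography import x509  # lazy import; the offline checks do not need it

    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False     # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host if use_sni else None) as tls:
            der = tls.getpeercert(binary_form=True)
    cert = x509.load_der_x509_certificate(der)
    san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName)
    return san.value.get_values_for_type(x509.DNSName)


def diagnose(hostname, port, san_names):
    """Word the result the way Chrome does in the thread."""
    if hostname_matches(hostname, san_names):
        return f"{hostname}:{port}: certificate covers this name"
    return (f"{hostname}:{port}: you asked for {hostname} but the server "
            f"identified itself as {', '.join(san_names) or '(no DNS names)'}")


if __name__ == "__main__":
    # Constructed sample: a Webmin cert that only names the server itself.
    webmin_cert = ["mail.mckerracher.net"]
    print(diagnose("www.bromleysymphony.org", 11100, webmin_cert))
    print(diagnose("mail.mckerracher.net", 11100, webmin_cert))
```

Comparing `fetch_san_names(host, 11100, use_sni=True)` with `use_sni=False` shows whether the miniserv picks a certificate by name or always hands out the same one.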