The Web Server is running in SSL mode. Try the URL https://SERVER IP ADDRESS:10000/ instead

Hi guys,
I spun up a new server a few months or so ago and have been busy and have not done anything with it.
It’s a blank install and has no domains currently (just Virtualmin GPL).

I originally thought the server was working fine; however, when I tried to log into Webmin this morning I get:

The Web Server is running in SSL mode. Try the URL https://SERVER IP ADDRESS:10000/ instead.

I can log in via IP address.

It has a Let’s Encrypt SSL install in Virtualmin, and that is used by Webmin, Postfix, Usermin etc. as per the usual button under Virtualmin tab > SSL > Current Certificate in the Virtualmin GUI.

In the Webmin tab, I got a new certificate just to make sure it’s up to date; however, this doesn’t seem to make any difference to the problem.

I have checked dns settings and mxtoolbox is returning the correct results for:
dns lookup = correct ip address
reverse dns = hostname.domain.com (as expected)

If I log in via the Safari web browser and bypass the SSL certificate issue that prevents me from even accessing the server via IP address in Google Chrome…

I can then go to File Manager > ETC > Webmin > miniserv.conf and
edit line 10, “SSL=1”, such that it reads “SSL=0”,

restart Webmin in Webmin > System > Bootup and Shutdown > scroll to the bottom of the list and check webmin > then click the restart button.

After doing the above, I can log into Webmin/Virtualmin GPL immediately.

How do I fix this problem so that I can access the Webmin/Virtualmin interface in SSL mode?

EDIT
I forgot to mention 1 other thing…

I have 2 servers:

server1.domain.com (my older Virtualmin machine with SSL, which also has my domain.com website on it as a virtual server)
server2.domain.com (my new Virtualmin machine, which I am having SSL problems with and which is a blank machine)

where domain.com is identical for the two machines.
Both use Let’s Encrypt SSL.

What is the problem?


The error in the title of the original post…

When I try to access https://server2.domain.com:10000 I get the following error:

Your connection is not private

Attackers might be trying to steal your information from server2.domain.com (for example, passwords, messages or credit cards). Learn more

NET::ERR_CERT_INVALID

Chrome won’t let me access the URL beyond this point.

I have updated the certificate in Webmin… it makes no difference, even though it shows today’s date (after I update it).

Here is an image of my SSL settings.

Type thisisunsafe while that SSL error page is visible in Chrome. You will be able to pass this screen and later use Virtualmin / SSL Certificate page to request an SSL certificate for the given web-server, which will automatically be added to Webmin to be used (for this warning to go away) by its webserver (miniserv).

Let’s Encrypt has changed the root certificate just a while ago. This may be the reason. I wonder if my suggestion above worked to bypass the error though?

Next, make sure that you install the latest package updates, as in this case it is important.

You can switch to using the default Webmin /etc/webmin/miniserv.pem file for the private key and setting Certificate file to Same file as private key. Like this:

Has Webmin been restarted? Have you tried using a new browser or incognito tab, as certificate information could be incorrectly cached by some versions of the browsers?

My assumption is that it may be because I have two systems with the same primary name…

i.e. server1.mydomain.com
server2.mydomain.com

where mydomain.com is identical.

Would this be the problem, and is its solution that I need to use one of the servers’ SSL certificate requests to request a certificate containing the second server’s credentials, and then manually copy that certificate to the second server?

Is there a better way of doing this?

I am guessing I should simply be requesting only a wildcard SSL… something like

*.mydomain.com (for both server1.mydomain.com and server2.mydomain.com)

Will this work if my server also hosts email for client domains that do not have their own dedicated IP?

We use external DNS, but it should work if you use DNS correctly locally on the boxes too. (Can’t help with that.)

External DNS, then of course no wildcards, or also no *.mydomain.com.
Then no problem.

All boxes / systems: own domain / hostname is working here (vp1, vp2 and so on).

You have to manually copy the DKIM part (one time; if changing for security, then more times) to the DNS services, but no SSL certs of course.

If using TLSA with DNSSEC then also manual…

On the server2.mydomain.com box I created a server for that name, and there the certs, and copied them for use in the system for Dovecot / Postfix … and co., while we use the hostname as mailserver / MX records for all domains on it. This cert is also for Virtualmin and Usermin.

This is also because for some bigger mail services you need an imprint page with contact info on the mailserver / hostname to get off the blacklists for the mailserver IP. And some basic mail addresses for this one of course, such as abuse, postman, …

EDIT: do you use wildcard SSL?

A wildcard is almost never the right answer. It has unavoidable security implications, as well as being harder to validate.

I am not fully understanding the above answers…

Here is what I think the problem is, and I do not see how there is any way around this for automatic SSL.

server1 contains the domain “adam.com”, “server1.adam.com”, and so on. I have a different box called server2.adam.com that I eventually wish to transfer everything across to. However, I do not want any of server1’s information to be carried across… it’s a fresh system. The only stuff I want carried across is the websites… nothing else, but I can’t even log into the server.adam.com Virtualmin interface to install SSL; the Google Chrome browser won’t even allow access to the URL.

There is a virtual server on server1.adam.com with the website “adam.com”.

DNS records for “adam.com”, which are hosted by the registrar, not me, obviously must point to the IP address of “server1.adam.com”.

Based on the above, I do not see how it is possible for server2.adam.com on a different IP address to pass the ACME test when the check, as it is performed, checks the “adam.com” DNS records first.

Surely that means that the ACME test can never pass on two servers with different IP addresses where the primary domain name is the same (i.e. “adam.com”).

So, in light of the above, how do I fix this so that server2.adam.com has a valid SSL record and can be accessed in the Google Chrome browser? (At present it is not possible to even access it at all… I cannot get anywhere near the Virtualmin login screen.)

Is the only option to disable SSL mode for accessing the root login for Virtualmin/Webmin server1.adam.com:10000?

Let’s Encrypt can validate either via web request or via DNS. You do not need both. Web is preferred for all except wildcard certs (which I do not recommend, and which require DNS validation, which means Virtualmin must manage the DNS for the zone in question).

You must have a valid DNS record pointing to the host you want to validate and only try to validate hostnames that are hosted by Virtualmin on the system you’re requesting them on.

server2.adam.com is a completely different name from adam.com, with regard to web or DNS validation. They simply do not have any relationship at all, according to Virtualmin and according to Let’s Encrypt. I don’t understand what you think adam.com has to do with server2.adam.com, if they’re hosted on different systems?

Just create a new A record for it and point it to the IP of server2.
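
The point of the last two replies, as an added example that is not part of the thread: each hostname is validated and matched on its own, so server2.adam.com needs its own A record and a certificate that names it. The `keyfile`/`certfile` keys are assumed from a standard miniserv.conf, and the names, IPs and config text are constructed sample data.

```python
# Added example (not from the thread). Certificate names and IPs below are
# constructed sample data; 192.0.2.0/24 is a documentation-only range.

def name_matches(pattern: str, host: str) -> bool:
    """True if a certificate name covers host. A leading '*' stands for
    exactly one left-most label, so '*.adam.com' covers 'server2.adam.com'
    but neither 'adam.com' nor 'a.b.adam.com'."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return p[1:] == h[1:]
    return p == h


def parse_miniserv(text: str) -> dict:
    """Parse key=value lines of miniserv.conf; keys are lower-cased."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip().lower()] = value.strip()
    return conf


def served_cert_path(conf: dict):
    """File miniserv takes its certificate from, or None when SSL is off.
    An empty certfile means 'same file as private key'."""
    if conf.get("ssl") != "1":
        return None
    return conf.get("certfile") or conf.get("keyfile")


def diagnose(host, cert_names, a_records, server_ip):
    """List the reasons host cannot be validated or trusted on this box."""
    findings = []
    if server_ip not in a_records:
        findings.append(f"dns: {host} has no A record pointing at {server_ip}")
    if not any(name_matches(n, host) for n in cert_names):
        findings.append(f"cert: no name in {sorted(cert_names)} covers {host}")
    return findings


SAMPLE_CONF = "port=10000\nssl=1\nkeyfile=/etc/webmin/miniserv.pem\ncertfile=\n"

if __name__ == "__main__":
    print(served_cert_path(parse_miniserv(SAMPLE_CONF)))
    # Certificate copied from server1, DNS still pointing at server1:
    for f in diagnose("server2.adam.com", ["adam.com", "server1.adam.com"],
                      ["192.0.2.10"], "192.0.2.20"):
        print(f)
```

An empty findings list for server2.adam.com means the name resolves to this box and the certificate Webmin serves names it, which is what HTTP validation and the browser each check.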
