Virtualmin Password Recovery module issue

I am still chipping away at this one.
What I think I know so far:
Both my “working & problem servers” (problem = password recovery page not showing) have the same link associated with the orange button:
<a target="_blank" href="/virtualmin-password-recovery/" class="btn btn-warning"><i class="fa fa-unlock"></i>&nbsp;&nbsp;Forgot your Webmin password?</a>

Resulting in a browser window with address DOMAIN:10000/virtualmin-password-recovery/

The issue is about how that address is then resolved/treated. On the working server the link is followed to the index.cgi file in /usr/share/webmin/virtualmin-password-recovery/
On the problem server this is MOSTLY not the case & I simply get another window/tab with the Webmin log in page repeated.
However in the Chrome session I have open now somehow this has changed & “the problem” server is acting the same as the good server - password recovery page is reached.
So it’s fixed? No, as I now have the weird behaviour that if I enter DOMAIN:10000/virtualmin-password-recovery/ in this Chrome session all seems well, but if I copy that address to Firefox or Edge on same machine (or Chrome on another machine) I still have the issue.
It seems there is some tiny glitch in resolving DOMAIN:10000/virtualmin-password-recovery/ so that it now works in this one Chrome session, some link made or gap bridged & now things are behaving as they are supposed to.
But in a fresh browsing session I still have the issue.

Sorry. I remember about this issue, I just haven’t had a chance yet to look at it. I will update this ticket when it’s done.

Hi Ilia - any progress on this one?
Let me know if I can do anymore investigation.
I’m coming to the end of some other work & will try to get back to looking at this myself, though, as above, I’m at the limit of my knowledge/skill in taking further.

I’m starting another round of attempting to fix (or at last understand) this issue now.
If, by some chance, you have given this issue any further consideration & can provide me any information that will help me please let me know.

So far I have discovered that IT SEEMS that whatever I edit the link in /usr/share/webmin/authentic-theme/session_login.cgi to be
(e.g. I have tried creating a test.html file in the same /usr/share/webmin/authentic-theme/ directory & attempting to link to that)
when the button is pressed (the link used) you just get another copy of /usr/share/webmin/authentic-theme/session_login.cgi in a new tab

The work I’m doing - documenting full process for use of Virtualmin in my organisation - is now held up by the issue with Password Recovery Module & I’m not making progress either via this ticket or trying to solve it myself.
I’ve experienced the issue in multiple installs. The most recent was a trial of the beta installer that was avaialble for 22.04 compatibility when 22.04 wasn’t on the list of supported systems. The one before was the stable installer on 20.04.
As some time has passed since my last creation of a new Virtualmin VM I just checked & 22.04 is now listed as fully supported. Consequently I’m going to have a go at a fresh install in the hope things have changed & issue won’t be there. Grasping at straws, but I don’t have another route to go, other than getting someone more technically able to investigate the issue.

We have discussed it with @Jamie, and password recovery functionality will be implemented as WebminCore feature in the future.

@FrancisW so it’s expected that the “Forgot your Webmin password?” button will open up a new page with a URL like https://yourdomain.com:10000/virtualmin-password-recovery/

I didn’t quite follow what goes wrong after this point though?

Hi @Jamie
Thanks for your response. Let me rephrase the paragraph from my original post opening this topic, for more clarity:

Expected behaviour:
Clicking the “Forgot your Webmin password?” orange button on : DOMAIN/:10000/session_login.cgi opens a new browser tab which has the address DOMAIN:10000/virtualmin-password-recovery/ & displays the desired password recovery page.

Actual behaviour (on my newer installs, older installs are OK):
Clicking the “Forgot your Webmin password?” orange button on : DOMAIN/:10000/session_login.cgi opens a new browser tab which has the address DOMAIN:10000/virtualmin-password-recovery/ BUT this does NOT display the password recovery page, but “another copy” of the Webmin log in page (= pressing the orange password recovery button just opens another log in page with another orange password recovery button).

Seems like access to the password recovery module while not logged in isn’t working. Is there any anonymous= line in your /etc/webmin/miniserv.conf file ?

Yes, the line is:
anonymous=/virtualmin-password-recovery=

Try changing that to anonymous=/virtualmin-password-recovery=anonymous , then running /etc/webmin/restart

Also, is there an entry in /etc/webmin/webmin.acl for the user anonymous ?

I have made the change you specify, but it has not fixed the issue.

The line in /etc/webmin/webmin.acl is:
anonymous: virtualmin-password-recovery

Ok we found the bug that causes that anonymous= line to be incorrectly created.

After fixing it to be like anonymous=/virtualmin-password-recovery=anonymous , do you still get the same error when trying password recovery?

Hi Jamie
Yes I have made that change & no it has not fixed the issue

Hi @Jamie - do we have any progress on this?

I’d like to make clear my circumstances are perhaps different to people generally putting in a ticket.

  1. I have no real need to “fix” the particular Vmin install I’m working on/have running at the moment. It’s a test bed to help me develop documentation (though when I’m happy with my documentation I will create a new Vmin server based on it, that will be our new production server).

  2. What I do need is the issue I’m encountering to be solved “going forward”. If you were to say to me “We don’t seem to be able to patch your already created server, however we’ve made a change that we’re confident will mean a new install of Virtualmin & the Password Recovery module will not have the issue you’re encountering” that will be fine.
    That of course would mean you’ve found something & made a change to your install packages, I’m not saying that is necessarily what will happen, it may be that I am repeatedly making some mistake in my install, which causes the issue on a repeating & consistent basis (over maybe 4 installs now).
    I need to either know what wrong step I’m taking, so I can change it - or have you find there’s an improvement you can make your end. Either way I need a (working) password recovery function.

Thank you for your help so far on this.

So we found a couple of bugs in Webmin that can cause this kind of incorrect setup. And the next release (version 2.011) will fix this for future installs…

Ah, that’s great to know. When do you expect to release that? I need to decide on either waiting a few days & able to start a clean install & complete run through of my set up work & documentation, hopefully finishing with a server I can go on to use, or, if longer wait, I might do more work on the server I currently have (with the issue) while I’m waiting.

Within a week I’d estimate…

1 Like

This topic was automatically closed 8 days after the last reply. New replies are no longer allowed.