I have a new Ubuntu 22.04.3 server minimal. I have installed Webmin and all is well. The challenge I have is that I want to secure Webmin access using SSL. This is not a Virtualmin host, simply a host server with Webmin installed and all its useful sysadmin goodness.
There is nothing else installed. No apache etc.
I am trying to work out how to install a Let’s Encrypt SSL cert into Webmin so that Webmin uses that for all web access. It is set to automatically route any web connections to SSL.
Webmin is running on a non-standard port, i.e. not 10000.
I can see what the issue is. When using the dialogue-box-driven Let’s Encrypt request cert process, Let’s Encrypt expects a web server on port 80. The only web server is Webmin itself, running on a non-standard port.
Does anyone know how to use Let’s Encrypt to install a cert into Webmin?
Webmin can only do it if there’s a web server installed. It might be able to do DNS validation instead, if it’s managing DNS (I’m not sure about this, I don’t use the Webmin Let’s Encrypt feature, at all, only Virtualmin).
You probably need to just use the certbot standalone mode, if you don’t have a web server on the system. Webmin’s server can’t do it, AFAIK, because it usually doesn’t run on port 80 and the LE will only validate if it can fetch the validation file from the domain you’re claiming to own in the .well-known dir.
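Added example (not part of the thread, and not Webmin's or certbot's own code): a certbot deploy hook for the standalone approach described above, which points Webmin's miniserv at the issued files after each issuance or renewal. The `miniserv.conf` keys `keyfile`, `certfile` and `extracas`, the path `/etc/webmin/miniserv.conf`, the `webmin` systemd unit, the hook's install path and the hostname `webmin.example.com` are assumptions.

```shell
#!/usr/bin/env bash
# Certbot deploy hook: point Webmin's miniserv at a freshly issued certificate.
# Issue the cert with certbot's built-in standalone server (needs inbound
# port 80 free and reachable while it runs):
#   certbot certonly --standalone -d webmin.example.com \
#       --deploy-hook /usr/local/sbin/webmin-le-hook.sh
# Assumed: miniserv.conf keys keyfile/certfile/extracas, the config path
# /etc/webmin/miniserv.conf, and a systemd unit named "webmin".

# Replace KEY=... in FILE (or append it). The file is rewritten in place so
# its owner and mode are kept.
set_conf_key() {
    local file="$1" key="$2" value="$3" rest
    rest=$(grep -v "^${key}=" "$file" || true)
    {
        [ -n "$rest" ] && printf '%s\n' "$rest"
        printf '%s=%s\n' "$key" "$value"
    } > "$file"
}

# install_webmin_cert LIVE_DIR CONF
# LIVE_DIR is a certbot lineage directory holding privkey.pem, cert.pem
# and chain.pem.
install_webmin_cert() {
    local live="$1" conf="$2" f
    # Refuse to touch the config unless every file certbot should have
    # written is present and non-empty; a half-written set would leave
    # Webmin unable to start its TLS listener.
    for f in privkey.pem cert.pem chain.pem; do
        [ -s "$live/$f" ] || { echo "missing $live/$f" >&2; return 1; }
    done
    [ -w "$conf" ] || { echo "cannot write $conf" >&2; return 1; }
    set_conf_key "$conf" keyfile  "$live/privkey.pem"
    set_conf_key "$conf" certfile "$live/cert.pem"
    set_conf_key "$conf" extracas "$live/chain.pem"
}

# certbot exports RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/<name>) to
# deploy hooks; when the variable is absent this file only defines functions.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    install_webmin_cert "$RENEWED_LINEAGE" /etc/webmin/miniserv.conf &&
        systemctl restart webmin
fi
```

Because certbot only needs port 80 during issuance and renewal, Webmin itself can stay on its non-standard port and off the public interface the rest of the time.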
OK, that bit I just about understand. (but my bad grammar) was why LE SSL when Webmin comes with a self-signed cert?
As was explained above, LE looks for the usually open port 80 (open for Apache or Nginx web servers); it knows nothing about 10000 being a web server.
It could technically be implemented, I think, right @Jamie … ? Although, it would require quite a lot of work, as Webmin isn’t a standard webserver. Besides, it would be necessary to re-configure Webmin to listen on port 80 for LE to work, as Joe already explained earlier.
Supposedly, all this could be implemented, but it seems like a lot of work to do to address some very uncommon setup.
This might be the issue. Every time I have to log into my home router I have to bypass the warnings. Maybe at some point I locked my browsers down ‘too tight’ because I don’t remember seeing an option to permanently store the cert. Maybe I’m just not paying attention.
That said, ideally you don’t want Webmin answering on a public IP. VPN into the network for access.
It would be possible to fire up a miniserv to serve static files on port 80, temporarily, on each renewal I guess. It has to be unauthenticated and allow dropping files into .well-known and retrieving them.
Starting an extra miniserv would require a whole other config file (since I don’t think you can pass config in the environment or on the command line to miniserv, it wants to find a Webmin installation and serve it). But, since this one would be very stupid and do nothing other than serve unencrypted port 80, no authentication, and only one directory, maybe it’d be possible to just ship one that needs no user changes. The only file that would ever appear there in this use case would be the verification file, though I’m sure somebody somewhere would decide to serve their websites with it, somehow, against all reason. But, really, I don’t think it’s too crazy of an idea to allow Webmin to spin up a webserver to verify LE.
All that said, there are some things that I know people will try to do that will cause confusion and “bug reports”. Like trying to use this validation method when they already have a web server running (and so the LE miniserv can’t listen on port 80). It’ll also make people more likely to try to get a “Webmin cert” when using Virtualmin, I’d bet, even though you never need a Webmin cert when using Virtualmin because you can use any domain’s cert just by connecting with the name of any domain that has a cert.