# webmin self signed cert

## carpman

Hello, ok, I've been through the process of creating self-signed root SSL certs and certs for Postfix and Apache, and wanted to do the same for Webmin.

On the Webmin site it says to combine the private key and certificate with the command:

```
cat key.pem cert.pem >/etc/webmin/miniserv.pem
```

Now, I don't have key.pem or cert.pem, but have tried:

```
cat newkey.pem newcert.pem >/etc/webmin/miniserv.pem
```

This works, but I have to enter the pass phrase when starting Webmin, which is not too good. Any ideas what I need to do?

I have the following files in /etc/ssl/misc:

```
new.cert.cert  new.cert.key  newkey.pem  privkey.pem new.cert.csr   newcert.pem   newreq.pem
```

cheers

----------

## carpman

Ok, I tried the following:

```
# openssl rsa -in miniserv.pem -out miniserv.pem
Enter pass phrase for miniserv.pem:
writing RSA key
```

but restarting Webmin fails with:

```
/etc/init.d/webmin restart
 * Stopping Webmin ...                                                                       [ ok ]
 * Starting Webmin ...
Failed to open SSL cert  at /usr/libexec/webmin/miniserv.pl line 3520.
```

----------

## jpl888

When you install Webmin with SSL support it already has a certificate created. You don't need to create another.

----------

## carpman

 *jpl888 wrote:*   

> When you install Webmin with SSL support it already has a certificate created. You don't need to create another.

I prefer to create my own; then I know that it is safe, plus if other users log in they see a familiar cert.

PS: found out how to do it.

----------

## GNUtoo

You can also, alternatively, do port forwarding with OpenSSH in order to connect to Webmin.

----------

## jpl888

Maybe you could post the solution here to help other like-minded admins.

----------

## GNUtoo

 *jpl888 wrote:*   

> Maybe you could post the solution here to help other like-minded admins.

```
ssh -L port_of_webmin:127.0.0.1:port_of_webmin youruser@yourbox
```

----------

## jpl888

 *Quote:*   

> jpl888 wrote:
>
> Maybe you could post the solution here to help other like-minded admins.
>
> Code:
> ...

I actually meant for creating the Webmin cert, but thanks anyway :)

----------

## carpman

Hello, ok, here is how I did the Webmin self-signed cert. I was going to put it in a little howto about self-signed certs, but will include it here so others can find it more easily.

This assumes you have already created a root SSL cert.

-------------------------

You may or may not use Webmin; if you do, you will know that it has its own server and you can use it via https. The thing is, it has its own cert. Not sure how secure this is, but I am happier using a self-signed cert.

First off, we will back up the Webmin cert:

```
mv /etc/webmin/miniserv.pem /etc/webmin/miniserv.pem-orig
```

Now we will create a new self-signed cert by doing the following:

1. Create a key for signing.
2. Make a non-passphrase version.
3. Then create the signing request.
4. Sign it.
5. Combine the passphraseless key with the certificate to make a file that Webmin likes.
6. Copy it to Webmin.

To do this, enter the following commands (note the days setting: 365 is for a year; for 10 years make it 3650):

```
cd /etc/ssl/misc
openssl genrsa -des3 -out webmin.key 1024
openssl rsa -in webmin.key -out webmin.pem
openssl req -new -key webmin.key -out webmin.csr
openssl x509 -req -days 365 -in webmin.csr -signkey webmin.key -out webmin.crt
cat webmin.crt >> webmin.pem
cp webmin.pem /etc/webmin/miniserv.pem
/etc/init.d/webmin restart
```

That is it.
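As an added check, not part of this thread or of Webmin itself, here is a stdlib-only Python script that inspects a candidate miniserv.pem before you restart Webmin and reports the two failure modes seen earlier in the thread: a key that still carries its passphrase (the prompt at startup), and a file with no certificate block at all (the `Failed to open SSL cert` error, which is what an in-place `openssl rsa -in miniserv.pem -out miniserv.pem` produces, since `openssl rsa` writes only the key). The sample PEM contents below are constructed placeholders, not real key or certificate data.

```python
import re
import sys

# Constructed sample files (placeholder base64, not real key or certificate data).
GOOD_PEM = """-----BEGIN RSA PRIVATE KEY-----
MIIBOgIBAAJBAKPLACEHOLDERKEYDATA0000000000000000000000000000000000=
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIBuTCCAWOgAwIBAgIBPLACEHOLDERCERTDATA00000000000000000000000000=
-----END CERTIFICATE-----
"""
# What an in-place `openssl rsa -in miniserv.pem -out miniserv.pem` leaves behind:
# the key is decrypted, but the certificate block is gone.
KEY_ONLY_PEM = GOOD_PEM.split("-----BEGIN CERTIFICATE-----")[0]
# A key that still carries its passphrase (legacy OpenSSL encrypted-PEM header).
ENCRYPTED_PEM = GOOD_PEM.replace(
    "-----BEGIN RSA PRIVATE KEY-----\n",
    "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
    "DEK-Info: DES-EDE3-CBC,0123456789ABCDEF\n\n", 1)

# One PEM block: label is the text after BEGIN, body is everything up to the matching END.
BLOCK_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\n(.*?)-----END \1-----", re.S)


def check_miniserv_pem(text):
    """Return a list of problems in a candidate miniserv.pem; [] means it looks usable."""
    blocks = BLOCK_RE.findall(text)
    keys = [(label, body) for label, body in blocks if label.endswith("PRIVATE KEY")]
    certs = [body for label, body in blocks if label == "CERTIFICATE"]
    problems = []
    if len(keys) != 1:
        problems.append("expected exactly one private key block, found %d" % len(keys))
    if not certs:
        problems.append("no certificate block (an in-place `openssl rsa` drops it)")
    for label, body in keys:
        # PKCS#8 encrypted keys use their own label; legacy keys carry a Proc-Type header.
        if label == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in body:
            problems.append("private key is passphrase protected; Webmin will prompt at start")
    return problems


if __name__ == "__main__":
    # Usage: python check_miniserv.py /etc/webmin/miniserv.pem
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/webmin/miniserv.pem"
    with open(path) as fh:
        found = check_miniserv_pem(fh.read())
    print("OK" if not found else "\n".join(found))
    sys.exit(1 if found else 0)
```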

----------

## neofutur

 *jpl888 wrote:*   

> When you install Webmin with SSL support it already has a certificate created. You don't need to create another.

7 years later: yes, you do need to create a different certificate for each of your Webmin (or iDRAC, or whatever you run on more than one IP address) servers, or Firefox will be badly unhappy if so many IPs have the exact same default Webmin (or iDRAC) certificate.

(Unhappy Firefox meaning something like this: http://imgur.com/czen665. You won't even be asked the traditional "security exception" question!)

Firefox message:

> Secure Connection Failed
>
> An error occurred during a connection to XXXX:10000. You have received an invalid certificate. Please contact the server administrator or email correspondent and give them the following information: Your certificate contains the same serial number as another certificate issued by the certificate authority. Please get a new certificate containing a unique serial number. (Error code: sec_error_reused_issuer_and_serial)
>
> The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
> ...

 

I repeat, you can't even add an exception; you're just ****ed until you downgrade to Firefox 31 or manually delete the cert8.db file.

Ok, most people have only one Webmin (or one iDRAC access) and won't see the problem, but some do.

So you have to get a different certificate for each of your Webmins; they can't all have the same default one (and that's what changed: you could until a few years or months ago).

Concerning Webmin:

I recently needed to do that for a few Webmin servers and finally found an easy way for people who are not openssl genrsa savvy.

You can regenerate your self-signed certificate in Webmin itself: Webmin Configuration -> SSL Encryption -> Self-Signed Certificate -> fill in the form -> check "Use new key immediately?" and click Create Now,

then restart Webmin.

If at first nothing is working because http redirects you to (still non-working) https, you can edit miniserv.conf first to allow non-SSL access:

```
ssl=0
ssl_redirect=0
```

allowing you to log in on the http:// URL (non-https).

(If you have password problems, change it with: /usr/libexec/webmin/changepass.pl /etc/webmin root newwebminpassword)

Then generate your new key, on the command line or in Webmin,

and restart Webmin.

After you set up your new certificate and everything is working great on https://, better put them back to:

```
ssl=1
ssl_redirect=1
```

\#<troll>(if you consider SSL is still useful after all the recent holes)</troll>

But I can't do that for the iDRAC consoles provided by my datacenter (online.net), and they don't seem to care too much about that even if it could be a real security issue.

edit: off-topic bonus reading: http://googleonlinesecurity.blogspot.com/2014/09/gradually-sunsetting-sha-1.html

edit2: idea: it would be great if the ebuild automatically generated a new self-signed cert when first installed or on a new emerge --config.

edit3: lol, it's more or less a Firefox 33 featurebug: http://superuser.com/questions/826232/how-to-bypass-the-secure-connection-failed-warning-in-firefox-33

edit4: same problem for accessing the DELL iDRAC6 default certificate; I'll have to use an old insecure browser, grrrr.

edit5: link to the Firefox bug report, please add rantings: https://bugzilla.mozilla.org/show_bug.cgi?id=435013

----------

