
Unable to access web interface, certificate error on multiple machines?

Posted by lortsungcu on Mon, 01/28/2013

A few of our customers have suddenly been unable to browse to the web interface, at least using Internet Explorer. This seemed to happen about 3 years after the systems were installed, sounds like it could be a certificate problem. I wasn't the one who installed them, though, and am not sure what to mess with in order to tell. Has anyone else come across anything like this?

Thanks
Cullen


Submitted by justdave on Mon, 01/28/2013 Permalink

Certificates usually expire after a while. 3 years is a nice round number so that's probably what happened. You just need to renew the certificates. How you do this depends on where you got them, whether they were signed by a CA or self-signed by the server, and whether you have them installed directly in Webmin or if you're using an Apache reverse-proxy or somesuch.

Submitted by lortsungcu on Mon, 01/28/2013 Permalink

Yeah, that's what I figured. It's self-signed, not sure why they made a self-signed cert expire in 3 years, but whatever. Messy. I will redo it and see if that fixes things.

Submitted by eeman on Mon, 02/04/2013 Permalink

Actually the problem is a bit different. A few years ago the default Webmin certificate was a 56-bit encrypted cert. The reason your certificate is not working is often due to the recent Windows patch that refuses to accept any cert less than 128-bit.

1) update your webmin
2) re-issue your cert using 2048 bits

Submitted by lortsungcu on Fri, 02/08/2013 Permalink

I'd rather just turn SSL off. What's the best way to do this? I didn't install these systems, and they're all looking for SSL over port 80; it's a pain in the ass for our customers, who are just learning to click past warnings as a result.

Submitted by lortsungcu on Thu, 02/14/2013 Permalink

Also, I checked the certificate on this system, and it's 256bit.

We are looking at replacing some hardware that our Thirdlane customers are on; is there a version of Thirdlane that does not have Webmin + everything else as a part of it? Would much prefer to house the PBX by itself.

Submitted by cbbs70a on Wed, 02/20/2013 Permalink

What's the big deal in getting a real cert? Not to mention the fact that you can install a new one in about, oh I'd say 5 minutes or less. Just Google for instructions. I'm not saying that you should or shouldn't use SSL, but if you do not want Webmin to use it, then simply set ssl=0 in /etc/webmin/miniserv.conf and then do a "service webmin restart". Problem solved.
Regards;
FSD

Submitted by lortsungcu on Fri, 02/22/2013 Permalink

Customer isn't interested in paying for it. I've seen the instructions, but honestly, any time I touch anything on these systems, something else breaks. I was mostly asking to see if there was anything awful that would happen if I did this.

We are going to recommend that the customer ditch Thirdlane, and transition them to something supportable. I appreciate the reply, though.

Submitted by rfrantik on Sat, 02/23/2013 Permalink

I've run into this issue with a few of my Single Tenant customers that were originally created from the older Thirdlane ISOs. The private SSL certs for Webmin employed only 512-bit keys... which Microsoft now considers to be inferior... so much so that they included a security update/patch in October 2012 that doesn't allow Internet Explorer to connect to sites that don't at least have a 1024-bit key.

In our case IE doesn't even really throw an error or a security warning. It just tells you it can't reach the server... like it's not even there.

Relevant Article:
http://www.linux.com/learn/tutorials/635016-do-your-ssl-certs-meet-micr…-

Most of the info in this thread is fairly accurate... but the simple solution may be to just recommend your customers access the site with Google Chrome or another non-IE browser.
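
Added example (not part of any post in this thread): a shell check for the two causes discussed above, an expired certificate and a key below the size the browser accepts, plus re-issuing a 2048-bit self-signed certificate. It assumes the `openssl` CLI is installed and that Webmin reads a combined certificate-and-key PEM from the `keyfile=` path in miniserv.conf; the function names and the host name are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes the openssl CLI is installed.
# Function names and the sample host name are hypothetical.

# Print the public-key size in bits of the first certificate in PEM file $1.
# Handles both "Public-Key: (2048 bit)" and older "RSA Public Key: (512 bit)".
cert_key_bits() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*Public[ -]Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# Classify certificate $1 against a minimum key size $2 (default 1024, the
# floor the thread attributes to the October 2012 Microsoft update).
# Prints ok:<bits>, weak-key:<bits>, expired:<bits> or unreadable.
check_cert() {
    min_bits=${2:-1024}
    found_bits=$(cert_key_bits "$1")
    [ -n "$found_bits" ] || { echo "unreadable"; return 2; }
    if [ "$found_bits" -lt "$min_bits" ]; then
        echo "weak-key:$found_bits"; return 1
    fi
    if ! openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1; then
        echo "expired:$found_bits"; return 1
    fi
    echo "ok:$found_bits"
}

# Write a new self-signed certificate plus its private key to $1 for host $2
# with an RSA key of $3 bits (default 2048), valid for $4 days (default 1095).
new_selfsigned_pem() {
    new_bits=${3:-2048}
    tmp=$(mktemp -d) || return 1
    openssl req -x509 -newkey "rsa:$new_bits" -nodes -sha256 \
        -days "${4:-1095}" -subj "/CN=$2" \
        -keyout "$tmp/key.pem" -out "$tmp/cert.pem" 2>/dev/null ||
        { rm -rf "$tmp"; return 1; }
    # The combined file holds the private key; umask 077 makes a newly
    # created file readable by its owner only.
    ( umask 077; cat "$tmp/cert.pem" "$tmp/key.pem" > "$1" )
    rm -rf "$tmp"
}

# Usage: sh check.sh /path/to/cert.pem [min_bits]
if [ "$#" -gt 0 ]; then check_cert "$@"; fi
```

Back up the existing PEM before overwriting it, then apply the change with the `service webmin restart` command quoted earlier in the thread.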

Submitted by eeman on Wed, 02/27/2013 Permalink

Well, the site definitely looks better when accessed with Firefox (plus Firefox has a simple way of letting you save a self-signed cert easily).

I find it humorous that someone actually demanded a version of Thirdlane without Webmin. Apparently they were so retarded they had no clue exactly what Webmin is and what its role plays in relationship with their PBX. That's like demanding a version of FreePBX that doesn't ship with Apache. Or demanding their wireless routers not ship with lightHTTPd. I bet the first thing they complain about, when someone complies, is the lack of GUI administration. Want a PBX that doesn't have a web server? It's called vanilla Asterisk... download it and learn to write dialplan. One isn't going to find ANY flavor of PBX made by ANY vendor that doesn't ship with a web server of one variety or another. It's essential in order to have a web interface. I assumed most people would get that, but apparently I was mistaken. There really are people that demand cars that run on gasoline be shipped without gas tanks installed.

Submitted by justdave on Wed, 02/27/2013 Permalink

Maybe he seriously didn't know. Webmin isn't generally thought of as a web server. It's mostly thought of as a GUI system administration tool. One that has a history of a lot of security problems. The fact that Thirdlane actually used Webmin was a turnoff for us initially for this reason. We only kept using it when this was discovered because we were already invested in it at that point (it had originally been installed by a third-party vendor).

Now, those security issues are typically with various modules, and if you only install the Webmin engine and the specific modules you need for Thirdlane to work (which are the Net module and Thirdlane itself), then you don't have most of that exposure. This of course was learned after we'd been messing with it ourselves for a while. Knowing what I know now I'm happy to recommend it to people, even though I still dislike Webmin as a whole, because I know Thirdlane doesn't require all of Webmin, just certain pieces of it.

I don't think you're doing Alex any favors by responding to people in the manner in which you did here. You most likely cost Thirdlane a customer here. Maybe he would have gone to something else anyway because of his lack of understanding, but instead of berating him for not knowing these things, perhaps acknowledging that he didn't know and providing a little education would have been a much better option.

Submitted by lortsungcu on Wed, 02/27/2013 Permalink

eeman
Last commenter pretty well summed it up. I seriously don't know/care to know about what Thirdlane needs Webmin + all of its bulk and security issues. I came into managing them for customers that didn't need _any_ of it. Not sure where you're coming from, but it's more than understandable/acceptable to wonder if there's a way to do away with a ton of services that aren't needed on a machine that really should be as secure as possible. I'm not looking to argue with you about it, that's just the way it is. I started this topic; if you're interested in starting your own topic, where we go on about how great having something like Webmin installed is, go for it. PM me if you need help getting started.

Your tone is abusive, insulting, and arrogant. I talked to Alex; apparently you're just a zealous idiot with too much time on their hands. I'm at least thankful that you don't immediately represent him/his company/his work, but there's no way I'll go near the product again, and you can bet that I'll steer as many people away from it and you as possible.