I recently requested a new Let's Encrypt certificate from the webmin control panel as it expired.
I can access all others certifcates and ssl on all other hosts without issue. However I cannot access port 10000 which webmin uses to access control panel.
I suspect this is an issue with webmin and their implementation of Let's encrypt as I have no other issue with certbot of configurations. Webmin creates seperate certificates inside /etc/webmin/
Port 10000 is served by MiniServe and responding to HTTP requests with a redirect to https on the same port
Server: MiniServ/1.974
I am fairly confident the following is happening:
Port 10000 fails with HTTPS requests, because it is not configured to serve HTTPS. The problem is not with the Certificates, but with the server configuration itself. You are trying to serve HTTP and HTTPS on the same port (10000) ~~ - you can not do that~~. The HTTPS requests are failing, because the port appears to be configured for HTTP instead of HTTPS, and trying to speak HTTPS to an HTTP endpoint will generate the errors you noted.
You will need to reconfigure the port 10000 service appropriately. if you need to support both http and https, you need to decouple that onto two different ports (edit: added the following) or have a properly configured server that can speak both on the same port. if you only need to support https, you need to configure that service to speak HTTPS and not HTTP.
Thank you for the response. I will try to configure :10000 only for https. The current configuration was working fine until I renewed the certificate today. But I am happy to be pointed in the right direction.
That's not entirely correct: It is technically perfectly possible to speak HTTP and HTTPS simultaneously on the same port. Some webservers can do this.
The webserver in question here responds with a HTTP-to-HTTPS redirect on HTTP requests, which indeed indicates it does speak at least HTTP. When sending a TLS handshake request, the server responds with a TLS Alert code 40 "handshake error". This shows that the service is capable of also speaking TLS: It understands TLS Client Hellos and responds with a TLS alert protocol message.
The reason for the service replying with handshake errors is unknown though. Perhaps a misconfiguration, or an internal server error - logs could be helpful.
[Wed Mar 08 17:48:34.946798 2023] [ssl:warn] [pid 8760] AH01909: RSA certificate configured for africanstudios.net:443 does NOT include an ID which matches the server name
[Wed Mar 08 17:48:34.947371 2023] [ssl:warn] [pid 8760] AH01909: RSA certificate configured for africanstudios.net:443 does NOT include an ID which matches the server name
[Wed Mar 08 17:48:34.948510 2023] [ssl:warn] [pid 8760] AH02292: Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)
[Wed Mar 08 17:48:34.951659 2023] [so:warn] [pid 8760] AH01574: module proxy_module is already loaded, skipping
[Wed Mar 08 17:48:34.959063 2023] [so:warn] [pid 8760] AH01574: module proxy_module is already loaded, skipping
[Wed Mar 08 17:48:35.034217 2023] [ssl:warn] [pid 8760] AH01909: RSA certificate configured for africanstudios.net:443 does NOT include an ID which matches the server name
[Wed Mar 08 17:48:35.035807 2023] [ssl:warn] [pid 8760] AH02292: Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)
[Wed Mar 08 17:48:35.081356 2023] [mpm_prefork:notice] [pid 8760] AH00163: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.4.33 configured -- resuming normal operations
[Wed Mar 08 17:48:35.081427 2023] [core:notice] [pid 8760] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'
that's miniserv.conf.
Working on the configurations now. Hopefully it's as simple as adding updated ciphers and making sure the ssl mods are compatible. I dont know what caused this problem. My server has been running with current configuration for years. But I will keep searching then post the solution
I have no idea what could have broken that, as swapping a Certificate should not have changed it. I looked at their docs and am lost, your update must have lost some command - either in the config file, shell environment or commandline. I like to store configuration files in version control so I can audit changes when things break like this - perhaps you have an old version?
Thanks for the info. Big help in narrowing down the problem. I reached out the webmin community and saw the problem was fixed by update algos but no one has current solution. Seems a recent update broke the ssl but I cant get a confirmation,
In the webmin github issue, someone suggested it may be due to the certificate having an ECC key.
You can try using certbot to get a new certificate with an RSA key using the --key-type rsa command. That may get you back up and running until a proper fix is figured out.
It also might not work at all, but that might get you back online.
I use:
"ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
Tired yours and it didnt work. Ran across something obvious, still running OpenSSl 1.0.2k , will upgrade that over the weekend. Most likely that will solve my issue.