#4089 Problems setting up a certificate authority on Debian

open
nobody
None
5
2014-08-17
2012-05-14
Mike Robinson
No

I have two servers:

Centos 5, Webmin 1.585 and Virtualmin 3.92.gpl GPL
Debian 6 Webmin 1.587 (upgraded to 1.588) and Virtualmin 3.92.gpl GPL

Since I am using different Webmin versions on each server, I'm not sure if this was some sort of regression between 1.585 and 1.587 or if it is something to do with the OS.

On the Centos server, when I set up a certificate authority (Webmin > Webmin config > Certificate authority) everything works fine. I can then add a certificate to the root user and log in using certificate authentication instead of password authentication. No problems here.

However, with the Debian server, as soon as I enable the certificate authority, I get a request for an SSL client certificate, and when I cancel it, I am unable to access Webmin with Firefox or Google Chrome. Every page I try to access times out (in Chrome) or just keeps trying to load until cancelled (Firefox). I tried restarting the browsers and deleting all of the user SSL certificates to no avail.

Fortunately, I am able to access this server using the Rekonq browser. When I shut down the certificate authority, I can immediately access it again in both Chrome and Firefox. Note Rekonq doesn't have support for SSL client certificates, which is likely why it works.

Note that this looks like a problem ONLY with Webmin and not with Apache. On the same Debian server I set up the following VirtualHost:

<VirtualHost *:443>
    DocumentRoot /opt/roundcube
    ErrorLog ${APACHE_LOG_DIR}/error.log

    DirectoryIndex index.html index.htm index.php index.php4 index.php5
    <Directory /opt/roundcube>
        Options -Indexes +IncludesNOEXEC +FollowSymLinks
        allow from all
        AllowOverride All
    </Directory>

    SSLEngine on
    SSLCertificateFile /root/testssl.crt
    SSLCertificateKeyFile /root/testssl.key

    # "optional" makes Apache ask the browser for a client certificate but
    # lets the handshake complete if none is offered; "require" would refuse it.
    SSLVerifyClient optional
    SSLVerifyDepth 1
    SSLOptions +StdEnvVars
</VirtualHost>

and this works correctly. It prompts me for a certificate and if I cancel it, it continues to load the page.

Update :: I just tried it in the Opera browser, and I get slightly different behavior. First, when I go to the Webmin URL, I am asked to accept/reject the invalid SSL certificate for my server since I haven't added it to my Opera keyring yet. This is true, it is invalid, however shouldn't the client SSL certificate be sent first (before the server's SSL certificate)? If I recall correctly, this was the behavior with Chrome and Firefox. First it would ask for the client certificate, THEN it would tell me the server's certificate was invalid.

In Opera, when I approve the server's SSL certificate, I am asked to choose an SSL client certificate... FIVE times. When I log in using password authentication and on every subsequent request to the server, I am prompted to send an SSL client certificate at least 2 times per request. I have a feeling Chrome and Firefox don't support multiple certificate requests, which is why they just time out.
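
Added example (not part of the original report, and not code from Webmin or Apache) showing the handshake-level difference behind the two behaviours described above: a server that merely requests a client certificate, as the Apache vhost with SSLVerifyClient optional does, versus one that requires it, when the connecting client has no certificate to offer, which is what a browser that cancels the prompt amounts to. It uses Python's ssl module and assumes the openssl command is on PATH to mint a throwaway self-signed certificate; it does not reproduce Webmin's Net::SSLeay problem, only the optional-versus-required policy.

```python
"""Added example: a no-certificate client against a server that requests
(ssl.CERT_OPTIONAL) versus requires (ssl.CERT_REQUIRED) a client certificate.
Assumption: the openssl CLI is available to create a throwaway self-signed cert."""
import os
import socket
import ssl
import subprocess
import tempfile
import threading


def make_self_signed(workdir):
    """Mint a throwaway self-signed server cert/key (assumes the openssl CLI)."""
    cert = os.path.join(workdir, "server.crt")
    key = os.path.join(workdir, "server.key")
    subprocess.run(
        ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
         "-subj", "/CN=localhost", "-keyout", key, "-out", cert],
        check=True, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
    )
    return cert, key


def run_probe(certfile, keyfile, verify_mode):
    """Serve one TLS request under verify_mode, connect WITHOUT a client cert,
    and report 'served' or 'refused'.  CERT_OPTIONAL sends a CertificateRequest
    but tolerates an empty answer (Apache 'SSLVerifyClient optional');
    CERT_REQUIRED aborts the handshake (TLS 1.2) or sends a certificate_required
    alert right after it (TLS 1.3)."""
    lsock = socket.socket()
    lsock.bind(("127.0.0.1", 0))          # loopback only, ephemeral port
    lsock.listen(1)
    lsock.settimeout(5)
    port = lsock.getsockname()[1]

    def server():
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        ctx.load_cert_chain(certfile, keyfile)
        ctx.verify_mode = verify_mode      # the only difference between the two probes
        conn = None
        try:
            conn, _ = lsock.accept()
            conn.settimeout(5)
            with ctx.wrap_socket(conn, server_side=True) as tls:
                tls.recv(1024)             # the request line
                tls.sendall(b"HTTP/1.0 200 OK\r\nContent-Type: text/plain\r\n\r\nlogin page\r\n")
        except OSError:                    # ssl.SSLError is an OSError subclass
            pass                           # verification failure: the client sees 'refused'
        finally:
            if conn is not None:
                conn.close()

    worker = threading.Thread(target=server, daemon=True)
    worker.start()

    cctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    cctx.load_verify_locations(cafile=certfile)   # trust our own test cert
    cctx.check_hostname = False                   # test cert carries no SAN
    # Deliberately no cctx.load_cert_chain(): this client has no certificate to offer.
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=5) as raw, \
                cctx.wrap_socket(raw, server_hostname="localhost") as tls:
            tls.sendall(b"GET / HTTP/1.0\r\n\r\n")
            data = tls.recv(4096)
        result = "served" if data.startswith(b"HTTP/1.0 200") else "refused"
    except OSError:
        result = "refused"
    finally:
        worker.join(5)
        lsock.close()
    return result


def compare_policies():
    """Run both policies against a client that offers no certificate."""
    with tempfile.TemporaryDirectory() as workdir:
        cert, key = make_self_signed(workdir)
        return {
            "optional": run_probe(cert, key, ssl.CERT_OPTIONAL),
            "required": run_probe(cert, key, ssl.CERT_REQUIRED),
        }


if __name__ == "__main__":
    print(compare_policies())   # expected: {'optional': 'served', 'required': 'refused'}
```

Under CERT_REQUIRED the refusal surfaces in two different places depending on the protocol version, as a handshake error or as an alert on the first read after the handshake, which is why the probe treats an errored or empty read the same as a failed handshake. The page's wget run against Webmin with the CA enabled (a 200 with the login page, no client certificate offered) corresponds to the "optional" row here.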

Discussion

  • Jamie Cameron (2012-05-15)

    Does anything get logged to /var/webmin/miniserv.error when you try to log in after enabling the CA?

  • Mike Robinson (2012-05-15)

    It spits out a few "Failed to initialize SSL connection" lines.

  • Mike Robinson (2012-05-15)

    This is the output of when I shut down the CA in case this is of any use:

    restarting miniserv
    [15/May/2012:00:41:03 -0400] Restarting
    Pre-loaded virtual-server/virtual-server-lib-funcs.pl in virtual_server
    Pre-loaded virtual-server/feature-unix.pl in virtual_server
    Pre-loaded virtual-server/feature-dir.pl in virtual_server
    Pre-loaded virtual-server/feature-dns.pl in virtual_server
    Pre-loaded virtual-server/feature-mail.pl in virtual_server
    Pre-loaded virtual-server/feature-web.pl in virtual_server
    Pre-loaded virtual-server/feature-webalizer.pl in virtual_server
    Pre-loaded virtual-server/feature-ssl.pl in virtual_server
    Pre-loaded virtual-server/feature-logrotate.pl in virtual_server
    Pre-loaded virtual-server/feature-mysql.pl in virtual_server
    Pre-loaded virtual-server/feature-postgres.pl in virtual_server
    Pre-loaded virtual-server/feature-ftp.pl in virtual_server
    Pre-loaded virtual-server/feature-spam.pl in virtual_server
    Pre-loaded virtual-server/feature-virus.pl in virtual_server
    Pre-loaded virtual-server/feature-webmin.pl in virtual_server
    Pre-loaded virtual-server/feature-virt.pl in virtual_server
    Pre-loaded virtual-server/feature-virt6.pl in virtual_server
    Pre-loaded WebminCore
    [15/May/2012:00:41:05 -0400] miniserv.pl started
    [15/May/2012:00:41:05 -0400] Using MD5 module Digest::MD5
    [15/May/2012:00:41:05 -0400] PAM authentication enabled

  • Jamie Cameron (2012-05-15)

    If you try to connect using a command like:

    wget -O - https://localhost:10000/

    what does it output?

  • Mike Robinson (2012-05-15)

    root@dog:~# wget -O - https://localhost:10000/ --no-check-certificate
    --2012-05-15 18:20:14-- https://localhost:10000/
    Resolving localhost... 127.0.0.1
    Connecting to localhost|127.0.0.1|:10000... connected.
    WARNING: cannot verify localhost’s certificate, issued by “/C=CR/ST=San Jose/O=Webmin Webserver on myserver.com/OU=Security/CN=myserver.com/emailAddress=myserver.com@myserver.com”:
    Self-signed certificate encountered.
    WARNING: certificate common name “myserver.com” doesn’t match requested host name “localhost”.
    HTTP request sent, awaiting response... 200 Document follows
    Length: unspecified [text/html]
    Saving to: “STDOUT”

    [<=> ] 0 --.-K/s <!doctype html public "-//W3C//DTD HTML 3.2 Final//EN">
    <html>
    <head>
    <link rel='stylesheet' type='text/css' href='/unauthenticated/reset-fonts-grids-base.css'>
    <link rel='stylesheet' type='text/css' href='/unauthenticated/virtual-server-style.css' />
    <!--[if IE]>
    <style type="text/css">
    table.formsection, table.ui_table, table.loginform { border-collapse: collapse; }
    </style>
    <![endif]-->
    <script>
    var rowsel = new Array();
    </script>
    <script type='text/javascript' src='/unauthenticated/sorttable.js'></script>
    <meta http-equiv="Content-Type" content="text/html; Charset=iso-8859-1">
    <title>Login to Webmin</title></head>
    <body bgcolor=#ffffff link=#376ebd vlink=#376ebd text=#000000 onLoad='document.forms[0].pass.value = ""; document.forms[0].user.focus()'>
    <table class='header' width=100%><tr>
    <td id='headln2l' width=15% valign=top align=left></td>
    <td id='headln2c' align=center width=70%><font size=+2></font></td>
    <td id='headln2r' width=15% valign=top align=right></td></tr></table>
    <p><center>

    <form class='ui_form' action='/session_login.cgi' method=post >
    <input class='ui_hidden' type=hidden name="page" value="/">
    <table class='shrinkwrapper' width=40% class='loginform'>
    <tr><td>
    <table class='ui_table' width=40% class='loginform'>
    <thead><tr><td><b>Login to Webmin</b></td></tr></thead>
    <tbody> <tr class='ui_table_body'> <td colspan=1><table width=100%>
    <tr class='ui_form_pair'>
    <td class='ui_form_value' colspan=2 align=center>You must enter a username and password to login to the Webmin server on <tt>localhost</tt>.</td>
    </tr>
    <tr class='ui_form_pair'>
    <td class='ui_form_label' ><b>Username</b></td>
    <td class='ui_form_value' colspan=1 ><input class='ui_textbox' name="user" value="" size=20 ></td>
    </tr>
    <tr class='ui_form_pair'>
    <td class='ui_form_label' ><b>Password</b></td>
    <td class='ui_form_value' colspan=1 ><input class='ui_password' type=password name="pass" value="" size=20 ></td>
    </tr>
    <tr class='ui_form_pair'>
    <td class='ui_form_label' ><b> </b></td>
    <td class='ui_form_value' colspan=1 ><input class='ui_checkbox' type=checkbox name="save" value="1" id="save_1" > <label for="save_1">Remember login permanently?</label>
    </td>
    </tr>
    </tbody></table></td></tr></table>
    </td></tr>
    </table>

    <input class='ui_submit' type=submit value="Login">
    <input type=reset value="Clear">
    </form>
    </center>

    <script>
    if (window != window.top) {
    window.top.location = window.location;
    }
    </script>
    </div><p>
    <br>
    </body></html>
    [ <=> ] 2,463 --.-K/s in 0.06s

    2012-05-15 18:20:14 (38.8 KB/s) - written to stdout [2463]

  • Jamie Cameron (2012-05-16)

    I've been looking into this, and the good news is that I managed to reproduce the problem on Ubuntu 12.04. The bad news is that no fix is apparent yet, but it seems like there have been changes in the openssl libraries that prevent the Perl Net::SSLeay library Webmin uses from working.

    One work-around you could try is editing /usr/share/webmin/miniserv.pl and changing line 4196 from:

    Net::SSLeay::CTX_set_verify(

    to:

    Net::SSLeay::set_verify(

    Then run /etc/webmin/restart

  • Mike Robinson (2012-05-16)

    I'm glad you were able to duplicate the error. Trying the workaround you mentioned doesn't seem to work on Debian. I am unable to access it with any browser after applying it. They all give me an error with SSL:

    Chrome:
    SSL connection error
    Unable to make a secure connection to the server. This may be a problem with the server, or it may be requiring a client authentication certificate that you don't have.
    Error 107 (net::ERR_SSL_PROTOCOL_ERROR): SSL protocol error

    Firefox:
    The connection was interrupted
    The connection to servername.com:10000 was interrupted while the page was loading.

    Rekonq:
    servername.com: SSL negotiation failed
    When connecting to: https://servername.com:10000/

  • Jamie Cameron (2012-05-17)

    While I debug this, there is one quick fix you can do to allow yourself to log in to Webmin again: edit /etc/webmin/miniserv.conf and delete the line starting with ca=. Then run /etc/webmin/restart

  • Mike Robinson (2012-05-17)

    Thank you. I was also able to shut down the CA by using a browser that doesn't support client SSL certificates.

  • Mike Robinson (2012-05-22)

    In case it helps, these are the versions of openssl and SSLeay on both servers:

    Working (Centos 5):
    # yum list installed | grep -i 'ssleay\|openssl'
    openssl.i686 0.9.8e-22.el5_8.3 installed
    openssl-devel.i386 0.9.8e-22.el5_8.3 installed
    openssl097a.i386 0.9.7a-11.el5_8.2 installed
    perl-Crypt-SSLeay.i386 0.57-3.el5.rf installed
    perl-Net-SSLeay.i386 1.36-1.el5.rf installed

    Not working (Debian 6):
    # dpkg --list | grep -i 'ssleay\|openssl'
    ii libcrypt-ssleay-perl 0.57-2 Support for https protocol in LWP
    ii libnet-ssleay-perl 1.36-1 Perl module for Secure Sockets Layer (SSL)
    ii openssl 0.9.8o-4squeeze13 Secure Socket Layer (SSL) binary and related cryptographic tools
    ii ssl-cert 1.0.28 simple debconf wrapper for OpenSSL

  • Jamie Cameron (2012-05-22)

    Yes, I suspect there is some problem with perl-Net-SSLeay that is stopping the API that Webmin depends on for SSL cert validation from working properly :-(

  • Mike Robinson (2012-10-07)

    It's been 5 months. Any word if this is fixable yet or not?

  • Jamie Cameron (2012-10-08)

    Unfortunately this is out of my hands - Webmin depends on the Net::SSLeay perl module for SSL, and if it is broken there isn't much I can do :-(