#4269 can't create and use user certificates to login

Peter Schiffer


I can't create and use user certificates to login into webmin.

System and software:
CentOS 6.4, x86_64, fresh minimum install, fully updated

rpm -q kernel perl perl-Net-SSLeay openssl webmin

Firefox 22.0

I have one user on the system - root. I've tried it with default unix password and after changing his password with following command. Result was the same.

/usr/libexec/webmin/changepass.pl /etc/webmin root some_pass

How to reproduce:
1. I've created self-signed certificate in SSL Encryption (tried both, for any hostname and for server hostname with the same result)
2. Enabled SSL if available - SSL (https) works fine
3. I've created certificate authority
4. I've requested an SSL certificate for user
5. Filled in all the fields, used High Grade
6. Certificate is created
7. However, after I click on "Click here to pick up your certificate and install it in your browser" I get the "The connection was reset" error and can't connect to webmin again.

Additional information:
When I copy the link with certificate, and turn off ssl in /etc/webmin/miniserv.conf I'm able to download and install the certificate in browser. However, when I turn the ssl on again, I cannot connect to the webmin. I can use the ssl again after I select None SSL certificate name for the user.
In other words, while certificate name is set to something like:
I cannot connect to the webmin with ssl.

Only error in the miniserv.error file is: Failed to initialize SSL connection

That's all I got so far. If you have any idea how to debug it further, please let me know.




  • Jamie Cameron
    Jamie Cameron

    I'd like to try to re-produce this. Were you running Firefox on your linux system, or on a separate Mac or Windows box?

  • Peter Schiffer
    Peter Schiffer

    I was running Firefox on my CentOS 6.4 desktop (32bit), updated, Firefox was installed manually from Mozilla website.

  • Peter Schiffer
    Peter Schiffer

    I've also tried on the same CentOS 6.4 (32bit) desktop machine:

    - same result as with Firefox: Error 107 (net::ERR_SSL_PROTOCOL_ERROR): SSL protocol error.

    - but webmin probably doesn't support this browser: Webmin does not know how to issue client certificates for your browser ( Opera/9.80 (X11; Linux i686; Edition Linux Mint) Presto/2.12.388 Version/12.16 )

  • Peter Schiffer
    Peter Schiffer

    Also sometimes, when trying to request an SSL certificate for user, I get this error:
    Using configuration from /etc/webmin/acl/openssl.cnf
    Check that the SPKAC request matches the signature
    Signature ok
    The Subject's Distinguished Name is as follows
    emailAddress :IA5STRING:'some@email.com'
    organizationName :PRINTABLE:'something'
    stateOrProvinceName :PRINTABLE:'Czech'
    countryName :PRINTABLE:'CZ'
    commonName :PRINTABLE:'root'
    Certificate is to be certified until Jul 15 23:26:29 2016 GMT (1095 days)
    failed to update database
    TXT_DB error number 2
    139958245058376:error:0D06407A:asn1 encoding routines:a2d_ASN1_OBJECT:first num too large:a_object.c:109:

    Then I need to shut down CA and setup a new one, so I can try to request an SSL certificate and proceed to the "Click here to pick up your certificate.." link

  • Peter Schiffer
    Peter Schiffer

    Now I've tried to reproduce this on Win 7 (64bit) SP1, fully updated client:

    Firefox 22.0
    - same result as on CentOS

    Chrome 28.0.1500.72 m
    - same result: SSL protocol error.

    IE 10.0.9200.16635
    - A new SSL key was not submitted by your browser - maybe it does not support SSL client certificates.

    Opera 15.0.1147.141
    - same result as Firefox or Chrome: SSL connection error

    I've also noticed that I have to re-create CA after every failed attempt to request a client side SSL certificate because of the error in the previous comment.

  • Doug Walker
    Doug Walker

    I have all the same problems on Ubuntu 12.04 + webmin 1.65

    Please fix or suggest a manual workaround.


    Last edit: Doug Walker 2013-09-24
  • Stan

    Same problem with Ubuntu 12.04.03 LTS + webmin 1.65. Unable to download user SSL certificate and then unable to connect to webmin with SSL on. Tried Chrome 30.0.1599.66 and Safari Version 7.0 (9537.71) on Mac OSX.

    Last edit: Stan 2013-10-03
  • kwc

    For what it is worth... I am having a very similar problem with Win7 Pro clients using FireFox 24.0 accessing Webmin 1.660 with Virtualmin 4.03.gpl GPL on CentOS Linux 6.4 / Linux 2.6.32-279.14.1.el6.i686 on i686. It tells me that the certificate is installed (and it shows up in the list) but I never get a prompt asking me to certify.

    I am somtimes have the problem accessiung Webmin 1.510 on Redhat Linux Fedora 5, sometimes it just works. When I have the problem it prompts me to select a certificate and then either grants access or requests a username & password. Maybe this only happens when I select the wrong certificate?

  • Steven Page
    Steven Page

    I too have been locked out of my webmin installation when trying to setup, and use client certificates, and the certificate authority.

    I would love to use this feature, but at this time, it simply does not work for me.

    The only way i was able to gain access again (IIRC) was to manually SSH into the box, disable Force SSL, and disable the certificate authority. or manually download the certificate using SFTP, and install it into my browser.

    but this renders the "Certificate Authority" useless for any virtual host users.

    Last edit: Steven Page 2014-07-05
  • Ray Lance
    Ray Lance

    Also would like to use client certificates with the new ed25519 certifate.

  • RealGecko

    Ive noticed that cert generated by Webmin is not accessible after installation, either not installed or hidden. I tried Firefox 37.0.2 and Chrome 42.0.2311.135 m under Winduz 8.1. And I presume thats why I cannot login after first cert is generated.
    Webmin is 1.740 under Debian 8.

    Last edit: RealGecko 2015-05-13