
#4269 can't create and use user certificates to login

1.630
open
nobody
None
5
2015-05-13
2013-07-10
No

Hello,

I can't create and use user certificates to login into webmin.

System and software:
Server:
CentOS 6.4, x86_64, fresh minimum install, fully updated

rpm -q kernel perl perl-Net-SSLeay openssl webmin

kernel-2.6.32-358.11.1.el6.x86_64
perl-5.10.1-131.el6_4.x86_64
perl-Net-SSLeay-1.35-9.el6.x86_64
openssl-1.0.0-27.el6_4.2.x86_64
webmin-1.630-1.noarch
Client:
Firefox 22.0

I have one user on the system - root. I've tried it with the default unix password and after changing his password with the following command. The result was the same.

/usr/libexec/webmin/changepass.pl /etc/webmin root some_pass

How to reproduce:
1. I've created a self-signed certificate in SSL Encryption (tried both, for any hostname and for server hostname, with the same result)
2. Enabled SSL if available - SSL (https) works fine
3. I've created a certificate authority
4. I've requested an SSL certificate for the user
5. Filled in all the fields, used High Grade
6. Certificate is created
7. However, after I click on "Click here to pick up your certificate and install it in your browser" I get the "The connection was reset" error and can't connect to webmin again.

Additional information:
When I copy the link with certificate, and turn off ssl in /etc/webmin/miniserv.conf I'm able to download and install the certificate in browser. However, when I turn the ssl on again, I cannot connect to the webmin. I can use the ssl again after I select None SSL certificate name for the user.
In other words, while certificate name is set to something like:
/C=CZ/ST=Czech/O=something/OU=production/CN=root/Email=some@email.com
I cannot connect to the webmin with ssl.

Only error in the miniserv.error file is: Failed to initialize SSL connection

That's all I got so far. If you have any idea how to debug it further, please let me know.

Thanks,

peter

Discussion

  • Jamie Cameron

    Jamie Cameron - 2013-07-11

    I'd like to try to re-produce this. Were you running Firefox on your linux system, or on a separate Mac or Windows box?

     
  • Peter Schiffer

    Peter Schiffer - 2013-07-12

    I was running Firefox on my CentOS 6.4 desktop (32bit), updated, Firefox was installed manually from Mozilla website.

     
  • Peter Schiffer

    Peter Schiffer - 2013-07-16

    I've also tried on the same CentOS 6.4 (32bit) desktop machine:

    google-chrome-stable-27.0.1453.110-202711.i386
    - same result as with Firefox: Error 107 (net::ERR_SSL_PROTOCOL_ERROR): SSL protocol error.

    opera-12.16-1860.i386
    - but webmin probably doesn't support this browser: Webmin does not know how to issue client certificates for your browser ( Opera/9.80 (X11; Linux i686; Edition Linux Mint) Presto/2.12.388 Version/12.16 )

     
  • Peter Schiffer

    Peter Schiffer - 2013-07-16

    Also sometimes, when trying to request an SSL certificate for user, I get this error:
    Using configuration from /etc/webmin/acl/openssl.cnf
    Check that the SPKAC request matches the signature
    Signature ok
    The Subject's Distinguished Name is as follows
    emailAddress :IA5STRING:'some@email.com'
    organizationalUnitName:PRINTABLE:'production'
    organizationName :PRINTABLE:'something'
    stateOrProvinceName :PRINTABLE:'Czech'
    countryName :PRINTABLE:'CZ'
    commonName :PRINTABLE:'root'
    Certificate is to be certified until Jul 15 23:26:29 2016 GMT (1095 days)
    failed to update database
    TXT_DB error number 2
    139958245058376:error:0D06407A:asn1 encoding routines:a2d_ASN1_OBJECT:first num too large:a_object.c:109:

    Then I need to shut down CA and setup a new one, so I can try to request an SSL certificate and proceed to the "Click here to pick up your certificate.." link

     
  • Peter Schiffer

    Peter Schiffer - 2013-07-16

    Now I've tried to reproduce this on Win 7 (64bit) SP1, fully updated client:

    Firefox 22.0
    - same result as on CentOS

    Chrome 28.0.1500.72 m
    - same result: SSL protocol error.

    IE 10.0.9200.16635
    - A new SSL key was not submitted by your browser - maybe it does not support SSL client certificates.

    Opera 15.0.1147.141
    - same result as Firefox or Chrome: SSL connection error

    I've also noticed that I have to re-create CA after every failed attempt to request a client side SSL certificate because of the error in the previous comment.
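
Added example, not part of the thread and not Webmin's code: `TXT_DB error number 2` in the output quoted in the two comments above is OpenSSL's index-clash code, raised when `openssl ca` cannot add a row to the CA's `index.txt` because the serial is already present or, with `unique_subject` enabled, a valid row already has the same subject. The script below checks an index file for both conditions; the function names and sample rows are constructed for illustration, and the location of Webmin's CA index is not given on this page, so the path is passed as an argument.

```sh
#!/bin/sh
# Added example (not Webmin code): look for index clashes in an OpenSSL CA database.
# index.txt is TAB-separated: status, expiry, revocation date, serial, filename, subject.

# Serial numbers of still-valid ("V") rows whose subject equals $2.
# With unique_subject enabled, any hit here makes "openssl ca" fail with
# TXT_DB error number 2 when a new certificate for that subject is signed.
valid_rows_for_subject() {
    SUBJ="$2" awk -F '\t' '$1 == "V" && $6 == ENVIRON["SUBJ"] { print $4 }' "$1"
}

# Serial numbers that appear on more than one row (the other cause of a clash).
duplicate_serials() {
    awk -F '\t' 'seen[$4]++ == 1 { print $4 }' "$1"
}

# Constructed sample database: one revoked and one valid row for the same
# subject, plus an unrelated valid row. Values are made up for the example.
write_sample_index() {
    dn='/C=CZ/ST=Czech/O=something/OU=production/CN=root/emailAddress=some@email.com'
    {
        printf 'R\t160715232629Z\t130716100000Z\t01\tunknown\t%s\n' "$dn"
        printf 'V\t160715232629Z\t\t02\tunknown\t%s\n' "$dn"
        printf 'V\t160715232629Z\t\t03\tunknown\t%s\n' '/C=CZ/O=something/CN=alice'
    } > "$1"
}

# Usage: script.sh /path/to/index.txt '/C=.../CN=...'
if [ "$#" -eq 2 ]; then
    echo "valid rows with this subject:"
    valid_rows_for_subject "$1" "$2"
    echo "serials used more than once:"
    duplicate_serials "$1"
fi
```

Revoked rows do not count toward the subject clash, so revoking the earlier certificate with `openssl ca -revoke`, or setting `unique_subject = no` in the CA configuration, clears it without rebuilding the CA.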

     
  • Doug Walker

    Doug Walker - 2013-09-23

    I have all the same problems on Ubuntu 12.04 + webmin 1.65

    Please fix or suggest a manual workaround.

    Thanks,

     

    Last edit: Doug Walker 2013-09-24
  • Stan

    Stan - 2013-10-03

    Same problem with Ubuntu 12.04.03 LTS + webmin 1.65. Unable to download user SSL certificate and then unable to connect to webmin with SSL on. Tried Chrome 30.0.1599.66 and Safari Version 7.0 (9537.71) on Mac OSX.

     

    Last edit: Stan 2013-10-03
  • kwc

    kwc - 2013-10-28

    For what it is worth... I am having a very similar problem with Win7 Pro clients using FireFox 24.0 accessing Webmin 1.660 with Virtualmin 4.03.gpl GPL on CentOS Linux 6.4 / Linux 2.6.32-279.14.1.el6.i686 on i686. It tells me that the certificate is installed (and it shows up in the list) but I never get a prompt asking me to certify.

    I sometimes have the problem accessing Webmin 1.510 on Redhat Linux Fedora 5, sometimes it just works. When I have the problem it prompts me to select a certificate and then either grants access or requests a username & password. Maybe this only happens when I select the wrong certificate?

     
  • Steven Page

    Steven Page - 2014-07-05

    I too have been locked out of my webmin installation when trying to set up and use client certificates and the certificate authority.

    I would love to use this feature, but at this time, it simply does not work for me.

    The only way I was able to gain access again (IIRC) was to manually SSH into the box, disable Force SSL, and disable the certificate authority, or manually download the certificate using SFTP and install it into my browser.

    But this renders the "Certificate Authority" useless for any virtual host users.

     

    Last edit: Steven Page 2014-07-05
  • Ray Lance

    Ray Lance - 2014-10-08

    Also would like to use client certificates with the new ed25519 certificate.

     
  • RealGecko

    RealGecko - 2015-05-13

    I've noticed that the cert generated by Webmin is not accessible after installation, either not installed or hidden. I tried Firefox 37.0.2 and Chrome 42.0.2311.135 m under Winduz 8.1. And I presume that's why I cannot login after the first cert is generated.
    Webmin is 1.740 under Debian 8.

     

    Last edit: RealGecko 2015-05-13
