From: Robert M. <rg...@ht...> - 2006-07-28 21:41:51

Well,

I have finally gotten TinyCA2 up and working! Many things got in the way; but it is now up and running on my notebook (running CentOS 4.3).

So I cut and pasted the root cert I built and exported in PEM format.

I also exported a server cert for my notebook (I run Webmin on it when I need its tools).

I exported both certs to my home directory, now I want to know if I have to keep them there, or if I move them to a better locale, do I have to inform Webmin of the change?

My hunch is for the CA cert, since I cut and pasted it into CA cert authority module, I do not have to keep Webmin apprised of its location.

But the server cert, I suspect I DO have to keep it informed, so WHEN I move it to a better directory than my home directory, I will have to update the file location in the SSL module.

Now about that file being password protected....

When I supplied Webmin with the cert location (I put the cert and private key in a single file), the update failed with a message that webmin did not restart.

So from a terminal window I issued:

    /etc/webmin/start

And was asked:

    Enter PEM pass phrase:

So either I have to live with being asked for the PEM pass phrase every time I start Webmin (reasonable for running it occasionally on my notebook), or create the server cert without a passphrase?

I can see that needing a passphrase on a server would require that said passphrase be somewhere on the filesystem (or in a token) anyway, so just put it in a root controlled directory and don't passphrase protect it? What does Webmin do when it creates its own cert?

From: Jamie C. <jca...@we...> - 2006-07-29 18:46:04

On 27/Jul/2006 21:01 Robert Moskowitz wrote ..
> Well,
>
> I have finally gotten TinyCA2 up and working! Many things got in the
> way; but it is now up and running on my notebook (running CentOS 4.3).
>
> So I cut and pasted the root cert I built and exported in PEM format.
>
> I also exported a server cert for my notebook (I run Webmin on it when
> I need its tools).
>
> I exported both certs to my home directory, now I want to know if I have
> to keep them there, or if I move them to a better locale, do I have to
> inform Webmin of the change?
>
> My hunch is for the CA cert, since I cut and pasted it into CA cert
> authority module, I do not have to keep Webmin apprised of its location.
>
> But the server cert, I suspect I DO have to keep it informed, so WHEN I
> move it to a better directory than my home directory, I will have to
> update the file location in the SSL module.
>
>
> Now about that file being password protected....
>
> When I supplied Webmin with the cert location (I put the cert and
> private key in a single file), the update failed with a message that
> webmin did not restart.
>
> So from a terminal window I issued: /etc/webmin/start
>
> And was asked:
>
> Enter PEM pass phrase:
>
> So either I have to live with being asked for the PEM pass phrase
> every time I start Webmin (reasonable for running it occasionally on my
> notebook), or create the server cert without a passphrase?
>
> I can see that needing a passphrase on a server would require that said
> passphrase be somewhere on the filesystem (or in a token) anyway, so
> just put it in a root controlled directory and don't passphrase protect
> it? What does Webmin do when it creates its own cert?

Webmin always creates non-password-protected cert files, to avoid the problem of the openssl library prompting for the password at startup time. I suppose I could add code to allow a password to be specified in Webmin's config files somewhere (like Apache does), but security-wise this would be no different from not having a passphrase at all!

Basically, I recommend creating certs without a passphrase, if you want to use them with a web server that can be started automatically at boot time.

- Jamie

From: Robert M. <rg...@ht...> - 2006-07-31 01:53:58

Jamie Cameron wrote:
> On 27/Jul/2006 21:01 Robert Moskowitz wrote ..
>
>> Well,
>>
>> I have finally gotten TinyCA2 up and working! Many things got in the
>> way; but it is now up and running on my notebook (running CentOS 4.3).
>>
>>
>> But the server cert, I suspect I DO have to keep it informed, so WHEN I
>> move it to a better directory than my home directory, I will have to
>> update the file location in the SSL module.
>>
>>
>> Now about that file being password protected....
>>
>> When I supplied Webmin with the cert location (I put the cert and
>> private key in a single file), the update failed with a message that
>> webmin did not restart.
>>
>> So from a terminal window I issued: /etc/webmin/start
>>
>> And was asked:
>>
>> Enter PEM pass phrase:
>>
>> So either I have to live with being asked for the PEM pass phrase
>> every time I start Webmin (reasonable for running it occasionally on my
>> notebook), or create the server cert without a passphrase?
>>
>> I can see that needing a passphrase on a server would require that said
>> passphrase be somewhere on the filesystem (or in a token) anyway, so
>> just put it in a root controlled directory and don't passphrase protect
>> it? What does Webmin do when it creates its own cert?
>>
>
> Webmin always creates non-password-protected cert files, to avoid the problem
> of the openssl library prompting for the password at startup time. I suppose
> I could add code to allow a password to be specified in Webmin's config files
> somewhere (like Apache does), but security-wise this would be no different
> from not having a passphrase at all!
>
> Basically, I recommend creating certs without a passphrase, if you want to
> use them with a web server that can be started automatically at boot time.

I cannot see how to get TinyCA to create a server cert without a password. When I leave the password field blank, I get an error about no password....

So until I can get the author to accommodate non-passworded server certs, I worked out the following:

    echo password > /etc/webmin/start

I can put that into the webmin start script.

From: Jamie C. <jca...@we...> - 2006-07-31 05:42:12

On 30/Jul/2006 18:53 Robert Moskowitz wrote ..
> Jamie Cameron wrote:
>> On 27/Jul/2006 21:01 Robert Moskowitz wrote ..
>>
>>> Well,
>>>
>>> I have finally gotten TinyCA2 up and working! Many things got in the
>>> way; but it is now up and running on my notebook (running CentOS 4.3).
>>>
>>>
>>> But the server cert, I suspect I DO have to keep it informed, so WHEN I
>>> move it to a better directory than my home directory, I will have to
>>> update the file location in the SSL module.
>>>
>>>
>>> Now about that file being password protected....
>>>
>>> When I supplied Webmin with the cert location (I put the cert and
>>> private key in a single file), the update failed with a message that
>>> webmin did not restart.
>>>
>>> So from a terminal window I issued: /etc/webmin/start
>>>
>>> And was asked:
>>>
>>> Enter PEM pass phrase:
>>>
>>> So either I have to live with being asked for the PEM pass phrase
>>> every time I start Webmin (reasonable for running it occasionally on my
>>> notebook), or create the server cert without a passphrase?
>>>
>>> I can see that needing a passphrase on a server would require that said
>>> passphrase be somewhere on the filesystem (or in a token) anyway, so
>>> just put it in a root controlled directory and don't passphrase protect
>>> it? What does Webmin do when it creates its own cert?
>>>
>>
>> Webmin always creates non-password-protected cert files, to avoid the problem
>> of the openssl library prompting for the password at startup time. I suppose
>> I could add code to allow a password to be specified in Webmin's config files
>> somewhere (like Apache does), but security-wise this would be no different
>> from not having a passphrase at all!
>>
>> Basically, I recommend creating certs without a passphrase, if you want to
>> use them with a web server that can be started automatically at boot time.
>
> I cannot see how to get TinyCA to create a server cert without a
> password. When I leave the password field blank, I get an error about no
> password....
>
> So until I can get the author to accommodate non-passworded server
> certs, I worked out the following:
>
> echo password > /etc/webmin/start
>
> I can put that into the webmin start script.

I guess you really mean echo password | /etc/webmin/start right?

I looked in the SSL Perl library for a way of automating this so that the passphrase can be in the Webmin configuration, but there doesn't seem to be any :-(

- Jamie

From: Robert M. <rg...@ht...> - 2006-07-31 10:40:45

Jamie Cameron wrote:
> On 30/Jul/2006 18:53 Robert Moskowitz wrote ..
>
>> Jamie Cameron wrote:
>>
>>> On 27/Jul/2006 21:01 Robert Moskowitz wrote ..
>>>
>>>> Well,
>>>>
>>>> I have finally gotten TinyCA2 up and working! Many things got in the
>>>> way; but it is now up and running on my notebook (running CentOS 4.3).
>>>>
>>>>
>>>> But the server cert, I suspect I DO have to keep it informed, so WHEN I
>>>> move it to a better directory than my home directory, I will have to
>>>> update the file location in the SSL module.
>>>>
>>>>
>>>> Now about that file being password protected....
>>>>
>>>> When I supplied Webmin with the cert location (I put the cert and
>>>> private key in a single file), the update failed with a message that
>>>> webmin did not restart.
>>>>
>>>> So from a terminal window I issued: /etc/webmin/start
>>>>
>>>> And was asked:
>>>>
>>>> Enter PEM pass phrase:
>>>>
>>>> So either I have to live with being asked for the PEM pass phrase
>>>> every time I start Webmin (reasonable for running it occasionally on my
>>>> notebook), or create the server cert without a passphrase?
>>>>
>>>> I can see that needing a passphrase on a server would require that said
>>>> passphrase be somewhere on the filesystem (or in a token) anyway, so
>>>> just put it in a root controlled directory and don't passphrase protect
>>>> it? What does Webmin do when it creates its own cert?
>>>>
>>>
>>> Webmin always creates non-password-protected cert files, to avoid the problem
>>> of the openssl library prompting for the password at startup time. I suppose
>>> I could add code to allow a password to be specified in Webmin's config files
>>> somewhere (like Apache does), but security-wise this would be no different
>>> from not having a passphrase at all!
>>>
>>> Basically, I recommend creating certs without a passphrase, if you want to
>>> use them with a web server that can be started automatically at boot time.
>>
>> I cannot see how to get TinyCA to create a server cert without a
>> password. When I leave the password field blank, I get an error about no
>> password....
>>
>> So until I can get the author to accommodate non-passworded server
>> certs, I worked out the following:
>>
>> echo password > /etc/webmin/start
>>
>> I can put that into the webmin start script.
>>
>
> I guess you really mean echo password | /etc/webmin/start right?
> I looked in the SSL Perl library for a way of automating this so that
> the passphrase can be in the Webmin configuration, but there doesn't
> seem to be any :-(
>

Interestingly, | does not work, but > does.....

Empirical testing wins out over theory.
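
An added example, not part of the thread and not Webmin or TinyCA code: since the recommendation in the thread is a server key without a passphrase, this script removes the passphrase from an exported PEM key with the openssl command line, checks that the key belongs to the certificate, and writes the single cert-plus-key file with owner-only permissions. The file names, the CN and the KEY_PASS variable are assumptions, and the sample key and cert are generated only so the script runs on its own.

```shell
#!/bin/sh
# Added example (not from the thread). File names, the CN and the passphrase
# are constructed; the passphrase is read from the KEY_PASS environment
# variable so it does not appear in the process list.

# Stand-in for a CA tool's export: encrypted RSA key + self-signed cert in DIR.
make_sample() {
    openssl genrsa -aes256 -passout env:KEY_PASS -out "$1/server.key" 2048 2>/dev/null &&
    openssl req -new -x509 -key "$1/server.key" -passin env:KEY_PASS \
        -subj "/CN=notebook.example" -days 30 -out "$1/server.crt" 2>/dev/null
}

# Succeeds if FILE holds a passphrase-protected PEM private key
# (PKCS#8 header or the traditional Proc-Type header).
key_is_encrypted() {
    grep -Eq '^(-----BEGIN ENCRYPTED PRIVATE KEY-----|Proc-Type: 4,ENCRYPTED)' "$1"
}

# Decrypt DIR/server.key, confirm it matches DIR/server.crt, and write
# cert + key to DIR/combined.pem. Runs in a subshell so umask stays local.
strip_passphrase() (
    umask 077                      # every file created below is mode 0600
    tmp="$1/server-nopass.key"
    openssl rsa -in "$1/server.key" -passin env:KEY_PASS -out "$tmp" 2>/dev/null || exit 1
    cert_pub=$(openssl x509 -in "$1/server.crt" -noout -pubkey)
    key_pub=$(openssl pkey -in "$tmp" -pubout)
    if [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]; then
        cat "$1/server.crt" "$tmp" > "$1/combined.pem"
        rc=0
    else
        rc=1                       # key and cert do not belong together
    fi
    rm -f "$tmp"
    exit "$rc"
)

# Demo on a throwaway directory with a constructed passphrase.
demo_dir=$(mktemp -d)
KEY_PASS="constructed-demo-passphrase"; export KEY_PASS
make_sample "$demo_dir" && strip_passphrase "$demo_dir" &&
    ls -l "$demo_dir/combined.pem"
```

For a real exported key, skip make_sample, place the CA tool's files at server.key and server.crt, and keep combined.pem in a root-owned directory before giving its path to the server.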