Can I reuse cert for :443 on :10000

Question

I have used letsencrypt/certbot to setup SSL for my site on ubuntu 16.04. I've installed webmin and it correctly complains that it is not secure. What should I do to get a cert working on webmin port 10000 ? I am using apache.

Answer 1

1. Install Let's Encrypt / certbot module for Webmin if you don't have it via command line.
2. Go into Webmin accepting your browser's complaint that it is an insecure site.
3. In Webmin, navigate to Webmin > Webmin Configuration, SSL Encryption.
4. Click on Let's Encrypt tab at top.
5. Choose options for certificate, eg put in the domain name for the webmin domain without the port, and click Request Certificate.
6. Deal with any errors (eg write permissions on directories created by certbot run on command line that were not writeable by apache webserver).
7. Once this webmin config process was complete, it had installed a certificate under /etc/webmin that was only working on port 10000, the default webmin port.

You may want to verify your cert is working by putting in yourdomain.com:10000 at a cert checker that accepts ports like https://www.sslshopper.com/ssl-checker.html. I had to fiddle to get chrome to notice the new cert.

Answer 2

The short answer is: Yes you can.

Unfortunately I don't remember the exact steps, I've done it over 2 years ago. But I will write down some principal states.

• Webmin uses the Lighttpd web server and this is not Apache's configuration setting. (Not on this state.)

• You should convert the certificate to an appropriate for Webmin format, if it is not.

• You can import your certificate through Webmin's web interface, or you can edit manually Webmin's Lighttpd config file (/etc/webmin/config as I remember correctly).

• It doesn't matter on which port you are using HTTPS, just (once it is configured) your browser's requests should start with https:// instead of http://. And because the certificates are for a domain name you should access Webmin through domain name (and port) instead of IP (and port).

Currently I don't using Webmin. For me ssh connection is enough to administrate a remote instance. So I would suggest you to configure Apache as reverse proxy for similar cases, that, IMO, will be more useful experience.

• Open port 1010 (or some other free port) in your Firewall.

• Create a new Apache's VirtualHost configuration file, based on the one that serves HTTPS (on port 443). The content of the new configuration file should look as this:

  <IfModule mod_ssl.c>
  
      Listen 1010
  
      <VirtualHost _default_:1010>
  
          ServerName my.domain.com
          ServerAdmin admin@my.domain.com
  
          ErrorLog ${APACHE_LOG_DIR}/my.domain.com.error.log
          CustomLog ${APACHE_LOG_DIR}/my.domain.com.access.log combined
  
          SSLEngine on
          SSLCertificateFile /etc/letsencrypt/live/my.domain.com/cert.pem
          SSLCertificateKeyFile /etc/letsencrypt/live/my.domain.com/privkey.pem
          SSLCertificateChainFile /etc/letsencrypt/live/my.domain.com/chain.pem
  
          ProxyRequests Off
          <Proxy *>
              Order deny,allow
              Allow from all
          </Proxy>
  
          ProxyPass "/"  "http://localhost:1000/"
          ProxyPassReverse "/"  "http://localhost:1000/"
  
          <Location />
              Order allow,deny
              Allow from all
          </Location>
  
      </VirtualHost>
  
  </IfModule>
  

• Enable the basic Apache's proxy modules, enable the new Virtual Host and restart the web server:

  sudo a2enmod proxy proxy_http                    # [Tab] to find more modules
  sudo a2ensite <my.domain.com on port 1010>.conf
  sudo systemctl restart apache2.service
  

• Now you should be able to access Webmin through HTTPS at address as this:

  https://my.domain.com:1010/
  

• Now you can close port 1000 in the Firewall.