Howdy all,
There has been a serious security vulnerability discovered in OpenSSL versions 1.0.1 through 1.0.1f. It is a major remote data availability exploit, and requires immediate action.
All of the Virtualmin-supported Operating Systems and versions have released security updates for this exploit, and I encourage you to update immediately. (Note that we don't provide the affected packages on any OS; they come from your OS vendor. This is just a warning, just in case you didn't see the notifications from your OS vendor...this is just such a sever exploit, I wanted to do what I could to make folks aware of it).
After updating you will need to restart any remotely accessible services that use SSL/TLS. On a Virtualmin system, this may include Apache, Dovecot, Postfix, ProFTPD, Webmin, Usermin (I'm not actually sure if the library Webmin uses to enable SSL has the exploitable heartbeat feature enabled, but it probably doesn't matter, given the nature of the attack, so restart these services anyway).
You will also need to revoke and re-issue any SSL certificates you use, as it is impossible to determine whether the private keys have been compromised. Your certificate issuer may or may not charge to revoke and issue new keys.
For more on the exploit: http://heartbleed.com/
Is there a way to regenerate the self signed certificate that Webmin & Usermin use from the command line?
You can use any certificate you like with Webmin. It isn't a special format or anything.
So, follow the usual directions for creating a certificate (like these found in the OpenSSL docs: https://www.openssl.org/docs/HOWTO/certificates.txt (in the section titled "Creating a self-signed test certificate"). Once you have the .pem certificate+private key file, you can move it to /etc/webmin/miniserv.pem and restart Webmin to have the new certificate take effect.
You should notify users of the new certificate (because if they've saved the old certificate and expect it to not give security warnings anymore, this will surprise them), and provide some way for them to verify the new certificate (maybe a copy of it in a public place that isn't easy to compromise with a MITM attack, like on your website).
--
Check out the forum guidelines!
Oh, and from within Webmin you can regenerate your certificate in the Webmin->Webmin Configuration->SSL Certificates->Self-Signed Certificate page.
--
Check out the forum guidelines!
And...for yet more complexity, I want to make clear the above two bits of advice would only be if you are just wanting to replace the self-signed certificate that Webmin automatically generated when you installed Webmin, Virtualmin, or Cloudmin (you'd also want to do it for Usermin). If you have a certificate from a certificate issuing authority, like Namecheap or Comodo, etc. you would want to creat a new CSR with a new private key, and get your certificate from re-issued (or get a new certificate, if re-issuing with a new key is not possible), and then install that for all of the services you are currently using. Virtualmin has a page to mostly automate those steps, except for your interaction with the certificate provide.
--
Check out the forum guidelines!
Is there a way to confirm if we got these updates? What should we look for? The only updates available to me today were for usermin and webmin with versions 1.590-1 and 1.680-1 respectively. Are these the updates ?
Thanks
rpm -q openssl
should show "openssl-1.0.1e-16" this is on CentOS 6If a yum update doesn't show anything available run
yum clean all
After the update is installed reboot the server, also revoke and reissue all SSL certs on the system, their private keys may have been compromised.
If you are still using the self signed certificates for Webmin & Usermin, they should be recreated, I am trying to find a easier way to do that right now.
Hmm I got:
openssl-0.9.8e-27.el5_10.1
I did what you suggested and even after cleaning I got:
"No Packages marked for Update"
Does this mean I'm not affected?
Ah, I have Centos 5.7...
This only affects CentOS 6, and RHEL 6. CentOS 5 is not affected.
Yes, the only effected versions of OpenSSL are 1.0.1 through 1.0.1f. All earlier releases are not effected.
On CentOS 6, the update is documented here: http://lists.centos.org/pipermail/centos-announce/2014-April/020249.html
On Ubuntu 12.04LTS, here: https://launchpad.net/ubuntu/+source/openssl/1.0.1-4ubuntu5.12
On Debian: http://www.debian.org/security/2014/dsa-2896
Scientific Linux and RHEL have the same version as CentOS. I'm not sure how to find the FreeBSD details.
--
Check out the forum guidelines!
Today I tried to log into the control panel (Virtual/Webmin) and got this message
Secure Connection Failed
An error occurred during a connection to my.server.com:10000. Peer's Certificate has been revoked. (Error code: sec_error_revoked_certificate)
Please contact the website owners to inform them of this problem. Alternatively, use the command found in the help menu to report this broken site.
What do we do now?
SSH into your server as root
Open /etc/webmin/miniserv.conf with your favorite editor (vi/emacs/nano)
Look for "ssl=1" and change it to "ssl=0" and save & exit
Restart the webmin process /etc/init.d/webmin restart on most systems
Now you can login, don't use https e.g. http://myserver.tld:10000/
Replace or remove the SSL cert, you can generate a self signed as a stopgap. Make sure you turn SSL back on after you are done.
Note: These instructions apply to CentOS for the most part, Debian/Ubuntu/etc might be a little different.
OK that all worked but then I only know where to do SSL changes for the domains where have and explicit "Manage SSL Certificate" under the server configuration. But I don't find such a menu item for web min itself.
2) is there any intrinsic security issue by just using a self-signed certificate? You say.. "stop gap" -- does that mean it is insecure? I don't recall doing anything special before... other than accepting the default cert
Self-signed certificate
Perhaps there is no GUI for this and we just do what Joe says above?
"You can use any certificate you like with Webmin. It isn't a special format or anything.
"So, follow the usual directions for creating a certificate (like these found in the OpenSSL docs: https://www.openssl.org/docs/HOWTO/certificates.txt (in the section titled "Creating a self-signed test certificate"). Once you have the .pem certificate+private key file, you can move it to /etc/webmin/miniserv.pem and restart Webmin to have the new certificate take effect."
I assume "move it to" means "replace the miniserve.pem" with the new certificate.
Again, same question pertains: is there some strong reason not to just go with this cert? I only have a few users and they can just accept the cert via their browser exceptions and be done with it.
OR I wonder if I copy a cert/key from one of the domains, and make the .pem file... if it would work...
Just for closure sake on this one: I escalated this to an issue and solution is simple:
Do as IP86 above describes... you might want to change your root password first to a temp one... then log in to webmin with http:// now easiest option is to go to VirtualMin... one of the domains for which you have a certificate, then
1) go to Server Config --> Manage SSL Certificates --> Copy to Web Min 2) Webmin will not complain that they site is not secure and offer the option to go to the SSL Config area.. .now you can turn on SSL there without having to go back and manually edit miniserv.conf 3) Log out 4) go back to terminal and change your root password back 5) now log into web min; http://my.domain.com:10000
6) Browser will request you to allow a security exception because if the certificate is "officially" only for you "my.otherDomain.com" from which you copied the SSL cert over to web min... doesn't really matter, everything is now encrypted
Here is the complete walkthrough for replacing any certificate with a fresh selfsigned. This has been testing about 79 times on various CentOS 5 & 6 systems.
1) SSH into your server as root
2) Open /etc/webmin/miniserv.conf with your favorite editor (vi/emacs/nano)
3) Look for "ssl=1" and change it to "ssl=0" and save & exit
4) Restart the webmin process /etc/init.d/webmin restart on most systems
5) Login to webmin as root, http://x.x.x.x:10000/
6) Select "Webmin" at the top left corner of the screen.
7) Select "Webmin" -> "Webmin Configuration" - > "SSL Encryption"
8) Select the "Self-Signed Certificate" tab
9) Enter your country in "Country code" ie "US"
10) Click "Create Now"
11) The new key and cert will be displayed, click "Return to Webmin configuration" at the bottom of the screen.
12) Go back to "SSL Encryption"
13) Change "Enable SSL if available?" from "No" to "Yes"
14) Now go to your normal URL https://x.x.x.x:10000/
You are now using Webmin with a fresh self signed certificate!
Ip86 : Thanks for this line-by-line... I've added it to my docs
Hello,
If you use virtualmin, you probably use usermin too .
So update Usermin certificate is needed too.
Go to : webmin/usermin configuration/SSL encryption/ and create a new certificate.
Restart is not needed (change are applied on validation), clients will have a prompt for the new certificate when connecting for the first time to usermin.
Passwords need to be changed.
Greatings,
Eric