Installing Webmin on Ubuntu 12.04 LTS Precise Pangolin is quite simple. This article will walk you through the complete installation of Webmin 1.580 including the upgrading of the self-signed certificate to a 2048-bit key (a 512-bit key is the default).
This is my system:
$ uname -a Linux brasenose 3.2.0-24-generic-pae #37-Ubuntu SMP Wed Apr 25 10:47:59 UTC 2012 i686 i686 i386 GNU/Linux $ lsb_release -a No LSB modules are available. Distributor ID: Ubuntu Description: Ubuntu 12.04 LTS Release: 12.04 Codename: precise $ openssl version OpenSSL 1.0.1 14 Mar 2012
That last check is pretty important. If you don’t have OpenSSL installed you are not going to be able to run Webmin over TLS so make sure it is installed.
My demonstration system is a minimal system with only a SSH Server installed and a static IP set-up.
Things have come a long way in the Webmin world and some cranky old Perl dependencies have now been flushed from the code. Unfortunately, there is no specialized Ubuntu version, so aficionados need to install the Debian version and make manual changes. Fortunately, installing the Debian package is simple. First we need to add the official Webmin repository to our list of software packages:
$ sudo vi /etc/apt/sources.list
Add the following line to the bottom of the file:
deb http://download.webmin.com/download/repository sarge contrib
This adds the Webmin Debian repository to your package list. Wondering why the repo release code name is ‘Sarge’? My guess is that it simply never got changed once Debian moved on to Etch in 2007 because it works fine. Sarge was an ancient Debian release from the late pleistocene and it hasn’t been ’round these parts for many moons.
Now we need to add Webmin author Jamie Cameron’s public key to our keyring. Do this from your home directory:
$ cd ~ $ wget http://www.webmin.com/jcameron-key.asc --2012-04-29 01:34:19-- http://www.webmin.com/jcameron-key.asc Resolving www.webmin.com (www.webmin.com)... 126.96.36.199 Connecting to www.webmin.com (www.webmin.com)|188.8.131.52|:80... connected. HTTP request sent, awaiting response... 200 OK Length: 1320 (1.3K) [text/plain] Saving to: `jcameron-key.asc' 100%[======================================>] 1,320 --.-K/s in 0s 2012-04-29 01:34:19 (41.4 MB/s) - `jcameron-key.asc' saved [1320/1320] $ sudo apt-key add ~/jcameron-key.asc [sudo] password for kelvin: OK
Now we can install Webmin from the repo we added:
$ sudo apt-get update ... Fetched 12.6 MB in 37s (333 kB/s) Reading package lists... Done $ sudo apt-get install webmin Reading package lists... Done Building dependency tree Reading state information... Done The following extra packages will be installed: apt-show-versions libapt-pkg-perl libauthen-pam-perl libio-pty-perl libnet-ssleay-perl The following NEW packages will be installed: apt-show-versions libapt-pkg-perl libauthen-pam-perl libio-pty-perl libnet-ssleay-perl webmin 0 upgraded, 6 newly installed, 0 to remove and 0 not upgraded. Need to get 16.1 MB of archives. After this operation, 100 MB of additional disk space will be used. Do you want to continue [Y/n]? Y Get:1 http://download.webmin.com/download/repository/ sarge/contrib webmin all 1.580 [15.8 MB] Get:2 http://ca.archive.ubuntu.com/ubuntu/ precise/main libnet-ssleay-perl i386 1.42-1build1 [184 kB] ... Setting up libnet-ssleay-perl (1.42-1build1) ... Setting up libauthen-pam-perl (0.16-2build2) ... Setting up libio-pty-perl (1:1.08-1build2) ... Setting up libapt-pkg-perl (0.1.25build2) ... Setting up apt-show-versions (0.17) ... ** initializing cache. This may take a while ** Setting up webmin (1.580) ... Webmin install complete. You can now login to https://brasenose:10000/ as root with your root password, or as any user who can use sudo to run commands as root.
Webmin now is running on port 10000 but you can inspect the TLS properties and see that it is using a 512-bit key. Your browser may warn you of the weak default cryptographic key. That sort of thing is fine if you’re living in North Korea, but we need to upgrade it to use a 2048-bit key like all the cool kids.
The username and password for Webmin is the same as any user that has sudo rights on the system. My username is therefore ‘kelvin’ and my password is ‘PASSWORD’. LOL. No, I’m not going to tell you my password…
Upgrade the self-signed SSL Certificate
OpenSSL will be used to generate the needed keys and certificates. We are going to make a self-signed certificate which means that it will raise warnings, scary red flags, a Cthulhu and whoknowswhatelse in most browsers. So if this system will be used by easily frightened system admins (most are) then you might want to get a properly signed certificate from a Certificate Authority instead. Having said that (and alienated most of my readership) let’s get on with it.
The self-signed certificate will be valid for 1825 days or 5 years which is also how long your OS will be maintained by Canonical. Simply change the value after the ‘days’ attribute in the command to meet your needs.
Use OpenSSL to make a private key and a self-signed certificate in one badass command:
$ cd /etc/webmin $ sudo openssl req -newkey rsa:2048 -days 1825 -nodes -x509 -keyout server.key -out server.crt [sudo] password for kelvin: Generating a 2048 bit RSA private key .............................................................................................+++ .........+++ writing new private key to 'server.key' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]:CA State or Province Name (full name) [Some-State]:British Columbia Locality Name (eg, city) :Victoria Organization Name (eg, company) [Internet Widgits Pty Ltd]:Kelvin Wong Heavy Industries S.p.A. Organizational Unit Name (eg, section) :Network Operations Common Name (e.g. server FQDN or YOUR name) :brasenose.kelvinwong.ca Email Address :firstname.lastname@example.org
Okay, so how cool was that? Now you have to make your artifacts usable and safe. First, concatenate the private key and the certificate into a single PEM file that Webmin can understand (tee used for piping because I’m cool and I can read Wikipedia). Second, set the correct permissions and file ownership.
$ pwd /etc/webmin $ cat server.crt server.key | sudo tee server.pem > /dev/null $ sudo chmod 600 server.pem server.key server.crt $ sudo chown root:bin server.pem server.key server.crt $ ls -l server.* -rw------- 1 root bin 1610 Apr 29 13:33 server.crt -rw------- 1 root bin 1704 Apr 29 13:33 server.key -rw------- 1 root bin 3314 Apr 29 13:45 server.pem
Now you need to tell Webmin to use your new upgraded certificate.
$ sudo vi /etc/webmin/miniserv.conf
Change the certificate name:
Then restart Webmin:
$ sudo invoke-rc.d webmin restart Stopping Webmin server in /usr/share/webmin Starting Webmin server in /usr/share/webmin Pre-loaded WebminCore
Your Webmin installation is now totally badass like a Honey Badger.
Question: What changes do you make to your Webmin configuration so that it runs well on Ubuntu?