Why are *ALL* cPanel accounts SSL certs owned by root?

[Benjamin D.]

Not sure if this is in the correct category (sorry) but I would like cPanel to tweak the way that they generate combined SSL certs a tiny bit.

Let's say that I develop an app in a given cPanel account ("A-user") then I cannot even access my own SSL certs, because they're all owned by root in
/var/cpanel/ssl/apache_tls/A-user/combined

I understand A-user should not be able to read B-user's certs, but cPanel could at least tweak the certs generation so that they're owned by the given cPanel users... at least?!

How am I supposed to grab them e.g. from a PHP script? Nowadays there are many apps that use Secure WebSocket and other raw socket technologies that need the SSL cert to be able to encrypt the DATA stream to the client browsers so cPanel users need to be able to grab the combined SSL cert from /var/cpanel/ssl/apache_tls/A-user/combined

What I did for now is to manually copy them with the root user and then chown them to the cPanel account, but since cPanel now regenerates those certs every 3 months (!?) then I would have to manually copy and chown again those combined SSL certs every 2-3 months? This makes no sense. Multiply that annoyance by 10, 20 or 50 apps?

If it's too complicated for cPanel to generate the combined SSL certs owned by each individual users, then how about just doing the same as before except also making a copy of them in the users' home directories? e.g. also dump a copy of A-user's certs in /home/A-user/mycerts/combined and chown it as A-user?

Thx

 

[DennisMidjord]

The certificate files are also available within /home/user/ssl.

 

[Benjamin D.]

That's nice, but where's the combined cert? (It's still better than nothing though)

 

[DennisMidjord]

That is only available in /var/cpanel/ssl/apache_tls/. You can combine the certificate the same way that cPanel does, though.

 

[Benjamin D.]

I am not 100% sure of how it would work, though. From what I believe I understand and please correct me if I'm wrong and you know how it works, but I would need to:
1) Create an empty file named "combined"
2) Loop through all files in /home/user/ssl/keys/ and find the most recent one, then append the whole contents of that file to the file "combined"
3) Loop through all files in /home/user/ssl/certs/ and find the most recent one that does not begin with "_wildcard_", then append the whole contents of that file to the file "combined"
4) [?] There are 2 more certs in the root owned combined file, but I'm not sure what they are...

 

[DennisMidjord]

The two other files are just the CA.
You're able to get all the relevant information using the cPanel UAPI: cPanel Account SSL Management

 

[Benjamin D.]

I'm staring at that API and I'm wondering why I should use that when the DATA is literally in a text file in the home directory. That sounds like over engineering to me and I don't understand why I would even have to go that far when I pay nearly 40$/month for WHM/cPanel licences. It feels like I'm working for cPanel when I'm actually the paying customer here.

Anyway, is there a way cPanel could kindly copy the combined file to the home directory so that the user can easily use it?

 

[DennisMidjord]

You don't have to use the UAPI but it would probably be the easiest way to do it and it would guarantee that you got the correct data. The newest certificate is not necessarily the certificate that is in use. The cPanel UAPI has PHP examples.
The intermediate and root certificates for Sectigo certificates can be found here: Sectigo

 

[Benjamin D.]

"The newest certificate is not necessarily the certificate that is in use."

That's an interesting point right there.

But uh, about Sectigo, I won't need anything from that entity since I've given up on them a few years back when the AutoSSL fiasco happened and I lost 2 customers while cPanel was fixing the issue with Sectigo (which I could not afford to wait so I permanently switched over to Let's Encrypt).

 

[DennisMidjord]

But uh, about Sectigo, I won't need anything from that entity

I actually meant to include the link to Let's Encrypt as well but somehow forgot. They can be found here: Chain of Trust - Let's Encrypt

It's gonna be an issue if your customer installs their own certificates, though - like if they install their own GeoTrust certificate. You'd need to read the certificate issuer from the certificate and then download the correct one. Again, this is where the UAPI would come in handy as it would as you'd also be able to get the CA.

May I ask what you're trying to build?

 

[cPRex]

I see we had some good discussion here - let me know if you still need anything from my end!

 

[Benjamin D.]

I see we had some good discussion here - let me know if you still need anything from my end!

Oh yes! It's all in the first post ;-)

Hope you can bubble this up to improve cPanel. If it's not welcome, then feel free to delete my post. I understand improvement ideas may not be welcome from cpanel customers. It's fine.

 

[cPRex]

We take suggestions from customers every day - that's one of my main jobs is getting feedback to the development team(s) so they are aware of what our users are looking for.

Just so I'm understanding clearly, you want to see the combined certificate that is stored in /var/cpanel/ssl/apache_tls/ available to the cPanel user, correct?

 

[Benjamin D.]

Yes, exactly.

Ideally, if it could be generated in /home/A-user/ssl/combined and chowned to A-user like the separate cert and key files already are, that would make our lives easier compared to connecting to an API to download them and/or to generate them manually by looping through keys and certs folders to get the most recent one of each... which is not ideal. Whoever makes a bunch of Secure WebSocket apps will understand what I mean.

I don't see why cPanel would generate all other files, but not the combined one. That can't be that complicated for cPanel to do it... just cp the combined file and chown it while you're already generating all the other files. It would save us time as developers. That's just my cents. Thanks.

 

[cPRex]

Sure! I went ahead and created this feature request for you:

https://features.cpanel.net/topic/22661-place-a-copy-of-the-combined-ssl-certificate-in-the-home-user-directory-for-easy-access

and I'll bring that up with the team next week.

 

[Benjamin D.]

Refreshing. Thx for improving cPanel even if it's just a minor thing, it will improve the dev experience.

 

[cPRex]

I'm always happy to help!