
Why are *ALL* cPanel accounts SSL certs owned by root?

16 comments

  • DennisMidjord
    The certificate files are also available within /home/user/ssl.
    0
  • Benjamin D.
    That's nice, but where's the combined cert? (It's still better than nothing though)
    0
  • DennisMidjord
    That is only available in /var/cpanel/ssl/apache_tls/. You can combine the certificate the same way that cPanel does, though.
    0
  • Benjamin D.
    I am not 100% sure of how it would work, though. From what I believe I understand and please correct me if I'm wrong and you know how it works, but I would need to:
    1) Create an empty file named "combined"
    2) Loop through all files in /home/user/ssl/keys/ and find the most recent one, then append the whole contents of that file to the file "combined"
    3) Loop through all files in /home/user/ssl/certs/ and find the most recent one that does not begin with "_wildcard_", then append the whole contents of that file to the file "combined"
    4) [?] There are 2 more certs in the root owned combined file, but I'm not sure what they are...
    0
  • DennisMidjord
    The two other files are just the CA. You're able to get all the relevant information using the cPanel UAPI: cPanel Account SSL Management
    0
  • Benjamin D.
    I'm staring at that API and I'm wondering why I should use that when the DATA is literally in a text file in the home directory. That sounds like over engineering to me and I don't understand why I would even have to go that far when I pay nearly 40$/month for WHM/cPanel licences. It feels like I'm working for cPanel when I'm actually the paying customer here. Anyway, is there a way cPanel could kindly copy the combined file to the home directory so that the user can easily use it?
    0
  • DennisMidjord
    You don't have to use the UAPI but it would probably be the easiest way to do it and it would guarantee that you got the correct data. The newest certificate is not necessarily the certificate that is in use. The cPanel UAPI has PHP examples. The intermediate and root certificates for Sectigo certificates can be found here: Sectigo
    0
  • Benjamin D.
    "The newest certificate is not necessarily the certificate that is in use." That's an interesting point right there. But uh, about Sectigo, I won't need anything from that entity since I've given up on them a few years back when the AutoSSL fiasco happened and I lost 2 customers while cPanel was fixing the issue with Sectigo (which I could not afford to wait so I permanently switched over to Let's Encrypt).
    0
  • DennisMidjord
    "But uh, about Sectigo, I won't need anything from that entity"

    I actually meant to include the link to Let's Encrypt as well but somehow forgot. They can be found here: Chain of Trust - Let's Encrypt. It's gonna be an issue if your customer installs their own certificates, though - like if they install their own GeoTrust certificate. You'd need to read the certificate issuer from the certificate and then download the correct one. Again, this is where the UAPI would come in handy, as you'd also be able to get the CA. May I ask what you're trying to build?
    0
  • cPRex Jurassic Moderator
    I see we had some good discussion here - let me know if you still need anything from my end!
    0
  • Benjamin D.
    "I see we had some good discussion here - let me know if you still need anything from my end!"

    Oh yes! It's all in the first post ;-) Hope you can bubble this up to improve cPanel. If it's not welcome, then feel free to delete my post. I understand improvement ideas may not be welcome from cpanel customers. It's fine.
    0
  • cPRex Jurassic Moderator
    We take suggestions from customers every day - one of my main jobs is getting feedback to the development team(s) so they are aware of what our users are looking for. Just so I'm understanding clearly, you want to see the combined certificate that is stored in /var/cpanel/ssl/apache_tls/ available to the cPanel user, correct?
    0
  • Benjamin D.
    Yes, exactly. Ideally, if it could be generated in /home/A-user/ssl/combined and chowned to A-user like the separate cert and key files already are, that would make our lives easier compared to connecting to an API to download them and/or to generate them manually by looping through keys and certs folders to get the most recent one of each... which is not ideal. Whoever makes a bunch of Secure WebSocket apps will understand what I mean. I don't see why cPanel would generate all other files, but not the combined one. That can't be that complicated for cPanel to do it... just cp the combined file and chown it while you're already generating all the other files. It would save us time as developers. That's just my cents. Thanks.
    0
  • cPRex Jurassic Moderator
    Sure! I went ahead and created this feature request for you:
    0
  • Benjamin D.
    Refreshing. Thx for improving cPanel even if it's just a minor thing, it will improve the dev experience.
    0
  • cPRex Jurassic Moderator
    I'm always happy to help!
    0
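
The combined file discussed in this thread (private key, then the certificate, then the CA certificates), as an added example that is not from any poster or from cPanel: given the certificate you know is installed, it selects the key whose public half matches it rather than the newest file, and writes the result readable by the owner only. The function names and the separate CA bundle argument are assumptions; the keys and certs directories are the ones named in the thread.

```bash
#!/usr/bin/env bash
# Added example: build a combined PEM (key, certificate, CA chain) for one cert.
# Function names are hypothetical; keys_dir is e.g. /home/user/ssl/keys.

# Print the path of the private key in keys_dir whose public key matches cert.
find_matching_key() {
    local cert=$1 keys_dir=$2 cert_pub key key_pub
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 2
    for key in "$keys_dir"/*; do
        [ -f "$key" ] || continue
        key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || continue
        if [ "$key_pub" = "$cert_pub" ]; then
            printf '%s\n' "$key"
            return 0
        fi
    done
    return 1   # no key belongs to this certificate
}

# Write key + cert + CA bundle to out. The file holds the private key, so it
# is created with mode 0600 and moved into place in one rename.
build_combined() {
    local cert=$1 keys_dir=$2 ca_bundle=$3 out=$4 key tmp
    key=$(find_matching_key "$cert" "$keys_dir") || {
        echo "no private key matches $cert" >&2; return 1; }
    # Refuse a bundle that does not parse as a certificate
    # (for instance a saved HTML error page from a failed download).
    openssl x509 -in "$ca_bundle" -noout 2>/dev/null || {
        echo "$ca_bundle is not a PEM certificate" >&2; return 1; }
    tmp=$(mktemp "$out.XXXXXX") || return 1   # mktemp creates the file 0600
    # Blank lines between PEM blocks are harmless and guard against a part
    # that lacks a trailing newline.
    if { cat "$key"; echo; cat "$cert"; echo; cat "$ca_bundle"; } > "$tmp" \
        && mv -f "$tmp" "$out"; then
        return 0
    fi
    rm -f "$tmp"
    return 1
}
```

Run it as the account user, for example `build_combined ~/ssl/certs/<cert file> ~/ssl/keys <CA bundle> ~/ssl/combined`, after downloading the issuer's chain for that certificate.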
