WHMCS is getting a SSL call back from your CPanel API
I need to disable SSL for people CPanel log in from WHMCS. The issue is they cannot disable the SSL it has to be done from something in CPanel. Here is the message they sent. Can you tell where to disable SSL for the call back please.
In WHMCS v6.0 the software uses the cPanel API to facilitate logging in to cPanel/WHM and also the new cPanel functionality from the WHMCS product details page.
This relies upon the create_user_session function in the cPanel API:
-
Could you be more specific as to why you need to disable it? Unless I am misunderstanding something, the advice of "ensure your hostname resolves correctly and install a cheap certificate for use as a service SSL" seems a lot more sensible and secure. 0 -
It really doesn't seem more sensible or secure. SSL certified certificates is a sham for most cases, self signed SSL is just as secure as a certificate, it's just a trick to make more money from us server admins. It works though, hence why you think it's normal to buy them when a browser gives you an error. The truth is a self signed SSL is just as secure. The error is there to have you spend money on SSL. Beyond that though, CPanel users do need to use SSL, if they have people sniffing on their home computer or network than they are in more trouble than a website issue. In over 13 years we have never had one issue from this. I just want to not have to use SSL to log into CPanel with our API. It really shouldn't be an issue. So far we have lost customers because of the SSL errors freaking them out. Our goal is to make things simple and feel safe. This issue has thrown all that out the window. I should say for Ecommerce I understand SSL because it verifies the business to some extent, but just for a control panel it's not needed. Ideally if could decide which servers use SSL and which do not, that way if a customers wants the added security I can move them and have a certified cert there. Adding SSL certs to every server is just a waste of thousands of dollars I would rather use for bonuses with our employees or improving our network, or anything that isn't part of a sham. 0 -
I understand that in most cases, self signed certificates are secure enough for transporting data, and I use them a lot myself. I would never log into my control panel for a server without using SSL (at least self signed if nothing else). While you are right that viruses on end users computers generally steal more passwords than using insecure connections, that certainly doesn't eliminate the risk. Anyone on wifi, or in an office network with an IDS worth two cents, would be exposing their account. In monitoring a corporate network, any plain text logins or insecure login methods are logged. If it's just for your end users (customers) and not for your administrative logins I guess I could see it being acceptable in some cases to skip the SSL login to cPanel, but as a security conscious user I certainly would not appreciate logging into cPanel without an SSL connection (at least self signed would be good enough for me). I've found most of our customers (90% or better) do not mind accepting a self signed certificate for cPanel login. Anyway I hope you are able to find a solution for your issue. I do not know of a way to change the value returned by that API call. 0 -
Thanks, I hope so too! It's killing me. Please CPanel help me fix this. 10 years and never ask for any favors, this forced SSL for CPanel API access is murder though. 0 -
Should I be posting this somewhere else? Forcing SSL to access CPanel seems a little odd, considering you have always had ports for both options. Anyway I can get a little help with this? 0 -
Feel free to open a ticket directly to cPanel Technical Support about this. 0 -
Hello :) The behavior you have reported is by design in order to enforce HTTPS intentionally, and without waver. The API call create_user_session is sending user session data over the wire, which if left without SSL encryption could be intercepted allowing a malicious user to access the users cPanel account. If you absolutely must change this rather than obtaining validated SSLs you could modify Session.pm to use http, vs https. The block of code is: File: /usr/local/cpanel/Whostmgr/API/1/Session.pm $metadata->{'reason'} = 'Created session'; $metadata->{'result'} = 1; my $url = "https://$host:$port$token/login/"; my %url_query_params = ( 'session' => $randsession ); if ($app) { my $app_url = Cpanel::Themes::get_users_links($user); if ( $app_url->{$app} ) { $url_query_params{'goto_uri'} = $app_url->{$app}; } }
Here you would changehttps://$host:port$token/login/
tohttp://$host:port$token/login/
To avoid this being overwritten during updates you would add it to the cpanelsync.exclude file:0
Please sign in to leave a comment.
Comments
7 comments