autossl_check: Permission denied

[JAB Creations]

I'm getting a pointlessly ambiguous error message when I run the following command:

/usr/local/cpanel/bin/autossl_check --user example

I then logged in as both root and the user PHP runs as. The root user is able to run the command fine while the (confirmed) user PHP runs as is getting the same ambiguous permission denied error.

The cPanel "Errors" page doesn't list anything relevant (just older errors I've cleaned up during this work session).

I have had this command run successfully many times before via PHP's shell_exec command (which I always filter for semi-colon injection attacks). What can I do to debug this issue?

Edit 1: my apologies, could a moderator please move this thread to the Developer Experience forum?

 

[cPanelLauren]

I went ahead and moved this but I did want to mention that you're getting the error because only the root user has the privilege to run this command.

For example if i run this as my own user:

[lauren@server /]$ /usr/local/cpanel/bin/autossl_check --user lauren
bash: /usr/local/cpanel/bin/autossl_check: Permission denied
[lauren@server /]$

This is because the autossl process can't be invoked by a user that is not root. The AutoSSL process is automatically started when a domain is added.

 

[JAB Creations]

• Is AutoSSL a third-party or native cPanel feature?
• How often is AutoSSL executed?
• Where can I change the frequency of it's execution?
• What, if any, is the point in only allowing the root user to run AutoSSL?
• When I am logged in as a user that is not root cPanel allows me to run AutoSSL, how can I emulate this?

 

[cPanelLauren]

• Is AutoSSL a third-party or native cPanel feature?

AutoSSL itself is native, the provider if you're using Sectigo is as well, if you're using Let's Encrypt it's considered a 3rd party provider

• How often is AutoSSL executed?

An AutoSSL run is initiated any time a new domain is added and every 24 hours via cron

[root@server cron.d]# cat /etc/cron.d/cpanel_autossl
57    1    *    *    *    root    /usr/local/cpanel/bin/autossl_check --all

• Where can I change the frequency of it's execution?

If you were going to increase the frequency I'd suggest adding a separate cron in root's crontab otherwise you could modify the cron.d entry but I can't guarantee that it wouldn't be modified.

• What, if any, is the point in only allowing the root user to run AutoSSL?

The process runs as the root user because it runs the process for all users on the system. I cannot disagree that it would be nice if the process was able to be initiated by the user. There is a feature request for this present here: https://features.cpanel.net/topic/autossl-cpanel-interface-for-end-user-control

• When I am logged in as a user that is not root cPanel allows me to run AutoSSL, how can I emulate this?

The command you were running previously won't work for the user themself but this would I believe:

UAPI Functions - SSL::start_autossl_check - Developer Documentation - cPanel Documentation

documentation.cpanel.net

 

[JAB Creations]

AutoSSL itself is native, the provider if you're using Sectigo is as well, if you're using Let's Encrypt it's considered a 3rd party provider

...

Thank you Lauren for all of those clarifications. One last question for now: does AutoSSL automatically run when a subdomain is added?

 

[LucasRolff]

Thank you Lauren for all of those clarifications. One last question for now: does AutoSSL automatically run when a subdomain is added?

Yes, it does, and if you're using the Let's Encrypt provider, then in fact AutoSSL executes every 3 hours.