curl can't find ca-bundle on centos7

uadm

The problem is this:

We run a page that sends a curl request to a remote https server. This failed since we moved the account to a new centos7 server.

It seems on centos7 /etc/pki/tls/certs/ca-bundle.crt is linked to /etc/pki/ca-trust/extracted/openssl/ca-bundle.crt which is not available to cagefs users.

We tried to add /etc/pki to /etc/cagefs/cagefs.mp and run cagefsctl --remount-all
but this doesn't help while /etc/pki/ca-trust is still not available to cagefs users.

We also tried to delete the /etc/pki/tls/certs/ca-bundle.crt link and put there a real file, however to cagefs users it's still being shown as a link.

Finally we solved it by moving the bundle to the account directory and setting curl.cainfo="ca-bundle.crt" in its php.ini.


However we want to solve this server wide.

Please advise.
 

uadm

Hello :)

Could you verify if this account is assigned jailed shell access?

Thank you.
This account has noshell.
It's not the shell it has or hasn't; when we disable cagefs for the account it can access the ca-bundle.
 

cPanelMichael

Technical Support Community Manager
Staff member
Hello :)

A resolution for this is scheduled for the next update from Cloud Linux. In the meantime, try running the following commands to address the issue:

Code:
cagefsctl --addrpm ca-certificates
cagefsctl --force-update
Thank you.
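
Added example, not part of the thread and not cPanel or CloudLinux code: a check to run as the affected user, before and after the commands above, that walks the symlink chain of the CA bundle and names the first hop missing from that user's filesystem view. `check_ca_bundle` is a hypothetical helper name; the path in the usage comment is the one from the first post.

```shell
#!/bin/sh
# check_ca_bundle PATH  (hypothetical helper, added example)
# Returns 0 if PATH resolves to a readable file holding PEM certificates,
# 1 if a hop is missing or unreadable, 2 if no certificates, 3 on a link loop.
check_ca_bundle() {
    path=$1
    hops=0
    # Follow symlinks one hop at a time so a dangling link is reported by name.
    while [ -L "$path" ]; do
        target=$(readlink "$path")
        case $target in
            /*) next=$target ;;                      # absolute target
            *)  next=$(dirname "$path")/$target ;;   # relative to the link's dir
        esac
        echo "link: $path -> $next"
        path=$next
        hops=$((hops + 1))
        if [ "$hops" -gt 16 ]; then
            echo "FAIL: symlink loop or chain longer than 16 hops"
            return 3
        fi
    done
    if [ ! -e "$path" ]; then
        echo "FAIL: $path does not exist in this filesystem view"
        return 1
    fi
    if [ ! -r "$path" ]; then
        echo "FAIL: $path exists but is not readable by $(id -un)"
        return 1
    fi
    # grep -c exits non-zero on zero matches; keep the printed count anyway.
    count=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$path" || true)
    if [ "$count" -eq 0 ]; then
        echo "FAIL: $path contains no PEM certificates"
        return 2
    fi
    echo "OK: $path is readable and holds $count certificates"
    return 0
}

# Usage: sh check_ca_bundle.sh /etc/pki/tls/certs/ca-bundle.crt
if [ "$#" -gt 0 ]; then
    check_ca_bundle "$1"
fi
```

A `FAIL` on the second hop while the same check passes for root reproduces the situation described in the first post.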