Please whitelist cPanel in your adblocker so that you’re able to see our version release promotions, thanks!

The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Disabling AutoSSL Issue

Discussion in 'Security' started by 0884094, Oct 18, 2017.

  1. 0884094

    0884094 Member

    Joined:
    Nov 14, 2013
    Messages:
    9
    Likes Received:
    5
    Trophy Points:
    3
    cPanel Access Level:
    Root Administrator
    Hi friends,

    I have ~400 cPanel accounts, each with a WordPress installation inside. My customer go straight to their WordPress admin login and don't know about cPanel. I manage their cPanel accounts through API calls.

    Some of my customers want to use SSL. I have the autossl feature disabled by default on all accounts, but when a customer wants SSL, I enable it with this API call:
    Code:
    [URL='https://ns1.example.com:2087/xml-api/add_override_features_for_user?api.version=1&user=aa474402&features=%7B%22autossl%22%3A%220%22%7D']https://ns1.example.com:2087/xml-api/add_override_features_for_user?api.version=1&user=aa474402&features={"autossl":"0"}[/URL]
    -- that's features={"autossl":"1"}
    
    This works fine... the problem is, if the customer decides that they don't want SSL right now (i.e. if their website has inlined dependencies that are non-SSL), I cannot then disable autossl no matter what I do... I have tried sending the reverse API call to set features={"autossl":"0"} but Apache still automatically redirects all incoming requests from domain.com to domain.com with ssl even if that lands them on an error page due to a self-signed or incorrect cert. I have explored all through WHM and the cPanel account pages but I don't see any way to turn off this automatic undesired forced redirect onto https://. Any ideas?
     
    #1 0884094, Oct 18, 2017
    Last edited by a moderator: Oct 18, 2017
  2. cPWilliamL

    cPWilliamL cP Technical Analyst II
    Staff Member

    Joined:
    May 15, 2017
    Messages:
    257
    Likes Received:
    27
    Trophy Points:
    103
    Location:
    America
    cPanel Access Level:
    Root Administrator
    Hi @0884094,

    I've tried to replicate this on a 66 server, but am unable to. When AutoSSL follows the package default, the 'FEATURE-AUTOSSL' directive will not exist in `/var/cpanel/$username'. When you run the 'add_override_features_for_user' whmapi1 call, the user file is updated with 'FEATURE-AUTOSSL=1' to enable it, and 0 to disable it. I've tested this as below
    Code:
    # grep FEATURE-AUTOSSL /var/cpanel/users/$user
    # whmapi1 add_override_features_for_user user=$user features=%7B%22autossl%22%3A%221%22%7D
    # grep FEATURE-AUTOSSL /var/cpanel/users/$user
    FEATURE-AUTOSSL=1
    # whmapi1 add_override_features_for_user user=$user features=%7B%22autossl%22%3A%220%22%7D
    # grep FEATURE-AUTOSSL /var/cpanel/users/$user
    FEATURE-AUTOSSL=0
    # /usr/local/cpanel/bin/autossl_check --user=$user
    This system has AutoSSL set to use “cPanel (powered by Comodo)”.
    “$user” does not have the required feature “autossl”.
    
    Do you see the same? I believe there is confusion with what disabling AutoSSL actually does for a user. This prevents it from applying any new SSL CRT's via the AutoSSL system; it doesn't remove the installed SSL CRT's.

    Redirects are done by the user's '.htaccess' file or even the applications PHP database(e.g. site_url in wp_options on Wordpress installs). I don't believe AutoSSL add's any http -> https redircts in the users '.htaccess', just redirects for DCV file validation.

    Thanks,
     
  3. 0884094

    0884094 Member

    Joined:
    Nov 14, 2013
    Messages:
    9
    Likes Received:
    5
    Trophy Points:
    3
    cPanel Access Level:
    Root Administrator
    Hi cPWilliamL, thank you very much for looking into this. You're right, the AutoSSL feature does not force redirects. It is now working very well for me.

    A year ago I'd put this deep in my core Apache conf file to make all SSL requests use HTST (back when the only SSL site was my admin site, and I wanted to score A+ on ssllabs):

    <IfModule mod_headers.c>
    Header always set Strict-Transport-Security "max-age=31536000; includeSubdomains;"
    Header set Content-Security-Policy "upgrade-insecure-requests" env=HTTPS
    </IfModule>

    Once I started experimenting with SSL, my browsers saw the HTST header and flagged my test domains as always-SSL and so would "redirect" there automatically forever no matter else I did, even for requesting static files after forcibly removing all certs...

    I also had some confusion with the WordPress site_url and my own database caching logic... in the end I just assumed it was ain cPanel... anyway it really helps to get a sanity check from someone else, so thanks again for taking the time to debug something that's not your issue.
     
Loading...

Share This Page