SOLVED finding the current install SSL from SSH

Neutrall

Hi,


I’m currently working on an automated solution to have Nginx as a reverse proxy for all HTTPS traffic. But for this solution to be feasible, my script needs to be able to get the currently installed SSL on a domain.


Currently, I can easily parse through the ssl.db file from each hosting, but the problem occurs when some of those files show more than one installed SSL for the same domain. Here is an example of the output I get with the UAPI, which is giving me the same result as the ssl.db YAML file:


Code:
[email protected] [/home/mca/ssl]# uapi --user=mca SSL list_certs
---
apiversion: 3
func: list_certs
module: SSL
result:
  data:
    -
      created: '1462902596'
      domain_is_configured: 1
      domains:
        - www.example.com
        - example.com
      friendly_name: www.example.com and example.com 2
      id: www_example_com_d3b4a_...
      is_self_signed: 0
      issuer.commonName: GeoTrust EV SSL CA - G4
      issuer.organizationName: GeoTrust Inc.
      issuer_text: "\nGeoTrust EV SSL CA - G4"
      modulus: d....
      modulus_length: 4096
      not_after: '1528588799'
      not_before: '1462838400'
      signature_algorithm: sha256WithRSAEncryption
      subject.commonName: www.m105.ca
      subject_text: "..."
      validation_type: ev
    -
      created: '1517513665'
      domain_is_configured: 1
      domains:
        - www.example.com
        - mexample.com
      friendly_name: Cert for “example.com”
      id: www_example5_com_c0061_...
      is_self_signed: 0
      issuer.commonName: GeoTrust EV RSA CA 2018
      issuer.organizationName: DigiCert Inc
      issuer_text: "\nwww.digicert.com\ncommonName\nGeoTrust EV RSA CA 2018"
      modulus: c.....
      modulus_length: 4096
      not_after: '1528545600'
      not_before: '1517443200'
      signature_algorithm: sha256WithRSAEncryption
      subject.commonName: www.example.com
      subject_text: "..."
      validation_type: ev
  errors: ~
  messages: ~
  metadata:
    transformed: 1
  status: 1
My question is: how can I get the actual installed SSL for the hosting? Even the UAPI SSL::fetch_best_for_domain function (uapi --user=myuser SSL fetch_best_for_domain domain=example.com) didn’t return the same SSL that is listed inside the user's cPanel GUI interface.
 

cPanelMichael

Hello @Neutrall,

The SSL::installed_hosts UAPI function is available if you'd like to see the certificates installed on the account, as opposed to seeing a list of all CRT files that exist under the account. Can you let me know if that's what you are looking for?

Thank you.
 

cPanelMichael

Hello @Neutrall,

On a side note, in cPanel & WHM version 72 we're adding a Standardized Hook that triggers events before and after the installation or changes to SSL certificates via WHM's Install an SSL Certificate on a Domain interface or WHM API 1's installssl function. This is in addition to a separate Standardized Hook we're adding for AutoSSL certificate installations.

Thank you.
 

sparek-3

I would probably recommend using whmapi1 for this, the fetch_ssl_vhosts API call.

The UAPI interface isn't going to work if the account you are checking doesn't have the SSL feature enabled. Now, perhaps all of your accounts have this. But we don't typically allow this in our cPanels; we install certificates ourselves using the WHM (or the whmapi1 API).

cPanel wants to move everything over to UAPI for better permission control, but it's not all that useful to me because the permission control becomes a burden. This is also why we will probably never see a "Park a domain" API call added to whmapi1; cPanel wants to control the permissions on that with UAPI (but that's getting off topic).

When you run whmapi1 fetch_ssl_vhosts, look for the data->vhosts->crt->servername object. Then take that value (for each vhost installed certificate) and find the combined certificate information in /var/cpanel/ssl/apache_tls/%servername%/combined.
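
The lookup described in the post above, as an added example that is not part of the original thread: it parses the JSON form of the whmapi1 fetch_ssl_vhosts response, validates each servername before it is used in a filesystem path, skips expired certificates, and maps every covered domain to its combined file. The `--output=json` invocation, the `domains` and `not_after` fields inside `crt`, and the combined file holding key, certificate and CA bundle are assumptions; the sample response is constructed.

```python
import json
import re
import time
from pathlib import PurePosixPath

APACHE_TLS = PurePosixPath("/var/cpanel/ssl/apache_tls")  # directory named in the post
# Dot-separated labels only: rejects "/", "..", empty labels and a leading "-".
SERVERNAME_RE = re.compile(r"(?!-)[A-Za-z0-9_*-]{1,63}(?:\.[A-Za-z0-9_-]{1,63})*")

# Constructed sample shaped like `whmapi1 fetch_ssl_vhosts --output=json`.
# Layout (data -> vhosts -> crt -> servername) follows the post; values are made up.
SAMPLE = json.dumps({"data": {"vhosts": [
    {"crt": {"servername": "example.com",
             "domains": ["example.com", "www.example.com"],
             "not_after": "1893456000"}},
    {"crt": {"servername": "../../etc",            # must never reach a path join
             "domains": ["bad.example"], "not_after": "1893456000"}},
    {"crt": {"servername": "old.example.net",      # expired in 2010
             "domains": ["old.example.net"], "not_after": "1262304000"}},
]}})

def installed_certs(api_json, now=None):
    """Return ({domain: combined_path}, [(servername, reason), ...])."""
    now = time.time() if now is None else now
    usable, rejected = {}, []
    for vhost in json.loads(api_json)["data"]["vhosts"]:
        crt = vhost.get("crt") or {}
        name = str(crt.get("servername") or "")
        if not SERVERNAME_RE.fullmatch(name):
            rejected.append((name, "unsafe servername"))
            continue
        if int(crt.get("not_after") or 0) <= now:
            rejected.append((name, "expired"))
            continue
        combined = str(APACHE_TLS / name / "combined")
        for domain in crt.get("domains", []):
            usable[domain] = combined
    return usable, rejected

def nginx_ssl_lines(combined):
    # Assumption: the combined file contains the private key as well as the
    # certificate chain, so both directives can reference the same file.
    return f"ssl_certificate {combined};\nssl_certificate_key {combined};"

if __name__ == "__main__":
    certs, skipped = installed_certs(SAMPLE)
    for domain, path in sorted(certs.items()):
        print(f"# {domain}\n{nginx_ssl_lines(path)}")
    for name, reason in skipped:
        print(f"# skipped {name!r}: {reason}")
```

If the combined file does contain the private key, read it in place as root rather than copying it somewhere with looser permissions.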
 

Neutrall

Thank you @cPanelMichael,

This is giving me the proper value; now I just have to find the proper way to get all this information together so I can have it ready for the Nginx proxy!

Thank you!

Also, thanks @sparek-3 for the alternative; chances are that I might also take a look at your suggestion!
 