How to hide the "Purchase and Install an SSL Certificate" link in reseller's WHM?

[electric]

Hello,

I have disabled the reseller privilege in WHM for " Account Management --> Purchase SSL Certificates (ssl-buy)". However, our resellers are still able to see the "Purchase and install an SSL Certificate" link in their WHM menu.

How can we disable this link? we sell SSL certificates ourselves, and we do not want our customers to go to cpanel to purchase their ssl certificate,

Thanks.

 

[cPanelJamesW]

Greetings,

If you would like to disable the cPanel store as a provider for SSL certificates, this can be done via your Manage2 account by using "Update Company Information", we have some great information on doing so here:

How to Disable the cPanel Store as an SSL Certificate Provider in WHM | cPanel & WHM Documentation

This article provides instructions on how to use Manage2's Update Company Information interface to disable the cPanel Store as an SSL certificate provider.

docs.cpanel.net

To disable the free/automatic hostname certificates from being issued, the following touch file(s) can be generated:

• /var/cpanel/ssl/disable_service_certificate_management:
  • Fully disables checkallsslcerts which fully prevents generation of new certificates (expired, SHA1, revoked, etc) (both cpanel signed and unsigned).
• /var/cpanel/ssl/disable_auto_hostname_certificate
  • The system will no longer order, download, and install a free cPanel-signed hostname certificate.
• /var/cpanel/ssl/disable_hostname_mismatch_check
  • This touchfile instructs the checkallsslcerts script to not replace any SSL certificates that do not match the hostname of the server with a cPanel-signed certificate. This includes wildcard certificates.

Thanks!

 

[electric]

Hello,

The cpanel store has is disabled in the WHM>>Market Provider Manager screen. However, this does not fix the problem.

The problem is that my resellers can still click on the WHM » SSL/TLS » Purchase and Install an SSL Certificate menu option, and it shows links to cpanel.

I do not our resellers to see that link at all in their WHM. It is confusing for them to see ssl certificates offered by cpanel, even if clicking the "Go to Cpanel" button just gives an error message.

When I go into the "Home » Resellers » Edit Reseller Nameservers and Privileges screen I have disabled the "Account Management >> Purchase SSL Certificates" option... but this link is still shown in their WHM.

How can we remove that purchase link in their WHM?

 

[SamA]

Hello!

To remove the actual page Purchase and Install an SSL Certificate, this can be managed through the Edit Reseller Nameservers and Privileges interface.

I tested this on my own VM by deselecting "Purchase SSL Certificates", saving the changes, and I'm no longer seeing the page populating within the WHM sub-menu (see attachment)

This is what is currently configured for my reseller:

# grep autorepairshop /var/cpanel/resellers
autorepairshop:acct-summary,basic-system-info,basic-whm-functions,cors-proxy-get,cpanel-api,cpanel-integration,create-user-session,digest-auth,generate-email-config,list-pkgs,manage-api-tokens,manage-dns-records,manage-oidc,manage-styles,mysql-info,ns-config,public-contact,ssl-info,track-email

Are you able to provide us with the above output for the reseller you're working with?

 

[electric]

Yes, here it is:

[[email protected] ~]# grep financia /var/cpanel/resellers
financia:acct-summary,add-pkg,allow-addoncreate,allow-parkedcreate,basic-system-info,basic-whm-functions,cors-proxy-get,cpanel-api,cpanel-integration,create-acct,create-user-session,demo-setup,digest-auth,edit-dns,edit-mx,edit-pkg,generate-email-config,kill-acct,limit-bandwidth,list-accts,list-pkgs,mailcheck,manage-api-tokens,manage-dns-records,manage-oidc,manage-styles,mysql-info,news,ns-config,passwd,public-contact,quota,show-bandwidth,software-ConfigServer-csf,software-JetBackup,software-lvemanager,ssl,ssl-gencrt,ssl-info,stats,status,suspend-acct,thirdparty,track-email,upgrade-account

 

[SamA]

Hello,

Thanks for the quick response!

I copied over your current reseller privileges over to my test account, and sure enough, the Purchase and Install an SSL Certificate, page was populating.

After some digging, it would appear that you would also need to have the SSL Site Management privilege disabled inside Edit Reseller Nameservers and Privileges for the reseller to lose access to that page.

Are you able to complete these changes and let us know if you're still able to see the page?

 

[electric]

Hello,

Yes, that worked. Unchecking the SSL Site Management privilege removes the Purchase and Install an SSL Certificate as well as the Install an SSL Certificate on a Domain and Manage SSL Hosts links... We'd prefer to keep those last two links, however, that's ok, because I the reseller can still log into the end-user's cpanel to perform those actions when needed. (It just means the reseller can't do those tasks from within their WHM.)

It looks like this might be a bug, though? I think if server admin disables the Purchase SSL Certificates reseller privilege, there is no reason to continue showing the Purchase and Install an SSL Certificate link and page. Perhaps that WHM link/page is associated with the incorrect privilege.

 

[SamA]

Greetings,

It's important to note that these conditions are mentioned in the below documentation:

Purchase and Install an SSL Certificate

This interface automatically enables the following required features to purchase and install SSL certificates from cPanel’s SSL/TLS Wizard interface (cPanel >> Home >> Security >> SSL/TLS Wizard) for the user:

• cPanel Market — market
• SSL Host Installer — sslinstall
• SSL/TLS Wizard — tls_wizard

However, I do understand where you're coming from and the importance of retaining Install an SSL Certificate on a Domain and Manage SSL Hosts links for the reseller to use. As such, I went ahead and submitted an improvement case for our developers to review by the ID of CPANEL-34379.

In the event we push these changes, you'll find the updates within our changelog here:

90 Change Log

 

[ScottyBoy]

So I am trying to do the same for some of the users as they tend to break things often lol. Since I am taking care of as I do not want the user to be able to change certs, etc. Is there not way to get rid of it completely for specific users (without getting rid of it completely for all users with some code changes)? Maybe I missed something in the thread, but following the instructions disabled it for everyone for me