Preventing Apache SSL automatic generation ?

eva2000

Well-Known Member
Aug 14, 2001
Brisbane, Australia
cPanel Access Level: Root Administrator
If I install an SSL certificate for a cPanel-hosted domain, the VirtualHost 443 entry is generated into /usr/local/apache/conf/httpd.conf, and it says to customise this VirtualHost using an include file instead, as the SSL section is automatically generated.

Code:
# SSL
# DO NOT EDIT. AUTOMATICALLY GENERATED.  IF YOU NEED TO MAKE A CHANGE PLEASE USE THE INCLUDE FILES.

# To customize this VirtualHost use an include file at the following location
    # Include "/usr/local/apache/conf/userdata/ssl/2_2/username/DOMAINNAME.COM/*.conf"
But how do I customise this in the include file if I want to disable/remove only Apache from serving the site via 443, but not uninstall the SSL certificate, and let the LiteSpeed web server take priority for HTTPS/SSL and serve the site's 443 via LiteSpeed's native vhost config console? The usual distiller method doesn't work, as cPanel/Apache auto-generates the SSL VirtualHost anyway regardless of the commands?

Code:
/usr/local/cpanel/bin/apache_conf_distiller --update
/usr/local/cpanel/bin/build_apache_conf
cheers

George

24x7ss

Well-Known Member
Sep 30, 2014
India
cPanel Access Level: Root Administrator
Hello,

It seems Apache is working as a reverse proxy for LiteSpeed, so it will use the configuration from Apache only. You should consider removing Apache completely to switch everything to LiteSpeed.

eva2000

Well-Known Member
Aug 14, 2001
Brisbane, Australia
cPanel Access Level: Root Administrator
Thanks for the reply, but Apache isn't a reverse proxy to LiteSpeed. LiteSpeed is enabled in WHM/cPanel and Apache is disabled. It's just that to get HTTP/2 support + OCSP stapling enabled for SSL on WHM/cPanel, I had to set up LiteSpeed with a native SSL vhost and configure OCSP stapling there, which seems to have worked without needing to disable Apache httpd.conf's VirtualHost 443 entry, as I verified the custom SSL cipher order and OCSP stapling are working on the domain now.

openssl command output:
Code:
openssl s_client -connect mydomain.com:443 -tls1 -tlsextdebug -status

OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: C = CN, O = WoSign CA Limited, CN = WoSign Free SSL OCSP Responder(G2)
    Produced At: Aug 22 12:06:04 2015 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: A06661F16CBCC23E98BC71914830B85AAA8D0A6B
      Issuer Key Hash: D2A716207CAFD9959EEB430A19F2E0B9740EA8C7
      Serial Number: 1188F371489C6D91CD380851FB274515
    Cert Status: good
    This Update: Aug 22 12:06:04 2015 GMT
    Next Update: Aug 24 12:06:04 2015 GMT
testssl result:
Code:
testssl mydomain.com:443

--> Testing protocols (via sockets except TLS 1.2 and SPDY/NPN)

SSLv2      not offered (OK)
SSLv3      not offered (OK)
TLS 1      offered
TLS 1.1    offered
TLS 1.2    offered (OK)
SPDY/NPN   h2, h2c, h2-17, h2-14, spdy/3.1, spdy/3, spdy/2, http/1.1 (advertised)

--> Testing ~standard cipher lists

Null Ciphers                 not offered (OK)
Anonymous NULL Ciphers       not offered (OK)
Anonymous DH Ciphers         not offered (OK)
40 Bit encryption            not offered (OK)
56 Bit encryption            not offered (OK)
Export Ciphers (general)     not offered (OK)
Low (<=64 Bit)               not offered (OK)
DES Ciphers                  not offered (OK)
Medium grade encryption      not offered (OK)
Triple DES Ciphers           not offered (OK)
High grade encryption        offered (OK)
--> Testing server preferences

Has server cipher order?     yes (OK)
Negotiated protocol          TLSv1.2
Negotiated cipher            ECDHE-RSA-AES128-GCM-SHA256, 256 bit ECDH
Cipher order
     TLSv1:     ECDHE-RSA-AES128-SHA ECDHE-RSA-AES256-SHA AES128-SHA AES256-SHA
     TLSv1.1:   ECDHE-RSA-AES128-SHA ECDHE-RSA-AES256-SHA AES128-SHA AES256-SHA
     TLSv1.2:   ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES128-SHA ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES256-SHA AES128-GCM-SHA256 AES256-GCM-SHA384 AES128-SHA256 AES256-SHA256 AES128-SHA AES256-SHA
     h2:        ECDHE-RSA-AES128-GCM-SHA256 AES128-GCM-SHA256 AES256-GCM-SHA384 AES128-SHA256 AES256-SHA256 AES128-SHA AES256-SHA
     h2c:       ECDHE-RSA-AES128-GCM-SHA256 AES128-GCM-SHA256 AES256-GCM-SHA384 AES128-SHA256 AES256-SHA256 AES128-SHA AES256-SHA
     h2-17:     ECDHE-RSA-AES128-GCM-SHA256 AES128-GCM-SHA256 AES256-GCM-SHA384 AES128-SHA256 AES256-SHA256 AES128-SHA AES256-SHA
     h2-14:     ECDHE-RSA-AES128-GCM-SHA256 AES128-GCM-SHA256 AES256-GCM-SHA384 AES128-SHA256 AES256-SHA256 AES128-SHA AES256-SHA
     spdy/3.1:  ECDHE-RSA-AES128-GCM-SHA256 AES128-GCM-SHA256 AES256-GCM-SHA384 AES128-SHA256 AES256-SHA256 AES128-SHA AES256-SHA
     spdy/3:    ECDHE-RSA-AES128-GCM-SHA256 AES128-GCM-SHA256 AES256-GCM-SHA384 AES128-SHA256 AES256-SHA256 AES128-SHA AES256-SHA
     spdy/2:    ECDHE-RSA-AES128-GCM-SHA256 AES128-GCM-SHA256 AES256-GCM-SHA384 AES128-SHA256 AES256-SHA256 AES128-SHA AES256-SHA
     http/1.1:  ECDHE-RSA-AES128-GCM-SHA256 AES128-GCM-SHA256 AES256-GCM-SHA384 AES128-SHA256 AES256-SHA256 AES128-SHA AES256-SHA

--> Testing server defaults (Server Hello)

TLS server extensions        renegotiation info, EC point formats, session ticket, status request, heartbeat
Session Tickets RFC 5077     300 seconds
Server key size              2048 bit
Signature Algorithm          SHA256 with RSA
Fingerprint / Serial         SHA1 E737D0911D60FFAD925DC4B07FC9A330E91D2C32 / 1188F371489C6D91CD380851FB274515
                              SHA256 5877AB22697AED02B30357FFBBF9AA53239E1934C565288591865991D5C8D19C
Common Name (CN)             mydomain.com (works w/o SNI)
subjectAltName (SAN)         mydomain.com www.mydomain.com mydomain2.com
Issuer                       WoSign CA Free SSL Certificate G2 (WoSign CA Limited from CN)
EV cert (experimental)       no
Certificate Expiration       >= 60 days (2015-03-24 23:54 --> 2018-03-25 00:54 +0000)
# of certificates provided   3
Certificate Revocation List  http://crls6.wosign.com/ca6-server1-free.crl
OCSP URI                     http://ocsp6.wosign.com/ca6/server1/free
OCSP stapling                offered
TLS timestamp                random values, no fingerprinting possible


--> Testing HTTP header response @ "/"

HTTP Status Code             200 OK
HTTP clock skew              -1 sec from localtime
Strict Transport Security    --
Public Key Pinning           --
Server banner                LiteSpeed
Application banner           --
Cookie(s)                    (none issued at "/")
Security headers             --
Reverse Proxy banner        --
and cipherscan result:
Code:
cipherscan mydomain.com:443
.............
Target: mydomain.com:443

prio  ciphersuite                  protocols              pfs                 curves
1     ECDHE-RSA-AES128-GCM-SHA256  TLSv1.2                ECDH,P-256,256bits  prime256v1
2     ECDHE-RSA-AES256-GCM-SHA384  TLSv1.2                ECDH,P-256,256bits  prime256v1
3     ECDHE-RSA-AES128-SHA256      TLSv1.2                ECDH,P-256,256bits  prime256v1
4     ECDHE-RSA-AES128-SHA         TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits  prime256v1
5     ECDHE-RSA-AES256-SHA384      TLSv1.2                ECDH,P-256,256bits  prime256v1
6     ECDHE-RSA-AES256-SHA         TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits  prime256v1
7     AES128-GCM-SHA256            TLSv1.2                None                None
8     AES256-GCM-SHA384            TLSv1.2                None                None
9     AES128-SHA256                TLSv1.2                None                None
10    AES256-SHA256                TLSv1.2                None                None
11    AES128-SHA                   TLSv1,TLSv1.1,TLSv1.2  None                None
12    AES256-SHA                   TLSv1,TLSv1.1,TLSv1.2  None                None

Certificate: trusted, 2048 bit, sha256WithRSAEncryption signature
TLS ticket lifetime hint: 300
OCSP stapling: supported
Cipher ordering: server

Fallbacks required:
big-SSLv3 config not supported, connection failed
big-TLSv1.0 no fallback req, connected: TLSv1 ECDHE-RSA-AES128-SHA
big-TLSv1.1 no fallback req, connected: TLSv1.1 ECDHE-RSA-AES128-SHA
big-TLSv1.2 no fallback req, connected: TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
and nghttp HTTP/2 connection test:

Code:
nghttp -nv https://mydomain.com:443
[  0.141] Connected
The negotiated protocol: h2
[  0.205] send SETTINGS frame <length=12, flags=0x00, stream_id=0>
          (niv=2)
          [SETTINGS_MAX_CONCURRENT_STREAMS(0x03):100]
          [SETTINGS_INITIAL_WINDOW_SIZE(0x04):65535]
[  0.205] send PRIORITY frame <length=5, flags=0x00, stream_id=3>
          (dep_stream_id=0, weight=201, exclusive=0)
[  0.205] send PRIORITY frame <length=5, flags=0x00, stream_id=5>
          (dep_stream_id=0, weight=101, exclusive=0)
[  0.205] send PRIORITY frame <length=5, flags=0x00, stream_id=7>
          (dep_stream_id=0, weight=1, exclusive=0)
[  0.205] send PRIORITY frame <length=5, flags=0x00, stream_id=9>
          (dep_stream_id=7, weight=1, exclusive=0)
[  0.205] send PRIORITY frame <length=5, flags=0x00, stream_id=11>
          (dep_stream_id=3, weight=1, exclusive=0)
[  0.205] send HEADERS frame <length=40, flags=0x25, stream_id=13>
          ; END_STREAM | END_HEADERS | PRIORITY
          (padlen=0, dep_stream_id=11, weight=16, exclusive=0)
          ; Open new stream
          :method: GET
          :path: /
          :scheme: https
          :authority: mydomain.com
          accept: */*
          accept-encoding: gzip, deflate
          user-agent: nghttp2/1.2.1-DEV
[  0.226] recv SETTINGS frame <length=18, flags=0x00, stream_id=0>
          (niv=3)
          [SETTINGS_MAX_CONCURRENT_STREAMS(0x03):100]
          [SETTINGS_INITIAL_WINDOW_SIZE(0x04):65536]
          [SETTINGS_MAX_FRAME_SIZE(0x05):16384]
[  0.226] recv WINDOW_UPDATE frame <length=4, flags=0x00, stream_id=0>
          (window_size_increment=196605)
[  0.226] recv SETTINGS frame <length=0, flags=0x01, stream_id=0>
          ; ACK
          (niv=0)
[  0.227] recv (stream_id=13) :status: 200
[  0.227] recv (stream_id=13) etag: "d-55d85693-a98bd14439add40a"
[  0.227] recv (stream_id=13) last-modified: Sat, 22 Aug 2015 11:01:39 GMT
[  0.227] recv (stream_id=13) content-type: text/html
[  0.227] recv (stream_id=13) content-length: 13
[  0.227] recv (stream_id=13) date: Sat, 22 Aug 2015 14:33:48 GMT
[  0.227] recv (stream_id=13) accept-ranges: bytes
[  0.227] recv (stream_id=13) server: LiteSpeed
[  0.227] recv HEADERS frame <length=102, flags=0x04, stream_id=13>
          ; END_HEADERS
          (padlen=0)
          ; First response header
[  0.227] recv DATA frame <length=13, flags=0x00, stream_id=13>
[  0.227] recv DATA frame <length=0, flags=0x01, stream_id=13>
          ; END_STREAM
[  0.227] send SETTINGS frame <length=0, flags=0x01, stream_id=0>
          ; ACK
          (niv=0)
[  0.227] send GOAWAY frame <length=8, flags=0x00, stream_id=0>
          (last_stream_id=0, error_code=NO_ERROR(0x00), opaque_data(0)=[])
The only thing is the SSL Labs test isn't reporting OCSP, despite the results shown by the openssl command line, testssl and cipherscan.
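The cipherscan and testssl output above was read by eye in the thread. As an added example (not code from the thread, from cPanel or from cipherscan itself), here is a small Python parser for cipherscan's table format that flags the review points in such output: suites without forward secrecy, legacy protocol versions, and whether OCSP stapling and server-side cipher ordering are reported. The sample input is a constructed, abridged copy of the table layout shown in the post, not a live scan.

```python
import re

# Constructed sample in cipherscan's output format (abridged from the thread's
# table layout); not a live scan result.
SAMPLE = """\
Target: mydomain.com:443
prio  ciphersuite                  protocols              pfs                 curves
1     ECDHE-RSA-AES128-GCM-SHA256  TLSv1.2                ECDH,P-256,256bits  prime256v1
4     ECDHE-RSA-AES128-SHA         TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits  prime256v1
7     AES128-GCM-SHA256            TLSv1.2                None                None
11    AES128-SHA                   TLSv1,TLSv1.1,TLSv1.2  None                None
Certificate: trusted, 2048 bit, sha256WithRSAEncryption signature
OCSP stapling: supported
Cipher ordering: server
"""

# One table row: priority, suite name, comma-separated protocols, pfs, curves.
ROW = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")

def parse_cipherscan(text):
    """Return (suite dicts in priority order, dict of the 'key: value' summary lines)."""
    suites, summary = [], {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            prio, name, protos, pfs, _curves = m.groups()
            suites.append({"prio": int(prio), "name": name,
                           "protocols": protos.split(","),
                           "pfs": None if pfs == "None" else pfs})
        elif ":" in line and not line.startswith("Target:"):
            key, value = line.split(":", 1)
            summary[key.strip()] = value.strip()
    return suites, summary

def audit(text):
    """Flag review points; an empty list means nothing stood out."""
    suites, summary = parse_cipherscan(text)
    findings = []
    no_pfs = [s["name"] for s in suites if s["pfs"] is None]
    if no_pfs:
        findings.append("non-PFS suites offered: " + ", ".join(no_pfs))
    legacy = sorted({p for s in suites for p in s["protocols"]
                     if p in ("SSLv3", "TLSv1", "TLSv1.1")})
    if legacy:
        findings.append("legacy protocols offered: " + ", ".join(legacy))
    if summary.get("OCSP stapling") != "supported":
        findings.append("OCSP stapling not reported as supported")
    if summary.get("Cipher ordering") != "server":
        findings.append("server does not enforce its own cipher order")
    return findings
```

Run against the thread's own cipherscan output, the same checks would flag the six non-PFS AES suites and the TLSv1/TLSv1.1 offers while confirming stapling and server ordering.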

cPanelMichael

Administrator
Staff member
Apr 11, 2011
But how do I customise this in include file if I want to disable/remove only Apache from serving the site via 443 but not uninstall the SSL certificate and let LiteSpeed web server take priority of HTTPS/SSL and serve the site's 443 via LiteSpeed's native vhost config console
Hello :)

You will likely receive more feedback on this type of question at the LiteSpeed forums, as it's a customization of the LiteSpeed plugin and it's not a configuration that's natively supported by cPanel:

https://www.litespeedtech.com/support/forum/

Thank you.

eva2000

Well-Known Member
Aug 14, 2001
Brisbane, Australia
cPanel Access Level: Root Administrator
Thanks @cPanelMichael. While I solved my problem without needing to disable the 443 in Apache httpd.conf, it's actually a question of whether EasyApache Apache can disable the 443 vhost using the include "/usr/local/apache/conf/userdata/ssl/2_2/username/DOMAINNAME.COM/*.conf" include file but NOT uninstall the SSL certificate for the vhost.

cPanelMichael

Administrator
Staff member
Apr 11, 2011
Could you open a support ticket using the link in my signature so we can take a closer look? You can post the ticket number here so we can update this thread with the outcome.

Thank you.