The Community Forums


Problem when adding SSL certificate for cPanel/WHM web service with stunnel

Discussion in 'Security' started by Vedran Rodic, Dec 22, 2014.

  1. Vedran Rodic

    Vedran Rodic Registered

    Joined:
    Dec 22, 2014
    Messages:
    2
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Zagreb, Croatia, Croatia
    cPanel Access Level:
    Root Administrator
    I'm using cPanel/WHM 11.44.1 (build 23)

    I've added an SSL certificate for use with cPanel/WHM/Webmail Service (used Manage Service SSL certificates). I've added an existing Apache certificate from the menu.

    The UI requested a restart but after that the cPanel/WHM web service didn't work.
    I've checked the /usr/local/cpanel/logs/error_log file, and there was this:
    Code:
    ===
    [2014-12-22 10:10:14 +0100] warn [cpanel] Cpanel::Wrap::send_cpwrapd_request The adminbin “ssl” in the “Cpanel” namespace call to function “FETCHINSTALLEDCERT” ended prematurely: The subprocess reported the “EIO” (5) error when it ended.: namespace=[Cpanel] module=[ssl] function=[FETCHINSTALLEDCERT]: raw_response=[{"exit_code":1280,"action":"fetch","mode":"full","statusmsg":"You do not control the IP address <MY IP> on this server.","error":1,"timeout":0,"status":1,"version":"2.3"}] at /usr/local/cpanel/Cpanel/Wrap.pm line 121
            Cpanel::Wrap::send_cpwrapd_request('module', 'ssl', 'no_cperror', 1, 'env', HASH(0x<cut>), 'data', HASH(0x<cut>?), 'function', 'FETCHINSTALLEDCERT', 'action', 'fetch', 'namespace', 'Cpanel') called at /usr/local/cpanel/Cpanel/Wrap.pm line 58
            Cpanel::Wrap::send_cpwrapd_request_no_cperror('namespace', 'Cpanel', 'module', 'ssl', 'function', 'FETCHINSTALLEDCERT', 'data', HASH(0x), 'action', 'fetch', 'env', HASH(0x<cut>)) called at /usr/local/cpanel/Cpanel/AdminBin.pm line 298
            Cpanel::AdminBin::_adminfetch('module', 'ssl', 'function', 'FETCHINSTALLEDCERT', 'format', 'storable', 'cache_check_files', '', 'cache', 0, 'args', ARRAY(0x<cut>), 'return_status', 1) called at /usr/local/cpanel/Cpanel/AdminBin.pm line 224
            Cpanel::AdminBin::fetch_adminbin_nocache_with_status('ssl', undef, 'FETCHINSTALLEDCERT', 'storable', HASH(0x488e990)) called at /usr/local/cpanel/Cpanel/API/SSL.pm line 1273
    ==== 
    I've cut this trace a bit, since the error message seems to be: "You do not control the IP address <MY IP> on this server". Now I certainly do control this IP address. This is a bogus warning since I certainly do control this IP address, and the same message is repeated in this file even on earlier dates where I didn't have the problem of the cPanel/WHM web UI not working. Additionally, there were no new error messages in the file on subsequent access to port 2087, and no requests logged in access_log in the same directory. Using 'service cpanel restart' revealed that stunnel was not starting, but gave no details about why. This confused me when diagnosing the error, and should be fixed separately.



    I've managed to get the stunnel error by starting stunnel manually with
    /usr/bin/stunnel /usr/local/cpanel/etc/stunnel/mycabundle/stunnel.conf.run
    Code:
    2014.12.22 11:24:34 LOG7[605:140395513423808]: Key file: /var/cpanel/ssl/cpanel/mycpanel.pem
    2014.12.22 11:24:34 LOG7[605:140395513423808]: Private key loaded
    2014.12.22 11:24:34 LOG7[605:140395513423808]: SSL context initialized for service whmhttps
    2014.12.22 11:24:34 LOG7[605:140395513423808]: Certificate: /var/cpanel/ssl/cpanel/mycpanel.pem
    2014.12.22 11:24:34 LOG7[605:140395513423808]: Certificate loaded
    2014.12.22 11:24:34 LOG7[605:140395513423808]: Key file: /var/cpanel/ssl/cpanel/mycpanel.pem
    2014.12.22 11:24:34 LOG7[605:140395513423808]: Private key loaded
    2014.12.22 11:24:34 LOG7[605:140395513423808]: SSL context initialized for service webmailhttps
    2014.12.22 11:24:34 LOG3[605:140395513423808]: FIPS_mode_set: 2D06C06E: error:2D06C06E:FIPS routines:FIPS_module_mode_set:fingerprint does not match

    Now, I'm not sure why the FIPS fingerprint doesn't match (I've only used the WHM UI), and I've fixed the cPanel/WHM by either disabling stunnel by changing /var/cpanel/cpanel.config nativessl value to 1, or by disabling FIPS for stunnel with "fips=no".
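
Added example (not part of the original post, and not cPanel's or stunnel's own code): a shell filter that pulls the error-level lines out of stunnel debug output like the log quoted above and labels the FIPS fingerprint failure. The function names are hypothetical and the sample lines are constructed from the log format in the post; the digit after `LOG` is the syslog priority (3 = err, 7 = debug).

```shell
# Constructed sample in the format quoted in the post (not a real capture).
stunnel_sample_log() {
cat <<'EOF'
2014.12.22 11:24:34 LOG7[605:140395513423808]: Certificate loaded
2014.12.22 11:24:34 LOG7[605:140395513423808]: SSL context initialized for service webmailhttps
2014.12.22 11:24:34 LOG3[605:140395513423808]: FIPS_mode_set: 2D06C06E: error:2D06C06E:FIPS routines:FIPS_module_mode_set:fingerprint does not match
EOF
}

# Read stunnel output on stdin and print only lines whose severity is at or
# above the given level (lower number = more severe; default 4 = warning).
stunnel_errors() {
    max_level="${1:-4}"
    awk -v max="$max_level" '
        match($0, /LOG[0-7]\[/) {
            lvl = substr($0, RSTART + 3, 1) + 0   # digit after "LOG"
            if (lvl <= max) print
        }'
}

# Read stunnel output on stdin and print a short label for the first
# error-level line: the FIPS fingerprint failure, any other error, or none.
stunnel_classify() {
    stunnel_errors 3 | awk '
        /FIPS.*fingerprint does not match/ {
            print "fips-fingerprint-mismatch"; found = 1; exit
        }
        { print "other-error"; found = 1; exit }
        END { if (!found) print "no-error" }'
}

# Stand-alone demonstration on the constructed sample.
stunnel_sample_log | stunnel_errors 3
stunnel_sample_log | stunnel_classify
```

Saving the output of the manual stunnel run to a file and feeding it to `stunnel_errors 3` leaves only the line that stopped the service, which is the detail `service cpanel restart` did not show.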
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,678
    Likes Received:
    648
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello :)

    Could you open a support ticket using the link in my signature so we can take a closer look? You can post the ticket number here so we can update this thread with the outcome.

    Thank you.
     
  3. Vedran Rodic

    5871763 is the ticket id.
     
  4. cPanelMichael

    To update, our support analysts were unable to reproduce the issue using a test server. Feel free to reply back to the support ticket with authentication details if you want us to reproduce the issue on your system.

    Thank you.
     