Problem when adding SSL certificate for cPanel/WHM web service with stunnel

Vedran Rodic

Registered
Dec 22, 2014
2
0
1
Zagreb, Croatia, Croatia
cPanel Access Level
Root Administrator
I'm using cPanel/WHM 11.44.1 (build 23)

I've added a SSL certificate for use with cPanel/WHM/Webmail Service (used Manage Service SSL certificates). I've added an existing apache certificate from the menu.

The UI requested a restart but after that the cPanel/WHM web service didnt work.
I've checked the /usr/local/cpanel/logs/error_log file, and there was this:
Code:
===
[2014-12-22 10:10:14 +0100] warn [cpanel] Cpanel::Wrap::send_cpwrapd_request The adminbin “ssl” in the “Cpanel” namespace call t
o function “FETCHINSTALLEDCERT” ended prematurely: The subprocess reported the “EIO” (5) error when it ended.: namespace=[Cpanel
] module=[ssl] function=[FETCHINSTALLEDCERT]: raw_response=[{"exit_code":1280,"action":"fetch","mode":"full","statusmsg":"You do not control the IP address <MY IP> on this server.","error":1,"timeout":0,"status":1,"version":"2.3"}] at /usr/local/cpanel/Cpanel/Wrap.pm line 121
        Cpanel::Wrap::send_cpwrapd_request('module', 'ssl', 'no_cperror', 1, 'env', HASH(0x<cut>), 'data', HASH(0x<cut>?), 'f
unction', 'FETCHINSTALLEDCERT', 'action', 'fetch', 'namespace', 'Cpanel') called at /usr/local/cpanel/Cpanel/Wrap.pm line 58
        Cpanel::Wrap::send_cpwrapd_request_no_cperror('namespace', 'Cpanel', 'module', 'ssl', 'function', 'FETCHINSTALLEDCERT', 
'data', HASH(0x), 'action', 'fetch', 'env', HASH(0x<cut>)) called at /usr/local/cpanel/Cpanel/AdminBin.pm line 298
        Cpanel::AdminBin::_adminfetch('module', 'ssl', 'function', 'FETCHINSTALLEDCERT', 'format', 'storable', 'cache_check_file
s', '', 'cache', 0, 'args', ARRAY(0x<cut>), 'return_status', 1) called at /usr/local/cpanel/Cpanel/AdminBin.pm line 224
        Cpanel::AdminBin::fetch_adminbin_nocache_with_status('ssl', undef, 'FETCHINSTALLEDCERT', 'storable', HASH(0x488e990)) called at /usr/local/cpanel/Cpanel/API/SSL.pm line 1273
====
I've cut this trace a bit, since the error message seems to be: "You do not control the IP address <MY IP> on this server". Now I certainly do control this IP address. This is a bogus warning since I certainly do control this IP address, and the same message is repeated in this file even in earlier dates where I didn't have the problem of cPanel/WHM web UI not working. Additionally, there were no new error messages in the file on subsequent access to 2087 port, and no requests logged in access_log in the same directory. Using 'service cpanel restart' revealed that stunnel was not starting, but no details about why. This confused me when diagnosing the error, and should be fixed separately.



I've managed to get the stunnel error by starting stunnel manually with
/usr/bin/stunnel /usr/local/cpanel/etc/stunnel/mycabundle/stunnel.conf.run
Code:
2014.12.22 11:24:34 LOG7[605:140395513423808]: Key file: /var/cpanel/ssl/cpanel/mycpanel.pem
2014.12.22 11:24:34 LOG7[605:140395513423808]: Private key loaded
2014.12.22 11:24:34 LOG7[605:140395513423808]: SSL context initialized for service whmhttps
2014.12.22 11:24:34 LOG7[605:140395513423808]: Certificate: /var/cpanel/ssl/cpanel/mycpanel.pem
2014.12.22 11:24:34 LOG7[605:140395513423808]: Certificate loaded
2014.12.22 11:24:34 LOG7[605:140395513423808]: Key file: /var/cpanel/ssl/cpanel/mycpanel.pem
2014.12.22 11:24:34 LOG7[605:140395513423808]: Private key loaded
2014.12.22 11:24:34 LOG7[605:140395513423808]: SSL context initialized for service webmailhttps
2014.12.22 11:24:34 LOG3[605:140395513423808]: FIPS_mode_set: 2D06C06E: error:2D06C06E:FIPS routines:FIPS_module_mode_set:fingerprint does not match
Now, I'm not sure why the FIPS fingerprint doesn't match (I've only used the WHM UI) , and I've fixed the cPanel/WHM by either disabling stunnel by changing /var/cpanel/cpanel.config nativessl value to 1, or by disabling FIPS for stunnel with "fips=no".
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,913
2,202
363
Hello :)

Could you open a support ticket using the link in my signature so we can take a closer look? You can post the ticket number here so we can update this thread with the outcome.

Thank you.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,913
2,202
363
To update, our support analysts were unable to reproduce the issue using a test server. Feel free to reply back to the support ticket with authentication details if you want us to reproduce the issue on your system.

Thank you.