ssl cert + 500 internal server error

backtogeek

Hi Folks,

Hopefully someone can help me with this one.

I have an SSL cert installed and it works fine in WHM. I also have a Joomla site and WHMCS installed; when I use https on those I get a 500 internal server error.

output of log is:
Code:
SoftException in Application.cpp:422: Mismatch between target UID (99) and UID (503) of file "/home/adminroo/public_html/clients/cart.php", referer: http://lmas-networks.com/
and

Code:
SoftException in Application.cpp:422: Mismatch between target UID (99) and UID (503) of file "/home/adminroo/public_html/index.php"
UID 99 is nobody I think?

If I stat a directory that contains files that give the 500 error I get:

Code:
 File: `public_html'
  Size: 4096            Blocks: 8          IO Block: 4096   directory
Device: 37h/55d Inode: 53739932    Links: 17
Access: (0755/drwxr-xr-x)  Uid: (  503/adminroo)   Gid: (   99/  nobody)
Access: 2010-08-08 04:10:10.000000000 +0100
Modify: 2010-08-06 17:44:33.000000000 +0100
Change: 2010-08-08 02:05:59.000000000 +0100
and a file:


Code:
  File: `index.php'
  Size: 2049            Blocks: 8          IO Block: 4096   regular file
Device: 37h/55d Inode: 54595371    Links: 1
Access: (0644/-rw-r--r--)  Uid: (  503/adminroo)   Gid: (  500/adminroo)
Access: 2010-08-14 17:23:05.000000000 +0100
Modify: 2010-07-18 04:01:24.000000000 +0100
Change: 2010-08-08 02:06:07.000000000 +0100
I have seen a few threads saying the cert may have been installed as the wrong user, but I'm not sure how to check that and I am fairly sure I installed it as adminroo.

Any ideas?
 

Miraenda

99 is the user nobody, so it has to be installed under the wrong user (nobody) if that is the error you are receiving.

Go to /var/cpanel/userdata/nobody to see if the cert is there by domain.com_SSL (domain.com being your domain's name) name. If it is, then move it to /var/cpanel/userdata/user (where user is the cPanel username of the right user). Open up the domain.com_SSL file and change the following in that file:

Code:
documentroot: /home/user/public_html
group: user
homedir: /home/user
user: user
Replacing user with the username for each one. Of note, these are not the only lines in the file, they are just the lines you need to change in that file.

If the account is a reseller and not owned by root, you will also need to change owner: root to owner: user.

Please also check the ip: field has the right IP listed.

After making all the changes, then run these commands to rebuild Apache with the new entries and get it restarted:

Code:
/scripts/rebuildhttpdconf
/etc/init.d/httpd restart
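
A pre-flight check for the edit described in the post above, as an added example that is not part of the thread or of cPanel's tooling: it reads a moved domain.com_SSL file and lists the fields that still do not match the target account. The function names, the sample values and the assumption that home directories live under /home/<user> are illustrative.

```shell
#!/bin/sh
# Added example, not cPanel code. Field names are the ones shown in the thread;
# function names, sample values and the /home/<user> layout are assumptions.

# userdata_field FILE KEY: print the value of a top-level "key: value" line.
userdata_field() {
    awk -v k="$2" -F': *' \
        '$1 == k { sub(/[ \t\r]+$/, "", $2); print $2; exit }' "$1"
}

# check_ssl_userdata FILE USER IP: print one line per field that does not fit
# the account; exit status 0 if the file is consistent, 1 otherwise.
check_ssl_userdata() (
    file=$1 user=$2 ip=$3 bad=0
    report() { echo "$1: found '${2:-<missing>}', expected $3"; bad=1; }
    for key in user group; do
        got=$(userdata_field "$file" "$key")
        [ "$got" = "$user" ] || report "$key" "$got" "'$user'"
    done
    got=$(userdata_field "$file" homedir)
    [ "$got" = "/home/$user" ] || report homedir "$got" "'/home/$user'"
    got=$(userdata_field "$file" documentroot)
    case $got in
        "/home/$user"/*) ;;   # addon and subdomain docroots also live here
        *) report documentroot "$got" "a path under /home/$user/" ;;
    esac
    got=$(userdata_field "$file" ip)
    [ "$got" = "$ip" ] || report ip "$got" "'$ip'"
    exit "$bad"
)

# make_sample USER HOMEDIR DOCROOT: write a constructed userdata file
# (192.0.2.10 is a documentation address) and print its path.
make_sample() {
    f=$(mktemp)
    printf '%s\n' '---' "documentroot: $3" "group: $1" "homedir: $2" \
        'ip: 192.0.2.10' 'port: 443' 'servername: domain.com' 'ssl: 1' \
        "user: $1" > "$f"
    echo "$f"
}

# Constructed "before" state: the file was moved but still names nobody.
stale=$(make_sample nobody /usr/local/apache /usr/local/apache/htdocs)
check_ssl_userdata "$stale" adminroo 192.0.2.10 ||
    echo "fix the fields above before running /scripts/rebuildhttpdconf"
rm -f "$stale"
```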
 

density5

Just so I'm clear, WHM forces you to install ssl certs as nobody as a security measure, which breaks ssl on that vhost, and the fix is to change everything back to user, thus circumventing the security?

Pardon me for being picky, but is this the official method for installing ssl in a vhost?
 

JaredR.

nobody is only for shared SSL

An SSL certificate should only be installed on the nobody user if it is meant to be a shared certificate. Normally, an SSL certificate should be installed for the account user that owns the domain for which the certificate was generated.
 

egillette

Thanks Miraenda...

That worked. The interesting thing is that WHM said I couldn't install it unless I installed it as the nobody user, but in SSH all I did was follow the steps you laid out, and it worked like a charm, but then I had the issue with a second site, and all I did the second time around was assign that user his own IP, and the problem was solved that way too. =0)
 

cPanelTristan

Quality Assurance Analyst
Staff member
Correct, any SSL installed onto the main shared IP will only be installed as the user nobody via WHM, so if you are using that main shared IP for an account, you'd first have to install as nobody in WHM, then go into root SSH and do the steps I had noted (Miraenda user is my non-staff account).

If you do not want to go through such a hassle, simply install a dedicated IP onto the account getting the SSL, then you can install the SSL using WHM onto the user's account rather than using the user nobody.
 

Stuff5

What if I want to SSL a specific directory?

For example, my site is installed in the root

so it's: /https://www.domain.gr

but I want the SSL to be used in /https://www.domain.gr/dir
 

egillette

> What if I want to SSL a specific directory?
>
> For example, my site is installed in the root
>
> so it's: /https://www.domain.gr
>
> but I want the SSL to be used in /https://www.domain.gr/dir

You would install the SSL certificate and then simply refer to the URL exactly the way you mentioned in your post.

Securing a domain also secures its directories as well.

So /https://www.domain.gr would be secure, just as https://www.domain.gr/<whatever_directory> would be.

The only thing you can't do is secure a sub-domain in that fashion -- that would require a wildcard SSL certificate to secure *.domain.gr.

But to answer your main question. . .it's just a matter of referring to the SSL secured domain within your HTML code.
 

mikaoj

I've done the steps mentioned above, but when I try to rebuild httpd.conf I get this error:

Code:
Syntax error on line 266 of /usr/local/apache/conf/httpd.conf.1323104889:
<VirtualHost> directive requires additional arguments
When I remove the sub.domain.com_SSL file from /var/cpanel/userdata/user and try again, the rebuilding is fine. The account is owned by root and uses the shared ip from WHM and the certificate was installed in WHM.

What am I missing?

Best regards.
 

cPanelTristan

Quality Assurance Analyst
Staff member
Please provide the information in that file:

Code:
cat /var/cpanel/userdata/user/sub.domain.com_SSL
Something in the file is either missing or invalid.
 

mikaoj

I've substituted the username and domain with a generic one:
Code:
--- 
documentroot: /home/user/public_html
group: user
hascgi: 1
homedir: /home/user
ip: 213.166.179.17
owner: root
phpopenbasedirprotect: ~
port: 443
serveradmin: [email protected]
serveralias: www.sub.domain.com
servername: sub.domain.com
ssl: 1
sslcacertificatefile: /etc/ssl/certs/sub.domain.com.cabundle
sslcertificatefile: /etc/ssl/certs/sub.domain.com.crt
sslcertificatekeyfile: /etc/ssl/private/sub.domain.com.key
usecanonicalname: 'Off'
user: user
userdirprotect: -1
 

mikaoj

Thanks for the quick reply! Here's the file (I've substituted the username and domain):

Code:
--- 
documentroot: /home/user/public_html
group: user
hascgi: 1
homedir: /home/user
ip: 213.166.179.17
owner: root
phpopenbasedirprotect: ~
port: 443
serveradmin: [email protected]
serveralias: www.sub.domain.com
servername: sub.domain.com
ssl: 1
sslcacertificatefile: /etc/ssl/certs/sub.domain.com.cabundle
sslcertificatefile: /etc/ssl/certs/sub.domain.com.crt
sslcertificatekeyfile: /etc/ssl/private/sub.domain.com.key
usecanonicalname: 'Off'
user: user
userdirprotect: -1
 

cPanelTristan

Quality Assurance Analyst
Staff member
I don't see anything there that would really cause this issue. Could you try opening up a ticket so we can check into this further? WHM > Support Center > Contact cPanel or the link in my signature are the methods you can use to submit a ticket. Thanks!
 

egillette

Tristan,

On an unrelated side-note:

I read your blog yesterday just for kicks, and I found out something that actually helped me with a client's server.

It was the "@reboot" thing for cron.

I have a service that I have to start manually every time this client's server goes offline or gets rebooted, and that did the trick -- you're just a fountain of information! =0)
 

OcalaDesigns

> 99 is the user nobody, so it has to be installed under the wrong user (nobody) if that is the error you are receiving.
>
> Go to /var/cpanel/userdata/nobody to see if the cert is there by domain.com_SSL (domain.com being your domain's name) name. If it is, then move it to /var/cpanel/userdata/user (where user is the cPanel username of the right user). Open up the domain.com_SSL file and change the following in that file:
>
> Code:
> documentroot: /home/user/public_html
> group: user
> homedir: /home/user
> user: user
> Replacing user with the username for each one. Of note, these are not the only lines in the file, they are just the lines you need to change in that file.
>
> If the account is a reseller and not owned by root, you will also need to change owner: root to owner: user.
>
> Please also check the ip: field has the right IP listed.
>
> After making all the changes, then run these commands to rebuild Apache with the new entries and get it restarted:
>
> Code:
> /scripts/rebuildhttpdconf
> /etc/init.d/httpd restart

Alright, so now it's 2012 and you still can't just create your un-signed ssl in whm and assign it to a cpanel user account (with static IP) without doing these steps? WHM still forces you to use 'nobody' instead of the user in which it's intended for or am I doing something wrong? I don't understand why?
 
