ssl cert + 500 internal server error

[backtogeek]

Hi Folks,

Hopefully someone can help me with this one.

I have an ssl cert installed and it works find in WHM, I also have a joomla site and WHMCS installed when i use https on those I get a 500 internal server error.

output of log is:

SoftException in Application.cpp:422: Mismatch between target UID (99) and UID (503) of file "/home/adminroo/public_html/clients/cart.php", referer: http://lmas-networks.com/

and

SoftException in Application.cpp:422: Mismatch between target UID (99) and UID (503) of file "/home/adminroo/public_html/index.php"

UID 99 is nobody I think?

If i stat a directory that contains files that give the 500 error I get:

 File: `public_html'
  Size: 4096            Blocks: 8          IO Block: 4096   directory
Device: 37h/55d Inode: 53739932    Links: 17
Access: (0755/drwxr-xr-x)  Uid: (  503/adminroo)   Gid: (   99/  nobody)
Access: 2010-08-08 04:10:10.000000000 +0100
Modify: 2010-08-06 17:44:33.000000000 +0100
Change: 2010-08-08 02:05:59.000000000 +0100

and a file:

  File: `index.php'
  Size: 2049            Blocks: 8          IO Block: 4096   regular file
Device: 37h/55d Inode: 54595371    Links: 1
Access: (0644/-rw-r--r--)  Uid: (  503/adminroo)   Gid: (  500/adminroo)
Access: 2010-08-14 17:23:05.000000000 +0100
Modify: 2010-07-18 04:01:24.000000000 +0100
Change: 2010-08-08 02:06:07.000000000 +0100

I have seen a few threds saying the cert may have been installed as the wrong user but im not sure how to check that and I am farly sure I installed it as adminroo.

Any ideas?

 

[Miraenda]

99 is the user nobody, so it has to be installed under the wrong user (nobody) if that is the error you are receiving.

Go to /var/cpanel/userdata/nobody to see if the cert is there by domain.com_SSL (domain.com being your domain's name) name. If it is, then move it to /var/cpanel/userdata/user (where user is the cPanel username of the right user). Open up the domain.com_SSL file and change the following in that file:

documentroot: /home/user/public_html
group: user
homedir: /home/user
user: user

Replacing user with the username for each one. Of note, these are not the only lines in the file, they are just the lines you need to change in that file.

If the account is a reseller and not owned by root, you will also need to change owner: root to owner: user.

Please also check the ip: field has the right IP listed.

After making all the changes, then run these commands to rebuild Apache with the new entries and get it restarted:

/scripts/rebuildhttpdconf
/etc/init.d/httpd restart

 

[backtogeek]

Thank you so much Miraenda.

This fixed the issue very helpfull indeed!

 

[Miraenda]

I'm glad that worked, and you are very welcome.

 

[joshdale]

thank you Miraenda...this worked like a charm :D

 

[silvatech]

Thanks Miraenda! Worked like a charm!

 

[density5]

Just so I'm clear, WHM forces you to install ssl certs as nobody as a security measure, which breaks ssl on that vhost, and the fix is to change everything back to user, thus circumventing the security?

Pardon me for being picky, but is this the official method for installing ssl in a vhost?

 

[JaredR.]

nobody is only for shared SSL

An SSL certificate should only be installed on the nobody user if it is meant to be a shared certificate. Normally, an SSL certificate should be installed for the account user that owns the domain for which the certificate was generated.

 

[egillette]

Thanks Miranda. . .

That worked. The interesting this is that WHM said I couldn't install it unless I installed it as the nobody user, but in SSH all I did was follow the steps you laid out, and it worked like a charm, but then I had the issue with a second site, and all I did the second time around was assign that user his own IP, and the problem was solved that way too. =0)

 

[cPanelTristan]

Correct, any SSL installed onto the main shared IP will only be installed as the user nobody via WHM, so if you are using that main shared IP for an account, you'd first have to install as nobody in WHM, then go into root SSH and do the steps I had noted (Miraenda user is my non-staff account).

If you do not want to go through such a hassle, simply install a dedicated IP onto the account getting the SSL, then you can install the SSL using WHM onto the user's account rather than using the user nobody.

 

[Stuff5]

What if i want to SSL a specific directory?

For example my site has installed in the root

so its: /https://www.domain.gr

but i want the ssl to be used in /https://www.domain.gr/dir

 

[egillette]

What if i want to SSL a specific directory?

For example my site has installed in the root

so its: /https://www.domain.gr

but i want the ssl to be used in /https://www.domain.gr/dir

You would install the SSL certificate and then simply refer to the URL exactly the way you mentioned in your post.

Securing a domain also secures its directories as well.

So /https://www.domain.gr would be secure, just as https://www.domain.gr/<whatever_directory> would be.

The only thing you can't do is secure a sub-domain in that fashion -- that would require a wildcard SSL certificate to secure *.domain.gr.

But to answer your main question. . .it's just a matter of referring to the SSL secured domain within your HTML code.

 

[mikaoj]

I've done the steps mentioned above, but when I try to rebuild httpd.conf I get this error:

Syntax error on line 266 of /usr/local/apache/conf/httpd.conf.1323104889:
<VirtualHost> directive requires additional arguments

When I remove the sub.domain.com_SSL file from /var/cpanel/userdata/user and try again, the rebuilding is fine. The account is owned by root and uses the shared ip from WHM and the certificate was installed in WHM.

What am I missing?

Best regards.

 

[cPanelTristan]

Please provide the information in that file:

cat /var/cpanel/userdata/user/sub.domain.com_SSL

Something in the file is either missing or invalid.

 

[mikaoj]

I've substituted the username and domain with a generic one:

--- 
documentroot: /home/user/public_html
group: user
hascgi: 1
homedir: /home/user
ip: 213.166.179.17
owner: root
phpopenbasedirprotect: ~
port: 443
serveradmin: [email protected]
serveralias: www.sub.domain.com
servername: sub.domain.com
ssl: 1
sslcacertificatefile: /etc/ssl/certs/sub.domain.com.cabundle
sslcertificatefile: /etc/ssl/certs/sub.domain.com.crt
sslcertificatekeyfile: /etc/ssl/private/sub.domain.com.key
usecanonicalname: 'Off'
user: user
userdirprotect: -1

 

[mikaoj]

Thanks for the quick reply! Here's the file (I've substituted the username and domain):

--- 
documentroot: /home/user/public_html
group: user
hascgi: 1
homedir: /home/user
ip: 213.166.179.17
owner: root
phpopenbasedirprotect: ~
port: 443
serveradmin: [email protected]
serveralias: www.sub.domain.com
servername: sub.domain.com
ssl: 1
sslcacertificatefile: /etc/ssl/certs/sub.domain.com.cabundle
sslcertificatefile: /etc/ssl/certs/sub.domain.com.crt
sslcertificatekeyfile: /etc/ssl/private/sub.domain.com.key
usecanonicalname: 'Off'
user: user
userdirprotect: -1

 

[cPanelTristan]

I don't see anything there that would really cause this issue. Could you try opening up a ticket so we can check into this further? WHM > Support Center > Contact cPanel or the link in my signature are the methods you can use to submit a ticket. Thanks!

 

[egillette]

Tristan,

On an unrelated side-note:

I read your blog yesterday just for kicks, and I found out something
that actually helped me with a client's server.

It was the "@reboot" thing for cron.

I have a service that I have to start manually everytime this client's server goes offline or gets rebooted, and that did the trick -- you're just a fountain of information! =0)

 

[OcalaDesigns]

99 is the user nobody, so it has to be installed under the wrong user (nobody) if that is the error you are receiving.

Go to /var/cpanel/userdata/nobody to see if the cert is there by domain.com_SSL (domain.com being your domain's name) name. If it is, then move it to /var/cpanel/userdata/user (where user is the cPanel username of the right user). Open up the domain.com_SSL file and change the following in that file:

documentroot: /home/user/public_html
group: user
homedir: /home/user
user: user

Replacing user with the username for each one. Of note, these are not the only lines in the file, they are just the lines you need to change in that file.

If the account is a reseller and not owned by root, you will also need to change owner: root to owner: user.

Please also check the ip: field has the right IP listed.

After making all the changes, then run these commands to rebuild Apache with the new entries and get it restarted:

/scripts/rebuildhttpdconf
/etc/init.d/httpd restart

Alright, so now it's 2012 and you still can't just create your un-signed ssl in whm and assign it to a cpanel user account (with static IP) without doing these steps? WHM still forces you to use 'nobody' instead of the user in which it's intended for or am I doing something wrong? I don't understand why?

 

[cPanelTristan]

Hello,

I've posted on another thread where you've also commented on the same issue - http://forums.cpanel.net/f5/cannot-install-ssl-certificate-160954.html

Thanks!