
WHMCS is getting a SSL call back from your CPanel API

Discussion in 'Security' started by DWHS.net, Oct 7, 2015.

  1. DWHS.net

    DWHS.net Well-Known Member
    PartnerNOC

    Joined:
    Jul 28, 2002
    Messages:
    1,569
    Likes Received:
    6
    Trophy Points:
    38
    Location:
    LA, Costa RIca
    cPanel Access Level:
    Root Administrator
    I need to disable SSL for people's CPanel login from WHMCS. The issue is they cannot disable the SSL; it has to be done from something in CPanel. Here is the message they sent. Can you tell me where to disable SSL for the callback, please?
     
    #1 DWHS.net, Oct 7, 2015
    Last edited by a moderator: Oct 7, 2015
  2. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    940
    Likes Received:
    55
    Trophy Points:
    28
    cPanel Access Level:
    DataCenter Provider
    Could you be more specific as to why you need to disable it? Unless I am misunderstanding something, the advice of "ensure your hostname resolves correctly and install a cheap certificate for use as a service SSL" seems a lot more sensible and secure.
     
  3. DWHS.net

    It really doesn't seem more sensible or secure. SSL certified certificates are a sham for most cases; self-signed SSL is just as secure as a certificate, it's just a trick to make more money from us server admins. It works though, hence why you think it's normal to buy them when a browser gives you an error. The truth is a self-signed SSL is just as secure. The error is there to have you spend money on SSL.

    Beyond that though, CPanel users do need to use SSL; if they have people sniffing on their home computer or network then they are in more trouble than a website issue. In over 13 years we have never had one issue from this.

    I just want to not have to use SSL to log into CPanel with our API. It really shouldn't be an issue.

    So far we have lost customers because of the SSL errors freaking them out. Our goal is to make things simple and feel safe. This issue has thrown all that out the window.

    I should say for Ecommerce I understand SSL because it verifies the business to some extent, but just for a control panel it's not needed. Ideally I could decide which servers use SSL and which do not; that way if a customer wants the added security I can move them and have a certified cert there.

    Adding SSL certs to every server is just a waste of thousands of dollars I would rather use for bonuses with our employees or improving our network, or anything that isn't part of a sham.
     
  4. quizknows

    I understand that in most cases, self-signed certificates are secure enough for transporting data, and I use them a lot myself. I would never log into my control panel for a server without using SSL (at least self-signed if nothing else). While you are right that viruses on end users' computers generally steal more passwords than using insecure connections, that certainly doesn't eliminate the risk. Anyone on wifi, or in an office network with an IDS worth two cents, would be exposing their account. In monitoring a corporate network, any plain text logins or insecure login methods are logged.

    If it's just for your end users (customers) and not for your administrative logins I guess I could see it being acceptable in some cases to skip the SSL login to cPanel, but as a security-conscious user I certainly would not appreciate logging into cPanel without an SSL connection (at least self-signed would be good enough for me). I've found most of our customers (90% or better) do not mind accepting a self-signed certificate for cPanel login.

    Anyway I hope you are able to find a solution for your issue. I do not know of a way to change the value returned by that API call.
     
    Infopro likes this.
  5. DWHS.net

    Thanks, I hope so too! It's killing me.

    Please, CPanel, help me fix this. 10 years and I have never asked for any favors; this forced SSL for CPanel API access is murder though.
     
  6. DWHS.net

    Should I be posting this somewhere else?

    Forcing SSL to access CPanel seems a little odd, considering you have always had ports for both options.

    Any way I can get a little help with this?
     
  7. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    14,453
    Likes Received:
    195
    Trophy Points:
    63
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    Feel free to open a ticket directly to cPanel Technical Support about this.
     
  8. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,723
    Likes Received:
    660
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello :)

    The behavior you have reported is by design in order to enforce HTTPS intentionally, and without waver. The API call create_user_session is sending user session data over the wire, which if left without SSL encryption could be intercepted, allowing a malicious user to access the user's cPanel account.

    If you absolutely must change this rather than obtaining validated SSLs, you could modify Session.pm to use http, vs https. The block of code is:

    File: /usr/local/cpanel/Whostmgr/API/1/Session.pm

    Code:
    $metadata->{'reason'} = 'Created session';
    $metadata->{'result'} = 1;
    my $url = "https://$host:$port$token/login/";
    my %url_query_params = ( 'session' => $randsession );
    if ($app) {
        my $app_url = Cpanel::Themes::get_users_links($user);
        if ( $app_url->{$app} ) {
            $url_query_params{'goto_uri'} = $app_url->{$app};
        }
    }

    Here you would change
    Code:
    https://$host:$port$token/login/
    to
    Code:
    http://$host:$port$token/login/
    To avoid this being overwritten during updates you would add it to the cpanelsync.exclude file:

    The cpanelsync.exclude File - Documentation - cPanel Documentation

    Be advised that modifying the code and adding it to the exclude file will cause issues if that API call is modified in the future during an update to improve the code, functionality, or address a bug.

    Thank you.
     
    Infopro likes this.
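
A check that a billing integration could run on the URL returned by create_user_session before redirecting a customer, so that a session value is never sent over plain HTTP or written to logs. This is an added example, not part of the original thread and not cPanel or WHMCS code; `check_session_url`, `UnsafeSessionURL`, the port list and the sample URLs are assumptions made for illustration.

```python
from urllib.parse import urlsplit, parse_qs, urlencode, urlunsplit

# Assumption: 2083 and 2087 are the TLS ports for cPanel and WHM.
TLS_PORTS = (2083, 2087)


class UnsafeSessionURL(ValueError):
    """The login URL must not be handed to a customer's browser."""


def check_session_url(url, expected_host, allowed_ports=TLS_PORTS):
    """Validate a URL shaped like the one built in the Session.pm excerpt,
    https://$host:$port$token/login/?session=..., and return a copy with
    the session value redacted so it can be written to logs."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise UnsafeSessionURL("session would travel in cleartext (%s)" % parts.scheme)
    if parts.username or parts.password:
        raise UnsafeSessionURL("userinfo in URL hides the real host")
    if (parts.hostname or "").lower() != expected_host.lower():
        raise UnsafeSessionURL("host %r is not %r" % (parts.hostname, expected_host))
    if parts.port not in allowed_ports:
        raise UnsafeSessionURL("port %r is not a TLS service port" % parts.port)
    if not parts.path.endswith("/login/"):
        raise UnsafeSessionURL("unexpected path %r" % parts.path)
    query = parse_qs(parts.query, keep_blank_values=True)
    sessions = query.get("session", [])
    if len(sessions) != 1 or not sessions[0]:
        raise UnsafeSessionURL("expected exactly one non-empty session value")
    safe_query = {key: values[0] for key, values in query.items()}
    safe_query["session"] = "REDACTED"
    netloc = "%s:%d" % (parts.hostname, parts.port)
    return urlunsplit(("https", netloc, parts.path, urlencode(safe_query), ""))


# Constructed sample values; the host, token and session are placeholders.
GOOD = "https://server1.example.com:2083/cpsess0000000000/login/?session=alice%3Aplaceholder"
DOWNGRADED = GOOD.replace("https://", "http://").replace(":2083", ":2082")

if __name__ == "__main__":
    print(check_session_url(GOOD, "server1.example.com"))
    try:
        check_session_url(DOWNGRADED, "server1.example.com")
    except UnsafeSessionURL as err:
        print("refused:", err)
```
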