Monday, May 16, 2011

How to configure cPanel + SSL + suPHP + SharedIP

Getting cPanel and suPHP and SSL with a shared IP to work takes some manual configuration.

If you receive the following error when browsing to an SSL + shared IP + suPHP site, then these directions are for you:


Internal Server Error 

The server encountered an internal error or misconfiguration and was unable to complete your request. Please contact the server administrator, webmaster@training.nts.wustl.edu and inform them of the time the error occurred, and anything you might have done that may have caused the error. More information about this error may be available in the server error log. Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.

Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4 Server at training.nts.wustl.edu Port 443


The following errors will show up in the suPHP log file (/usr/local/apache/logs/suphp_log); suPHP refuses to run a script whose owner does not match the UID it was told to run as:

root@prism [/usr/local/apache/logs]# cat /usr/local/apache/logs/suphp_log | grep Mismatch
[Fri May 13 14:11:29 2011] [warn] Mismatch between target UID (99) and UID (1006) of file "/home/training/public_html/test.php"
[Fri May 13 14:11:35 2011] [warn] Mismatch between target UID (99) and UID (1006) of file "/home/training/public_html/test.php"
[Mon May 16 08:27:48 2011] [warn] Mismatch between target UID (99) and UID (1006) of file "/home/training/public_html/test.php"

Original Files:
=============================

root@prism [/var/cpanel/userdata]# cat /var/cpanel/userdata/nobody/main
--- 
addon_domains: {}

main_domain: prism.nts.wustl.edu
parked_domains: []

sub_domains: 
  - training.nts.wustl.edu

root@prism [/var/cpanel/userdata]# cat /var/cpanel/userdata/nobody/training.nts.wustl.edu_SSL
--- 
documentroot: /home/training/public_html
group: nobody
hascgi: 1
homedir: /usr/local/apache/htdocs
ip: 128.252.69.1
owner: root
phpopenbasedirprotect: 1
port: 443
serveradmin: webmaster@training.nts.wustl.edu
serveralias: www.training.nts.wustl.edu
servername: training.nts.wustl.edu
ssl: 1
sslcacertificatefile: /etc/ssl/certs/training.nts.wustl.edu.cabundle
sslcertificatefile: /etc/ssl/certs/training.nts.wustl.edu.crt
sslcertificatekeyfile: /etc/ssl/private/training.nts.wustl.edu.key
usecanonicalname: 'Off'
user: nobody
userdirprotect: -1



The above files generated the following snippet from /usr/local/apache/conf/httpd.conf:




    ServerName training.nts.wustl.edu
    ServerAlias www.training.nts.wustl.edu
    DocumentRoot /home/training/public_html
    ServerAdmin webmaster@training.nts.wustl.edu
    UseCanonicalName Off
    CustomLog /usr/local/apache/domlogs/training.nts.wustl.edu combined
    CustomLog /usr/local/apache/domlogs/training.nts.wustl.edu-bytes_log "%{%s}t %I .\n%{%s}t %O ."
    ## User nobody # Needed for Cpanel::ApacheConf
    
        suPHP_UserGroup nobody nobody
    
    ScriptAlias /cgi-bin/ /home/training/public_html/cgi-bin/
    SSLEngine on

    SSLCertificateFile /etc/ssl/certs/training.nts.wustl.edu.crt
    SSLCertificateKeyFile /etc/ssl/private/training.nts.wustl.edu.key
        SSLCACertificateFile /etc/ssl/certs/training.nts.wustl.edu.cabundle
    CustomLog /usr/local/apache/domlogs/training.nts.wustl.edu-ssl_log combined
    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
    
        SSLOptions +StdEnvVars
    

    # To customize this VirtualHost use an include file at the following location
    # Include "/usr/local/apache/conf/userdata/ssl/2/nobody/training.nts.wustl.edu/*.conf"


Following These Directions:
====================================

* Manually adjust the files in /var/cpanel/userdata:
 * move the SSL host file from the "nobody" user folder to the actual/original user (training),
 * edit the file to change the user and group names,
 * edit the "main" file to remove that domain from the nobody user.

* Remove the .cache files for any files you've moved or changed.

* Run /scripts/updateuserdomains and then /scripts/rebuildhttpdconf.

* This should result in suPHP_UserGroup being "training training"
  instead of "nobody nobody" in httpd.conf. At this point you can restart
  Apache to make sure everything still works as expected.


Detailed Commands run:
===================================
root@prism [/var/cpanel/userdata/nobody]# mv training.nts.wustl.edu_SSL ../training/

root@prism [/var/cpanel/userdata/nobody]# rm training.nts.wustl.edu_SSL.cache 
rm: remove regular file `training.nts.wustl.edu_SSL.cache'? y

root@prism [/var/cpanel/userdata/nobody]# vi main

root@prism [/var/cpanel/userdata/nobody]# rm main.cache 
rm: remove regular file `main.cache'? y

root@prism [/var/cpanel/userdata/nobody]# cd ../training/

root@prism [/var/cpanel/userdata/training]# vi training.nts.wustl.edu_SSL

root@prism [/var/cpanel/userdata/training]# /scripts/updateuserdomains

root@prism [/var/cpanel/userdata/training]# /scripts/rebuildhttpdconf
Built /usr/local/apache/conf/httpd.conf OK

root@prism [/var/cpanel/userdata/training]# /etc/init.d/httpd restart



Updated Files:
===============================

root@prism [/var/cpanel/userdata]# cat /var/cpanel/userdata/nobody/main 
--- 
addon_domains: {}

main_domain: prism.nts.wustl.edu
parked_domains: []

sub_domains: []



root@prism [/var/cpanel/userdata]# cat /var/cpanel/userdata/training/training.nts.wustl.edu_SSL 
--- 
documentroot: /home/training/public_html
group: training
hascgi: 1
homedir: /usr/local/apache/htdocs
ip: 128.252.69.1
owner: root
phpopenbasedirprotect: 1
port: 443
serveradmin: webmaster@training.nts.wustl.edu
serveralias: www.training.nts.wustl.edu
servername: training.nts.wustl.edu
ssl: 1
sslcacertificatefile: /etc/ssl/certs/training.nts.wustl.edu.cabundle
sslcertificatefile: /etc/ssl/certs/training.nts.wustl.edu.crt
sslcertificatekeyfile: /etc/ssl/private/training.nts.wustl.edu.key
usecanonicalname: 'Off'
user: training
userdirprotect: -1




The above files generated the following snippet from /usr/local/apache/conf/httpd.conf:


    ServerName training.nts.wustl.edu
    ServerAlias www.training.nts.wustl.edu
    DocumentRoot /home/training/public_html
    ServerAdmin webmaster@training.nts.wustl.edu
    UseCanonicalName Off
    CustomLog /usr/local/apache/domlogs/training.nts.wustl.edu combined
    CustomLog /usr/local/apache/domlogs/training.nts.wustl.edu-bytes_log "%{%s}t %I .\n%{%s}t %O ."
    ## User training # Needed for Cpanel::ApacheConf
    
        suPHP_UserGroup training training
    
    
        php4_admin_value open_basedir "/home/training:/usr/lib/php:/usr/php4/lib/php:/usr/local/lib/php:/usr/local/php4/lib/php:/tmp"
        php5_admin_value open_basedir "/home/training:/usr/lib/php:/usr/local/lib/php:/tmp"
    
    
        
            php_admin_value open_basedir "/home/training:/usr/lib/php:/usr/php4/lib/php:/usr/local/lib/php:/usr/local/php4/lib/php:/tmp"
        
        
            php_admin_value open_basedir "/home/training:/usr/lib/php:/usr/local/lib/php:/tmp"
        
        
            php_admin_value open_basedir "/home/training:/usr/lib/php:/usr/php4/lib/php:/usr/local/lib/php:/usr/local/php4/lib/php:/tmp"
        
    
    
        SuexecUserGroup training training
    
    ScriptAlias /cgi-bin/ /home/training/public_html/cgi-bin/
    SSLEngine on

    SSLCertificateFile /etc/ssl/certs/training.nts.wustl.edu.crt
    SSLCertificateKeyFile /etc/ssl/private/training.nts.wustl.edu.key
        SSLCACertificateFile /etc/ssl/certs/training.nts.wustl.edu.cabundle
    CustomLog /usr/local/apache/domlogs/training.nts.wustl.edu-ssl_log combined
    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
    
        SSLOptions +StdEnvVars
    

    # To customize this VirtualHost use an include file at the following location
    # Include "/usr/local/apache/conf/userdata/ssl/2/training/training.nts.wustl.edu/*.conf"

3 comments:

  1. Does it matter what type of SSL you are using? I have just bought an EV SSL so I don't really want to have to buy a new one. I tried this guide a couple of times and I can't seem to get it to work. Any ideas???

  2. It's highly informative. I would be visiting your blog hereafter regularly to gather valuable information. Networking Setup Melbourne

  3. @Tim - What is the exact problem you are having?