Empowering you with the knowledge to master Linux web hosting, DevOps and Cloud

 Linux Web Hosting, DevOps, and Cloud Solutions

Tag: WHM

Install the free SSL Certificate on the server’s hostname – cPanel WHM server


cPanel and WHM (WebHost Manager) is a popular web hosting control panels that allow server administrators to manage web hosting services efficiently. Among their many features, cPanel offers a handy tool called AutoSSL, which provides free SSL certificates for added security. In this guide, I will show you how to use AutoSSL to secure your server’s hostname.

Step 1: The checkallsslcerts Script

The checkallsslcerts Script is used by cPanel to issue SSL certificates for server hostname. It’s important to note that checkallsslcerts
runs as part of the nightly update checks performed on your system. These updates include cPanel’s own update script, upcp (cPanel update script).

Step 2: When to Manually Run AutoSSL

In most cases, checkallsslcerts will take care of securing your server’s hostname during the nightly updates. However, there may be instances when you want to update the SSL certificate manually. This is especially useful if you’ve recently changed your server’s hostname and want to ensure the SSL certificate is updated immediately.

Step 3: Understanding the checkallsslcerts Script

The `/usr/local/cpanel/bin/checkallsslcerts` script is responsible for checking and installing SSL certificates for your server’s hostname. Here’s what the script does:

– It creates a Domain Control Validation (DCV) file.
– It performs a DNS lookup for your hostname’s IP address.
– It checks the DCV file using HTTP validation (for cPanel & WHM servers).
– If needed, it sends a request to Sectigo to issue a new SSL certificate.
– It logs the Sectigo requests for validation.

You can learn more about the checkallsslcerts script and it’s usage in this article from cPanel:

Step 4: How to Manually Execute the Script

To manually run the script, use the following command:

/usr/local/cpanel/bin/checkallsslcerts [options]

You can use options like `–allow-retry` and `–verbose` as needed.

Step 5: Troubleshooting and Tips

If you encounter issues with the SSL certificate installation, the script will provide helpful output to troubleshoot the problem. Ensure that your server’s firewall allows access from Sectigo’s IP addresses mentioned in the guide.

Common Issue: Unable to obtain a free hostname certificate due to 404 when DCV check runs in /usr/local/cpanel/bin/checkallsslcerts

After running the /usr/local/cpanel/bin/checkallsslcerts script via SSH, you may see errors similar to the following:

FAILED: Cpanel::Exception/(XID bj6m2k) The system queried for a temporary file at “http://hostname.domain.tld/.well-known/pki-validation/B65E7F11E8FBB1F598817B68746BCDDC.txt”, but the web server responded with the following error: 404 (Not Found). A DNS (Domain Name System) or web server misconfiguration may exist.
[WARN] The system failed to acquire a signed certificate from the cPanel Store because of the following error: Neither HTTP nor DNS DCV preflight checks succeeded!

Description:
Encountering errors like “404 Not Found” during the DCV check when running /usr/local/cpanel/bin/checkallsslcerts via SSH? This issue typically arises when the shared IP address doesn’t match the main IP. To resolve it, ensure both IPs match and that the A record for the server’s hostname points to the main/shared IP. Here’s a workaround:

Workaround:

1. Confirm that the main IP and shared IP are identical.
2. Make sure the A record for the server’s hostname points to the main/shared IP.
3. To change the shared IP:
Log in to WHM as the ‘root’ user.

  • Navigate to “Home » Server Configuration » Basic WebHost Manager® Setup.”
  • Update “The IPv4 address (only one address) to use to set up shared IPv4 virtual hosts” to match the main IP.
  • Click “Save Changes” and then execute the following via SSH or Terminal in WHM:
    /scripts/rebuildhttpdconf
    /scripts/restartsrv_httpd --hard

    This will help resolve issues with obtaining a free hostname certificate in cPanel/WHM.

    Conclusion

    Securing your cPanel/WHM server’s hostname with a free SSL certificate from AutoSSL is essential for a secure web hosting environment. By following these steps, you can ensure that your server’s hostname is protected with a valid SSL certificate.

    Remember to regularly check your SSL certificates to ensure they remain up-to-date and secure.

  • How To Install PHP 7 On A cPanel/WHM Server With EasyApache 3

    How To Install PHP 7 On A cPanel/WHM Server With EasyApache 3

    Latest versions of cPanel come with EasyApache 4 which provides lots of new features like native support for multiple PHP versions, PHP 7 support, very fast, etc. So it is recommended to migrate to EasyApache 4. However, if you cannot migrate EasyApache 4 because of some reason (Example: Tomcat support), you will have to compile the PHP 7 manually from source.

    To migrate to EasyApache for, just run the below command. cPanel will try to build a matching PHP setup using EasyApache 4.

    /scripts/migrate_ea3_to_ea4 --run

    If anything goes wrong during the upgrade process you can always go back with /scripts/migrate_ea3_to_ea4 –revert –run

    Manually install PHP 7

    Following steps are tested with cPanel 11.64.0.36 and CentOS 6.9 64 bit. The PHP handler should be suphp to get this working.

    cd /usr/local/src/
    wget http://php.net/distributions/php-7.0.22.tar.gz #Go to php.net site to find the latest version
    tar xvf php-7.0.22.tar.gz
    

    Build it.

     #./configure  --enable-bcmath --enable-calendar --enable-exif --enable-ftp --enable-gd-native-ttf --enable-libxml --enable-mbstring --enable-pdo=shared --enable-sockets --enable-zip --prefix=/usr/local/php70  --with-curl=/opt/curlssl/ --with-freetype-dir=/usr --with-gd --with-gettext --with-imap=/opt/php_with_imap_client/ --with-imap-ssl=/usr --with-jpeg-dir=/usr --with-kerberos --with-libdir=lib64 --with-libxml-dir=/opt/xml2/ --with-mcrypt=/opt/libmcrypt/ --with-mysqli --with-openssl=/usr --with-openssl-dir=/usr --with-pcre-regex=/opt/pcre --with-pdo-mysql=shared --with-pdo-sqlite=shared --with-pic --with-png-dir=/usr --with-xpm-dir=/usr --with-zlib --with-zlib-dir=/usr
    

    You may add any additional parameters required. You can run ./configure --help to see all available options first.
    Important: Do not forget to set the "--prefix=/usr/local/php70". Otherwise, your existing PHP installation will be lost.

     make
     make install
    

    If everything is successful, the PHP binaries will be installed in "/usr/local/php70/bin/" directory.

    Copy the default php.ini:

     cp -pr /usr/local/src/php-7.0.22/php.ini-production /usr/local/php70/lib/php.ini
    

    Add pdo,opcache, other modules to php.ini file.

     echo "extension=pdo.so" >> /usr/local/php70/lib/php.ini
     echo "extension=pdo_mysql.so" >> /usr/local/php70/lib/php.ini
     echo "zend_extension=opcache.so" >> /usr/local/php70/lib/php.ini
    

    Verify the installation

    /usr/local/php70/bin/php -v
    PHP 7.0.22 (cli) (built: Aug 5 2017 01:56:23) ( NTS )
    Copyright (c) 1997-2017 The PHP Group
    Zend Engine v3.0.0, Copyright (c) 1998-2017 Zend Technologies
    with Zend OPcache v7.0.22, Copyright (c) 1999-2017, by Zend Technologies

    Now link our new PHP 7 installation with Apache web server

    Generate the PHP config:

    cat >  /usr/local/apache/conf/php70.conf << EOF
    AddType application/x-httpd-php7 .php7 .php
    
        suPHP_AddHandler application/x-httpd-php7
    
    EOF
    

    Add new handler to suphp

    Edit the /opt/suphp/etc/suphp.conf and add below code, at the end of the handlers list to enable PHP7 handler.

    ;Handler for php-scripts
    #... existing handlers are here ... put yours below them
    application/x-httpd-php7="php:/usr/local/php70/bin/php-cgi"

    Now add our custom php config file to EasyApache list so that the changes will not be lost future EasyApache builds.

    There are two options here. You can either go into WHM and edit the post_virtualhost_global.conf file from there or you just run: vi /usr/local/apache/conf/includes/post_virtualhost_global.conf. Add the line below in that file and you should be all done.

    Include /usr/local/apache/conf/php70.conf

    Now restart Apache

    service httpd restart

    Configure a website To Use This new PHP 7
    Add following code to .htaccess file(/home/username/public_html/.htaccess)

    AddType application/x-httpd-php7 .php7 .php

    Disable/suspend email service for one domain – cPanel

    Disable/suspend email service for one domain

    From version 56, cPanel provides API support to disable email service for domain or email accounts. Please note this limit cannot be override by the user from their cPanel. This can be very helpful if there is any spamming activity and you just want to disable the email service feature for the domain for the time being.

    You can run the below commands through SSH console

    To suspend email service for a the cPanel user “aacenyor”

    whmapi1 suspend_outgoing_email user=aacenyor
    

    For unsuspending the account, please run the below command:

    whmapi1 unsuspend_outgoing_email user=aacenyor
    

    If you are not comfortable with SSH, you can also call these through browser XML.

    Example:

    To suspend
    https://hostname.example.com:2087/cpsess##########/xml-api/suspend_outgoing_email?api.version=1&user=aacenyor

    where replace hostname.example.com with your hostname
    replace cpsess########## with WHM session id.

    To un suspend
    https://hostname.example.com:2087/cpsess##########/xml-api/unsuspend_outgoing_email?api.version=1&user=aacenyor

    For older versions cPanel, you may refer to this below forum from cPanel. There is a workaround

    https://forums.cpanel.net/threads/how-do-i-block-one-domain-from-sending-email-from-my-server.223731/#post920912

    Blocking spoofed outgoing mails from your cPanel server

    Spoofing is where the mail headers are manipulated to appear as if the mail comes from some other domain. When emails are set to be from an email address on your domain and bounce, they are sent to our servers, attempting to deliver themselves to that mailbox. Generally, you will never see these emails; however, if the email spoofer happens to configure the “From:” header to be a real email box, the bounce will come back to your mailbox and you will receive the email. There is a high chance that a very large number of spam message already sent from server. This can cause high load in the server and sometimes leads to the blacklist of your mail server IP address.

    There are two ways in which a spoofed mail can be created.

    1. Exploiting vulnerable form to mail scripts to send out spoofed mails through local mail agent.
    2. Using stolen mail account login details to send spoofed mails through SMTP authentication.
    Let’s look at a solution on how spoofing can be prevented in Exim mail servers commonly implemented in cPanel/WHM servers.

    I. Blocking all un-authenticated spoofed outbound emails
    1. Login to WHM >> EXIM CONFIGURATION MANAGER >> ADVANCED EDITOR

    2. Add the following entry in the top using Add additional configuration setting:

    domainlist remote_domains = lsearch;/etc/remotedomains

    3. Add the following code under acl_not_smtp :

    deny
    condition = ${if ! match_domain{${domain:${address:$h_From:}}}{
    +local_domains : +remote_domains}}
    message = Sorry, you don’t have\
    permission to send email from this server with a header that\
    states the email is from ${lc:${domain:${address:$h_from:}}}.
    accept

    Here, the ACL will check for the presence of domain name part of the from address in either of the files – /etc/localdomains or /etc/remotedomains. If there is a mismatch, server will reject the email.

     

    II. Blocking all authenticated spoofed outbound emails
    1. WHM >> EXIM CONFIGURATION MANAGER >> ADVANCED EXIM EDITOR

    2. Search for acl_smtp_data and add the following lines under it:

    deny
    authenticated = *
    condition = ${if or {{ !eqi{$authenticated_id} {$sender_address} }\
    { !eqi{$authenticated_id} {${address:$header_From:}} }\
    }\
    }
    message = Your FROM address ( $sender_address , $header_From )
    must match your authenticated email user ( $authenticated_id ).
    Treating this as a spoofed email.
    Here, for all authenticated users, the rule will check whether the authenticated userid matches with the from address. If it matches, it will allow the email. Else, it will display the message “Your FROM must match your authenticated email user. Treating this as spoofed email”

     

    PS: If the acl_smtp_data is mentioned as something else(like acl_smtp_data = check_message), locate check_message and add the above lines just under it.
    IMPORTANT points to keep in mind
    a. POP before SMTP won’t work with this setting. You will have to ask your customers to use the option – “My Server Requires Authentication” in the SMTP settings of their email client.
    b. Username in the format user+domain.com will not work. They have to use user@domain.com instead.

    Also your customer cannot change the from field to something other than original authentcated user. People use this method in Website Contact forms.

     

    Setting SPF records

    Another way to prevent spoofing is using SPF records. You must specify valid spf records for your domain, so that only the intended people or server can send mails on behalf of your domain name.

    Powered by WordPress & Theme by Anders Norén