Cpanel – SSL’s hostnames are required to have DNS entries

tl;dr

  • When cPanel starts up, if it doesn’t have a valid SSL certificate (valid now meaning properly signed), it reissues its own, or panics if it cannot.
  • cPanel is now requiring a valid hostname check (similar to Let’s Encrypt) as a part of that check.
  • Therefore, a server’s hostname now has to point at the server or cPanel will not start.
  • You will receive an email every day if the hostname doesn’t line up.
  • You have to touch a file to disable this and then run the script, and then it should be set.

Due to cPanel’s recent change to their self-signed SSLs, hostnames are required to have DNS entries. If this is not in place, they will not get a valid SSL, and therefore cPanel will start and cpsrvd will immediately fail. To correct this, we basically need to fix the DNS entry for the server’s hostname and then run /usr/local/cpanel/bin/checkallsslcerts.

Error from the /usr/local/cpanel/logs/error_log:
cpsrvd: Setting up native SSL support ... Could not load ssl libraries or certificate from /var/cpanel/ssl/cpanel/ at cpsrvd.pl line 554.
[root@host] cpanel:/usr/local/cpanel/bin/checkallsslcerts
The system failed to acquire a signed certificate from the cPanel Store because of an error: (XID y4txyq) “host.domain.com” does not resolve to any IPv4 addresses on the internet.

Updating DNS for the hostname and then running the check again will resolve the issue. If you do not have access to the customer’s DNS, this will require them to modify the DNS entries at the registrar and cPanel/WHM will remain down until that change is made.

Additionally, this may be a concern when DNS cannot be changed (or should not be changed for some reason). When this is the case, you can skip the cPanel-signed SSL. If you touch this file,
/var/cpanel/ssl/disable_auto_hostname_certificate
the system will no longer order, download, and install a free cPanel-signed hostname certificate.
https://documentation.cpanel.net/display/ALD/Manage+>Service+SSL+Certificates has more information on this. After touching this file, you can run
/usr/local/cpanel/bin/checkallsslcerts
for a self-signed SSL on the services.

p.s. You must restart cPanel after updating the SSL certs.
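
As an added example (not from the original post or from cPanel), this pre-flight approximates the hostname check before checkallsslcerts is run: it asks DNS directly for the hostname's A records, compares them with the addresses configured on the server, and honours the opt-out file. The function names are hypothetical, dig and ip are assumed to be installed, and on a NAT'd server the local list will not contain the public address.

```shell
#!/bin/sh
# Added example: pre-flight for /usr/local/cpanel/bin/checkallsslcerts.
# Assumptions: dig and ip are installed; function names are hypothetical.

OPT_OUT=/var/cpanel/ssl/disable_auto_hostname_certificate

# A records as seen by DNS itself. dig bypasses /etc/hosts, which would
# otherwise hide a missing public record behind a local entry.
dns_ipv4() {
    dig +short A "$1" | grep -E '^[0-9]+(\.[0-9]+){3}$'
}

# Global-scope IPv4 addresses configured on this machine, one per line.
local_ipv4() {
    ip -4 -o addr show scope global | awk '{ sub(/\/.*/, "", $4); print $4 }'
}

# verdict RESOLVED LOCAL OPT_OUT_FILE
# RESOLVED and LOCAL are whitespace-separated address lists.
verdict() {
    if [ -e "$3" ]; then
        echo "opted-out"; return 0       # self-signed certificate is used
    fi
    if [ -z "$1" ]; then
        echo "no-a-record"; return 1     # the error quoted in the post
    fi
    for r in $1; do
        for l in $2; do
            [ "$r" = "$l" ] && { echo "ok"; return 0; }
        done
    done
    echo "points-elsewhere"; return 2    # record exists, but not for this host
}

# Live run: sh preflight.sh --live
if [ "${1:-}" = "--live" ]; then
    h=$(hostname -f)
    v=$(verdict "$(dns_ipv4 "$h")" "$(local_ipv4)" "$OPT_OUT") || true
    echo "$h: $v"
fi
```
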

New cPanel EasyApache 3.18 Information

 
Hello folks!

As of yesterday, cPanel pushed out the new EA 3.18 build. This is now live in 11.36 and 11.34 (and most likely every other version, as EA seems to update regardless of cPanel version.)

Also of note, if the server does update to 11.36, you are not able to downgrade now. It will be blocked.

One of the major changes in EA 3.18 is that it now includes Apache 2.4. Another possible issue is that if no MPM is selected, it will default to prefork. So you will want to check Apache to see which MPM you are using, and be sure to select the corresponding box in EA so that you do not accidentally switch from worker back down to prefork.

Here is the current information from cPanel pages on these new changes:

http://cpanel.net/easyapache-3-18-in-11-36/

http://etwiki.cpanel.net/twiki/bin/view/EasyApache/Apache/Apache24Issues

http://docs.cpanel.net/twiki/bin/view/AllDocumentation/1136ReleaseNotes

Thanks for the info Mike!

cPanel 11.36.0.2 and CSF issues

 
From configserver.com

cPanel v11.36 has now entered the CURRENT tree and you will notice that most of your addon perl scripts are failing. You can resolve this easily with our addons by reinstalling them. We have provided a simple script that can do this for you that we posted previously. This has to be done regardless as to whether you are running the latest versions:

This script will update: cmm, cmc, cmq, cse, csf, cxs, msinstall, msfe

Only those scripts that are already installed will be updated. Those that are updated are done so regardless as to whether they are the same or an older version of those available.

To use this method you must be logged into root via SSH to the server and then run:

curl -s configserver.com/free/csupdate | perl

You should take care to read through the output to ensure that all the upgrades have worked as expected. If a perl script that was working before the upgrade is now failing try this. We recommend option 1:

cpanel.net/prepare-your-perl-scripts-for-11-36/

#!/bin/sh
eval 'if [ -x /usr/local/cpanel/3rdparty/bin/perl ]; then exec /usr/local/cpanel/3rdparty/bin/perl -x -- $0 ${1+"$@"}; else exec /usr/bin/perl -x $0 ${1+"$@"}; fi;'
if 0;

#!/usr/bin/perl

Ideally you should update your OS perl modules to support your specific application.

Mail and FTP server settings updated incorrectly by cPanel

 
Hello interwebers!

Recently, we saw a number of issues regarding a failed cPanel upgrade that involved the Mail and FTP server. It looks like an incorrect value was updated in the cpanel.config file for the mail server and FTP server. In order to correct this:

1) Login to WHM
2) Change mail server to something other than what it is currently and then save
3) Change it back to the original mail server setting and save
4) Change FTP server to something other than what it is on and save
5) Change it back to original ftp server setting and save
6) Kick off /scripts/upcp in a screen on the server
7) ?????
8) PROFIT!!

End of Life for cPanel & WHM 11.30

From cpanel.net

This is the notification of the End of Life for cPanel & WHM 11.30. The 18-month lifetime of cPanel & WHM 11.30 ends now. The last release of cPanel & WHM 11.30, being 11.30.8.0, will remain on our mirrors indefinitely. You may continue using this last release, however no updates for version 11.30 will be released going forward. Older releases of cPanel & WHM 11.30 will be removed from our mirrors.

cPanel strongly recommends that you migrate any existing installs of cPanel & WHM 11.30 to a newer version (either 11.32 or 11.34). If you have a server setup that complicates migrating to a newer version of cPanel & WHM, for example an out-of-date operating system, cPanel is here to help. Please open a support ticket via https://tickets.cpanel.net/submit/. Our professional support staff will help with recommendations, migration assistance and more.

For more detailed information visit cPanel End of Life docs.

Install Cloudlinux in cPanel

PREPARATION

  • Obtain the Cloud Linux License from manage2.cpanel.net
  • Obtain permission from the customer to reboot the server.

    In cPanel:

    /usr/local/cpanel/cpkeyclt
    /usr/local/cpanel/bin/cloudlinux_system_install -k

    ~Possible error: Might see "Yum error: Plugins are disabled".

    ~Add "plugins=1" to /etc/yum.conf and try again. This should do the trick:
    echo "plugins=1" >> /etc/yum.conf

    shutdown -ar now

    ~When it's back up, rebuild Apache.

    /usr/local/cpanel/scripts/easyapache --build

      
    3rd party license

    wget http://repo.cloudlinux.com/cloudlinux/sources/cln/cpanel2cl
    sh cpanel2cl -k $key
    ~Replace $key with your license key.
    reboot
    /scripts/easyapache --build

      

    cPanel Exim Remote Code Execution Vulnerability Notification CVE-2012-5671

    From cpanel.net

    Posted on October 26, 2012 by cPanel
      
    Summary

    A remote code execution vulnerability exists in Exim versions between 4.70 and 4.80, inclusive. Exim is the mail transfer agent used by cPanel & WHM.

    Security Rating
    This vulnerability has been rated as Critical [1] by the cPanel Security team.

    cPanel ‘bug’ in WHM 11.34

    cPanel has introduced an auto-discover SRV into zone files for domains that are apparently in /etc/remotedomains with the new WHM upgrade.

    An additional SRV line is added that sends email clients to a cPanel page (cpanelemaildiscovery.cpanel.net) rather than to their Exchange server.

    They have added a ‘beta patch’ in this forum link. In order to disable the autoconfig/autodiscovery support on remote domains, please see the info located here:

    http://forums.cpanel.net/f5/autodiscover-dns-records-299412.html#post1247492

    You do need to be in the correct sub-directory as shown on this page to successfully run that patch command.
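
To see which remote-mail domains picked up the record described above, the following added example (not from the original post or from cPanel) lists every domain in /etc/remotedomains whose zone file carries an SRV record pointing at cpanelemaildiscovery.cpanel.net. The function name is hypothetical, and /var/named/<domain>.db is assumed as the zone file location.

```shell
#!/bin/sh
# Added example: find remote-mail domains whose zone carries the cPanel
# autodiscover SRV record. The function name is hypothetical;
# /var/named/<domain>.db is assumed as the zone file location.

TARGET='cpanelemaildiscovery\.cpanel\.net'

# affected_domains REMOTEDOMAINS_FILE ZONE_DIR
# Prints each domain listed in REMOTEDOMAINS_FILE whose zone file has an
# SRV record pointing at TARGET. Zone comment lines (';') are ignored.
affected_domains() {
    while IFS= read -r domain || [ -n "$domain" ]; do
        [ -n "$domain" ] || continue
        zone="$2/$domain.db"
        [ -r "$zone" ] || continue       # no local zone for this domain
        if grep -v '^[[:space:]]*;' "$zone" |
           grep -Eiq "[[:space:]]SRV[[:space:]].*$TARGET"; then
            echo "$domain"
        fi
    done < "$1"
}

# Live run: sh srvcheck.sh --live
if [ "${1:-}" = "--live" ]; then
    affected_domains /etc/remotedomains /var/named
fi
```
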

    WHMCS Security Alert

    Just a heads up for the peeps using WHMCS…

    ———————-
    WHMCS Security Alert
    whmcs.com

    “We have become aware of a security issue that exists in the third party Boleto
    module included in WHMCS releases. This can potentially be used to exploit a
    WHMCS installation.

    If you do not use the Boleto module, then the quickest and easiest solution is
    to simply delete the /modules/gateways/boleto/ folder entirely after which you
    will not be at risk.

    Alternatively if you do use the module, you can download and apply the patch to
    your installation here: Download Patch

    This issue affects all WHMCS versions.

    If you have any questions or need any assistance, please do not hesitate to
    contact us. We apologize for the inconvenience.”

    Chtaccess

    From prajith.in

    Chtaccess is a cPanel plugin designed to increase functionality in the cPanel interface when working with generating htaccess files, htpassword protected directory and more. The following options are provided:

    Password Protect File
    Custom error page
    Block bad bots
    Change default directory index
    Prevent viewing of .htaccess
    301 Redirect and 302 Redirect
    allow or deny IPs
    WWW Redirection
    Cache Control

    Installation:

    wget http://prajith.in/cpanel/chtaccess.sh
    sh chtaccess.sh
