open_basedir restriction (ca-bundle)

SachinPanda

New member
Joined
Jul 24, 2022
Messages
7
Hi,

DirectAdmin were kind enough to install and migrate my site from cPanel to DirectAdmin.

However, I seem to now be running into an OAuth issue with Twitter Login [HTTP ERROR 500]. Something to do with the ca-bundle not being within an allowed path? I've tried multiple Google searches and none of the suggestions seem to fix it (inc. php.php/Custom HTTPD Configurations etc.)

Any ideas?

Code:
Aw, snap! Internal Server Error [debug @ print,error_log]

** errorId #xxxxxxxxxxxxxxxx **
>> Exception [400]: is_file(): open_basedir restriction in effect. File(/etc/pki/tls/certs/ca-bundle.crt) is not within the allowed path(s): (/home/admin/:/tmp/:/var/tmp/:/opt/alt/php74/usr/share/pear/:/dev/urandom:/usr/local/php74/lib/:/usr/local/php74/lib/:/usr/local/lib/php/)
At /app/routes/route.connect.php:190

Stack trace:
#0 /lib/G/classes/class.handler.php(230): G\Handler->{closure}()
#1 /lib/G/classes/class.handler.php(130): G\Handler->processRequest()
#2 /app/web.php(410): G\Handler->__construct()
#3 /app/loader.php(242): require_once('/app/web.php')
#4 /index.php(20): include_once('/app/loader.php')

How do I allow the path? And do I allow the folder (/etc/pki/tls/certs/) or the .crt file directly?

Have tried:
Code:
rm -f /etc/ssl/certs/ca-bundle.crt
rm -f /etc/pki/tls/certs/ca-bundle.crt
yum reinstall -y ca-certificates
curl https://curl.se/ca/cacert.pem -o /etc/pki/tls/certs/ca-bundle.crt
results in curl: (77) Problem with the SSL CA cert (path? access rights?)


Thanks.
 
Exception [400]: is_file(): open_basedir restriction in effect.
and
At /app/routes/route.connect.php:190
You can change open basedir settings per domain on admin level. I don't know if that will help in your case.

Neither do I know if it was smart to remove ca bundle and cert.

In any case make sure you only have 1 version of curl installed. Curl can be installed via yum and via custombuild. It's best to not use both at the same time.

For the rest I hope somebody else can help you further with this issue.
 
You can change open basedir settings per domain on admin level. I don't know if that will help in your case.
Many threads on here (and other sites) advise against turning this off as it's a security-related feature? I did turn it off as a fix and it worked, but then read threads on here that it's a bad idea(?).

Neither do I know if it was smart to remove ca bundle and cert.
I've backed up both before removing. Many Google suggestions advised to remove and re-install to update. I've restored the backup for now anyway.

In any case make sure you only have 1 version of curl installed. Curl can be installed via yum and via custombuild. It's best to not use both at the same time.
CURL is only installed via CustomBuild which DirectAdmin's installation team took care of.
 
I did turn it off as a fix and it worked but then read threads on here that it's a bad idea(?).
No. It can be a bad idea if you set this open for everyone. In that case everyone can look into everyone's directories, which should not be the case.
But it's not a problem if you're admin and you use it for your domain.
So if enabling basedir for your domain only fixes your issue, I wouldn't worry about it.

So if I understand correctly everything is working now with open basedir disabled for that domain?
 
No. It can be a bad idea if you set this open for everyone. In that case everyone can look into everyone's directories, which should not be the case.
But it's not a problem if you're admin and you use it for your domain.
So if enabling basedir for your domain only fixes your issue, I wouldn't worry about it.

So if I understand correctly everything is working now with open basedir disabled for that domain?
Ah, gotcha! Sorry, new to this stuff and just got a VPS for learning and experience coming from Shared environments. Had to switch to get around shared hosts setting .sql limits.

It's just a single account (admin) on the 1 account/1 domain license. Nobody else has access/2FA. Just myself using this server, all my data/files. :)
 
No problem. Then you don't need to worry. But it's always better to ask if not sure. ;)
Perfect, thanks! I disabled it for the sole account. That error went away. However, it's now reporting:

>> Exception [400]: error setting certificate verify locations: CAfile: /etc/pki/tls/certs/ca-bundle.crt CApath: /etc/pki/tls/certs

Any ideas? I use Cloudflare's free plan/SSL. I heard Let's Encrypt is better(?) but not sure how to go about getting that plus making it work with CF.
 
No sorry, I've no clue.
But then again, I'm not used to working with Cloudflare. So I can't say if LE would be better or not, or how to implement LE in combination with CF.

However, we've got friends like @bdacus01, @Active8, @johannes or @Zhenyapan and others.

Maybe one of them can help you with errors between CF and DA about LE. Or why CF is throwing this error.
 
I haven't faced such issues yet, as there wasn't such a need. But in your case maybe I'd try to create a symlink from a path allowed by open_basedir to the needed file with r-x access, OR create a separate folder, add it to the global open_basedir paths and configure cron to copy the needed file(s) there, so the original files stay secured and stored separately.
 
Looks like it's an error from the "file_get_contents" function.

Try putting the cert location in php.ini:

/usr/local/php{XX}/lib/php.ini
Find the sections "[CURL]" and "[OPENSSL]" and change them like this.

One of my servers puts the cert in a path like this: "/usr/local/openssl_cert/cert.pem"
Code:
[curl]
curl.cainfo = "/usr/local/openssl_cert/cert.pem"

[openssl]
openssl.cafile = "/usr/local/openssl_cert/cert.pem"
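As an added example (not code posted in this thread), a small POSIX sh script that reproduces PHP's open_basedir prefix check against the path list quoted in the first post's error, so the is_file() failure can be told apart from the later curl (77) "certificate verify locations" error. The basedir list and file paths come from the thread; copying the bundle under /usr/local/php74/lib/ is only an assumption, any directory already in that domain's open_basedir would do.

```shell
#!/bin/sh
# Added example, not code from the thread: reproduce PHP's open_basedir prefix
# test so the is_file() failure and the later curl 77 error can be told apart.

# Constructed sample: the allowed path list quoted in the thread's error.
THREAD_BASEDIR='/home/admin/:/tmp/:/var/tmp/:/opt/alt/php74/usr/share/pear/:/dev/urandom:/usr/local/php74/lib/:/usr/local/lib/php/'

# in_open_basedir FILE LIST -> 0 if FILE begins with any colon-separated entry.
# PHP compares each entry as a plain string prefix of the resolved path, which
# is why entries normally end in "/" ("/home/adm" would also admit "/home/admin2").
in_open_basedir() {
  file=$1
  old_ifs=$IFS
  IFS=:
  set -- $2                     # split LIST on ":" into positional parameters
  IFS=$old_ifs
  for prefix in "$@"; do
    [ -n "$prefix" ] || continue
    case "$file" in "$prefix"*) return 0 ;; esac
  done
  return 1
}

# check_cafile FILE LIST -> 0 usable; 1 blocked by open_basedir (PHP's is_file()
# fails here first, as in the thread); 2 allowed but missing or unreadable, the
# state that produces curl's "error setting certificate verify locations".
check_cafile() {
  in_open_basedir "$1" "$2" || return 1
  [ -f "$1" ] && [ -r "$1" ] || return 2
  return 0
}

# Walk the thread's case: the distro bundle against the domain's basedir list.
CAFILE=/etc/pki/tls/certs/ca-bundle.crt
status=0
check_cafile "$CAFILE" "$THREAD_BASEDIR" || status=$?
case $status in
  0) echo "$CAFILE: readable and inside open_basedir" ;;
  1) echo "$CAFILE: outside open_basedir. Either add /etc/pki/tls/certs/ to this" \
          "domain's open_basedir, or copy the bundle under an allowed path such as" \
          "/usr/local/php74/lib/ (assumed) and point curl.cainfo and openssl.cafile at it." ;;
  2) echo "$CAFILE: allowed but missing/unreadable. Restore it from the distro" \
          "package (yum reinstall ca-certificates) rather than a downloaded file." ;;
esac
```

Run it as the same user PHP runs as; a status of 2 also explains why the later custombuild downloads failed, since curl on that box reads the same bundle.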
 
Looks like it's an error from the "file_get_contents" function.

Try putting the cert location in php.ini:

/usr/local/php{XX}/lib/php.ini
Find the sections "[CURL]" and "[OPENSSL]" and change them like this.

One of my servers puts the cert in a path like this: "/usr/local/openssl_cert/cert.pem"
Code:
[curl]
curl.cainfo = "/usr/local/openssl_cert/cert.pem"

[openssl]
openssl.cafile = "/usr/local/openssl_cert/cert.pem"
Will take a look.

It's to do with "Login with Twitter" button. This is the file. route.connect.php:190 https://pastebin.com/dNYQDeGL
 
Looks like it's an error from the "file_get_contents" function.

Try putting the cert location in php.ini:

/usr/local/php{XX}/lib/php.ini
Find the sections "[CURL]" and "[OPENSSL]" and change them like this.

One of my servers puts the cert in a path like this: "/usr/local/openssl_cert/cert.pem"
Code:
[curl]
curl.cainfo = "/usr/local/openssl_cert/cert.pem"

[openssl]
openssl.cafile = "/usr/local/openssl_cert/cert.pem"

No luck unfortunately. Still getting the same error. I do use Cloudflare's free SSL; I wonder if that's an issue and DA is using its own/some other SSL?
 
Okay, so seems this is also causing other issues.

When trying to connect to FTP I received an "Insecure FTP data connection" error because the server does not support TLS session resumption (not sure how to enable this). I read online suggestions to ditch FTP (dated; insecure) and switch to SFTP via ProFTPD/Pure-FTPd.

Did some searching and read that ProFTPD is the better choice. Went to install it and SSL/curl errors appear, blocking the install.

Same errors blocking my Twitter login.

Code:
[root@changeme ~]# cd /usr/local/directadmin/custombuild
[root@changeme custombuild]# ./build update
curl: (77) error setting certificate verify locations:  CAfile: /etc/pki/tls/certs/ca-bundle.crt CApath: none

Extracting custombuild.tar.gz...
Cronjob frequency: daily
Automatic notifications: no
Automatic updates: no
[root@changeme custombuild]# ./build set ftpd "proftpd"
Changed ftpd option from pureftpd to proftpd
[root@changeme custombuild]# ./build proftpd
Downloading             proftpd-1.3.7d.tar.gz...
curl: (77) error setting certificate verify locations:  CAfile: /etc/pki/tls/certs/ca-bundle.crt CApath: none

Downloaded file /usr/local/directadmin/custombuild/proftpd-1.3.7d.tar.gz does not exist or is empty after download
cwd is: /usr/local/directadmin/custombuild
Fileserver might be down, using the backup file server..
curl: (22) The requested URL returned error: 404

/usr/bin/md5sum: proftpd-1.3.7d.tar.gz: No such file or directory

*** MD5 Checksum for proftpd-1.3.7d.tar.gz Failed.  Redownloading...***

Downloading             proftpd-1.3.7d.tar.gz...
curl: (77) error setting certificate verify locations:  CAfile: /etc/pki/tls/certs/ca-bundle.crt CApath: none

Downloaded file /usr/local/directadmin/custombuild/proftpd-1.3.7d.tar.gz does not exist or is empty after download
cwd is: /usr/local/directadmin/custombuild
Fileserver might be down, using the backup file server..
curl: (22) The requested URL returned error: 404

/usr/bin/md5sum: proftpd-1.3.7d.tar.gz: No such file or directory


*** MD5 Checksum for proftpd-1.3.7d.tar.gz failed *again*.***
The md5 checksum value may be incorrect, or a wrong file is being downloaded.
Install continuing with this possibly corrupted file. (it may also be fine)


Downloading             proftpd...
curl: (77) error setting certificate verify locations:  CAfile: /etc/pki/tls/certs/ca-bundle.crt CApath: none

Downloaded file /usr/local/directadmin/custombuild/proftpd does not exist or is empty after download
cwd is: /usr/local/directadmin/custombuild
Fileserver might be down, using the backup file server..
######################################################################################################################################################################################################################################################### 100.0%

Too many failed attempts with files-ca.directadmin.com. Will try a different server.
We'll temporarily try using files.directadmin.com instead

Downloading             proftpd_freebsd...
######################################################################################################################################################################################################################################################### 100.0%curl: (77) error setting certificate verify locations:  CAfile: /etc/pki/tls/certs/ca-bundle.crt CApath: none

Downloaded file /usr/local/directadmin/custombuild/proftpd_freebsd does not exist or is empty after download
cwd is: /usr/local/directadmin/custombuild
Fileserver might be down, using the backup file server..
######################################################################################################################################################################################################################################################### 100.0%

Too many failed attempts with files.directadmin.com. Will try a different server.
We'll temporarily try using 69.162.69.58 instead

Downloading             proftpd_debian...
######################################################################################################################################################################################################################################################### 100.0%
*** Cannot find /usr/local/directadmin/custombuild/proftpd-1.3.7d.tar.gz. Aborting ***
[root@changeme custombuild]#

Ideas?

Thanks
 