Chroot and /etc/ssl/certs for PHP curl (reopen)

SYSTEM INFORMATION
OS type and version: Ubuntu 24.04
Webmin version: 2.202
Virtualmin version: 7.20.2
Webserver version: 2.4.58
Related packages: OpenSSL, CURL

Hello,

I don’t normally like discussion, but after 2 days of investigating an issue where my 2 websites, after being deployed to a fresh Ubuntu 24.04 install with Virtualmin, became unable to send PHPMailer email or perform other tasks that require PHP CURL, I want to share it.

All my research ended up with suggestions to check /etc/ssl/certs/ca-certificates.crt. I checked, and the folder and the files inside exist. I even reinstalled and updated ca-certificates.crt just to make sure there was no corruption, etc. I also tried downloading cacert.pem, placing it at /etc/ssl/cacert.pem and updating both curl.cainfo and openssl.cafile to point to it. Restarted php-fpm and apache2; all of that was done.

All ended up with the same error message, which is “Connection failed. failed loading cafile stream: /etc/ssl/certs/ca-certificates.crt” or “Connection failed. failed loading cafile stream: /etc/ssl/certs/cacert.pem”.

After over 2 days, when I had almost decided to give up and change back to CentOS, a system that had been working fine for me for the last 10 years, I found this article: Chroot and /etc/ssl/certs for PHP curl. The word “isolation” of a virtualhost really woke me up. THIS IS THE THING CAUSING THE ISSUE.

When a new virtualhost is created with “Chroot jail new domain Unix users” ticked “Yes”, a new folder is created like /home/chroot/1732371110154109, and inside it has everything including a folder /etc. But the problem here is that Virtualmin “forgot” to copy the ssl folder from /etc/ssl into this, and that caused PHP CURL to be unable to load the certificate even though it clearly exists at the global level in /etc/ssl.

I don’t know if it is a bug or because I misused Virtualmin, but I just want to share my experience so that someone else can escape the same mistake. This feature “Chroot jail new domain Unix users” is really dangerous and should be used with care.

My question: if my website was created with “Chroot jail new domain Unix users” ticked “Yes”, how can I revert it so that the website is no longer jailed and back to normal, as with “No” chroot? For now, I couldn’t find an option to do this.

Virtualmin didn’t forget. Everyone has different requirements, and different security expectations. We don’t alter the jail definitions that come in the jailkit package. If using jails, you’ll need to figure out what you need to be in the jail and put it there. We provide a module for editing the jails, and Jailkit provides jk_cp and other tools for copying files (and their dependencies if it’s an executable), but it’s best to define your jail in the config file, rather than ad hoc copying files into place.

It isn’t dangerous, but you should use it with care. Well, actually, it’s potentially dangerous on Debian and Ubuntu, but not because you might be missing some files, it’s because last I checked, they don’t build jailkit with capabilities support enabled. While on the RHEL-based distros, capabilities are used, so any potential escalation risks are probably mitigated. I recommend reading the Jailkit documentation before using jails, just so you have some context.

A jail is, by design, a minimal chroot with only the tools the user needs to do the tasks you want them to be able to do. The idea being it reduces the attack surface of your system for users that are potentially a threat, because they have fewer tools to work with and less visibility into the system. If we put everything in the jail, they have all the tools and they can likely escape the jail. So, they don’t have all the tools. If you want them to be able to send mail, you’ll need to give them that ability. Mail is one of the things that untrusted users abuse most often, so I think you should be aware you’re enabling mail when you do so.

Maybe we need to rethink our policy on this, and introduce a new “PHP with mail and TLS” or something, but I really think we just need to make it more clear that jails are not something to enable without understanding them. You need to know what you want your users to do, and what tools they need to do it; I think it’s best if you are an active participant in that because it has security implications. PHP can become really complicated with a bunch of different versions on a system, for example, which makes jails pretty complicated, too. One should expect to spend more time than simply enabling the jail.

Reading over my reply, I think I’m giving the wrong impression of chroot jails and what they provide, so let me sum it up from a different angle:

If you want your users to be able to do everything, you don’t need a jail and you don’t benefit from a jail. Regular UNIX permissions are fine for a lot of use cases, maybe most.

If you don’t want users to be able to do everything, you can enable chroot jails, which restrict users in many ways (though it’s not a security silver bullet and there are always ways around it in a system where users can execute code via multiple paths, like the web server and procmail, etc.); you need to take a little time to figure out what you do want them to be able to do, and what tools/files they need to do those things.

Or, disabling ssh access entirely is a better security mechanism than ssh+chroot jails, if you really want to restrict your users’ ability to make mischief; they can still use ftp over ssh on port 2222 or FTP over TLS on the usual ports for secure transfers, and the FTP server limits users to their home by default, or they can use the File Manager in Webmin to upload files.

Hello,

Thank you for your helpful info. And regarding my last question:

Do you think I can revert my websites back to a normal state via Virtualmin tools? For now, my workaround is to copy /etc/ssl into each of the website’s folders and it works, but for the long term, is there a formal way?

Manage Virtual Server->Edit Owner Limits->Environment limitations->Enable Jailkit for domain
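The reply above recommends putting the CA bundle into the jail with Jailkit’s tools or its config file rather than copying /etc/ssl by hand, which is the workaround described in the follow-up. The script below is an added example and is not code from this thread, from Virtualmin or from Jailkit: it audits one jail root (such as the /home/chroot/1732371110154109 directory mentioned above) for the bundle that PHP’s openssl.cafile / curl.cainfo points at, and prints the jk_cp command and a jk_init.ini section that would install it the Jailkit way. The section name [sslcerts] and the script’s argument conventions are assumptions; the default bundle path is Ubuntu’s /etc/ssl/certs/ca-certificates.crt.

```shell
#!/bin/sh
# Added example (not from the forum thread, Virtualmin or Jailkit).
# Usage: sh check_jail_cafile.sh /home/chroot/<jail-id> [/path/to/cafile]
# Checks that the CA bundle PHP is configured to use is present inside a
# jailkit chroot, and prints the jailkit commands that would install it.

# Assumed default: the bundle shipped by Ubuntu's ca-certificates package.
DEFAULT_CAFILE=/etc/ssl/certs/ca-certificates.crt

# Ask the host's PHP which bundle it is configured to use; fall back to the
# default when php is absent or neither ini setting is set.
php_cafile() {
    cafile=""
    if command -v php >/dev/null 2>&1; then
        cafile=$(php -r 'echo ini_get("openssl.cafile") ?: ini_get("curl.cainfo");' 2>/dev/null || true)
    fi
    if [ -n "$cafile" ]; then
        printf '%s\n' "$cafile"
    else
        printf '%s\n' "$DEFAULT_CAFILE"
    fi
}

# jail_has_cafile JAIL CAFILE: succeed only when the bundle is readable at the
# same absolute path inside the jail (what PHP in the jail will try to open).
jail_has_cafile() {
    [ -r "$1$2" ]
}

# fix_command JAIL CAFILE: the jailkit way to copy the bundle into the jail.
# Printed rather than executed so an operator can review it first.
fix_command() {
    printf 'jk_cp -j %s %s\n' "$1" "$2"
}

# jail_section CAFILE: an assumed jk_init.ini section ([sslcerts]) so the
# bundle becomes part of the jail definition and is re-applied by jk_init.
jail_section() {
    cat <<EOF
[sslcerts]
comment = CA bundle so PHP curl/openssl inside the jail can verify TLS peers
paths = $1
EOF
}

# audit_jail JAIL [CAFILE]: report status; returns 0 when the bundle is
# present, 1 when it is missing, 2 when the jail root does not exist.
audit_jail() {
    jail=$1
    cafile=${2:-$(php_cafile)}
    if [ ! -d "$jail" ]; then
        echo "no such jail root: $jail" >&2
        return 2
    fi
    if jail_has_cafile "$jail" "$cafile"; then
        echo "OK: $cafile is present inside jail $jail"
        return 0
    fi
    echo "MISSING: $cafile not found under $jail (PHP in this jail cannot load its cafile)"
    echo "Fix with jailkit:  $(fix_command "$jail" "$cafile")"
    echo "Or add this section to /etc/jailkit/jk_init.ini and run: jk_init -j $jail sslcerts"
    jail_section "$cafile"
    return 1
}

# Run the audit only when a jail root is given on the command line.
if [ $# -ge 1 ]; then
    audit_jail "$@"
fi
```

Running it against every directory under /home/chroot before enabling “Chroot jail new domain Unix users” for a PHP site turns the two-day hunt described above into a one-line check, and the jk_init.ini section keeps the bundle in the jail definition so it survives the next time the jail is rebuilt.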