Chroot and /etc/ssl/certs for PHP curl

SYSTEM INFORMATION
OS type and version Ubuntu 20.04 LTS
Webmin version 2.105
Virtualmin version 7.8.2

Hi Virtualmin Team!

I found the chroot feature of Virtualmin to work really well, up to a small glitch found today:

Creating a new top-level server with chroot enabled in Virtualmin doesn’t create a link to /etc/ssl/certs, and thus SSL curl requests in PHP fail.

Is this a bug?

If yes, will the bug fix version update/fix existing chrooted servers?

Otherwise/Anyway, any suggested fix that will be compatible with the eventual future Virtualmin version fixing that?

Wishing you a wonderful day!

I think the problem has to be something else. The certs are only needed by the web server, and the web server is not chrooted.

What error are you getting? What are you actually trying to do with PHP curl that fails?

Hi,

We had a problem related to this in our hosted WP sites. The PHPMailer plugin showed SSL errors and I solved the problem modifying the netutils jail. Let’s explain what I did (It was an AlmaLinux 9, so the paths may be different in other OS).

To ensure SSL works correctly with PHP, we need to add the file containing the certification entities to the jail and modify the PHP-FPM pool to include this path. We edit /etc/jailkit/jk_init.ini and in the [netutils] section, we add the line:
regularfiles= /etc/ssl/certs/ca-bundle.trust.crt, /etc/pki/tls/certs/ca-bundle.crt

It would look as follows:
[netutils]
comment=several internet utilities like wget, ftp, rsync, scp, ssh
paths=wget, curl, lynx, ftp, host, rsync, smbclient
regularfiles= /etc/ssl/certs/ca-bundle.trust.crt, /etc/pki/tls/certs/ca-bundle.crt
includesections=netbasics, ssh, sftp, scp

Next, we edit the configuration of the php-fpm pool to include the path by adding the following line:
php_value[openssl.cafile] = /etc/pki/tls/certs/ca-bundle.crt

You then need to reapply the chroot jail to the website.

If we want this configuration to be added by default when creating a new server, then we should include it in the default template. So we edit System Settings > Server Templates > Default Settings > PHP options and in the “Additional FPM pool options” section, we add the line:
php_value[openssl.cafile] = /etc/pki/tls/certs/ca-bundle.crt

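As an added consistency check (my own code, not Virtualmin's or jailkit's), the Python below cross-checks the three things the post above changes: the regularfiles= entry in the [netutils] section of jk_init.ini, the php_value[openssl.cafile] directive in the PHP-FPM pool, and whether the bundle actually exists under the domain's jail root after the jail has been re-applied. The demo() fixture is constructed in a temporary directory; the jail root, pool file name and bundle contents are assumptions.

```python
import configparser
import re
import tempfile
from pathlib import Path

# The pool directive the post adds: php_value[openssl.cafile] = /path
CAFILE_RE = re.compile(r"^\s*php_value\[openssl\.cafile\]\s*=\s*(\S+)", re.M)

def jail_regular_files(jk_init_path, section="netutils"):
    """Files listed under regularfiles= in one section of jk_init.ini."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read(jk_init_path)
    raw = cp.get(section, "regularfiles", fallback="")
    return [p.strip() for p in raw.split(",") if p.strip()]

def pool_cafile(pool_conf_path):
    """The openssl.cafile a PHP-FPM pool sets via php_value, or None."""
    m = CAFILE_RE.search(Path(pool_conf_path).read_text())
    return m.group(1) if m else None

def check_chroot_cafile(jail_root, jk_init_path, pool_conf_path):
    """Cross-check the three places that must agree for PHP TLS verification
    inside a jail; returns a list of problems (empty means consistent)."""
    cafile = pool_cafile(pool_conf_path)
    if cafile is None:
        return ["pool: php_value[openssl.cafile] is not set"]
    problems = []
    if cafile not in jail_regular_files(jk_init_path):
        problems.append(f"jk_init.ini: {cafile} missing from [netutils] regularfiles")
    if not (Path(jail_root) / cafile.lstrip("/")).is_file():
        problems.append(f"jail: {cafile} not copied into {jail_root} (jail not re-applied?)")
    return problems

def demo(copy_bundle=True):
    """Constructed fixture mirroring the post's AlmaLinux 9 layout, not a real host."""
    root = Path(tempfile.mkdtemp())
    cafile = "/etc/pki/tls/certs/ca-bundle.crt"
    jk_init = root / "jk_init.ini"
    jk_init.write_text("[netutils]\npaths=wget, curl, lynx, ftp, host, rsync, smbclient\n"
                       f"regularfiles= /etc/ssl/certs/ca-bundle.trust.crt, {cafile}\n"
                       "includesections=netbasics, ssh, sftp, scp\n")
    pool = root / "example.conf"
    pool.write_text(f"[example]\nphp_value[openssl.cafile] = {cafile}\n")
    jail = root / "home" / "example"          # the domain's chroot root (assumed)
    if copy_bundle:                           # simulates the jail having been re-applied
        target = jail / cafile.lstrip("/")
        target.parent.mkdir(parents=True)
        target.write_text("# placeholder CA bundle (constructed)\n")
    return check_chroot_cafile(jail, jk_init, pool)
```

Run check_chroot_cafile() against the real /home/<domain>, /etc/jailkit/jk_init.ini and the domain's pool file to confirm all three agree before blaming PHP or curl.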

Ah…it’s the CA bundle that it needs, not the certificates! That makes sense!


Thank you very much @RobertoPastor! :star_struck:

@Joe will this be fixed in an upcoming Virtualmin release?

I guess as Virtualmin has many LAMP uses, it would make sense to integrate it?

And, if fixed, will the fix include updating existing chrooted virtual servers? :wink:

FYI: We also have issues with access from PHP to the tmp directory inside of /home/domain of chrooted servers, in particular to move uploaded images. We had to disable the chroot in Administration Options / Edit Owner Limits / Other restrictions for it to work.

While your environment, I'm sure, is very different from mine, I have not found any real use for chroot at all :slight_smile: Any chance the isolation Virtualmin gives is enough for your purposes and chroot is no longer needed?

Just a crazy thought!!!

I had added chroot as an added layer of security and privacy, as in PHP /home can be visible.

How does PHP expose /home? I was under the impression that it was locked to the serving directory.
