SSL key directory - just have one location which is in the owner account

SYSTEM INFORMATION
OS type and version: Ubuntu Linux 22.04.4
Webmin version: 2.111
Usermin version: 2.010
Virtualmin version: 7.10.0
Theme version: 21.10
Package updates: 3 package updates are available

Background

During the Post-Installation Wizard you are asked where you want to store the users' certificates (and I guess keys etc.)

The current wisdom is

This all makes sense.

Proposed Blueskies

Is it now possible to just store the certificates in the user's home directory and make the server resilient to accidental certificate deletions?

This, as mentioned, can make things easier to manage and a little more logical, because all user files should be in their home directory, and one further step from the wizard can be removed.

Thanks for looking :smile:

@Jamie, I think this is a good question — what really stops Virtualmin from creating ~/ssl.* files in the user's home directory without permissions to edit/delete those files?

This doesn’t sound right. I have yet to know of anyone accidentally deleting their own SSL certs.
You would cause a lot of problems if the user is unable to delete a corrupted cert and keys, or just delete them to manually switch them out.

I would suggest making a directory /home/user/ssl; it makes them easier to find instead of throwing them in the /home/user/ directory.

I had a case not too long ago where Let’s Encrypt certs were corrupted during creation, and being able to go in and delete all SSL files and recreate them took only 5 minutes to resolve.


That sounds like the best plan, but tbf back in the days of FTP my users were jailed to the public_html directory so they could not see the files.

Although it might seem like a good plan, in practice, it’s a worst-case scenario for shared hosting. Unless each user had a separate webserver, on a separate IP address, it’s not feasible to implement this idea safely. Each domain’s SSL certificate is read by a webserver. If a certificate is missing or corrupt, the webserver (such as Apache or Nginx) will fail to restart, affecting every other domain hosted on the system.

And, yes, it needs to be managed by Virtualmin. If Virtualmin configured the ~/ssl.* files to be owned by root:domain1 with permissions set to 0640, it would prevent manual mis-editing of SSL certificates. However, this approach would require making those files immutable to prevent deletion, and handling it every time certificates are renewed can be error-prone; using a separate directory like ~/ssl/ (with special permissions) under the user’s home to store ssl.* certificate files could also work though.

Besides, storing system-related files under a user’s home directory presents other issues (like malicious symlink attack) and generally should be avoided.

I think we should just stick to /etc/ssl/virtualmin for storing SSL certificates.

Yeah, we used to put certs in the home directory, but this allows domain owners to rename or delete them, which can then cause Apache to fail to start! In a shared hosting environment, this allows one user to take down websites for everyone…
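The failure mode described in the last two posts (a renamed, deleted or hand-edited ~/ssl.* file that stops Apache for every domain on the box) is something a wrapper around the web-server reload can catch in advance. The following is an added example, not Virtualmin's own code: it takes an assumed list of (domain, certfile, keyfile) triples, checks that each pair exists, is owned by the expected uid and is not group/world writable, and then lets OpenSSL parse and match the pair the same way the web server would; the sample vhosts and PEM files in `demo()` are constructed for illustration.

```python
import os
import ssl
import stat
import tempfile


def check_domain_ssl(certfile: str, keyfile: str, owner_uid: int = 0) -> list[str]:
    """Return the problems found with one domain's cert/key pair (empty list if OK)."""
    problems: list[str] = []
    for path in (certfile, keyfile):
        try:
            st = os.stat(path)
        except FileNotFoundError:
            problems.append(f"{path} is missing")
            continue
        # Key material the domain owner can rewrite or delete is the risk the thread describes.
        if st.st_uid != owner_uid:
            problems.append(f"{path} is not owned by uid {owner_uid} (uid {st.st_uid})")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            problems.append(f"{path} is group/world writable (mode {stat.S_IMODE(st.st_mode):04o})")
    if any(p.endswith("is missing") for p in problems):
        return problems  # nothing further to parse
    # load_cert_chain parses both PEM files and checks that the key matches the certificate,
    # which is exactly what Apache/Nginx would choke on at (re)start.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.load_cert_chain(certfile, keyfile)
    except (ssl.SSLError, OSError) as exc:
        problems.append(f"{certfile}/{keyfile} failed to load: {exc}")
    return problems


def preflight(domains, owner_uid: int = 0) -> list[tuple[str, str]]:
    """Check every vhost; only reload the web server when this returns []."""
    out: list[tuple[str, str]] = []
    for domain, cert, key in domains:
        out.extend((domain, p) for p in check_domain_ssl(cert, key, owner_uid))
    return out


def demo() -> list[tuple[str, str]]:
    """Constructed sample: one vhost with a truncated, world-writable cert and one whose files are gone."""
    d = tempfile.mkdtemp()
    cert, key = os.path.join(d, "ssl.cert"), os.path.join(d, "ssl.key")
    with open(cert, "w") as f:
        f.write("-----BEGIN CERTIFICATE-----\nMIIBtruncated\n-----END CERTIFICATE-----\n")
    with open(key, "w") as f:
        f.write("-----BEGIN PRIVATE KEY-----\ngarbage\n-----END PRIVATE KEY-----\n")
    os.chmod(cert, 0o666)  # deliberately too permissive
    os.chmod(key, 0o640)
    vhosts = [("broken.example", cert, key),
              ("gone.example", "/nonexistent/ssl.cert", "/nonexistent/ssl.key")]
    return preflight(vhosts, owner_uid=os.getuid())  # real deployment: owner_uid=0 (root)
```

Run `preflight()` from whatever wraps `apachectl graceful` or `nginx -s reload`, and refuse the reload while it returns anything, so one domain's broken files never take the others offline.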

Should this option just be removed then? If it is a bad thing, maybe it is time to get rid of it.

Maaaybe … some users like the old location, and it’s more convenient if all domains are owned by a single person.

Fair enough :smile:

Why not then put it under ~/ssl/ssl.* and make ~/ssl/ directory only writable by root user?

Because the user could still rename ~/ssl because they own the home directory.

That’s right! Then why didn’t we simply use the immutable flag in the first place? I’m asking to understand the initial reasoning.

I don’t think the immutable flag prevents a directory from being renamed, because its name exists in the parent directory structure.

The immutable flag should prevent renaming as well, on both files and directories.

What problem are we trying to solve? The only thing I see in having a copy in the user's home directory is that it is easier to move the site? (I guess I never thought of this, but does the VM backup include the keys?) Maybe it would be just as good to store a copy of the current good cert there then?

> Maybe it would be just as good to store a copy of the current good cert there then?

I don’t think we need a copy. Virtualmin can migrate a website and take care of SSL certificates.

I’m on a treasure hunt for decisions from the past.

Oh. I thought you were above ‘vendor lock in’ . :smiley:

The domain owner could also directly edit and corrupt the SSL cert file though.

So this becomes a potential attack vector. One compromised site could take down the web server?

Not to say a bad word, but how does cPanel do it?