Permission problem using CertSage v1.3.0 with Plesk on shared server

I'm on a shared server. From research, it sounds like I should move my mail.domain.com and ftp.domain.com to subdomains of my domain because I'm having invalid certificate issues. Will CertSage still work for me?

I'm on a shared server using Plesk instead of cPanel. I've uploaded certsage.txt and changed it to php. I've run domain.certsage.php. First error, it couldn't write directory CertSage so I created the directory at the same level as wwwroot. Second error, it couldn't write password.txt so I added that to the CertSage directory. I've added a password, copied and pasted, and also tried typing it in to the next screen asking for my domain name and password and get "password was incorrect".

  1. After this point, are write permissions needed?

  2. Can't anyone at a terminal see the password???

  3. I'm stumped, what do I do next?

It sounds like the permissions for where your CertSage directory is located are too strict. You can change where your CertSage directory is located by modifying the $dataDirectory variable on line 18 of certsage.php. You do not want your CertSage directory to be accessible from the internet! CertSage will need to be able to read and write to both your CertSage directory and the webroot directory of your website (where certsage.php is sitting).

Why would anyone without access to your CertSage directory be able to read your password?

CertSage can acquire a certificate for any domain name for which certsage.php is sitting in the webroot directory for that domain name such that an active webserver (e.g. Apache or nginx) is serving content from that webroot directory. Only domain names with a common webroot directory (e.g. example.com and www.example.com) can be covered by the same certificate using CertSage.

6 Likes

@griffin

I checked the permissions for CertSage and it has full control but the check marks are greyed out. Knowing there are full permissions, how do I proceed? Does it matter that I don't have IPv6?

I'm not sure what the internet can see in my directory to know where to safely place my CertSage. Hence the following remark...

It seems like the CertSage directory sits outside of my website "bubble" and is there to be seen. So a txt file could be read. The CertSage is at the same level as my wwwroot directory. Do I need to secure the CertSage directory?

You should put certsage.php in your webroot directory so that when you visit http://domain.com/certsage.php you get the CertSage main page. You should modify the line in certsage.php that I mentioned before to point to a directory where you are sure that no one but yourself (or anyone administrating your hosting account) has any access. CertSage will create the directory if it does not exist. The data directory is not required to be named CertSage. Keep in mind who is the owner of the directory in which CertSage's data resides compared with the owner of your webroot directory where certsage.php resides. Giving full permissions does not necessarily mean that those permissions are being granted to the same owner/user.

IPv6 is irrelevant here.

If you cannot type an address into your browser that can access CertSage's data, you should be safe.

6 Likes

@griffin I can execute CertSage and get the error messages. I have the php file in my wwwroot subdirectory with my web files. I also moved it up a level so it was in brentwoodestateshoa.com above my web files but still get the error message that it can't create /CertSage. I have changed the variable for the placement of the CertSage directory using this syntax:

../../CertSage
../brentwoodestateshoa.com/CertSage
/brentwoodestateshoa.com/CertSage

Is my syntax correct? All gave error messages they couldn't create a directory for CertSage.

I am the "owner" and admin of the website, even though it belongs to the community, and I have all privileges which is why I don't understand the greyed out check marks. Just to be clear:

Is the webroot directory my wwwroot directory of brentwoodestateshoa.com?
Is the CertSage directory intended to be a subdirectory of brentwoodestateshoa.com?
Is the CertSage directory not intended to be located with my web files?

I honestly don't know at what point files can be viewed publicly, I password protect the files I need security. I think we're at the point of screen shots. Please let me know what will be helpful.

The problem that you are facing is that CertSage (not you) does not have permissions for the parent directory ( .. ) or the parent directory's parent directory ( ../.. ) of the directory in which certsage.php resides. Rather than specifying a relative path to somewhere in your web directory structure like you have been trying to do, you should specify an absolute path to a directory that perhaps CertSage can access, like maybe your home directory.

You can specify an absolute path

6 Likes

@griffin I'm not sure what my "home directory" is, the home directory on Arvixe is at the highest level above brentwoodestateshoa.com. I checked "Replace permission entries on all child objects...", Plesk said it was updated but it still shows blank and the script still wouldn't create the /CertSage subdirectory of brentwoodestateshoa.com. If I create an absolute path don't I need the server? We're on pine.arvixe.com, how would I incorporate that into the syntax. Please let me know if there's TMI :slight_smile:

Screen Shot 2022-10-21 at 9.02.07 PM

Based on what I'm seeing, certsage.php should live in the brentwoodestateshoa.com/wwwroot directory. The $dataDirectory should be set to "../CertSage" .

The permissions for the brentwoodestateshoa.com directory need to be set such that PHP can read and write to the CertSage directory once it's created there by PHP. I suggest reading up on setting those permissions then experimenting to see what works. Keep in mind that to find files in a directory, the permissions of the parent directory (and every parent beneath) must allow finding files (listing directory contents, that is). I think it may be the "pool" permissions that you want to set. Once CertSage can create its own data directory, I think the rest will go smoothly.

6 Likes

@griffin I checked the PHP permissions. It seems at the server level the permissions are granted if the user can change the version, I can. I checked the advanced permissions for me, the user, and I marked full control for folder only, subfolder only, and files only. CertSage still cannot create the /CertSage subdirectory.

One thing I noticed, when I change the permissions, Plesk points me to the .package domain rather than the brentwoodestateshoa.com domain where I changed the permissions. I'm not sure if this is a problem or not but submitted ANOTHER trouble ticket to Arvixe (they have not responded to my first TT on 10/10). Can I create the necessary files or is this an issue of the certificates needing to be written to a folder?

Without the proper permissions, CertSage will not be able to read the files even if you create them manually, which is why you ran into the password issue before. The challenge here is setting the permissions for the user/principal under which CertSage itself (as a PHP script) is running. The security column of the following page might provide some clues as to which settings to consider and for which user to set permissions.

6 Likes
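The advice above comes down to three questions: which account PHP actually runs as, whether that account can write where CertSage will try to create its data directory, and whether that location is reachable from the web. The following is an added diagnostic sketch, not part of CertSage and not posted by anyone in this thread; the two candidate paths are the values tried in the thread, and the probe file name is made up for the example.

```php
<?php
// Added diagnostic example; not part of CertSage. Delete it after one use.
header('Content-Type: text/plain');
// Candidate data directories: the two values tried in this thread.
$candidates = ['../CertSage', 'C:\CertSage'];

// Account the PHP worker runs as (often not your control-panel login).
function processUser(): string {
    if (function_exists('posix_geteuid') && function_exists('posix_getpwuid')) {
        $pw = posix_getpwuid(posix_geteuid());
        return $pw !== false ? $pw['name'] : (string) posix_geteuid();
    }
    return getenv('USERNAME') ?: get_current_user();
}

// Walk up the path until something that already exists is found.
function nearestExisting(string $path): string {
    while (!@file_exists($path) && dirname($path) !== $path) {
        $path = dirname($path);
    }
    return $path;
}

// Real write test: create and remove a probe file instead of trusting flags.
function canWrite(string $dir): bool {
    $probe = $dir . DIRECTORY_SEPARATOR . 'probe-' . bin2hex(random_bytes(4)) . '.tmp';
    if (@file_put_contents($probe, 'x') === false) {
        return false;
    }
    @unlink($probe);
    return true;
}

// True when the path resolves to a location under the document root.
function insideWebroot(string $existing): bool {
    $docRoot = $_SERVER['DOCUMENT_ROOT'] ?? '';
    $root = $docRoot !== '' ? realpath($docRoot) : false;
    $real = realpath($existing);
    if ($root === false || $real === false) {
        return false; // could not resolve; check by hand
    }
    return stripos($real . DIRECTORY_SEPARATOR, $root . DIRECTORY_SEPARATOR) === 0;
}

echo 'PHP runs as: ', processUser(), "\n";
foreach ($candidates as $dir) {
    $base = nearestExisting($dir);
    printf("%s -> %s | PHP can write: %s | under webroot: %s\n", $dir, $base,
        canWrite($base) ? 'yes' : 'no', insideWebroot($base) ? 'yes' : 'no');
}
```

A usable data directory is one where "PHP can write" is yes and "under webroot" is no; the account printed on the first line is the one that needs the read and write permissions.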

@painter

I think this may help a lot, bearing in mind that brentwoodestateshoa.com appears to be an addon domain and not the primary domain on your plesk account:

6 Likes

@griffin Wow! You've been doing some research. How can you tell my domain is an addon? When we were on cPanel, there was only one domain. Now that we're on Plesk there are two. I looked up .package and read it was like a .zip file so I thought that's how they set up all of our domains. By default brentwoodestateshoa.com is running fastCGI with PHP v7.4.6

@griffin I've verified my login is the owner of the account. When I make changes to brentwoodestateshoa.com it seems to update the .package domain, because the .package domain is now set up with PHP v7.4.6 (and I've been ignoring that domain). I've given myself every permission available. At this point, I'm checking every box I come across in my account. I'm running the PHP script at the URL line of my browser ==>mydomain/certsage.php. Should I be running it inside of Plesk? If so, I have more research to do.

@griffin So as I'm poking around in Plesk, I noticed I have a phpErrorLog. I opened the log and I see I've tried to execute CertSage 64 times. I also notice, even though I'm running the php as mydomain/certsage.php, the errors are occurring in .package domain. Not one error happens in the brentwoodestateshoa.com domain. I'm not sure what this means but I find it confounding. I've checked my permissions in the .package and I have full permissions, running PHP v 7.4.6 with FastConfig and my ftp login has read and write permissions.

Looking at the file managers for both domains, certsage.php is in both. If I rename certsage to certsage1 in my domain, it renames it in the .package domain.

Still poking around, looking for something else, I noticed to the far right of the certsage.php I have a drop down box! When I click on it, I can actually give certsage permission. It didn't change anything, I'm still bombing on creating the /CertSage dir :frowning:

Just a shot in the dark, but try using 'C:\CertSage' as your $dataDirectory . Make absolutely certain that you use single quotes around that path and not the double quotes used in the default installation.

6 Likes

@griffin I still get an error message that it can't create the directory C:/CertSage

Did you set the permissions of the system account?

5 Likes

@griffin I'm not sure what you're asking. What is a system account? If a system account is the .package, then yes, the permissions are there.

One thing I noticed looking at another php file's permissions in my CGIBin was the group/user was set to "Built in account for administering the computer/domain (EIGA Admin)" that is not available for certsage.php. I'm not able to make any selections.

You did actually use a backslash here, right?

4 Likes