Hello community.
EDIT: Resolution at the end of the post, but still curious as to why this is happening.
I recently enabled phpmyadmin Single Sign-On and on almost all servers it works flawlessly. On one server though, I get an "Access denied" error when clicking on the phpmyadmin icon next to the DB name, under the DB tab in the Hestia UI:
The non-SSO phpmyadmin page loads fine at https://[ServerFQDN]/phpmyadmin/ when I click on the phpMyAdmin button (or type the address manually). Only the SSO thing creates the Access Denied error below:
(not to be confused with this error as described in 2364)
The server is Ubuntu 18.04.6 LTS running Hestia in apache2 + php-fpm multiphp configuration. The installation command was:
bash hst-install.sh --nginx yes --apache yes --phpfpm no --multiphp yes --named yes --vsftpd yes --proftpd no --iptables yes --fail2ban yes --quota yes --exim yes --dovecot yes --spamassassin no --clamav no --mysql yes --postgresql no --interactive yes --hostname $(hostname -f) --email [REDACTED] --password [REDACTED] --port [REDACTED] --api yes
Here is what I have tried so far:
- Checked that the API is enabled in Server > Configure > Security > System > API and that the IP of the server as well as 127.0.0.1 are on the allow list. I even tried “allow-all” in the allow list, just for testing purposes
- /var/log/hestia/auth.log does not contain any errors.
- /var/log/apache2/domains/[ServerFQDN].error.log contains the following error:
Got error 'PHP message: PHP Warning: Unknown: failed to open stream: Permission denied in Unknown on line 0Unable to open primary script: /usr/share/phpmyadmin/hestia-sso.php (Permission denied)', referer: https://ServerFQDN:PORT/
The file /usr/share/phpmyadmin/hestia-sso.php does exist, though, with permissions 0640, Group=www-data, Owner=root. The /usr/share/phpmyadmin directory has permissions 0755 with Group=root, Owner=root. I think this is actually causing the error, but I can't figure out why this is happening.
- The FQDN Web Domain is under the admin user in Hestia and is using the default template for apache2, the PHP-7_4 template, and the default proxy template. I made sure the PHP-7_4 template contains /usr/share in the open_basedir entry. Here are both templates for reference:
/usr/local/hestia/data/templates/web/php-fpm/PHP-7_4.tpl
; origin-src: deb/php-fpm/multiphp.tpl
[%domain%]
listen = /run/php/php%backend_version%-fpm-%domain%.sock
listen.owner = %user%
listen.group = www-data
listen.mode = 0660
user = %user%
group = %user%
pm = ondemand
pm.max_children = 8
pm.max_requests = 4000
pm.process_idle_timeout = 10s
pm.status_path = /status
php_admin_value[upload_tmp_dir] = /home/%user%/tmp
php_admin_value[session.save_path] = /home/%user%/tmp
php_admin_value[open_basedir] = /home/%user%/.composer:/home/%user%/web/%domain%/public_html:/home/%user%/web/%domain%/private:/home/%user%/web/%domain%/public_shtml:/home/%user%/tmp:/tmp:/var/www/html:/bin:/usr/bin:/usr/local/bin:/usr/share:/opt
php_admin_value[sendmail_path] = /usr/sbin/sendmail -t -i -f admin@%domain%
env[PATH] = /usr/local/bin:/usr/bin:/bin
env[TMP] = /home/%user%/tmp
env[TMPDIR] = /home/%user%/tmp
env[TEMP] = /home/%user%/tmp
/usr/local/hestia/data/templates/web/apache2/php-fpm/default.stpl
#=========================================================================#
# Default Web Domain Template #
# DO NOT MODIFY THIS FILE! CHANGES WILL BE LOST WHEN REBUILDING DOMAINS #
# https://docs.hestiacp.com/admin_docs/web.html#how-do-web-templates-work #
#=========================================================================#
<VirtualHost %ip%:%web_ssl_port%>
ServerName %domain_idn%
%alias_string%
ServerAdmin %email%
DocumentRoot %sdocroot%
ScriptAlias /cgi-bin/ %home%/%user%/web/%domain%/cgi-bin/
Alias /vstats/ %home%/%user%/web/%domain%/stats/
Alias /error/ %home%/%user%/web/%domain%/document_errors/
#SuexecUserGroup %user% %group%
CustomLog /var/log/%web_system%/domains/%domain%.bytes bytes
CustomLog /var/log/%web_system%/domains/%domain%.log combined
ErrorLog /var/log/%web_system%/domains/%domain%.error.log
<Directory %home%/%user%/web/%domain%/stats>
AllowOverride All
</Directory>
<Directory %sdocroot%>
AllowOverride All
SSLRequireSSL
Options +Includes -Indexes +ExecCGI
</Directory>
SSLEngine on
SSLVerifyClient none
SSLCertificateFile %ssl_crt%
SSLCertificateKeyFile %ssl_key%
%ssl_ca_str%SSLCertificateChainFile %ssl_ca%
<FilesMatch \.php$>
SetHandler "proxy:%backend_lsnr%|fcgi://localhost"
</FilesMatch>
SetEnvIf Authorization .+ HTTP_AUTHORIZATION=$0
IncludeOptional %home%/%user%/conf/web/%domain%/%web_system%.ssl.conf_*
IncludeOptional /etc/apache2/conf.d/*.inc
</VirtualHost>
- Here is the relevant log entry in /var/log/apache2/domains/[ServerFQDN].log:
[Client-IP] - - [05/Feb/2022:18:51:22 +0200] "GET /phpmyadmin//hestia-sso.php?database=[redacted]&user=[redacted]&exp=1644079879&hestia_token=$2y$10$2c5W5Z1e24LLW0.U5dgiCOckCodY5nubL/9YkFIlRxUdunD7m/fcu HTTP/1.0" 403 369 "https://[FQDN]:[PORT]/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:96.0) Gecko/20100101 Firefox/96.0"
- Disabled PMA SSO (Server > Configure > Database) and then re-enabled it.
- The file /etc/hosts contains a line for the FQDN pointing to 127.0.0.1. Here are the entries:
127.0.1.1 [FQDN] [HOSTNAME]
127.0.0.1 localhost
I think I am missing something, but what?
EDIT - PROBLEM SOLVED
It turns out that when I select the hosting apache web template for the FQDN Web Domain, it's working OK.
But I'm still puzzled, because on other servers I don't need to change the FQDN Web Domain apache template to something other than the default for the PMA SSO to work.
Actually I noticed that on other servers there is no apache template other than the default. So I guess this has something to do with the fact that this is an "older" server. Maybe from before removing plain apache support, or something. Judging from the date of the folder hst_install_backups in /root, I must have set up this server on 25/09/2019.
I have looked for differences between the default apache web template on this "problematic" server (/usr/local/hestia/data/templates/web/apache2/php-fpm/default.stpl) and the one in the Hestia repository, and they are identical.
Also checked /etc/apache2/conf.d/phpmyadmin.inc against another server, and they are identical.
For reference, this is the hosting.stpl apache web template that is working fine with PMA SSO on this server:
hosting.stpl
#=======================================================================#
# Default Web Domain Template #
# DO NOT MODIFY THIS FILE! CHANGES WILL BE LOST WHEN REBUILDING DOMAINS #
#=======================================================================#
<VirtualHost %ip%:%web_ssl_port%>
ServerName %domain_idn%
%alias_string%
ServerAdmin %email%
DocumentRoot %sdocroot%
ScriptAlias /cgi-bin/ %home%/%user%/web/%domain%/cgi-bin/
Alias /vstats/ %home%/%user%/web/%domain%/stats/
Alias /error/ %home%/%user%/web/%domain%/document_errors/
#SuexecUserGroup %user% %group%
CustomLog /var/log/%web_system%/domains/%domain%.bytes bytes
CustomLog /var/log/%web_system%/domains/%domain%.log combined
ErrorLog /var/log/%web_system%/domains/%domain%.error.log
<Directory %sdocroot%>
AllowOverride All
SSLRequireSSL
Options +Includes -Indexes +ExecCGI
php_admin_value upload_max_filesize 10M
php_admin_value max_execution_time 20
php_admin_value post_max_size 8M
php_admin_value memory_limit 32M
php_admin_flag mysql.allow_persistent off
php_admin_flag safe_mode off
php_admin_value sendmail_path "/usr/sbin/sendmail -t -i -f info@%domain_idn%"
php_admin_value open_basedir %docroot%:%home%/%user%/tmp:/bin:/usr/bin:/usr/local/bin:/var/www/html:/tmp:/usr/share:/etc/phpMyAdmin:/etc/phpmyadmin:/var/lib/phpmyadmin:/etc/roundcubemail:/etc/roundcube:/var/lib/roundcube
php_admin_value upload_tmp_dir %home%/%user%/tmp
php_admin_value session.save_path %home%/%user%/tmp
</Directory>
<Directory %home%/%user%/web/%domain%/stats>
AllowOverride All
</Directory>
SSLEngine on
SSLVerifyClient none
SSLCertificateFile %ssl_crt%
SSLCertificateKeyFile %ssl_key%
%ssl_ca_str%SSLCertificateChainFile %ssl_ca%
<IfModule mod_ruid2.c>
RMode config
RUidGid %user% %group%
RGroups www-data
</IfModule>
<IfModule mpm_itk.c>
AssignUserID %user% %group%
</IfModule>
IncludeOptional %home%/%user%/conf/web/%domain%/%web_system%.ssl.conf_*
</VirtualHost>
This is ultra-low priority, or of no importance at all. I'm putting it here just in case it is actually related to "something - somewhere - sometime".
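Added example, not part of the original post: a POSIX shell function that evaluates Unix read access purely from a file's octal mode and ownership, applied to the permissions quoted above (hestia-sso.php at 0640 root:www-data, its directory at 0755 root:root). It runs the check for a process executing as the domain user both without and with www-data as a supplementary group (the latter being what RGroups www-data in the hosting template provides). The domain user name admin is an assumption.

```shell
#!/bin/sh
# Added example (not from the original post): decide whether a process running
# as USER with primary group PGROUP (plus optional supplementary groups) can read
# a file of octal MODE owned by OWNER:OGROUP. Pure arithmetic on the mode bits;
# nothing on the filesystem is touched.
# Usage: can_read MODE OWNER OGROUP USER PGROUP [SUPP_GROUP ...]
can_read() {
    mode=$1; owner=$2; ogroup=$3; user=$4; pgroup=$5
    shift 5
    # Keep only the last three octal digits (drops a leading 0 or setuid digit).
    perm=${mode#"${mode%???}"}
    u=${perm%??}                    # owner digit
    rest=${perm#?}; g=${rest%?}     # group digit
    o=${perm#??}                    # other digit
    # root bypasses discretionary read checks entirely.
    [ "$user" = root ] && return 0
    if [ "$user" = "$owner" ]; then
        [ $((u & 4)) -ne 0 ] && return 0
        return 1
    fi
    # Group class applies if the primary or any supplementary group owns the file.
    in_group=0
    [ "$pgroup" = "$ogroup" ] && in_group=1
    for sg in "$@"; do
        [ "$sg" = "$ogroup" ] && in_group=1
    done
    if [ "$in_group" -eq 1 ]; then
        [ $((g & 4)) -ne 0 ] && return 0
        return 1
    fi
    [ $((o & 4)) -ne 0 ] && return 0
    return 1
}

# One-line verdict for a case, in the form a log reader would want.
explain_case() {
    if can_read "$@"; then verdict=readable; else verdict=denied; fi
    mode=$1; owner=$2; ogroup=$3; user=$4; shift 4
    printf '%s: mode %s %s:%s read by %s (groups: %s)\n' \
        "$verdict" "$mode" "$owner" "$ogroup" "$user" "$*"
}

# Constructed cases from the permissions quoted in the post; "admin" is an assumed domain user.
# php-fpm pool from PHP-7_4.tpl: user = admin, group = admin, no www-data membership.
explain_case 0640 root www-data admin admin            # denied
# Same file, process that also carries www-data (RGroups www-data in hosting.stpl).
explain_case 0640 root www-data admin admin www-data   # readable
# The directory itself: 0755 root:root is readable by anyone.
explain_case 0755 root root admin admin                # readable
```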