Two facts interact to make it possible for an end user to accidentally (or deliberately) prevent Apache from restarting.
- Apache does not check the validity of SSL certificates when it is asked to check its configuration with 'httpd -t'.
- An end user can delete or corrupt his own SSL certificate, since it resides in ~/ssl.cert and is owned by him.
So a user could, via the shell or file manager, install an invalid SSL certificate into ~/ssl.cert. Or perhaps an invalid key into ~/ssl.key.
On the next attempted restart, Apache will fail to restart and all websites on the server will be down.
To prevent this problem, Apache should not directly use the SSL certificate and key files in the user's home directory. Instead, the UI should check these files for validity by calling the openssl command (which I think it already does), and then make a root-owned copy of the files elsewhere, for use by Apache.
If a user uploads a fresh SSL certificate into his ssl.cert file, Apache should not use it until the user goes to the UI and "registers" the new SSL certificate, which will cause it to be checked for validity and then installed as the root-owned copy.
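As an added illustration of the "register" step proposed above (example script, not Virtualmin's own code), the following checks the user's ~/ssl.cert and ~/ssl.key with openssl, also verifies that the key matches the certificate, and only then copies them into a directory the user cannot write. The staging directory path and the per-user file names are assumptions.

```shell
#!/bin/sh
# Validate a user's SSL certificate/key pair, then install a root-owned copy for Apache.
# Paths follow the post: cert in ~/ssl.cert, key in ~/ssl.key. The destination
# directory (e.g. /etc/apache2/ssl-registered, an assumption) must not be user-writable.

# check_pair CERT KEY: returns 0 only if the certificate parses, the key parses,
# and the key's public half is the one embedded in the certificate.
check_pair() {
  cert="$1"; key="$2"
  openssl x509 -in "$cert" -noout >/dev/null 2>&1 \
    || { echo "rejected: $cert is not a valid certificate" >&2; return 1; }
  openssl pkey -in "$key" -noout >/dev/null 2>&1 \
    || { echo "rejected: $key is not a valid private key" >&2; return 1; }
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
  if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
    echo "rejected: key does not match certificate" >&2
    return 1
  fi
  return 0
}

# register_cert USER CERT KEY DESTDIR: copy the pair into DESTDIR only after it
# passes check_pair. Apache is then pointed at DESTDIR/USER.cert and DESTDIR/USER.key,
# so a later edit of ~/ssl.cert cannot break the next restart.
register_cert() {
  user="$1"; src_cert="$2"; src_key="$3"; dest="$4"
  check_pair "$src_cert" "$src_key" || return 1
  mkdir -p "$dest" && chmod 755 "$dest"
  cp "$src_cert" "$dest/$user.cert" && chmod 644 "$dest/$user.cert"
  cp "$src_key" "$dest/$user.key" && chmod 600 "$dest/$user.key"
  # The UI runs this as root; chown only when we actually are root so the
  # script can also be exercised unprivileged.
  if [ "$(id -u)" -eq 0 ]; then
    chown root:root "$dest/$user.cert" "$dest/$user.key"
  fi
  echo "installed $dest/$user.cert and $dest/$user.key"
  return 0
}

# Usage: register-cert.sh USER ~USER/ssl.cert ~USER/ssl.key /etc/apache2/ssl-registered
if [ "$#" -eq 4 ]; then
  register_cert "$@"
fi
```

A corrupted or mismatched file in the home directory now produces a "rejected:" message at registration time instead of a failed Apache restart later.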
See also: https://www.virtualmin.com/node/39546.