  #1 sehh, Member (Europe; joined Feb 2006; 461 posts)

    SSL certificate per domain on all services (Case 55985)

    Currently, the SSL certificate installed in each domain is only used for web HTTPS connections.

    This leads to several problems:
    1) for domains that pay for a *.domain.com wildcard certificate, it is useless and a waste of money
    2) people who enable encryption for email POP/IMAP/SMTP get the server-wide certificate, so their email client complains that the certificate is not valid for their domain.

    It would be best if WHM/cPanel could install the domain SSL certificate for other services, like email (POP/IMAP/SMTP), ftp (pure-ftpd) and/or others. I do know that at least exim supports this kind of thing.
    CODE IS POETRY

  #2 sehh, Member (Europe; joined Feb 2006; 461 posts)

    So far so good, here is what I've got. I created a short PHP script which can enable per-domain SSL certificates for the following services:

    1) pure-ftpd
    2) courier-imap
    3) courier-pop3
    4) exim

    What is missing is dovecot. Support for virtual host SSL certificates was added in dovecot version 2.0 and thus does not exist in the cPanel/WHM dovecot, which uses an older version (1.2.16).

    Thus, this feature request is 80% complete and my script works perfectly.

    As far as I know, cPanel developers have no plans to update dovecot to the latest version, so I'll keep this thread open and hopefully someone will do something about it.

    Thank you.

  #3 cPanelTristan, cPanel Staff (somewhere over the rainbow; joined Oct 2010; 6,298 posts; cPanel/Enkompass Access Level: Root Administrator)

    Would you be willing to share your script that you've developed here in the meantime?
    cPResources: Support Options | More Support Options | Forums Search | cPanel.net Site Search | Mailing Lists(Alt) | Docs
    -- Tristan, Forums Technical Analyst, cPanel Tech Support

    Submit a ticket | Check an existing ticket

  #4 sehh, Member (Europe; joined Feb 2006; 461 posts)

    Sure, here is my first version (I'm still coding the second version, which has flags to enable/disable features). It shows you the base idea and works with pure-ftpd, courier-pop3 and courier-imap; I'll post the code for exim by hand.

    Code:
    <?php
    /*
    Software.....: updatecerts.php
    License......: Public Domain
    Version......: 1.0
    Description..: Generate per-IP key+certificate PEM files for courier-imap/pop3
    Coded by.....: sehh
    */
    
    // == Configuration options ==
    
    // Enable debug output (true/false)
    $debug = true;
    
    // Don't make any changes, just print output only (true/false)
    $nochanges = true;
    
    // Default cPanel/WHM files & paths (strings, paths end with /)
    // Note: some installs have /etc/ssl/private/ and /etc/ssl/certs/ instead of /usr/share/ssl/
    $ssldomains = "/etc/ssldomains";
    $keydir = "/usr/share/ssl/private/";
    $certdir = "/usr/share/ssl/certs/";
    $imapcfg = "/usr/lib/courier-imap/etc/imapd-ssl";
    $pop3cfg = "/usr/lib/courier-imap/etc/pop3d-ssl";
    
    
    
    // == No need to change anything below this point!
    
    
    
    // Read the TLS_CERTFILE=... setting from a courier *-ssl config file
    // (done in PHP instead of shelling out to grep)
    function courier_certfile($cfg) {
    	if(is_readable($cfg)===false)
    		return false;
    	foreach(file($cfg, FILE_IGNORE_NEW_LINES) as $line) {
    		if(preg_match('/^TLS_CERTFILE=\s*"?([^"\s]+)"?/', $line, $m))
    			return $m[1];
    	}
    	return false;
    }
    
    // Write private key + certificate (+ CA bundle if present) into $pem, in that order, as courier expects.
    // Uses PHP file functions instead of shell commands, so a domain name or path taken from
    // /etc/ssldomains is never interpreted by a shell, and creates the file 0600 root because it
    // contains the private key (the previous chmod left it group-writable).
    function write_pem($pem, $key, $cert, $cabundle) {
    	$data = file_get_contents($key).file_get_contents($cert);
    	if($cabundle!==null)
    		$data .= file_get_contents($cabundle);
    	$tmp = $pem.".tmp";
    	$oldmask = umask(077);                // file is born 0600: no window with a world-readable key
    	$ok = (file_put_contents($tmp, $data)!==false) && chown($tmp, "root") && chmod($tmp, 0600);
    	umask($oldmask);
    	if($ok===false) {
    		@unlink($tmp);
    		return false;
    	}
    	return rename($tmp, $pem);            // atomic replace: courier never sees a half-written file
    }
    
    // Remove PEM files for IP addresses that are no longer listed in /etc/ssldomains
    function remove_stale($dir, $prefix, $keepips, $nochanges, $debug) {
    	foreach(scandir($dir) as $file) {
    		if(strpos($file, $prefix)!==0)
    			continue;
    		$ip = substr($file, strlen($prefix));
    		if($ip==="" || in_array($ip, $keepips, true))
    			continue;
    		if($debug==true)
    			echo "[DEBUG] Found stale PEM file: ".$dir.$file."\n";
    		if($nochanges==false)
    			unlink($dir.$file);           // unlink(), not "rm -rf": a bad name can never remove a directory
    	}
    }
    
    // Load domains with SSL certificates
    if(file_exists($ssldomains)===false) {
    	echo "[ERROR] SSL domains file not found\n";
    	exit(2);
    }
    $domains = file($ssldomains, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
    if($domains===false || sizeof($domains)==0) {
    	echo "[ERROR] No SSL domains found\n";
    	exit(2);
    }
    if($debug==true)
    	echo "[DEBUG] Loaded ".sizeof($domains)." lines from ".$ssldomains."\n";
    
    // Find the existing system-wide IMAP certificate
    $certimap = courier_certfile($imapcfg);
    if($certimap===false) {
    	echo "[ERROR] IMAP TLS certificate not found\n";
    	exit(2);
    }
    $certimappath = dirname($certimap)."/";
    if($debug==true) {
    	echo "[DEBUG] System-wide IMAP certificate: ".$certimap."\n";
    	echo "[DEBUG] IMAP certificate path: ".$certimappath."\n";
    }
    
    // Find the existing system-wide POP3 certificate
    $certpop3 = courier_certfile($pop3cfg);
    if($certpop3===false) {
    	echo "[ERROR] POP3 TLS certificate not found\n";
    	exit(2);
    }
    $certpop3path = dirname($certpop3)."/";
    if($debug==true) {
    	echo "[DEBUG] System-wide POP3 certificate: ".$certpop3."\n";
    	echo "[DEBUG] POP3 certificate path: ".$certpop3path."\n";
    }
    
    // Start the conversion for each SSL domain ("domain: ip" lines)
    $convertedips = array();
    foreach($domains as $line) {
    	$pos = strpos($line, ":");
    	if(trim($line)=="" || $pos===false)
    		continue;
    
    	// Load domain and the equivalent IP address
    	$domain = trim(substr($line, 0, $pos));
    	$ipaddress = trim(substr($line, $pos+1));
    
    	// Accept only a plain hostname and a real IP address: WHM can leave stale or broken
    	// entries in this file, and they must not turn into unexpected file names or paths
    	if(preg_match('/^[A-Za-z0-9.-]+$/', $domain)!==1 || filter_var($ipaddress, FILTER_VALIDATE_IP)===false) {
    		echo "\t[ERROR] Malformed entry skipped: ".$line."\n";
    		continue;
    	}
    	if($debug==true)
    		echo "\t[DEBUG] Converting certificates for domain: ".$domain." with IP address: ".$ipaddress."\n";
    
    	// Load existing private key
    	$key = $keydir.$domain.".key";
    	if(file_exists($key)===false) {
    		echo "\t[ERROR] Private key file for domain ".$domain." not found (".$key.") - Domain skipped!\n";
    		continue;
    	} elseif($debug==true) {
    		echo "\t[DEBUG] Private key file found for domain ".$domain."\n";
    	}
    
    	// Load existing certificate
    	$cert = $certdir.$domain.".crt";
    	if(file_exists($cert)===false) {
    		echo "\t[ERROR] Certificate file for domain ".$domain." not found (".$cert.") - Domain skipped!\n";
    		continue;
    	} elseif($debug==true) {
    		echo "\t[DEBUG] Certificate file found for domain ".$domain."\n";
    	}
    
    	// Optional CA bundle (intermediate chain): without it, mail clients can still reject the
    	// certificate even though the name matches. The ".cabundle" file name is an assumption;
    	// adjust it if your install stores the chain elsewhere.
    	$cabundle = $certdir.$domain.".cabundle";
    	if(file_exists($cabundle)===false)
    		$cabundle = null;
    	elseif($debug==true)
    		echo "\t[DEBUG] CA bundle found for domain ".$domain.": ".$cabundle."\n";
    
    	// Generate the final PEM files (courier IMAP/POP3), one per IP address
    	$pemimap = $certimap.".".$ipaddress;
    	$pempop3 = $certpop3.".".$ipaddress;
    	if($debug==true) {
    		echo "\t[DEBUG] IMAP PEM file for domain ".$domain.": ".$pemimap."\n";
    		echo "\t[DEBUG] POP3 PEM file for domain ".$domain.": ".$pempop3."\n";
    		echo "\t[DEBUG] Combine ".$key." and ".$cert." into ".$pemimap." and ".$pempop3."\n";
    	}
    
    	if($nochanges==false) {
    		if(write_pem($pemimap, $key, $cert, $cabundle)===false || write_pem($pempop3, $key, $cert, $cabundle)===false) {
    			echo "\t[ERROR] Could not write PEM files for domain ".$domain." - Domain skipped!\n";
    			continue;
    		}
    	}
    
    	// Store the processed IP address
    	$convertedips[] = $ipaddress;
    
    	echo "\n";
    }
    if($debug==true)
    	echo "[DEBUG] Converted a total of ".sizeof($convertedips)." domains\n";
    
    // Scanning for stale IMAP and POP3 PEM files; the prefix is taken from the real
    // certificate file name (e.g. "imapd.pem.") instead of a hard-coded length
    remove_stale($certimappath, basename($certimap).".", $convertedips, $nochanges, $debug);
    remove_stale($certpop3path, basename($certpop3).".", $convertedips, $nochanges, $debug);

    For exim you only need to change two lines; I'm pasting a patch here instead of adding it to my script above.

    Code:
    --- exim.conf.orig      2011-03-30 22:47:20.000000000 +0300
    +++ exim.conf   2011-03-31 13:43:00.000000000 +0300
    @@ -240,13 +260,15 @@
     #sender_host_reject = +include_unknown:lsearch*;/etc/spammers
     
     
    -tls_certificate = /etc/exim.crt
    -tls_privatekey = /etc/exim.key
    +#tls_certificate = /etc/exim.crt
    +#tls_privatekey = /etc/exim.key
    +tls_certificate = /usr/share/ssl/certs/${lookup{$interface_address}lsearch{/etc/domainips}{$value}{$primary_hostname}}.crt
    +tls_privatekey = /usr/share/ssl/private/${lookup{$interface_address}lsearch{/etc/domainips}{$value}{$primary_hostname}}.key
     tls_advertise_hosts = *
     
     helo_accept_junk_hosts = *
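    Review bot: the new tls_certificate/tls_privatekey lines have no fallback when the lookup succeeds but the named files do not exist. The `{$primary_hostname}` branch only covers an interface address that is absent from /etc/domainips; if the file maps the address to a domain whose certificate was saved under another name (the www.domain.com case the author mentions), Exim will try to open a non-existent .crt/.key and TLS fails for every client on that interface, which is worse than serving the old server-wide certificate. Consider guarding the path with an existence test, e.g. `${if exists{/usr/share/ssl/certs/${lookup{$interface_address}lsearch{/etc/domainips}{$value}{$primary_hostname}}.crt}{...}{/etc/exim.crt}}`, or at least run `exim -bV` and a test STARTTLS connection per IP after applying it. Two smaller points: the hunk header `@@ -240,13 +260,15 @@` does not match the 12 lines shown, so `patch` will reject this as malformed and the two lines have to be applied by hand; and the lookup expression is duplicated between the two options, so an Exim macro (`SSLDOMAIN = ${lookup{$interface_address}lsearch{/etc/domainips}{$value}{$primary_hostname}}`) would keep them in sync.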
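A check to go with the script above: once the PEM files are in place, what matters is whether a mail client connecting to each SSL IP now sees a certificate that verifies for that domain. The Python script below is an added example, not code from the original post or from cPanel. It reads the same "domain: ip" lines as updatecerts.php, performs a real TLS handshake on the IMAPS/POP3S/SMTPS ports and a STARTTLS handshake on port 25 with the domain as the expected name, and reports the verification error exactly as a client would see it. The port list, the EHLO client name and the sample input are assumptions; only the Python standard library is used.

```python
#!/usr/bin/env python3
"""Verify, from a mail client's point of view, that the per-domain certificate is
actually served on each SSL IP for IMAPS/POP3S/SMTPS and for SMTP STARTTLS."""
import socket
import ssl
import sys

# Constructed sample in the "domain: ip" form updatecerts.php reads from /etc/ssldomains.
SAMPLE_SSLDOMAINS = "example.com: 192.0.2.10\r\n\r\nshop.example.net: 192.0.2.11\n"

# Implicit-TLS ports a typical mail client uses (assumption: adjust to your setup).
IMPLICIT_TLS_PORTS = {"imaps": 993, "pop3s": 995, "smtps": 465}


def parse_ssldomains(text):
    """Return [(domain, ip), ...], skipping blank or malformed lines."""
    pairs = []
    for line in text.splitlines():
        domain, sep, ip = line.partition(":")
        domain, ip = domain.strip(), ip.strip()
        if sep and domain and ip:
            pairs.append((domain, ip))
    return pairs


def smtp_reply_complete(buf):
    """True once buf holds a whole SMTP reply: the last line has a space after its
    3-digit code, continuation lines use '-' (RFC 5321, section 4.2.1)."""
    if not buf.endswith(b"\r\n"):
        return False
    last = buf[:-2].rsplit(b"\r\n", 1)[-1]
    return len(last) >= 4 and last[:3].isdigit() and last[3:4] == b" "


def smtp_reply(sock):
    """Read one complete (possibly multi-line) SMTP reply from the socket."""
    buf = b""
    while not smtp_reply_complete(buf):
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("peer closed connection mid-reply")
        buf += chunk
    return buf.decode("ascii", "replace")


def ehlo_offers_starttls(ehlo_reply):
    """Check the EHLO keyword list for STARTTLS (keywords are case-insensitive)."""
    return any(line[4:].strip().upper() == "STARTTLS" for line in ehlo_reply.splitlines())


def check_handshake(domain, ip, port, starttls=False, timeout=5.0):
    """Connect to ip:port and complete a TLS handshake as a client expecting `domain`:
    the chain is verified against the system trust store and the name against the
    certificate (create_default_context sets CERT_REQUIRED and check_hostname=True).
    Returns (ok, detail)."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((ip, port), timeout=timeout) as sock:
            if starttls:
                if not smtp_reply(sock).startswith("220"):
                    return False, "no 220 greeting"
                sock.sendall(b"EHLO certcheck.invalid\r\n")   # client name is an assumption
                if not ehlo_offers_starttls(smtp_reply(sock)):
                    return False, "STARTTLS not advertised"
                sock.sendall(b"STARTTLS\r\n")
                if not smtp_reply(sock).startswith("220"):
                    return False, "STARTTLS refused"
            with ctx.wrap_socket(sock, server_hostname=domain) as tls:
                subject = dict(rdn[0] for rdn in tls.getpeercert().get("subject", ()))
                return True, "CN=%s" % subject.get("commonName", "?")
    except ssl.SSLCertVerificationError as exc:
        return False, exc.verify_message          # e.g. "Hostname mismatch" or "self signed certificate"
    except (OSError, ConnectionError) as exc:
        return False, str(exc)


def main(path):
    """Run every check for every domain/IP pair in `path`; return the number of failures."""
    with open(path, encoding="ascii", errors="replace") as fh:
        pairs = parse_ssldomains(fh.read())
    failures = 0
    for domain, ip in pairs:
        checks = [(name, port, False) for name, port in IMPLICIT_TLS_PORTS.items()]
        checks.append(("smtp+starttls", 25, True))
        for name, port, starttls in checks:
            ok, detail = check_handshake(domain, ip, port, starttls)
            failures += not ok
            print("%-4s %-14s %s %s:%d %s" % ("ok" if ok else "FAIL", name, domain, ip, port, detail))
    return failures


if __name__ == "__main__":
    sys.exit(1 if main(sys.argv[1] if len(sys.argv) > 1 else "/etc/ssldomains") else 0)
```

Run it as `python3 checkcerts.py /etc/ssldomains` after the PEM files have been generated; a "Hostname mismatch" on a port means that service is still handing out the server-wide certificate, and a chain error means the per-domain PEM is missing its intermediate certificate.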

  #5 cPanelTristan, cPanel Staff (somewhere over the rainbow; joined Oct 2010; 6,298 posts; cPanel/Enkompass Access Level: Root Administrator)

    Thank you very much, sehh. Once I've tested this out myself, I'll be happy to point people in the direction of your script posting(s) here for how to accomplish this task under our current setup.

  #6 sehh, Member (Europe; joined Feb 2006; 461 posts)

    Issues that you need to be aware of:

    - The updatecerts.php script uses your /etc/ssldomains file, which is generated and maintained by WHM. Unfortunately, this file may contain stale entries due to many bugs in the WHM code: when you delete an account, many stale files are left behind, and /etc/ssldomains is one of them, so it may contain domains/IP addresses which are incorrect.

    - The updatecerts.php script makes no changes by default; if you run it as it is, it will only print messages about what it would be doing. If you want to make real changes, just change $nochanges to false and re-run the script.

    - The exim patch uses your /etc/domainips. I am not sure, but it may need to be enabled in WHM so that this file gets generated. Anyway, it's possible that some hosts may still not work correctly because their certificate file name may not match the domain name. For example, if the certificate is saved as "www.domain.com.key", then it will not work because exim will look for "domain.com.key". You can easily create a symbolic link to bypass the problem.

    - The exim patch modifies the /etc/exim.conf file. I assume you know what you are doing, you know how to run a patch, and you know that a cPanel/WHM update will overwrite the file when a new config is generated. I also assume you know how to handle changes like that.

    If anyone has any contributions or suggestions please post them here.

    Thank you.
    Last edited by sehh; 03-31-2011 at 01:20 PM.
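The exim lookup in the patch opens <certdir>/<domain>.crt and <keydir>/<domain>.key for whatever domain /etc/domainips maps the interface address to, and as the post above notes the files may have been saved under www.domain.com instead. The Python script below is an added example, not part of the original post or of cPanel: it resolves the files exim will look for, checks with the openssl command line that the private key actually belongs to the certificate, and reports (or with --apply creates) the symlinks mentioned above. The "ip: domain" line format, the /usr/share/ssl paths and the www. fallback are assumptions taken from the thread; the openssl subcommands used are the standard ones.

```python
#!/usr/bin/env python3
"""Check the certificate/key files exim's lsearch lookup will open for each interface
address in /etc/domainips, verify key and certificate belong together, and plan the
symlinks that fix the www.domain.com naming gap."""
import os
import subprocess
import sys

# Constructed sample of /etc/domainips in the "ip: domain" form lsearch expects
# (assumption: this is the layout the exim patch in the thread relies on).
SAMPLE_DOMAINIPS = "192.0.2.10: example.com\n192.0.2.11: www.shop.example.net\n\n"

CERTDIR = "/usr/share/ssl/certs"      # some installs use /etc/ssl/certs instead
KEYDIR = "/usr/share/ssl/private"     # some installs use /etc/ssl/private instead


def parse_keyed_file(text):
    """Parse lsearch-style 'key: value' lines into [(key, value), ...]; skip blank/malformed lines."""
    pairs = []
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if sep and key and value and not key.startswith("#"):
            pairs.append((key, value))
    return pairs


def candidate_basenames(domain):
    """The name exim will use first, then the www./bare variant the files may have been saved under."""
    alias = domain[4:] if domain.startswith("www.") else "www." + domain
    return [domain, alias]


def resolve_pair(domain, certdir=CERTDIR, keydir=KEYDIR):
    """Return (crt, key, basename_used) for the first complete crt/key pair found, or None."""
    for name in candidate_basenames(domain):
        crt = os.path.join(certdir, name + ".crt")
        key = os.path.join(keydir, name + ".key")
        if os.path.isfile(crt) and os.path.isfile(key):
            return crt, key, name
    return None


def openssl_pubkey(args):
    """Run `openssl <args>` and return the PEM public key it prints, or None on any failure."""
    try:
        return subprocess.run(["openssl", *args], capture_output=True, check=True, timeout=10).stdout
    except (OSError, subprocess.CalledProcessError, subprocess.TimeoutExpired):
        return None


def key_matches_cert(crt, key):
    """True if the public key inside the certificate equals the one derived from the private key."""
    from_cert = openssl_pubkey(["x509", "-in", crt, "-noout", "-pubkey"])
    from_key = openssl_pubkey(["pkey", "-in", key, "-pubout"])
    return from_cert is not None and from_cert == from_key


def plan(pairs, certdir=CERTDIR, keydir=KEYDIR):
    """For each (ip, domain): a status plus the (target, link) symlinks that would satisfy exim's lookup."""
    report = []
    for ip, domain in pairs:
        found = resolve_pair(domain, certdir, keydir)
        if found is None:
            report.append((ip, domain, "missing", []))   # exim would fail to start TLS on this IP
            continue
        crt, key, used = found
        links = []
        if used != domain:   # files exist only under the alias name: exim needs <domain>.crt/.key
            links = [(crt, os.path.join(certdir, domain + ".crt")),
                     (key, os.path.join(keydir, domain + ".key"))]
        status = "ok" if key_matches_cert(crt, key) else "key-mismatch"
        report.append((ip, domain, status, links))
    return report


def main(argv):
    apply_links = "--apply" in argv
    path = next((a for a in argv[1:] if not a.startswith("--")), "/etc/domainips")
    with open(path, encoding="ascii", errors="replace") as fh:
        report = plan(parse_keyed_file(fh.read()))
    bad = 0
    for ip, domain, status, links in report:
        print("%-13s %-15s %s" % (status, ip, domain))
        bad += status != "ok"
        for target, link in links:
            if apply_links and not os.path.lexists(link):
                os.symlink(target, link)
            print("    %s %s -> %s" % ("linked" if apply_links else "would link", link, target))
    return 1 if bad else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it without arguments to get a dry run against /etc/domainips; "missing" is the case where exim's expanded path points at nothing and TLS on that IP would break, "key-mismatch" means the .key next to the .crt is not the key the certificate was issued for, and only `--apply` actually creates the symlinks.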

  #7 sehh, Member (Europe; joined Feb 2006; 461 posts)

    cPanelTristan, no problem, I'm glad to help, since I've been getting a lot of help myself. I'm sure we can improve the scripts above so people can use them without problems. It's just hard to match every environment. Hopefully I used "universal" paths and directories and didn't break anything.

  #8 visskiss, Member (joined Jun 2008; 10 posts)

    UPDATE:
    I found the directories as /etc/ssl/* instead of /usr/share/ssl/*

    I'm trying out your script. Having given instructions on how to do this manually in the thread ssl-certificate-all-services, I thought this might simplify the procedure.

    I am getting an error with /usr/share/ssl, which doesn't exist on my whm 11.3 install.

    Dovecot support would be nice, but I don't know how good dovecot is compared to courier, so I can't complain too much.
    Last edited by visskiss; 06-08-2011 at 02:11 AM.

  #9 sehh, Member (Europe; joined Feb 2006; 461 posts)

    Hmm, interesting. I'm using 11.28.87 (STABLE) on CentOS; maybe your configuration is different due to a different installation or Linux distro?

    It shouldn't be a problem, just change the paths at the top of the file. Let me know if it works for you.

  #10 Silent Ninja, Member (Buenos Aires, Argentina; joined Apr 2006; 173 posts)

    I know this is an old thread with some sort of "patchy" feature request, but I was wondering...

    Are there any estimates for this feature to be implemented officially in cPanel?

    Since (at least by looking at the exim / php patch) it seems to be pretty easy to add, except for the dovecot part, which should involve a lot of testing; and this is blocking me from using SSL for WHM and mail services on my reseller accounts.
    Silent Ninja
    "Practice Makes Perfect"

  #11 cPanelDavidG, Technical Product Specialist (Houston, TX; joined Nov 2006; 11,189 posts; cPanel/Enkompass Access Level: Root Administrator)

    Quote Originally Posted by Silent Ninja View Post
    I know this is an old thread with some sort of "patchy" feature request, but I was wondering...

    Are there any estimates for this feature to be implemented officially in cPanel?

    Since (at least by looking at the exim / php patch) it seems to be pretty easy to add, except for the dovecot part, which should involve a lot of testing; and this is blocking me from using SSL for WHM and mail services on my reseller accounts.
    I'll bring this feature request up for consideration the next time I meet with a developer given the popular support for this functionality.

  #12 Silent Ninja, Member (Buenos Aires, Argentina; joined Apr 2006; 173 posts)

    Quote Originally Posted by cPanelDavidG View Post
    I'll bring this feature request up for consideration the next time I meet with a developer given the popular support for this functionality.
    That's great.

    The only thing that isn't contemplated here is that the reseller's resold accounts need to use the reseller's SSL service instead of the main one. I'm not sure how to accomplish that without editing the DNS templates or doing some tweaking of the configuration tools.

  #13 monarobase, Member (France; joined Jan 2010; 387 posts; cPanel/Enkompass Access Level: Root Administrator)

    +1 for this feature

  #14 lorio, Member (joined Feb 2004; 106 posts)

    Is this also meant for the webmail services?

  #15 Silent Ninja, Member (Buenos Aires, Argentina; joined Apr 2006; 173 posts)

    Quote Originally Posted by lorio View Post
    Is this also meant for the webmail services?
    Yes, I consider it as part of the cPanel & WHM SSL.