Installing SSL Cert for cPanel/WHM Itself

[jonwatson]

Hello,

I am attempting to install a proper cert for WHM and cPanel. I ordered a cert in the name of server.mydomain.com and plunked it into WHM. However, browsers are still coming up with the original self-signed cert that WHM generates upon install.

I notice that if I go to https://server.mydomain.com there are no warnings and the cert behaves as expected. However, as soon as I try to go to https://server.mydomain.com:2087 or https://server.mydomain.com/whm, the self-signed certificate warning shows up again.

I assume from this that WHM is running on a different instance of Apache than my accounts. Is this true? And if so, how do I go about installing a certificate for WHM itself?

Thanks!

Jon

[cPanelDavidG]

Hello,
I assume from this that WHM is running on a different instance of Apache than my accounts. Is this true? And if so, how do I go about installing a certificate for WHM itself?

Yes, this is true. But it isn't so much a separate instance of Apache so much as a completely separate web server.

User installed cert and cabundle are stored in:
/usr/local/cpanel/etc/mycpanel.pem
/usr/local/cpanel/etc/mycpanel.cabundle

While you will likely see the default cpanel.pem file, I would recommend you not overwrite it with your own. Just upload/copy the cert as mycpanel.pem

Edit: in cpanel 11 they are in /var/cpanel/ssl/cpanel

[jonwatson]

Hi David,

Thanks for the quick response.

When I create a mycpanel.pem file and paste my crt into it, I can no longer get at cPanel or WHM. Attempting to do so results in an 'unexpected error'.

Is there anything else I need to do?

Thanks!

[cPanelDavidG]

Hi David,

Thanks for the quick response.

When I create a mycpanel.pem file and paste my crt into it, I can no longer get at cPanel or WHM. Attempting to do so results in an 'unexpected error'.

Is there anything else I need to do?

Thanks!

If you purchased your license directly from us, at this time I would recommend you submit a support ticket into our ticket system so our techs can look into it for you.

[jonwatson]

If you purchased your license directly from us, at this time I would recommend you submit a support ticket into our ticket system so our techs can look into it for you.

No, it's not yours. Didn't even know you sold them.

OK, well, I have a 7-day return policy on it so I will return it and then buy one from you

Edit: Ergh..how do I buy a cert from you?

[cPanelDavidG]

No, it's not yours. Didn't even know you sold them.

OK, well, I have a 7-day return policy on it so I will return it and then buy one from you

Edit: Ergh..how do I buy a cert from you?

I meant the cPanel License, not the cert. Sorry for the confusion.

You should contact whoever you purchased your cPanel license from. At the worst case, your provider's techs can talk to our techs to resolve the issue.

If you purchased your license directly from us then you can talk directly to our techs. Just login to your account on cPanel.net and submit a support ticket.

I don't know the instructions for the various other cPanel license providers, so if you need assistance on how to submit a tsupport icket with them, you may want to drop them an e-mail.

[jonwatson]

Ah, OK. Thanks!

[jonwatson]

Turns out that both the crt and key have to be in that pem file. Further, it's not necessary to do it from the shell. WHM -> SSL/TLS -> Change Server Certificates.

Neat-O easy-O.

[vmann]

WHM -> SSL/TLS -> Change Server Certificates.

This option appears to have been removed from WHM 11.2.0... what is the new location to change the WHM server certificates in WHM 11?

[cpanelnick]

This option appears to have been removed from WHM 11.2.0... what is the new location to change the WHM server certificates in WHM 11?

Its under Service Configuration => Manage Service Certificates

[holodyn]

I've spent days finding this solution so here is the result - thanks to this thread!!

How to Setup WHM and CPANL so clients will be redirected to a valid SSL Certificate when logging in.

Instructions based on WHM v11.15.0

1) Purchase / Install the Certificate for your fully qualified domain (ie: server.domain.com)

SSL / TLS >> Install a SSL Certificate and Setup the Domain

2) Test your new CERT

https://server.domain.com/
should resolve and the cert should function properly before moving forward.

https://server.domain.com:2087/
should be giving you an invalid certificate error

3) Install the CERT for the WHM and CPANEL Service (this is the step you don't think about!!)

Service Configuration >> Manage Service SSL Certificates
> Select "Install New Certificate" for the "cPanel/WHM/Webmail Service"
> Select Domain this CRT is for "Browse"
> Pick the full server cert you installed "server.domain.com"
> Press "Submit" to install

4) Test your Service Certificate

https://server.domain.com:2087/
should now be working !! WHOOOO

** Once your done, you may choose to install the same cert for your SMTP, POP, and FTP accounts so that the option is available and functioning properly

!! DONE - CONGRATS - You are the Winner !!

Error with SSL and Port 2087
Error with SSL and Port 2083
Error with WHM SSL
Error with CPANEL SSL

[bradandersen]

Okay,

So you have a server and you want to put a valid SSL certificate on it so when users go to /cpanel or /whm they don't get an annoying warning. Here are two methods depending on how big your server farm is:

*You only have one server (e.g. www.domain.com & server.domain.com and they are the same box)
-First & foremost Generate a SSL Certificate & Signing Request
-Enter all of the info and press Create
-Copy they CSR (Certificate Signing Request) and paste it into the request in the next step.
-Get your SSL certificate (www.godaddy.com is the cheapest by far)
-Install it on your regular webhosting domain (www.domain.com)
-SSL/TLS -> Install a SSL Certificate and Setup the Domain -> Type your domain (make sure it is www.domain.com)
-Paste your .crt file and CA Bundle that you received from your SSL certificate provider
-Now install it on your various services (Service Configuration -> Manage Service Certificates)
-Install the new certificate for each service (simply enter the domain www.domain.com (tab) and it will auto load the certificate that is already on the server)

-Now for the magic (Networking Setup -> Hostname)
-Change this to www.domain.com (not server.domain.com)
-Now when you got to /cpanel or /whm you will be redirected to www.domain.com:xxxx instead of server.domain.com/xxxx and the certificate will be valid.
-Reboot the server


*If you have multiple servers then you will need a global certificate (e.g. *.domain.com) or a cert that allows multiple server names (e.g. www1.domain.com, www2.domain.com, www3.domain.com).
-Simply follow the rules above but each server cannot have the same hostname and you must match the proper certificate to the proper hostname.
-If you have multiple servers I will assume that you are intelligent enough to understand that last statement - if not, please contact me.

Good luck,
Brad

[robb3369]

I followed holodyn's advice and it didn't work until the server was rebooted... Not sure why, but it worked after a full reboot.

Now to get rid of the port numbers... and go straight port 443...

[natong]

I faced the same problem. I spent 20 hrs. to fix and found this article is very usefull.

It does work!!!!

- Go to Service Configuration >> Manage Service SSL Certificates


WHM not allow to change to www.domain.com

[atechstl]

Great instructions. They worked as intended. My question is if I apply this to POP3, SMTP, IMAP, and FTP, it will only apply for server.domain.com. What about all the hosts on this server? They use these protocols but they use mail.theirdomain.com as an example. If they enabled SSL for to POP3 and SMTP, this wouldn't work would it?