
Thread: SSL certificate for all services

  1. #1
    Member sehh's Avatar
    Join Date
    Feb 2006
    Location
    Europe
    Posts
    478

    Default SSL certificate for all services

    Currently, when a virtual host installs an SSL certificate, it only works for HTTPS. Is it possible to install that certificate for all other services, like cPanel access, FTP, POP3/Imap, etc?

    Thank you.

  2. #2
    Technical Product Specialist cPanelDavidG's Avatar
    Join Date
    Nov 2006
    Location
    Houston, TX
    Posts
    11,307
    cPanel/WHM Access Level

    Root Administrator

    Default

    Quote Originally Posted by sehh:
        Currently, when a virtual host installs an SSL certificate, it only works for HTTPS. Is it possible to install that certificate for all other services, like cPanel access, FTP, POP3/Imap, etc?

        Thank you.

    Are you referring to something like WHM -> Service Configuration -> Manage Service SSL Certificates?

  3. #3
    Member sehh's Avatar
    Join Date
    Feb 2006
    Location
    Europe
    Posts
    478

    Default

    I've done that, but all it does is install system-wide certificates.

    I'm talking about per-host certificates, so a virtual domain (with a dedicated IP) can install its SSL certificate and have it work in Exim as well.

    Currently, my hosted domains with SSL certificates see their own certificate when they access the server via HTTPS, but see the system-wide certificate for other services (ftp, pop3, etc), which means that they get a popup for a mismatched domain/certificate.

  4. #4
    Technical Product Specialist cPanelDavidG's Avatar
    Join Date
    Nov 2006
    Location
    Houston, TX
    Posts
    11,307
    cPanel/WHM Access Level

    Root Administrator

    Default

    Quote Originally Posted by sehh:
        I've done that, but all it does is install system-wide certificates.

        I'm talking about per-host certificates, so a virtual domain (with a dedicated IP) can install its SSL certificate and have it work in Exim as well.

        Currently, my hosted domains with SSL certificates see their own certificate when they access the server via HTTPS, but see the system-wide certificate for other services (ftp, pop3, etc), which means that they get a popup for a mismatched domain/certificate.

    I recall a recent discussion on these forums requesting that cPanel support such functionality. However, it does not appear that anyone submitted an official feature request for that functionality yet.

    Feel free to submit this as a feature request to http://bugzilla.cpanel.net

    I'm sure that if there's a manual way of doing this (as it's not supported by cPanel/WHM itself at this time), someone here on the forums may be able to address that for you.

  5. #5
    Member sehh's Avatar
    Join Date
    Feb 2006
    Location
    Europe
    Posts
    478

    Default

    To tell you the truth, I don't have much confidence in the bugzilla, because requests in there are left unanswered for years, left as "NEW" with no further comment from the developers and generally seem to be ignored.

    Don't take this wrong, I'm sure the developers have enough things to do already, it's just that looking at the bugzilla ticket status, it doesn't seem like opening a ticket actually means anything.

  6. #6
    Technical Product Specialist cPanelDavidG's Avatar
    Join Date
    Nov 2006
    Location
    Houston, TX
    Posts
    11,307
    cPanel/WHM Access Level

    Root Administrator

    Default

    Quote Originally Posted by sehh:
        To tell you the truth, I don't have much confidence in the bugzilla, because requests in there are left unanswered for years, left as "NEW" with no further comment from the developers and generally seem to be ignored.

        Don't take this wrong, I'm sure the developers have enough things to do already, it's just that looking at the bugzilla ticket status, it doesn't seem like opening a ticket actually means anything.

    Note that every new bugzilla entry is reviewed by a member of our Quality Assurance staff. While they rarely provide input after reviewing the bug submission/feature request other than modifying to enhancement or confirmed, that doesn't mean it goes unnoticed. Many of these entries are acted upon, especially those with a substantial number of votes and CC's indicating popular support among the user community.

    For what it's worth though, your feature request is more likely to be acted upon if submitted to http://bugzilla.cpanel.net than it is by a simple forum post in a forum not routinely monitored by the QA and development staff.

  7. #7
    Member
    Join Date
    May 2005
    Location
    Auburn, CA
    Posts
    284
    cPanel/WHM Access Level

    Root Administrator
    cPanel: Latest Release Version [11.36.1.6]
    PHP 5.3.23, Apache 2.2.24, MySQL 5.1.68, Perl 5.10.1, CentOS 6.4 64-bit

  8. #8
    Member
    Join Date
    Dec 2003
    Posts
    42

    Default

    Any updates?

    I vote for this one too. Lots of customers are asking for this, as they always get DOMAIN MISMATCH, NOT VALID, and they're angry about their certificate being recognized as not valid by Apple Mail and other mail applications.

    We need the user's SSL certificate to be usable for other services too.

  9. #9
    Member sehh's Avatar
    Join Date
    Feb 2006
    Location
    Europe
    Posts
    478

    Default

    It's definitely a missing feature and an important one!

    Most people don't notice, but all communications (pop3/smtp/etc) are unencrypted.

    If this feature was implemented then we would be able to offer greater security and prevent man-in-the-middle sniffing of data.

  10. #10
    Member
    Join Date
    Jun 2008
    Posts
    10

    Default Definitely need SSL for other services

    Hi,

    Has anyone figured out a way of doing this manually? Via stunnel/IMAP config perhaps?

    I also vote this in...

  11. #11
    Member sehh's Avatar
    Join Date
    Feb 2006
    Location
    Europe
    Posts
    478

    Default

    Nope, cPanel doesn't support per-domain SSL certificates for any services other than HTTPS.

  12. #12
    Member
    Join Date
    Jun 2008
    Posts
    10

    Default a workaround

    There is a workaround, at least for IMAP. Haven't looked into other services yet (but POP is exactly the same).

    ...as long as you have access to WHM.

    Here goes...

    1. Go into WHM and install the certificate under 'Install a SSL certificate and setup a domain'. You may also install the certificate in cPanel.
    2. Once it's installed, go to 'Manage Service SSL Certificates' under 'Service Configuration'.
    3. Click on 'Install a new certificate' next to IMAP.
    4. Select the certificate you installed in step 1.
    5. Test that it works for the mail client.
    6. Now, the key file you need is '/var/cpanel/ssl/courier/myimapd.pem'. It's always called that and is linked to by the file '/usr/lib/courier-imap/share/imapd.pem'.
    7. Now you need to copy that file '/var/cpanel/ssl/courier/myimapd.pem' to /etc/ssl/certs/www.mydomain.com.pem using
    Code:
    cp /var/cpanel/ssl/courier/myimapd.pem /etc/ssl/certs/www.mydomain.com.pem
    8. Now you need to create a link to that file in /usr/lib/courier-imap/share/ in the form imapd.pem.<ip-address-of-mydomain>. Yes, it only works by IP address, so you need a dedicated one for each host... as with Apache.
    Code:
    ln --symbolic /etc/ssl/certs/www.mydomain.com.pem /usr/lib/courier-imap/share/imapd.pem.xxx.xxx.xxx.xxx
    where the x's are your IP address.
    9. Now, go back to WHM and reinstall the original certificate for IMAP (steps 2 and 3) or just reset the certificate.
    10. That's it.

    Enjoy!

  13. #13
    Member sehh's Avatar
    Join Date
    Feb 2006
    Location
    Europe
    Posts
    478

    Lightbulb

    Someone else already did that for IMAP and POP3 (but not for SMTP):

    http://www.jaguarpc.com/forums/forumdisplay.php?f=88

  14. #14
    Member
    Join Date
    Jun 2008
    Posts
    10

    Default SMTP also

    I think the thread you're referring to is

    http://www.jaguarpc.com/forums/showthread.php?t=20765

    I have also done it for SMTP now. It is a similar process. Key to this process (and the IMAP process above) is picking the domain name for the certificate: it shouldn't be www.mydomain.com but just 'mydomain.com' or 'secure.mydomain.com'. When you install the cert, you'll be using https://mydomain.com for secure web services and mydomain.com as the incoming server and SMTP server.

    1. If you haven't installed the certificate, go into WHM and install the certificate under 'Install a SSL certificate and setup a domain'. You may also install the certificate in cPanel.
    2. Once it's installed, go to 'Manage Service SSL Certificates' under 'Service Configuration'.
    3. Click on 'Install a new certificate' next to EXIM. This creates the correct certificates (I don't know how to do that manually).
    4. This creates links inside /etc called exim.crt and exim.key, which point to the .crt and .key files that WHM just created for you.
    5. Copy the target files to exim.mydomain.com.crt and exim.mydomain.com.key, leaving them where they are. The code:
    Code:
    cp /var/cpanel/ssl/exim/myexim.key /var/cpanel/ssl/exim/exim.mydomain.com.key
    cp /var/cpanel/ssl/exim/myexim.crt /var/cpanel/ssl/exim/exim.mydomain.com.crt
    6. Go to WHM 'Exim Configuration Editor', click 'Advanced Editor' and add the following in the first box
    Code:
    tls_certificate = /etc/$received_ip_address.exim.crt
    tls_privatekey = /etc/$received_ip_address.exim.key
    and click 'Save'.

    7. Create a new link for each IP address in the /etc folder

    Code:
    ln -s /var/cpanel/ssl/exim/exim.mydomain.com.crt /etc/xxx.xxx.xxx.xxx.exim.crt
    ln -s /var/cpanel/ssl/exim/exim.mydomain.com.key /etc/xxx.xxx.xxx.xxx.exim.key
    8. Now to reset the original certificate for the other IP address(es)
    Code:
    # run from /etc, where exim.crt and exim.key were created in step 4
    cd /etc
    cp exim.crt xxx.xxx.xxx.xx2.exim.crt
    cp exim.key xxx.xxx.xxx.xx2.exim.key
    where the xxxs are the two different IP addresses (or as many as you are using). This ensures the original cert is used for connection to the original IP address.

    9. Now make sure the permissions are ok
    Code:
    cd /var/cpanel/ssl/exim
    chown mailnull exim.mydomain.*
    chgrp mail exim.mydomain.*
    chmod 660 exim.mydomain.*
    10. That's it... it should all be fine....

    NB these instructions were updated with later comments...

    I hope that it will be added soon as it's a pretty glaring hole...
    Last edited by visskiss; 09-24-2009 at 07:03 AM.
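
Added example, not part of any post in this thread: an audit of the per-IP file layout that the two workarounds above (posts #12 and #14) rely on, reporting missing files, dangling symlinks and key files accessible to other users. The function names, the documentation-range IPs and the temporary directory tree are constructed for the demonstration, and treating the Courier .pem as key-bearing is an assumption.

```python
import os
import stat
import tempfile

# Per-IP file name templates from the two posts; True marks files holding a private key.
EXIM = [("{ip}.exim.crt", False), ("{ip}.exim.key", True)]
COURIER = [("imapd.pem.{ip}", True)]  # assumption: the combined .pem includes the key

def audit(directory, ips, layout):
    """List problems with the per-IP certificate files expected in directory."""
    problems = []
    for ip in ips:
        for template, holds_key in layout:
            name = template.format(ip=ip)
            path = os.path.join(directory, name)
            if not os.path.exists(path):  # False for a dangling symlink too
                kind = "dangling symlink" if os.path.islink(path) else "missing"
                problems.append(f"{name}: {kind}")
                continue
            mode = stat.S_IMODE(os.stat(path).st_mode)  # stat() follows the link
            if holds_key and mode & 0o007:
                problems.append(f"{name}: key accessible to other users (mode {mode:o})")
    return problems

def demo():
    """Build a constructed /etc-like tree (documentation IPs) and audit it."""
    with tempfile.TemporaryDirectory() as root:
        store, etc = os.path.join(root, "store"), os.path.join(root, "etc")
        os.makedirs(store)
        os.makedirs(etc)

        def put(folder, name, mode):
            path = os.path.join(folder, name)
            with open(path, "w") as fh:
                fh.write("constructed placeholder, not real PEM data\n")
            os.chmod(path, mode)
            return path

        # 192.0.2.10: symlinks to 660 files, as in steps 7 and 9 of the Exim post
        os.symlink(put(store, "exim.mydomain.com.crt", 0o660), os.path.join(etc, "192.0.2.10.exim.crt"))
        os.symlink(put(store, "exim.mydomain.com.key", 0o660), os.path.join(etc, "192.0.2.10.exim.key"))
        # 192.0.2.11: plain copies (step 8) left world-readable
        put(etc, "192.0.2.11.exim.crt", 0o644)
        put(etc, "192.0.2.11.exim.key", 0o644)
        # 192.0.2.12: link whose target was removed, and no key at all
        os.symlink(os.path.join(store, "gone.crt"), os.path.join(etc, "192.0.2.12.exim.crt"))
        return audit(etc, ["192.0.2.10", "192.0.2.11", "192.0.2.12"], EXIM)

if __name__ == "__main__":
    print("\n".join(demo()))
```

On a real server the same call would take /etc with the EXIM layout, or /usr/lib/courier-imap/share with the COURIER layout, plus the list of dedicated IPs.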

  15. #15
    Member sehh's Avatar
    Join Date
    Feb 2006
    Location
    Europe
    Posts
    478

    Default

    Hmm, interesting, but does it work properly on single-certificates?

    Since the user connects to mail.somedomain.com and most HTTP certificates don't offer wildcard support for subdomains (only the very expensive ones), so they should get an error for a mismatched domain.
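
Added example, not part of any post in this thread: the name comparison a mail client performs, in the style of RFC 6125, applied to the host names clients might configure against each dedicated IP. It shows why a single-name certificate for mydomain.com triggers a warning for mail.mydomain.com, and goes one step further to show that a wildcard certificate does not cover the bare domain. The function names, IPs and certificate name lists are constructed for the demonstration.

```python
def name_matches(pattern, host):
    """Compare one certificate name against a host name, RFC 6125 style.

    Case-insensitive; '*' is honoured only as the whole leftmost label and
    stands for exactly one label, so '*.example.net' covers neither
    'example.net' nor 'a.b.example.net'.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*" and len(p) >= 3:
        return p[1:] == h[1:]
    return p == h

def find_mismatches(cert_names_by_ip, client_settings):
    """Return the (service, host, ip) settings that no certificate name on that IP covers."""
    bad = []
    for service, host, ip in client_settings:
        names = cert_names_by_ip.get(ip, [])
        if not any(name_matches(name, host) for name in names):
            bad.append((service, host, ip))
    return bad

# Constructed sample data: names in the certificate served on each dedicated IP.
CERT_NAMES_BY_IP = {
    "192.0.2.10": ["mydomain.com"],    # single-name certificate
    "192.0.2.11": ["*.example.net"],   # wildcard certificate
}
# Constructed sample data: what customers typed into their mail clients.
CLIENT_SETTINGS = [
    ("imap", "mydomain.com", "192.0.2.10"),
    ("smtp", "mail.mydomain.com", "192.0.2.10"),
    ("imap", "mail.example.net", "192.0.2.11"),
    ("smtp", "example.net", "192.0.2.11"),
]

if __name__ == "__main__":
    for service, host, ip in find_mismatches(CERT_NAMES_BY_IP, CLIENT_SETTINGS):
        print(f"{service} via {host} on {ip}: certificate name mismatch")
```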
