SSL certs wildcard domains across different hosts

[brentc]

Okay, the server I'm working on DOES have a wildcard SSL. I did not generate the CSR, or install the certificate, I'm just the one lucky enough to try and fix this.

Here's basically what I've come to find:

The SSL Key/Crt Manager tool in WHM there are a few entries.

Listed under Keys there is *.domainname.tld with a matching Signing Request, and since this client has multiple certificates, under Certificates there are multiple entires; including one for *.domainname.tld. As far as I can tell, this should all be correct.

When I followed the directions above to update the owner of the SSL from nobody to username, I find no corresponding file at /var/cpanel/userdata/nobody/*.domainname.tld_SSL, so I copied the domainname.tld_SSL from /var/cpanel/userdata/username and updated the values to sort of act like the file as it's supposed to exist at /var/cpanel/userdata/nobody. This doesn't seem to work.

At this point I am starting to think the SSL installation was done differently than what we're expecting should have happened so that I can follow the instructions here. Am I too far gone with this to be to fix it manually, or should we be doing a reinstall of the certificate somehow?

[cPanelTristan]

Is there a wildcard certificate in /etc/ssl/certs/ location named *.domainname.tld.crt ? If there is not, then that needs to exist first in order for anything else to work.

[brentc]

Yes, there is the .crt and .csr in this location. But, I am also seeing that I guess they were trying to cover all the bases and there are also entries for TheSubDomainIWant.domainname.tld.crt (&.csr) and just domainname.tld.crt (&.csr). Could this be possibly causing a conflict? What I don't see for the wildcard is the *.domainname.tld.cabundle.

[cPanelTristan]

You'd need the .cabundle file for the wildcard. Do you still have the certificate? If so, why not simply reinstall it using the user nobody like the guide and follow the steps then? You probably want to uninstall the other certificate while you are at it (please ensure to make copies of /etc/ssl folder before making any changes with "cp -R /etc/ssl /etc/ssl.bak110901" first).

[brentc]

Ah man. I think I've over-thought this.

My client has already tried to create the SSL a few different ways so everything's getting all confused here. I am not finding the best way to "undo" what he's done so I can get a truly clean install of the SSL as if it was the first time. When I've done everything I think I was supposed to do, and I rebuild httpd, I'm getting errors that there's already an SSL VirtualHost entry, etc etc...

warn [rebuildhttpdconf] SSL VirtualHosts with identical IP/Port detected: subdomain.domainname.tld_SSL and *.domainname.tld_SSL ... defaulted to subdomain.domainname.tld_SSL
Failed to generate a syntactically correct Apache configuration.
Bad configuration file located at /usr/local/apache/conf/httpd.conf.1314914985
Error:
An error occurred while running: /usr/local/apache/bin/httpd -DSSL -t -f /usr/local/apache/conf/httpd.conf.1314914985
Exit signal was: 0
Exit value was: 1
Output was:
---
Syntax error on line 260 of /usr/local/apache/conf/httpd.conf.1314914985:
<VirtualHost> directive requires additional arguments
---

Whereas at line 260 of httpd.conf.1314914985, it's like an empty conf entry.

I guess now I'm at, How do I uninstall everything this customer did before I touched it? Unless you have a better suggestion.

[cPanelTristan]

How about opening up a ticket so we can get all of these removed and a proper configuration setup. A ticket could be opened in WHM > Support Center > Contact cPanel or using the link in my signature.

[brentc]

Thanks dude. I've submitted a ticket.

[brentc]

It appears (so far) as if my wildcard SSL was configured correctly, but what I have ultimately been setting up is a portal-style login page for WHMCS using https://subdomain.domainname.tld and evidently there are additional settings in WHMCS that allow/deny using https://, though I am still awaiting confirmation from WHMCS support.

[abturnbull]

warn [rebuildhttpdconf] SSL VirtualHosts with identical IP/Port detected: subdomain.domainname.tld_SSL and *.domainname.tld_SSL ... defaulted to subdomain.domainname.tld_SSL
Failed to generate a syntactically correct Apache configuration.
Bad configuration file located at /usr/local/apache/conf/httpd.conf.1314914985
Error:
An error occurred while running: /usr/local/apache/bin/httpd -DSSL -t -f /usr/local/apache/conf/httpd.conf.1314914985
Exit signal was: 0
Exit value was: 1
Output was:
---
Syntax error on line 260 of /usr/local/apache/conf/httpd.conf.1314914985:
<VirtualHost> directive requires additional arguments
---

Whereas at line 260 of httpd.conf.1314914985, it's like an empty conf entry.

I used this solution for 1 domain, but the client has 4 Wildcard SSL's on the same server, All using different Dedicated IP.

Now I setup this to allow.

https://domain1.com
https://sub.domain1.com

but when
https://domain2.com <- ok as this is setup by default.
https://sub.domain2.com <- as soon as I set this up using the method above it comes up with the same error as above.

Thanks

[jkoconnell]

I have tried to follow the various threads about wildcard SSL certs with no luck. I can manually edit httpd.conf to add subdomain.mydomain.tld:443 stanza, but that breaks as soon as http rebuilds.

I have a wildcard cert for *.mydomain.tld.
There are a number of subdomain.mydomain.tld sites.
All share dedicated IP (not the main IP).
All owned by user mydomain.
(www.)mydomain.tld has document root: /home/mydomain/public_html
Subdomains have documentroot: /home/mydomain/public_html/subdomain.mydomain.tld

I need to create a configuration that will still work after rebuildhttpdconf is run.

I still get error likesubdomain.mydomain.tld uses an invalid security certificate

WHM 11.30.4 (build 6)
CENTOS 5.7 x86_64 standard

Ideas?

[jaywire]

Curious, why is a re-build of the config necessary? shouldn't a restart of apache be enough?

Thank you in advance.

[jaywire]

Also, how does this work with Cname redirects...

xyz.domain.com redirects to xyz.Otherdomain.com while the url still looks like xyz.domain.com all under ssl... so - https://xyz.domain.com

does the ssl directions you provided cover this scenario?