Old 07-08-2009, 05:33 PM
kmwebb is on a distinguished road
Wildcard SSL Certificates - my solution

I was having problems using my wildcard certificate as others had mentioned in the past. I am posting my solution, even though it cannot be done through the web interface -- all of this is done from the command line.

Scenario:
1. SSL Wildcard Certificate for *.mydomain.com
2. Need it to work for www.mydomain.com and pilot.mydomain.com, but each is a different account (and they need to be separate accounts).
3. Apache 2 (but this can be adapted to Apache 1.3).

Solution Overview:
1. Use the Customized Vhost definition option of CPanel (custom_vhost_template_ap2).
2. Manually replace the SSL and IP address inside of the customized Vhost definition.

Solution Details:
1. Add the customization directive:
custom_vhost_template_ap2: /usr/local/apache/conf/mydomain_vhost.conf
** This could point to any location, though.

2. Copy the default template (ssl_vhost.default) to the file identified in Step One.

3. Edit the file:
* Manually replace the IP address instead of relying on the symbol/variable/IF substitution.
<VirtualHost 11.22.33.44:443>

* Replace the IF blocks with the SSL directives (as usually documented by SSL certificate vendors):

SSLEngine on
SSLCertificateFile /usr/local/apache/conf/ssl.crt/client_wildcard.crt
SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/client_wildcard.key

* Replicate the entire block and define for non-SSL (port 80, usually), omitting the SSL directives.
<VirtualHost 11.22.33.44:80>

* This means that each "build" generates two "vhost" blocks.

4. Create the files referenced in the SSL directives in step 3.

5. Run the CPanel rebuild script
/usr/local/cpanel/bin/build_apache_conf

* This should build a new version of httpd.conf.
* Inspect it to be sure the entries look like what is suggested by the certificate vendor (or what you have seen in the past).

6. Run the Apache config tester:
/usr/local/apache/bin/apachectl configtest

7. If no errors, stop and restart Apache.

8. Repeat for the second (and any additional) hosts, but each refers to the same Certificate and Key files described in Step 3.
* You have to run the CPanel build script.
* You should run the Apache config tester.

I hope this helps. This was the only solution that even came close to solving my problem the way I needed. I just kept experimenting until I got the "native" httpd.conf file similar to what I had on the non-CPanel host. It's been running fine for about a week now.
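Added example, not part of the original post and not cPanel tooling: a shell script for checks worth running after step 4 and before the restart in step 7, since the key file is created by hand and shared by every vhost. The function names and the CRT, KEY and NAME variables are assumptions of this example (defaults are the paths and names from the post), and the certificate name is supplied by the operator rather than read from the certificate.

```shell
#!/bin/sh
# Added example: pre-restart checks for a wildcard certificate shared by several vhosts.
# Defaults are the paths and names used in the post; override via the environment.
CRT=${CRT:-/usr/local/apache/conf/ssl.crt/client_wildcard.crt}
KEY=${KEY:-/usr/local/apache/conf/ssl.key/client_wildcard.key}
NAME=${NAME:-*.mydomain.com}   # name the certificate was issued for (assumed)

# True if certificate name $1 covers host $2. The "*" stands for exactly one
# left-most label: *.mydomain.com covers www.mydomain.com, but not
# mydomain.com and not a.b.mydomain.com.
wildcard_covers() {
  wc_pat=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  wc_host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  case $wc_pat in
    \*.?*) wc_label=${wc_host%%.*}          # first label of the host
           [ -n "$wc_label" ] && [ "$wc_host" = "$wc_label${wc_pat#?}" ] ;;
    *)     [ "$wc_pat" = "$wc_host" ] ;;
  esac
}

# True if the key file has no group/other permission bits. Every vhost shares
# this one key and Apache reads it as root at startup, so no account needs access.
key_is_private() {
  [ "$(ls -ld "$1" 2>/dev/null | cut -c5-10)" = "------" ]
}

# True if the certificate and the private key carry the same public key.
cert_matches_key() {
  cm_a=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  cm_b=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ -n "$cm_a" ] && [ "$cm_a" = "$cm_b" ]
}

# Usage: sh check_wildcard.sh www.mydomain.com pilot.mydomain.com
main() {
  rc=0
  key_is_private "$KEY" || { echo "FAIL: $KEY is group/world accessible or missing"; rc=1; }
  cert_matches_key "$CRT" "$KEY" || { echo "FAIL: $CRT does not match $KEY"; rc=1; }
  for h in "$@"; do
    wildcard_covers "$NAME" "$h" || { echo "FAIL: $NAME does not cover $h"; rc=1; }
  done
  [ "$rc" -eq 0 ] && echo "OK: key private, pair matches, all hosts covered"
  return "$rc"
}
if [ "$#" -gt 0 ]; then main "$@"; exit $?; fi
```

A non-zero exit means Apache should not be restarted yet; the bare domain (mydomain.com) failing the coverage check is expected for a certificate issued only for *.mydomain.com.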
