Wildcard SSL - Subdomains through cPanel

[nurseryboy]

We have a site with multiple subdomains - that we set up through cPanel (rather than through WHM as their own accounts, because we need the subdomain files to be in the main site's account and owned by the main account). We need the both the main site (www.example.com), and all the subdomains (sub1.example.com, sub2.example.com, etc) to all be SSL protected.

What I'm not sure about, though, is how to get it all set up. We have a wildcard cert for *.example.com, but none of the subdomains work (sub1.example.com brings up www.example.com). I believe this is because sub1.example.com doesn't have it's own IP address? If this is the case, how do we set up the subdomain to be on it's own IP address, without making it a separate account? Again, we need the subdomains to be in the main account (files and ownership). Any way to do this and not mess up cPanel?

Thanks.

[Polyack]

Any updates on this?

I'm experiencing similar issues.
Seems to be an issue with WHM 11.

The following thread states this problem. In that thread they also mention that the hosting provider had to do some "manual changes". I'm wondering what these changes are. Anyone knows?
Any alternative workarounds that don't require unique accounts and IPs?
"Ref: http://www.jaguarpc.com/forums/showthread.php?p=135507

Yes that is weird. Jag support have been in touch with cPanel support and have now reached the conclusion that the only way to get a wildcard certificate working is to create the 'subdomains' as stand-alone accounts (so they aren't subdomains at all), dedicate an IP to each, manually create the entry and then rebuild Apache. That's convenient then.

It is now working, but support had to make changes manually. We no longer have subdomains, however - each 'subdomain' has to have it's own account and dedicated IP. Below is support's 'how to' guide:

1.
Copy the file for one of already installed certs e.g. in this case I copied file '/var/cpanel/userdata/myusername1/mysubdomain1.mydomain.net_SSL' to '/var/cpanel/userdata/myusername2/' .

/var/cpanel/userdata/ is the path where each account has a folder with its apache and cpanel configuration files. The _SSL file is the one which contains the entries for ssl vhost for any domain.

2.
Rename that according to subdomain i.e. in this case rename '/var/cpanel/userdata/myusername2/mysubdomain1.mydomain.net_SSL' to '/var/cpanel/userdata/myusername2/mysubdomain2.mydomain.net_SSL'.

3.
Edit the file '/var/cpanel/userdata/myusername2/mysubdomain2.mydomain.net_SSL' and update user name to myusername2 where there is old username and update IP, viewing this file will clear any confusion.

4.
Run : /usr/local/cpanel/bin/build_apache_conf
to rebuild apache configuration from the newly created file.

5.
Then restart apache to make it load newly built configuration."

[cpanelkenneth]

Apply wildcard SSL Certificates to existing (or newly created) subdomains should work properly in 11.23

[Polyack]

Apply wildcard SSL Certificates to existing (or newly created) subdomains should work properly in 11.23

Is it still required to create a separate account for every subdomain (every subdomain that I wish share the same (Wildcard SSL Certificate)? And a unique IP-adress for each of them as well?

[cpanelkenneth]

Is it still required to create a separate account for every subdomain (every subdomain that I wish share the same (Wildcard SSL Certificate)? And a unique IP-adress for each of them as well?

My Original Post needs ammended.

It is not required to have a separate account for each subdomain, however there is apparently a limitation in cPanel/WHM that results in forcing each subdomain to have it's own IP address in order to install the Cert on separate subdomains. One can apparently work around this by using mod rewrite to redirect requests.

[Polyack]

Thank you Kenneth for clarifying this matter.

I'm wondering if wildcard certificates can be made using the "SSL Certificate creation wizard" builtin WHM version 11.23? If it's not
then I simply create the certificate using the command-line, but it would be nice to know if it's supported as well.

[merlinpa1969]

are there any updates to this limitation in cPanel/WHM

[cpanelkenneth]

are there any updates to this limitation in cPanel/WHM

Which limitation do you mean?

[merlinpa1969]

My Original Post needs ammended.

It is not required to have a separate account for each subdomain, however there is apparently a limitation in cPanel/WHM that results in forcing each subdomain to have it's own IP address in order to install the Cert on separate subdomains. One can apparently work around this by using mod rewrite to redirect requests.

this is the limitation that I mean,

[cpanelkenneth]

this is the limitation that I mean,

That is more a limitation of OpenSSL and the Browsers than WHM. Due to that limitation, we currently enforce the multiple IP address/Sub domain method of using the wild card SSL certificate.

[merlinpa1969]

and see your tech people lastnight said it was an apache issue and instructed me to use a redirect for this process.

How is this a browser and openSSL limitation?

also how are other control panels able to not have this limitation

[cpanelkenneth]

and see your tech people lastnight said it was an apache issue and instructed me to use a redirect for this process.

How is this a browser and openSSL limitation?

also how are other control panels able to not have this limitation

Except for the absolutely latest version of OpenSSL, only one SSL VirtualHost can be configured per IP Address. Apache relies upon OpenSSL for its SSL Support.

You can read a nice description of the problem and what will be the eventual solution here: http://daniel-lange.com/plugin/tag/sni

For SNI to work, both Apache (via OpenSSL) and the browser must support it. At this time, the majority of browsers do not support this spec.