Installing SSL SAN certificate

Discussion in 'Security' started by shacker23, Sep 21, 2011.

  1. shacker23

    shacker23 Member

    Joined:
    Feb 20, 2005
    Messages:
    263
    Likes Received:
    0
    Trophy Points:
    16
    We have the following setup:

    Account "foo" with a primary domain and an "intranet." subdomain, both on the same IP (obviously, since that's a cPanel limitation). We have been issued an SSL SAN certificate which should cover both the domain and the subdomain (both will need https protection in places). Since they're both on the same IP, the certificate should cover both just fine.

    We temporarily installed a self-signed cert on the intranet subdomain. Now we want to install the real cert so that it covers both domains.

    What is the correct procedure for this?

    Thanks.
     
  2. cPanelTristan

    cPanelTristan Active Member
    Staff Member

    Joined:
    Oct 2, 2010
    Messages:
    7,621
    Likes Received:
    3
    Trophy Points:
    38
    Location:
    somewhere over the rainbow
    Is an SSL SAN certificate the same as a wildcard certificate or a UCC certificate?
     
  3. shacker23

    shacker23 Member

    Hi Tristan - Essentially, yes, though I'm no expert on this. From the FAQ:

    https://wikihub.berkeley.edu/display/calnet/CalNet+InCommon-Comodo+Certificate+Service
     
  4. cPanelTristan

    cPanelTristan Active Member
    Staff Member

    Does the account have a dedicated IP or is it using the shared IP? If it is a dedicated IP, simply install that new certificate in WHM > SSL/TLS > Install a SSL Certificate and Setup the Domain area.

    If you wish to remove the prior certificate, you could remove it in WHM > SSL/TLS > Manage SSL Hosts area. Please ensure you have the CSR, key, crt and cabundle files before removing the existing certificate.

    After installation, be sure to copy the /var/cpanel/userdata/username/domain.com_SSL file to the /var/cpanel/userdata/username/intranet.domain.com_SSL location and revise as appropriate for the home directory path. After revising, you would then rebuild Apache and restart it:

    Code:
    cp /usr/local/apache/conf/httpd.conf /usr/local/apache/conf/httpd.conf.bak110922
    /scripts/rebuildhttpdconf
    /etc/init.d/httpd restart
     
  5. shacker23

    shacker23 Member

    Thanks for this response Tristan. What I'm seeing when running rebuildhttpdconf is this:

    warn [rebuildhttpdconf] Failed to resolve duplicate SSL VirtualHosts: intranet.domain.edu_SSL and domain.edu_SSL
    Built /usr/local/apache/conf/httpd.conf OK

    After restarting apache, the site is not available. I modified the documentroot, the homedir, the serveralias and the servername.

    Any ideas there? Thanks.
     
  6. cPanelTristan

    cPanelTristan Active Member
    Staff Member

    Which site is not available? Both sites or just one of them, and by not available do you mean on http or https or both? Also, do they have entries in /usr/local/apache/conf/httpd.conf for the 443?

    Also, you should compare the settings in intranet.domain.edu to what you put into intranet.domain.edu_SSL to ensure they match for those options. If they do not match, revise the intranet.domain.edu_SSL to match those of intranet.domain.edu rather than what you previously used.
     
  7. shacker23

    shacker23 Member

    Ah, I didn't look at the file intranet.domain.edu. Will follow up on this tomorrow. Thanks.
     
  8. shacker23

    shacker23 Member

    Thanks Tristan! That did the trick - had to modify both files to have unique homedirs and other identifying data, while leaving the path to the cert and key files identical. Wonderful - one cert covering two domains on the same IP, like magic.

    Note for others: the rebuild step still issues the warning:

    warn [rebuildhttpdconf] Failed to resolve duplicate SSL VirtualHosts: intranet.domain.edu_SSL and domain.edu_SSL

    but after restarting apache, it does work just fine.

    Would be nice to see WHM make this a bit easier to configure, though it's probably not a very common use case.

    I appreciate your help.

    ./s
     
    #8 shacker23, Sep 23, 2011
    Last edited: Sep 23, 2011
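
A pre-rebuild check for the outcome described in the thread, written here as an added example (it is not part of the thread and not a cPanel tool): it confirms that two userdata `_SSL` files point at the same certificate and key while keeping a distinct `servername` and `documentroot`. The key names `sslcertificatefile` and `sslcertificatekeyfile`, the flat `key: value` layout, and all sample paths are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example. Key names and sample paths are assumptions, not taken from the thread.

# Print the value of a top-level "key: value" line in a userdata file.
ud_get() {  # ud_get FILE KEY
    sed -n "s/^$2:[[:space:]]*//p" "$1" | head -n 1
}

# Return 0 when both files share cert/key paths and differ in identity fields.
# Each problem found is printed on its own line.
check_ssl_pair() {  # check_ssl_pair MAIN_SSL_FILE SUBDOMAIN_SSL_FILE
    rc=0
    for key in sslcertificatefile sslcertificatekeyfile; do
        a=$(ud_get "$1" "$key"); b=$(ud_get "$2" "$key")
        if [ -z "$a" ] || [ "$a" != "$b" ]; then
            echo "MISMATCH $key: '$a' vs '$b'"; rc=1
        fi
    done
    for key in servername documentroot; do
        a=$(ud_get "$1" "$key"); b=$(ud_get "$2" "$key")
        if [ -z "$a" ] || [ -z "$b" ] || [ "$a" = "$b" ]; then
            echo "NOT UNIQUE $key: '$a' vs '$b'"; rc=1
        fi
    done
    return $rc
}

# Write one constructed sample userdata file (values are made up).
write_ud() {  # write_ud FILE SERVERNAME DOCUMENTROOT
    cat > "$1" <<EOF
documentroot: $3
homedir: /home/foo
servername: $2
sslcertificatefile: /etc/ssl/certs/domain.edu.crt
sslcertificatekeyfile: /etc/ssl/private/domain.edu.key
EOF
}

# Create the constructed pair of sample files in directory $1.
make_sample() {  # make_sample DIR
    write_ud "$1/domain.edu_SSL" domain.edu /home/foo/public_html
    write_ud "$1/intranet.domain.edu_SSL" intranet.domain.edu /home/foo/public_html/intranet
}

# Stand-alone use: sh check.sh /path/to/domain_SSL /path/to/intranet_SSL
if [ "$#" -eq 2 ]; then check_ssl_pair "$1" "$2"; fi
```

A file copied from the primary domain and left unrevised fails the uniqueness check, which is the state the first rebuild attempt in the thread was in.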