[Case 158673] SSL redirection not working

Discussion in 'Security' started by TCB13, Jan 28, 2015.

  1. TCB13

    TCB13 Well-Known Member

    Joined:
    Jul 25, 2014
    Messages:
    58
    Likes Received:
    1
    Trophy Points:
    8
    cPanel Access Level:
    Root Administrator
    Hello,

    One of my machines upgraded to WHM 11.48.0 (build 5) recently and I started getting complaints about SSL issues with accessing cPanel.

    Apparently the SSL Redirection Settings under Tweak Settings are no longer working. These are the current settings:

    cpanel-ssl.png

    Even if I set it to "Always redirect to SSL", if a client tries example.com/cpanel he gets sent to cpanel.example.com, resulting in a certificate error.

    Before, with my config the clients were redirected to the server hostname with the right domain for the certificate. Why is this happening now?

    Thank you.
     
    #1 TCB13, Jan 28, 2015
    Last edited: Jan 28, 2015
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,774
    Likes Received:
    663
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello :)

    This could be related to an internal case we have open (158673) with a similar description. Let us know if the following workaround helps:

    1. Browse to "WHM >> Tweak Settings" and save after each step (step order could be reversed depending on what you have enabled).

    2. Disable "Require SSL" under the "Security" tab.

    3. Disable Proxy Subdomains under the "Domains" tab.

    4. Change redirection settings under the "Redirection" tab from "Hostname" to something else, save, then change back to "Hostname" again.

    5. Enable "Require SSL" under the "Security" tab.

    6. Enable "Proxy Subdomains" under the "Domains" tab.

    Thank you.
     
  3. TCB13

    TCB13 Well-Known Member

    Hello,

    I followed the steps and the first time I tried to go to domain.com/cpanel it redirected to the hostname with the SSL certificate; however, after that it stopped working again.

    Edit: I tried it again but this time it didn't work the first time. :(

    Thank you.
     
    #3 TCB13, Jan 30, 2015
    Last edited: Jan 30, 2015
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    You may need to disable proxy subdomains until the resolution is pushed out if the workaround steps listed in my previous response are not helpful.

    Thank you.
     
  5. joako

    joako Well-Known Member

    Joined:
    Aug 7, 2003
    Messages:
    97
    Likes Received:
    2
    Trophy Points:
    8
    When the user visits the page they still get an SSL error after the latest update. Please advise how to fix these SSL errors.
     
  6. TCB13

    TCB13 Well-Known Member

    Yeah I'm still waiting for a fix to this issue. The steps provided didn't help, and the update had no effect on this...
     
  7. joako

    joako Well-Known Member

    If your user has an SSL error on domain.com/webmail because they are taken to webmail.domain.com then I believe the correct fix is to apply the latest version and then apply this setting:

    1. Disable Proxy Subdomains.
    2. Enable Always Redirect to SSL.
    3. Enable Require SSL.

    My issue is that when the user visits domain.com/webmail it works perfectly, but when they visit webmail.domain.com they get errors from their browser.
     
  8. TCB13

    TCB13 Well-Known Member

    The problem is that in the past if a user went to http://cpanel.client-domain.com he was sent to https://server-hostname:cpanel-port/ and everything was perfectly fine.

    Right now that redirection is not working. And I don't want to disable proxy subdomains because people won't be able to log in then...
     
    Biotron2000 likes this.
  9. joako

    joako Well-Known Member

    Re: How change the webmail url in Proxy subdomains

    What is the correct setting to use if you want the user when visiting webmail.domain.com to get directed to domain.com/webmail?
     
  10. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    This issue was addressed in cPanel version 11.48.0.7:

    Fixed case 158673: Fix proxy subdomains redirect issue in unprotected/redirect.html.

    Could you verify if the issue persists after updating to the most recent version available on your build tier? If so, please open a support ticket using the link in my signature so we can take a closer look. You can post the ticket number here so we can update this thread with the outcome.

    Thank you.
     
  11. keat63

    keat63 Well-Known Member

    Joined:
    Nov 20, 2014
    Messages:
    765
    Likes Received:
    20
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
  12. joako

    joako Well-Known Member

    I have a ticket open for this, # 6106243, and I vehemently assert that the current behaviour is a bug.
     
  13. keat63

    keat63 Well-Known Member

    Could you keep me updated with the outcome, please?
     
  14. TCB13

    TCB13 Well-Known Member

    Right now, the redirection settings seem to be working fine.

    However, there's a small issue regarding proxy subdomains and the Require SSL for WebMail / cPanel etc. feature.

    If I enable Require SSL and a user tries to go to http://webmail.example.com he will be sent to https://webmail.example.com, causing an SSL error because the domain webmail.example.com doesn't have any valid SSL certificate...

    When enabling Proxy Subdomains and Require SSL, cPanel should behave like:

    1. If the client domain example.com has an SSL certificate installed => redirect it to example.com:2096
    2. If the client domain DOES NOT have an SSL certificate installed => redirect it to hostname.server.com:2096 (which owns a valid certificate).

    I guess the behavior described in (2) happened in a past version... It should work that way. There's no point in having a webmail.example.com if there's no valid SSL certificate there... It should first check if the client owns an SSL certificate at their domain and redirect to the correct port, otherwise fall back to the hostname.

    Thank you.
     
  15. keat63

    keat63 Well-Known Member

    joako likes this.
  16. keat63

    keat63 Well-Known Member

    Maybe this is related and needs some testing.
    I removed and reinstalled the cert last night and the redirect now works.
     
  17. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello :)

    I believe much of this discussion centers on a feature request rather than a bug in the product. The following feature request would address most of these concerns:

    Support for per domain proxy subdomain certificates | cPanel Feature Requests

    There are two options as it stands now:

    1. Enable proxy subdomains, which forces the use of the SSL Certificate in "WHM Home » Service Configuration » Manage Service SSL Certificates".
    2. Disable proxy subdomains, and manually configure redirects for the subdomains to the proper SSL ports.

    Thank you.
     
  18. joako

    joako Well-Known Member

    This is a bug, not a feature request. When using the default WHM settings the user is shown a message that states "hackers are trying to steal your credit card." In any event, the linked feature request will not resolve the issue for 99% of users.
     
    Biotron2000 likes this.
  19. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Could you elaborate on the exact behavior that you would prefer to see? Also, you mentioned a "hackers are trying to steal your credit card" message. Is this simply part of the "Untrusted" message issued by your browser?

    Thank you.
     
  20. joako

    joako Well-Known Member

    The WHM server already knows which domains have and which do not have SSL certificates. It should be able to tell if the certificate is a wildcard certificate or not. 99% of domains won't have a wildcard certificate. However with WHM defaulting to use SSL it should be common best practice for any production WHM server to have a proper SSL certificate issued by a common CA to the WHM server's hostname.

    When a user attempts to access webmail, etc., for e.g. by visiting webmail.domain.com, the server is already parsing the request and making redirections. Unfortunately WHM has not kept up with the times and these redirections are being performed inappropriately. This causes the users to be presented with scary messages (such as: "hackers are trying to steal your credit cards"); meanwhile users are trained to watch out for these errors and also for phishing emails and other sorts of malware that attempt to steal the users' credit cards, bank details, passwords, etc. So while this behaviour may not have been an issue 10 years ago when implemented, today it is. Today any software intentionally using this behaviour is considered to have a bug. cPanel needs to fix this major bug as soon as possible.

    One solution would be, instead of performing redirections, to perform proxying. For e.g. if the user visits https://whm.hostname/webmail they stay on that URL and the Apache server proxies the request to the appropriate place. Or if the user visits http://webmail.domain.com or http://domain.com/webmail the WHM server checks if that particular domain has a wildcard certificate; if in the more than likely chance it does then the server will know that the user needs to be directed to https://whm.hostname/webmail.

    This sort of functionality will be the most ideal. That way the user's data and password are protected by TLS encryption (especially important with today's mobile devices and public wifi access points), the user does not see any scary messages, which increases their confidence and reduces support costs, and finally the ability to access webmail and cPanel in situations where a restrictive firewall blocks access to the legacy cPanel ports is also maintained.
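
The redirect choice TCB13 proposes in post 14, combined with the certificate and wildcard check joako describes in post 20, written out as an added example (not cPanel's code and not posted by anyone in this thread). It goes beyond the two cases in post 14 by matching SAN and wildcard entries; the inventory structure, the function names and the example.org entry are assumptions constructed for illustration.

```python
# Added example: choose an HTTPS redirect target that an installed certificate covers.
# INVENTORY is constructed sample data, not a cPanel API or file format.

SSL_PORTS = {"webmail": 2096, "cpanel": 2083}  # cPanel's SSL service ports

INVENTORY = {  # account domain -> SAN list of its installed certificate
    "example.com": ["example.com", "www.example.com"],
    "example.org": ["example.org", "*.example.org"],
}


def san_matches(pattern, host):
    """RFC 6125-style match: '*' may only be the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False  # a wildcard covers exactly one label, never the bare domain
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]  # reject patterns such as '*.com'
    return p == h


def cert_covers(sans, host):
    return any(san_matches(s, host) for s in sans)


def redirect_target(requested_host, service, inventory, server_hostname):
    """Return an https:// URL whose host name will pass certificate validation."""
    port = SSL_PORTS[service]
    host = requested_host.lower().rstrip(".")
    prefix = service + "."
    # webmail.example.com is a proxy subdomain of the account domain example.com
    is_proxy = host.startswith(prefix) and host not in inventory
    domain = host[len(prefix):] if is_proxy else host
    sans = inventory.get(domain, [])
    # Prefer the name the user typed, then the account domain (case 1 in post 14).
    for candidate in (host, domain):
        if cert_covers(sans, candidate):
            return f"https://{candidate}:{port}/"
    # Case 2 in post 14: fall back to the server hostname and its service certificate.
    return f"https://{server_hostname}:{port}/"


if __name__ == "__main__":
    for name in ("webmail.example.com", "webmail.example.org", "webmail.nocert.example"):
        print(name, "->", redirect_target(name, "webmail", INVENTORY, "hostname.server.com"))
```

The non-wildcard certificate for example.com does not cover webmail.example.com, which is why a plain http-to-https rewrite of the proxy subdomain produces the browser warning discussed in this thread.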
     