Change 'needs SNI' to yes...

fate12

Active Member
Oct 29, 2013
cPanel Access Level
Root Administrator
A client just pointed out that all sites that have no ssl certificate installed on our shared hosting servers are pointing to his site that does have a certificate.

So there are 300+ domains pointing to his site as long as you put https:// in front of them.

I checked in WHM -> SSL/TLS -> manage ssl hosts
And discovered that behind his site it says 'Needs SNI: NO', which of course needs to be yes since every site is on the same shared IP.

How do I solve this?
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
Hello :)

If the account is assigned a shared IP address, and an SSL certificate is installed on that IP address, then any secure request to a domain name on that IP address will load the contents of the domain name the certificate is installed for. This is by design. You will need to assign a dedicated IP address to the account that uses the SSL certificate if you don't want that certificate applied to the other domain names on its IP address. Or, you could generate/install a self-signed certificate for each domain name on the server (assuming your server supports SNI). You could also make one alternate SSL certificate the primary certificate for an IP address via the "Make Primary" option in "WHM Home » SSL/TLS » Manage SSL Hosts".

Thank you.
 

roliboli

Well-Known Member
Sep 3, 2003
Switzerland
Hi
The workaround with "You could also make one alternate SSL certificate the primary certificate for an IP address via the "Make Primary" option" works OK. But later, when you add a new certificate on an account on this IP, this new account will be shown instead of the primary account. This is because of the order in httpd.conf.

Change to another primary and back, and the order is correct afterwards.

So this looks like a bug. The primary domain should be the first entry in httpd.conf so the content of this account will show.

Can this be solved?
 

cPanelKenneth

cPanel Development
Staff member
Apr 7, 2006
cPanel Access Level
Root Administrator
You can specify the default VirtualHost for an IP address using the Manage SSL Hosts feature in WHM. In the Actions column click the "Make Primary" action for the Domain you want to appear first in httpd.conf.
 

roliboli

Well-Known Member
Sep 3, 2003
Switzerland
Yes. The host was primary (e.g. webX) before and it worked. Then, after adding a new certificate on this IP with SNI, the new virtualhost was the first entry in httpd.conf and so the content was presented from this virtualhost.

Setting the primary to another host and then back to the first primary (webX), it worked again. So my opinion is that when adding a new virtualhost on the shared IP, this entry is on top in httpd.conf.
 

cPanelKenneth

cPanel Development
Staff member
Apr 7, 2006
cPanel Access Level
Root Administrator
If I'm understanding you correctly, the defect is: when a new domain is added to an IP address, it becomes the primary record (meaning the first record) in httpd.conf.

Please let me know whether I understood that correctly.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
Yes. That's the problem. Despite the primary (action) is set to the previous set virtualhost.
I do see a couple of internal cases that could apply to the issue you have reported (#111753 and #106685), however could you open a support ticket using the link in my signature so we can open an additional case if necessary? You can post the ticket number here so we can update this thread with the outcome.

Thank you.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
Hello,

To update, our analysts were unable to reproduce the issue, and the user is no longer experiencing this issue.

Thank you.
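
The behaviour discussed in this thread, where an HTTPS request for a name with no SSL vhost of its own is answered by the first :443 VirtualHost listed for the shared IP in httpd.conf, can be audited offline. The following is an added example, not part of the original thread and not cPanel's code; the sample configuration, hostnames and IP address are constructed, and it assumes one address:port per `<VirtualHost>` tag and no wildcard aliases.

```python
import re

# Constructed sample (not from the thread): one shared IP, three accounts,
# only two of which have an SSL vhost.
SAMPLE_HTTPD_CONF = """
<VirtualHost 203.0.113.10:80>
    ServerName shop.example
    ServerAlias www.shop.example
</VirtualHost>
<VirtualHost 203.0.113.10:80>
    ServerName blog.example
</VirtualHost>
<VirtualHost 203.0.113.10:443>
    ServerName webx.example
    SSLEngine on
</VirtualHost>
<VirtualHost 203.0.113.10:443>
    ServerName shop.example
    ServerAlias www.shop.example
    SSLEngine on
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+([^>\s]+):(\d+)\s*>(.*?)</VirtualHost>", re.S | re.I)
NAME_RE = re.compile(r"^\s*Server(?:Name|Alias)\s+(.+)$", re.M | re.I)

def parse_vhosts(conf):
    """Return [(ip, port, [names])] in file order; commented-out directives are skipped."""
    out = []
    for ip, port, body in VHOST_RE.findall(conf):
        names = [n.lower() for line in NAME_RE.findall(body) for n in line.split()]
        out.append((ip, int(port), names))
    return out

def audit(conf):
    """Per IP: the default (first-listed) :443 vhost and the names that fall through to it."""
    report = {}
    vhosts = parse_vhosts(conf)
    for ip, port, names in vhosts:
        if port == 443:  # setdefault keeps the first :443 vhost seen as the default
            entry = report.setdefault(ip, {"default": names[0] if names else "(unnamed)", "ssl": set(), "fallthrough": []})
            entry["ssl"].update(names)
    for ip, port, names in vhosts:
        if port == 80 and ip in report:
            r = report[ip]
            r["fallthrough"] += [n for n in names if n not in r["ssl"] and n not in r["fallthrough"]]
    return report

if __name__ == "__main__":
    print(audit(SAMPLE_HTTPD_CONF))
```

Run against a copy of the server's httpd.conf after installing a certificate, a changed `default` for an IP shows that the file order has shifted away from the intended primary.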