Change 'needs SNI' to yes...

Discussion in 'Security' started by fate12, Sep 1, 2014.

  1. fate12

    fate12 Active Member

    A client just pointed out that all sites that have no ssl certificate installed on our shared hosting servers are pointing to his site that does have a certificate.

    So there are 300+ domains pointing to his site as long as you put https:// in front of them.

    I checked in WHM -> SSL/TLS -> manage ssl hosts
    And discovered that behind his site it says 'Needs SNI: NO', which of course needs to be yes since every site is on the same shared IP.

    How do I solve this?
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello :)

    If the account is assigned a shared IP address, and an SSL certificate is installed on that IP address, then any secure request to a domain name on that IP address will load the contents of the domain name the certificate is installed for. This is by design. You will need to assign a dedicated IP address to the account that uses the SSL certificate if you don't want that certificate applied to the other domain names on its IP address. Or, you could generate/install a self-signed certificate for each domain name on the server (assuming your server supports SNI). You could also make one alternate SSL certificate the primary certificate for an IP address via the "Make Primary" option in "WHM Home » SSL/TLS » Manage SSL Hosts".

    Thank you.
     
  3. roliboli

    roliboli Active Member

    Hi
    The workaround with "You could also make one alternate SSL certificate the primary certificate for an IP address via the "Make Primary" option" works OK. But later, when you add a new certificate on an account on this IP, this new account will be shown instead of the primary account. This is because of the order in httpd.conf.

    After changing to another primary and back, the order is correct.

    So this looks like a bug. The primary domain should be the first entry in httpd.conf so the content of this account will show.

    Can this be solved?
     
  4. cPanelKenneth

    cPanelKenneth cPanel Development
    Staff Member

    You can specify the default VirtualHost for an IP address using the Manage SSL Hosts feature in WHM. In the Actions column click the "Make Primary" action for the Domain you want to appear first in httpd.conf.
     
  5. roliboli

    roliboli Active Member

    Yes. The host was primary (e.g. webX) before and it worked. Then, after adding a new certificate on this IP with SNI, the new virtualhost was the first entry in httpd.conf, and so the content was presented from this virtualhost.

    After setting the primary to another host and then back to the first primary (webX), it worked again. So my opinion is that when a new virtualhost is added on the shared IP, this entry is on top in httpd.conf.
     
  6. cPanelKenneth

    cPanelKenneth cPanel Development
    Staff Member

    If I'm understanding you correctly the defect is: when a new domain is added to an IP address it becomes the primary record (meaning the first record) in httpd.conf.

    Please let me know whether I understood that correctly.
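
The ordering problem discussed in this thread can be checked directly: Apache serves the first VirtualHost listed for an IP:port when the requested name matches none, so the expected primary must come first. The following is an added example, not code from the thread or from cPanel; the configuration fragment, host names and IP address are constructed, and `check_primary` is a hypothetical helper name.

```python
import re

# Constructed httpd.conf fragment: two SSL vhosts on one shared IP (documentation range).
SAMPLE_CONF = """\
<VirtualHost 192.0.2.10:443>
  ServerName newsite.example
  SSLEngine on
</VirtualHost>
<VirtualHost 192.0.2.10:443>
  ServerName webx.example
  SSLEngine on
</VirtualHost>
<VirtualHost 192.0.2.10:80>
  ServerName plain.example
</VirtualHost>
"""

VHOST_OPEN = re.compile(r"^\s*<VirtualHost\s+([^>]+)>", re.I)
VHOST_CLOSE = re.compile(r"^\s*</VirtualHost>", re.I)
SERVER_NAME = re.compile(r"^\s*ServerName\s+(\S+)", re.I)

def vhosts_by_address(conf_text):
    """Map each vhost address to its ServerNames in file order (None if unset)."""
    result, current = {}, None
    for line in conf_text.splitlines():
        m = VHOST_OPEN.match(line)
        if m:
            current = {"name": None}
            for addr in m.group(1).split():  # one vhost may list several addresses
                result.setdefault(addr, []).append(current)
        elif VHOST_CLOSE.match(line):
            current = None
        elif current is not None:
            m = SERVER_NAME.match(line)
            if m and current["name"] is None:
                current["name"] = m.group(1).lower()
    return {addr: [v["name"] for v in vs] for addr, vs in result.items()}

def check_primary(conf_text, expected):
    """expected maps address -> ServerName that should be first.
    Returns {address: name actually first} for every mismatch."""
    found = vhosts_by_address(conf_text)
    problems = {}
    for addr, want in expected.items():
        names = found.get(addr, [])
        first = names[0] if names else None
        if first != want.lower():
            problems[addr] = first
    return problems

if __name__ == "__main__":
    print(check_primary(SAMPLE_CONF, {"192.0.2.10:443": "webx.example"}))
```
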
     
  7. roliboli

    roliboli Active Member

    Yes. That's the problem, even though the primary (action) is set to the previously set virtualhost.
     
  8. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    I do see a couple of internal cases that could apply to the issue you have reported (#111753 and #106685), however could you open a support ticket using the link in my signature so we can open an additional case if necessary? You can post the ticket number here so we can update this thread with the outcome.

    Thank you.
     
  9. roliboli

    roliboli Active Member

    Ticket number is 6457661
     
  10. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member
