The Community Forums


cPanel certificates self-signed?

Discussion in 'Security' started by ItsMattSon, Sep 11, 2016.

  1. ItsMattSon

    ItsMattSon Well-Known Member

    Joined:
    Sep 5, 2016
    Messages:
    72
    Likes Received:
    16
    Trophy Points:
    8
    Location:
    Perth
    cPanel Access Level:
    Root Administrator
    Hi cPanel/all,

    Are cPanel certificates self-signed?

    My cPanel license is valid, my hostname is an FQDN (though I can't get to my server by hostname for some reason...), all looks okay? Secureserver.net is GoDaddy's of course.

    Can anyone tell me why I see this? The cPanel Documentation implies that the cPanel cert is not self-signed?


    IMAGE:
    selfsigned.png

    I did search for related threads and some came close but they didn't mention their certs were self-signed by cPanel.
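A way to check what the browser warning in the first post reports, added here as an example and not part of the thread: the script classifies a PEM certificate as self-signed or CA-issued using the `openssl` command line. The function names, file names and test certificates are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Classify a PEM certificate:
#   self-signed  subject == issuer and the signature verifies under its own key
#   self-issued  subject == issuer but the signature does not verify
#   ca-issued    issuer differs from subject
# To save a live service certificate first (HOST is a placeholder):
#   openssl s_client -connect HOST:2087 -servername HOST </dev/null 2>/dev/null |
#       openssl x509 -out svc.pem

cert_kind() {
    pem="$1"
    subj=$(openssl x509 -in "$pem" -noout -subject_hash 2>/dev/null) || return 2
    issr=$(openssl x509 -in "$pem" -noout -issuer_hash 2>/dev/null) || return 2
    if [ "$subj" != "$issr" ]; then
        echo ca-issued
    elif openssl verify -no_check_time -CAfile "$pem" "$pem" >/dev/null 2>&1; then
        echo self-signed
    else
        echo self-issued
    fi
}

# Build constructed test certificates in DIR: ss.pem (self-signed) and
# leaf.pem (signed by a throwaway CA, ca.pem). None belongs to a real server.
make_constructed_certs() {
    d="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=srv.example.test" \
        -keyout "$d/ss.key" -out "$d/ss.pem" 2>/dev/null &&
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Constructed Test CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=srv.example.test" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 2 -out "$d/leaf.pem" 2>/dev/null
}

demo_dir=$(mktemp -d)
make_constructed_certs "$demo_dir"
echo "ss.pem:   $(cert_kind "$demo_dir/ss.pem")"
echo "leaf.pem: $(cert_kind "$demo_dir/leaf.pem")"
rm -rf "$demo_dir"
```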
     
  2. SysSachin

    SysSachin Well-Known Member

    Joined:
    Aug 23, 2015
    Messages:
    324
    Likes Received:
    24
    Trophy Points:
    18
    Location:
    India
    cPanel Access Level:
    Root Administrator
    Hi,
    Have you purchased SSL and installed it on your server hostname?
     
  3. ItsMattSon

    ItsMattSon Well-Known Member

    Hi SysSachin,

    I have an EV SSL for the domain that I want to host on my VPS, but not sure that will help me here.

    The way I understood it from the documentation was that as long as you have a valid FQDN and valid cPanel license, my VPS Services should get issued cPanel-signed SSL certificates? They don't appear to be signed correctly, or maybe they're not the cPanel issued certs?

    Manage Service SSL Certificates - Documentation - cPanel Documentation
     
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,736
    Likes Received:
    661
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello,

    I recommend consulting with your hosting provider to determine if cPanel-signed hostname certificates are enabled for their VPS accounts. If so, it's possible this relates to the automatically generated hostname. Are you able to configure your hostname with a domain name that you control, as opposed to the one utilized by your hosting provider? For example, if you own domain.com, try setting the hostname to "server1.domain.com" and then running "/usr/local/cpanel/bin/checkallsslcerts" to see if the signed certificates are then generated.

    Thank you.
     
  5. ItsMattSon

    ItsMattSon Well-Known Member

    Thanks Michael - I'll check with my VPS host to determine if cPanel-signed hostname certificates are enabled for their VPS accounts :)

    Tried what you said but I obviously have a misconfiguration somewhere. Not sure where though.. Would this error below be at the Namecheap Registrar-end or the VPS WHM-end?

    srvresolve.png
     
  6. ItsMattSon

    ItsMattSon Well-Known Member

    Hi Michael,

    Disregard the query above - It was a misconfiguration at the NameCheap end.

    Additionally, here's the resolution. It told me exactly what you said so you were right again haha.

    denied.png
     
  7. ItsMattSon

    ItsMattSon Well-Known Member

    I spoke with one of the staff in the GoDaddy server chat and they said that free cPanel hostname certs are allowed, so the error in my previous post confounds me.

    Is there any more info from a cPanel point of view how to troubleshoot this further?

    GoDaddy additionally advised that the free cPanel services certs are "self-signed", but I thought they weren't supposed to be? Could this be confirmed? Thanks
     
  8. NixTree

    NixTree Well-Known Member

    Joined:
    Aug 19, 2010
    Messages:
    386
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    Gods Own Country
    cPanel Access Level:
    Root Administrator
  9. ItsMattSon

    ItsMattSon Well-Known Member

    Hi NixTree,

    I read your document. Thanks

    Any chance you'd know though why my services are getting self-signed certificates instead of the free cPanel ones I think I should be getting?
     
  10. NixTree

    NixTree Well-Known Member

    What cPanel version are you running at the moment? If it is not the latest, then upgrade to the latest. Then you can try resetting the cert and see if it shows the proper certificate.
     
  11. ItsMattSon

    ItsMattSon Well-Known Member

    Hi NixTree,

    I'm afraid that my WHM/cPanel version is WHM 58.0 (build 28) which I believe is current, so I'm not sure that's why.

    I've got a fully qualified domain name as my hostname (srv.domain.com), but as per my first post in this thread it seems I'm not getting a proper signed certificate, it's a self-signed one and no matter how many times I click 'reset' it doesn't change that.

    The error I get when I run /usr/local/cpanel/bin/checkallsslcerts is that "The cPanel Store returned an error (X::PermissionDenied) in response to the request POST ssl/certificate/whm-license: free hostname certs are not allowed by this partner".

    According to GoDaddy, they are allowed, so would this be a PHP function that's disabled or maybe firewall or something else? I'm at a loss here, as I'm not sure where to look - whether it's even my VPS or the host node's issue too.

    Any guidance would be appreciated.
     
  12. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello,

    You will not receive the cPanel-signed certificates when encountering that message. Please reach out to your provider again and paste the following message:

    Let them know this indicates that hostname certificates are disabled by the license provider.

    Thank you.
     
  13. ItsMattSon

    ItsMattSon Well-Known Member

    Hi Michael,

    Spent 40 minutes on the phone with GoDaddy server folks and they advised that the certificates "should" be allowed so they're not sure why I'd be seeing that.

    They actually told me to come back to cPanel and ask the question of how they can confirm hostname certificates and free cPanel certificates *are* allowed and whether there is a setting to disable them that they could look into.

    Do you think you could help me with that?
     
  14. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello,

    This setting is configured in cPanel's Manage2 interface with the "Update Company Information" option:

    "Manage 2 Dashboard >> Company >> Update Company Information"

    Thank you.
     
  15. ItsMattSon

    ItsMattSon Well-Known Member

    Thanks Michael!

    Using your post above I found the exact steps I'll need to give them on this Manage2 KB: How to Disable the cPanel Store as an SSL Certificate Provider in WHM

    I'm not sure if they'll be able to help me but at least I'll be able to confirm whether it has been blocked or not. I'll call them today and ask if they can investigate for me, then I'll update this thread with the outcome :)
     
  16. ItsMattSon

    ItsMattSon Well-Known Member

    Hi cPanelMichael,

    I called GoDaddy and after a short 20-minute call the support staff member advised that he had checked with all the departments he could and that they do not allow free cPanel hostname certificates. They didn't confirm that the "Block servers with your company ID from getting free hostname certificates from the cPanel Store" checkbox in Manage2 was actually 'checked', because I'm not sure anyone in any of those departments knew how to get into it, but I guess that answer will have to suffice.

    If anyone else reads this thread after trying to get free cPanel certs for services and is hosted with GoDaddy - Good luck. Looks like I'll have to buy my own certificate and sort that myself.
     
  17. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello @ItsMattSon,

    Thank you for updating us with the outcome. One alternative to consider is to create a subdomain under an existing account (e.g. cpanel.yourdomain.com) and then utilize the AutoSSL feature to generate a free cPanel-signed certificate for that subdomain. Once it's generated and issued, you could then install it for your services via "WHM Home >> Service Configuration >> Manage Service SSL Certificates". Keep in mind you may need to create an empty "/var/cpanel/ssl/disable_auto_hostname_certificate" file to avoid the automatic replacement of the certificate during updates:

    Code:
    touch /var/cpanel/ssl/disable_auto_hostname_certificate
    Thank you.
     
  18. ItsMattSon

    ItsMattSon Well-Known Member

    Hi @cPanelMichael,

    Attempted to do that but not sure if I've done something wrong here. Is this simple to resolve?

    autosslfailed.png
     
    #18 ItsMattSon, Sep 22, 2016
    Last edited by a moderator: Sep 22, 2016
  19. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

  20. ItsMattSon

    ItsMattSon Well-Known Member

    Hi @cPanelMichael,

    Looks like you were right. It works now!

    ConfigServer Firewall had 443 in TCP inbound but not TCP outbound. Suspect it needs 443 TCP outbound open?

    If that's the case, would you expect that the "How to Configure Your Firewall for cPanel Services" document needs to be updated with a tick in the TCP outbound space for 443? (as I followed this in the first place to ensure 443 was only in TCP inbound).
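The firewall condition described in post #20 (443 present in TCP inbound but missing from TCP outbound), as an added example that is not part of the thread: the script reads the `TCP_IN` and `TCP_OUT` port lists from a ConfigServer Firewall configuration file (usually `/etc/csf/csf.conf`) and reports whether a port is open in each direction, including `low:high` ranges. The function names and the sample configuration are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): read TCP_IN / TCP_OUT from a csf.conf
# and report whether a port is permitted in each direction.

# csf_port_allowed CONF KEY PORT -> exit 0 if PORT is listed under KEY.
# Handles single ports and "low:high" ranges; TCP6_* keys are not matched.
csf_port_allowed() {
    awk -v key="$2" -v port="$3" '
        $0 ~ ("^[ \t]*" key "[ \t]*=") {
            line = $0
            sub(/^[^"]*"/, "", line)      # drop everything up to the opening quote
            sub(/".*$/, "", line)         # drop the closing quote and any comment
            n = split(line, items, ",")
            for (i = 1; i <= n; i++) {
                if (split(items[i], r, ":") == 2) {
                    if (port + 0 >= r[1] + 0 && port + 0 <= r[2] + 0) found = 1
                } else if (items[i] + 0 == port + 0) {
                    found = 1
                }
            }
        }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# csf_direction_report CONF PORT -> prints e.g. "in=open out=blocked"
csf_direction_report() {
    inbound=blocked
    outbound=blocked
    if csf_port_allowed "$1" TCP_IN "$2"; then inbound=open; fi
    if csf_port_allowed "$1" TCP_OUT "$2"; then outbound=open; fi
    echo "in=$inbound out=$outbound"
}

# Constructed sample reproducing the state the poster describes.
write_sample_conf() {
    cat > "$1" <<'EOF'
# constructed sample, not a real server's configuration
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995,2077:2096"
TCP_OUT = "20,21,22,25,53,80,110,113,587,993,995"
EOF
}

sample=$(mktemp)
write_sample_conf "$sample"
csf_direction_report "$sample" 443    # in=open out=blocked
rm -f "$sample"
```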
     