The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Disable user to install ssl on shared ip

Discussion in 'General Discussion' started by Hedloff, Mar 10, 2014.

  1. Hedloff

    Hedloff Well-Known Member

    Joined:
    Jun 7, 2004
    Messages:
    98
    Likes Received:
    2
    Trophy Points:
    8
    Hello,

    We have alot of customers installing self signed ssl on our shared ip's that are causing alot of trouble for other customers on the same server.
    How do we disable this feature so no one can install ssl on the shared ip?
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,678
    Likes Received:
    653
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello :)

    You can edit the feature list that's associated with the package assigned to the accounts via:

    "WHM Home » Packages » Feature Manager"

    Simply disable the following options:

    SSL Host Installer
    SSL Manager


    Thank you.
     
  3. Hedloff

    Hedloff Well-Known Member

    Joined:
    Jun 7, 2004
    Messages:
    98
    Likes Received:
    2
    Trophy Points:
    8
    Well, I know that.
    That will completely disable ssl for user. When they have dedicated ip they should be able to install ssl, but not on shared ip.
    How do we fox this high issue?
     
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,678
    Likes Received:
    653
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    You could create a separate package for accounts with dedicated IP addresses. Ensure the package uses a separate feature list with SSL functionality enabled. Otherwise, you could open a feature request to the ability to disable SSL options for accounts assigned a shared IP:

    Submit A Feature Request

    Thank you.
     
  5. Hedloff

    Hedloff Well-Known Member

    Joined:
    Jun 7, 2004
    Messages:
    98
    Likes Received:
    2
    Trophy Points:
    8
    Can you tell me what's the meaning of customers installing their own ssl on the main (shared ip) of the server? It's just causing problems for other customers.
    Are there files we can modify to fix this issue?
     
  6. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,678
    Likes Received:
    653
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Installing certificates on a shared IP address is supported as of cPanel version 11.38 if the server supports SNI (CentOS/RHEL 6+). You can't disable that functionality, but setting up a package without the SSL feature is the recommended approach if you want to prevent users from installing a certificate.

    Thank you.
     
  7. sahostking

    sahostking Well-Known Member

    Joined:
    May 15, 2012
    Messages:
    299
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    Cape Town, South Africa
    cPanel Access Level:
    Root Administrator
    I'm sure it can be restricted though easily so when a user tries to install the SSL on the Shared IP which is assigned under Basic Config text box for the shared IP in WHM Server Config, a popup comes up or a page stating "You are attempting to install it on a shared IP". Don't see why it is not possible and easy to perform.

    Removing the SSL Features is not really a solution as then what is the use of it being "features" in cpanel interface in first place? Might aswell just have it as WHM features only :)
     
  8. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,678
    Likes Received:
    653
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    You make a good point, but in order to see that changed you would have to submit a feature request as mentioned earlier. You are welcome to post the link to that feature request to this thread so we can update the thread with the outcome.

    Thank you.
     
  9. jacksony

    jacksony Well-Known Member
    PartnerNOC

    Joined:
    Nov 30, 2005
    Messages:
    67
    Likes Received:
    0
    Trophy Points:
    6
  10. garconcn

    garconcn Well-Known Member

    Joined:
    Oct 29, 2009
    Messages:
    98
    Likes Received:
    1
    Trophy Points:
    8
    We are using following way to stop client installing ssl for shared IP.

    Home » Service Configuration » Apache Configuration » Include Editor >> Pre VirtualHost Include, add a virtualhost for each shared IP.

    Code:
    <VirtualHost shared_ip:443>
       ServerName SERVER_NAME
       DocumentRoot /usr/local/apache/htdocs
       ServerAdmin YOUR_EMAIL
    </VirtualHost>
     
    #10 garconcn, Oct 16, 2014
    Last edited by a moderator: Oct 16, 2014
  11. 4u123

    4u123 Well-Known Member
    PartnerNOC

    Joined:
    Jan 2, 2006
    Messages:
    765
    Likes Received:
    1
    Trophy Points:
    18
    The problem with allowing this, is that it doesn't work properly. So you've added another "feature" that causes more of a problem than it solves.

    Since this change, if someone visits any domain on the server's main IP that doesn't have an SSL certificate, the first website with an SSL certificate is displayed in the browser.

    So you've only done half the job with this. If you allow cpanel users to install certificates on the main shared IP, you need to ensure at the very least, that sites using that IP which do not have certificates installed, are not replaced with the first site in the apache config that uses the same IP on port 443 when the https protocol is used to visit them.

    If you can't do that, then you shouldn't have allowed this change to go through in the first place.

    I think most people will agree that they would like to retain the ssl certificate facility in cpanel, with a tweak settings option to disallow the use of it when the account is using the main shared IP. It isn't appropriate to set up different packages, just to work around your poor implementation of this.

    We want customers on the same packages to be able to install certificates if they have a dedicated IP. I don't think anyone would suggest it is a good idea to create a new package just for a user that wants an SSL certificate and this could not be easily automated.

    The simple solution is to put it back the way it was before. Allow cpanel users to install certificates and have a toggle in tweak settings that allows us to disable the option for users that are using the main shared IP.

    Currently what you have implemented is not workable and it is unreasonable to ask people to submit feature requests for things that are simply broken. Just fix it.
     
  12. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,678
    Likes Received:
    653
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello :)

    It's important that you add this feedback to the feature request referenced in this thread:

    Prevent the users from installing SSL on Shared IP address | cPanel Feature Requests

    I understand that you have a negative view towards the feature request system in general when it comes to changes instead of new features, but it's important to keep in mind that we utilize it when considering changes to the product. It's the best way to have a direct line of communication with our developers.

    Thank you.
     
Loading...

Share This Page