Disable user to install ssl on shared ip

Hedloff

Well-Known Member
Jun 7, 2004
189
13
168
Up north!
cPanel Access Level
DataCenter Provider
Hello,

We have a lot of customers installing self-signed SSL on our shared IPs that are causing a lot of trouble for other customers on the same server.
How do we disable this feature so no one can install ssl on the shared ip?
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,880
2,261
463
Hello :)

You can edit the feature list that's associated with the package assigned to the accounts via:

"WHM Home » Packages » Feature Manager"

Simply disable the following options:

SSL Host Installer
SSL Manager


Thank you.
 

Hedloff

Well, I know that.
That will completely disable SSL for the user. When they have a dedicated IP they should be able to install SSL, but not on a shared IP.
How do we fix this high issue?
 

cPanelMichael

You could create a separate package for accounts with dedicated IP addresses. Ensure the package uses a separate feature list with SSL functionality enabled. Otherwise, you could open a feature request for the ability to disable SSL options for accounts assigned a shared IP:

Submit A Feature Request

Thank you.
 

Hedloff

Can you tell me what's the meaning of customers installing their own SSL on the main (shared IP) of the server? It's just causing problems for other customers.
Are there files we can modify to fix this issue?
 

cPanelMichael

Installing certificates on a shared IP address is supported as of cPanel version 11.38 if the server supports SNI (CentOS/RHEL 6+). You can't disable that functionality, but setting up a package without the SSL feature is the recommended approach if you want to prevent users from installing a certificate.

Thank you.
 

sahostking

Well-Known Member
May 15, 2012
403
29
78
Cape Town, South Africa
cPanel Access Level
Root Administrator
I'm sure it can be restricted though easily so when a user tries to install the SSL on the Shared IP which is assigned under Basic Config text box for the shared IP in WHM Server Config, a popup comes up or a page stating "You are attempting to install it on a shared IP". Don't see why it is not possible and easy to perform.

Removing the SSL Features is not really a solution, as then what is the use of it being "features" in the cPanel interface in the first place? Might as well just have it as WHM features only :)
 

cPanelMichael

You make a good point, but in order to see that changed you would have to submit a feature request as mentioned earlier. You are welcome to post the link to that feature request to this thread so we can update the thread with the outcome.

Thank you.
 

garconcn

Well-Known Member
Oct 29, 2009
172
18
68
We are using the following way to stop clients installing SSL for a shared IP.

Home » Service Configuration » Apache Configuration » Include Editor >> Pre VirtualHost Include, add a virtualhost for each shared IP.

Code:
<VirtualHost shared_ip:443>
   ServerName SERVER_NAME
   DocumentRoot /usr/local/apache/htdocs
   ServerAdmin YOUR_EMAIL
</VirtualHost>
 

4u123

Well-Known Member
PartnerNOC
Jan 2, 2006
948
29
178
> Installing certificates on a shared IP address is supported as of cPanel version 11.38 if the server supports SNI (CentOS/RHEL 6+). You can't disable that functionality, but setting up a package without the SSL feature is the recommended approach if you want to prevent users from installing a certificate.
>
> Thank you.
The problem with allowing this is that it doesn't work properly. So you've added another "feature" that causes more of a problem than it solves.

Since this change, if someone visits any domain on the server's main IP that doesn't have an SSL certificate, the first website with an SSL certificate is displayed in the browser.

So you've only done half the job with this. If you allow cPanel users to install certificates on the main shared IP, you need to ensure, at the very least, that sites using that IP which do not have certificates installed are not replaced with the first site in the Apache config that uses the same IP on port 443 when the https protocol is used to visit them.

If you can't do that, then you shouldn't have allowed this change to go through in the first place.

I think most people will agree that they would like to retain the SSL certificate facility in cPanel, with a tweak settings option to disallow the use of it when the account is using the main shared IP. It isn't appropriate to set up different packages just to work around your poor implementation of this.

We want customers on the same packages to be able to install certificates if they have a dedicated IP. I don't think anyone would suggest it is a good idea to create a new package just for a user that wants an SSL certificate and this could not be easily automated.

The simple solution is to put it back the way it was before. Allow cPanel users to install certificates and have a toggle in tweak settings that allows us to disable the option for users that are using the main shared IP.

Currently what you have implemented is not workable and it is unreasonable to ask people to submit feature requests for things that are simply broken. Just fix it.
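
An added example, not part of the original thread and not cPanel code: a small audit that reads an httpd.conf-style file and lists, for one shared IP, which HTTP-only names would be answered over HTTPS by the first port-443 virtual host, the fallback described in the post above. The sample configuration, addresses and function names are constructed; wildcard aliases and `_default_` virtual hosts are not modelled.

```python
import re
from collections import defaultdict

# Constructed sample in httpd.conf style (documentation address and names).
SAMPLE_CONF = """
<VirtualHost 192.0.2.10:80>
    ServerName alpha.example
    ServerAlias www.alpha.example
</VirtualHost>
<VirtualHost 192.0.2.10:80>
    ServerName beta.example
</VirtualHost>
<VirtualHost 192.0.2.10:443>
    ServerName beta.example
    SSLEngine on
</VirtualHost>
<VirtualHost 192.0.2.10:443>
    ServerName gamma.example
    SSLEngine on
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+([^>\s]+):(\d+)\s*>(.*?)</VirtualHost>", re.S | re.I)
NAME_RE = re.compile(r"^\s*Server(?:Name|Alias)\s+(.+)$", re.M | re.I)

def parse_vhosts(conf):
    """Return {(ip, port): [names_of_vhost, ...]} in configuration order."""
    table = defaultdict(list)
    for ip, port, body in VHOST_RE.findall(conf):
        names = [n.lower() for line in NAME_RE.findall(body) for n in line.split()]
        table[(ip, int(port))].append(names)
    return table

def https_fallbacks(conf, ip):
    """Map each HTTP-only name on `ip` to the vhost Apache would serve it from on 443."""
    table = parse_vhosts(conf)
    tls = table.get((ip, 443), [])
    if not tls:
        return {}  # nothing listens on 443 for this IP, so no wrong site is shown
    covered = {n for names in tls for n in names}
    # With no ServerName/ServerAlias match, the first vhost for ip:port answers.
    default = tls[0][0] if tls[0] else "(unnamed vhost)"
    return {n: default for names in table.get((ip, 80), [])
            for n in names if n not in covered}

if __name__ == "__main__":
    for name, served in https_fallbacks(SAMPLE_CONF, "192.0.2.10").items():
        print(f"https://{name}/ would be served by {served}")
```
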
 

cPanelMichael

Hello :)

It's important that you add this feedback to the feature request referenced in this thread:

Prevent the users from installing SSL on Shared IP address | cPanel Feature Requests

I understand that you have a negative view towards the feature request system in general when it comes to changes instead of new features, but it's important to keep in mind that we utilize it when considering changes to the product. It's the best way to have a direct line of communication with our developers.

Thank you.