Please whitelist cPanel in your adblocker so that you’re able to see our version release promotions, thanks!

The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Hostname SSL Certificate name mismatch

Discussion in 'Security' started by Adwin Lui, Apr 17, 2017.

  1. Adwin Lui

    Adwin Lui Member

    Joined:
    Feb 10, 2015
    Messages:
    6
    Likes Received:
    1
    Trophy Points:
    3
    Location:
    Vancouver, British Columbia, C
    cPanel Access Level:
    Reseller Owner
    Hello,
    We have a SSL Certificate name mismatch for our hostname.

    This is how we are setup:
    2 Dedicated servers, one of which is Cloud, with the following hostnames:
    server.domainA.com
    cloud.domainA.com

    Using a browser, going to https://cloud.domainA.com:2087 will bring us to WHM, but shows connection as insecure.

    Using a browser, going to https://cloud.domainA.com will redirect us to the primary site xyz.com on that server. Is it possible to prevent this and show a empty page instead? (multiple websites on this shared IP)

    Comodo's SSL Analyzer shows that the certificate for our cloud.domainA.com hostname belongs to that primary site xyz.com, hence the Mismatch.

    I ran AutoSSL checkall cmd using SSH but got no output
    Code:
    /usr/local/cpanel/bin/checkallsslcerts --verbose
    In WHM > AutoSSL, Logs > no log for this latest command run using SSH

    In /usr/local/cpanel/logs/error_log:

    Code:
    [2017-04-17 10:02:59 -0700] info [xml-api] Loading default httpupdate source
    [2017-04-17 10:02:59 -0700] info [xml-api] Syncing version information from httpupdate.cpanel.net/cpanelsync/TIERS.json
    [2017-04-17 10:02:59 -0700] info [xml-api] Successfully verified signature for cpanel (key types: release).
    ==> cpsrvd 11.62.0.21 started
    ==> cpsrvd: loading security policy....Done
    ==> cpsrvd: Setting up SSL support ... Done
    ==> cpsrvd: transferred port bindings
    ==> cpsrvd: bound to ports
    ==> cpsrvd 11.62.0.21 started
    ==> cpsrvd: loading security policy....Done
    ==> cpsrvd: Setting up SSL support ... Done
    ==> cpsrvd: transferred port bindings
    ==> cpsrvd: bound to ports
    ==> cpsrvd 11.62.0.21 started
    ==> cpsrvd: loading security policy....Done
    ==> cpsrvd: Setting up SSL support ... Done
    ==> cpsrvd: transferred port bindings
    ==> cpsrvd: bound to ports
    ==> cpsrvd 11.62.0.21 started
    ==> cpsrvd: loading security policy....Done
    ==> cpsrvd: Setting up SSL support ... Done
    ==> cpsrvd: transferred port bindings
    ==> cpsrvd: bound to ports
    
    In Manage Service SSL Certificates, there is already a Cpanel cert installed:
    Domains:
    Issuer:cPanel, Inc.
    Key Size:2,048 bits (9baed34b …)
    Expiration:Apr 16, 2018 12:00:00 AM


    Please, how do I get the correct SSL certificate to show for our cloud.domainA.com hostname?

    Thank you all in advance.
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    38,658
    Likes Received:
    1,425
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello,

    It's important to note the difference between the hostname SSL certificate and the certificates installed for Apache. Information about the hostname SSL certificate is documented at:

    Free cPanel-Signed Hostname Certificate - cPanel Knowledge Base - cPanel Documentation

    Do you notice any error messages when regenerating the hostname SSL certificate? You can do so via the following command:

    Code:
    /usr/local/cpanel/bin/checkallsslcerts --verbose
    Note that if you want to install this SSL certificate (once it's properly generated) for Apache so that your hostname loads over a secure URL in a web browser, then you'd need to install the cPanel-signed certificate via "WHM >> Install an SSL Certificate on a Domain".

    Thank you.
     
  3. Adwin Lui

    Adwin Lui Member

    Joined:
    Feb 10, 2015
    Messages:
    6
    Likes Received:
    1
    Trophy Points:
    3
    Location:
    Vancouver, British Columbia, C
    cPanel Access Level:
    Reseller Owner
    Hi Michael, thanks for check this out.
    From my understanding, the certificates installed for Apache are mainly for the Apache services like cpanel, webmail, etc logins... right?

    Running the command from the Cloud server ssh
    Code:
    /usr/local/cpanel/bin/checkallsslcerts --verbose
    the command runs but returns nothing.

    Does this have anything to do with it:
    On the Main server WHM server.domainA.com
    WHM > SSL Storage Manager

    upload_2017-4-17_14-28-23.png

    Top one:
    Friendly Name: server.******hosting.com and www.server.*****hosting.com
    ID: c0e27_cb57b_e1913f1c6379dd51cbd498e0978d82c7
    Resource Type: User Account SSL Resource

    Bottom one:
    Friendly Name: 2,048 bits, created 3/20/17, 7:26 AM UTC
    ID: c9c98_c9bad_9257d914a111f98f0eb410f39bfaab51
    Resource Type: User Account SSL Resource

    Still on the server.domainA.com
    WHM > Manage SSL Hosts
    upload_2017-4-17_14-41-27.png

    But here is the cloud server cloud.domainA.com
    WHM > SSL Storage Manager

    upload_2017-4-17_14-39-26.png

    If I go to Install SSL Certificate on a domain, here is what I see:

    on server.domainA.com
    upload_2017-4-17_14-50-15.png

    And on cloud.domainA.com

    upload_2017-4-17_14-52-8.png
    (cont'd)
    upload_2017-4-17_14-54-25.png

    Do the self signed certificates interfere with the Cpanel ones?

    Thank you again Michael, your help is truly appreciated.
     
    #3 Adwin Lui, Apr 17, 2017
    Last edited by a moderator: Apr 17, 2017
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    38,658
    Likes Received:
    1,425
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    No, Apache is it's own service and is what ensures the website content is loaded. The hostname SSL certificate is intended for other services (e.g. Exim, cPanel/WHM/Webmail, FTP).

    First, browse to the following option in Web Host Manager and verify "cloud.domainA.com" is configured as the hostname for the server:

    "WHM >> Change Hostname"

    If it is, then browse to "WHM Home » Service Configuration » Manage Service SSL Certificates" and verify if the certificates installed for these services match the server's hostname. If so, check to see if any files exist to disable the free hostname SSL certificate generation:

    Code:
    stat /var/cpanel/ssl/disable_service_certificate_management
    stat /var/cpanel/ssl/disable_auto_hostname_certificate
    Thank you.
     
  5. Adwin Lui

    Adwin Lui Member

    Joined:
    Feb 10, 2015
    Messages:
    6
    Likes Received:
    1
    Trophy Points:
    3
    Location:
    Vancouver, British Columbia, C
    cPanel Access Level:
    Reseller Owner
    Thank you very much Michael, sorry for my late reply.
    I confirm the correct hostnames are set for both servers.
    There are no Disable_ files present in /var/cpanel/ssl/ that may prevent auto ssl generation.

    I wish I could send you a pm with this private info, but I can't so here it is anyway could you please delete it later:
    We have ssl cert mismatch for our hostname: cloud.domain.tld
    The certificate mismatch is because of a client site which is set as Primary in Manage SSL Hosts. But I can't unselect it, because all accounts on this server are client accounts sharing the same IP. Our own business domain is on the main (non-cloud) server: server.domain.tld

    Additionally, still on cloud.domain.tld, in SSL Storage manager, we have multiple SSL certs for the hostname, is this OK so best cert may be chosen, or does it create a conflict?

    Best Regards
     
    #5 Adwin Lui, May 3, 2017
    Last edited by a moderator: May 3, 2017
  6. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    38,658
    Likes Received:
    1,425
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    There's a entry on this topic on our SSL FAQ document:

    My certificate installed, but visitors who try to securely access other sites on the shared IP address can only see the site with an installed SSL certificate, not my default domain.

    Let us know if that helps to answer your question.

    Thank you.
     
Loading...

Share This Page