How to: install a chained SSL certificate to work with WHM/cPanel, exim, courier.

hekri

Hello

I read many topics on the forum but I didn't find it all in one thread.

If you buy a low-cost SSL certificate that has a cabundle file, you can install it properly to work with WHM, cPanel, smtp-ssl, pop3-ssl and imap-ssl, and it will work on 99% of explorers and email clients.

You should have the key, the SSL cert and the cabundle.

First step: go to WHM/SSL/TLS/Change Server Certificates and install it.

Next, log in as root over SSH:

cd /usr/local/cpanel/etc/
vi mycpanel.pem and delete key, cert and put manually key, certificate, cabundle
vi cpanel.pem and delete key, cert and put manually key, certificate, cabundle
vi mycpanel.cabundle and delete cabundle and put it manually

service cpanel restart

cd /usr/lib/courier-imap/etc
vi pop3d-ssl

And change:
TLS_CERTFILE=/usr/lib/courier-imap/share/pop3d.pem

to:
TLS_CERTFILE=/usr/local/cpanel/etc/cpanel.pem
TLS_TRUSTCERTS=/usr/local/cpanel/etc/mycpanel.cabundle

Make the same change in imapd-ssl

service courier-imap restart

Copy cpanel.pem to /etc/ssl/private/pure-ftpd.pem and restart pure-ftpd

Next go to /etc

vi exim.crt, delete cert and put manually certificate and cabundle
vi exim.key, delete key and put manually key

service exim restart


And you have a fully working low-cost SSL certificate :)


key words:
cpanel ssl
ssl exim
ssl courier
chained ssl
ssl install whm
install ssl
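
The file layouts described in the post above, checked mechanically (an added example, not part of any post in this thread): the script reports the order of PEM blocks in a file, so a hand-edited cpanel.pem, exim.crt or exim.key can be compared with the key / certificate / cabundle order the post gives. The sample files are constructed placeholders, the function names are assumptions of this example, and key_matches_cert additionally assumes the openssl CLI is installed.

```shell
#!/bin/sh
# Added example: PEM block-order check for the hand-edited files in the post.

# Print the block types in file $1 in order, e.g. "KEY CERT CERT".
# A BEGIN that is never closed (truncated paste) is reported as BROKEN.
pem_layout() {
    awk '
        function add(t) { out = out (out == "" ? "" : " ") t }
        /^-----BEGIN / {
            if (cur != "") add("BROKEN")
            if ($0 ~ /PRIVATE KEY-----/) cur = "KEY"
            else if ($0 ~ /BEGIN CERTIFICATE-----/) cur = "CERT"
            else cur = "OTHER"
            next
        }
        /^-----END / { if (cur != "") add(cur); cur = ""; next }
        END { if (cur != "") add("BROKEN"); print out }
    ' "$1"
}

# Layouts the post asks for.
check_combined() { pem_layout "$1" | grep -Eq '^KEY CERT( CERT)+$'; }  # cpanel.pem
check_chain()    { pem_layout "$1" | grep -Eq '^CERT( CERT)+$'; }      # exim.crt
check_key_only() { pem_layout "$1" | grep -Eq '^KEY$'; }               # exim.key

# Assumes the openssl CLI: does the private key in $1 belong to the first cert in $2?
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Constructed sample files: placeholder bodies, not real keys or certificates.
make_samples() {
    blk() { printf '%s\n' "-----BEGIN $1-----" "Q09OU1RSVUNURUQ=" "-----END $1-----"; }
    { blk "RSA PRIVATE KEY"; blk CERTIFICATE; blk CERTIFICATE; } > "$1/cpanel.pem"
    { blk "RSA PRIVATE KEY"; blk CERTIFICATE; } > "$1/nochain.pem"   # cabundle forgotten
    { blk CERTIFICATE; blk CERTIFICATE; } > "$1/exim.crt"
    { blk "RSA PRIVATE KEY"; } > "$1/exim.key"
    { blk CERTIFICATE; printf '%s\n' "-----BEGIN CERTIFICATE-----"; } > "$1/cut.pem"
}

dir=$(mktemp -d) && make_samples "$dir"
for f in cpanel.pem nochain.pem exim.crt exim.key cut.pem; do
    printf '%-12s %s\n' "$f" "$(pem_layout "$dir/$f")"
done
rm -rf "$dir"
```

On a real server, point the check functions at the files named in the post, for example check_combined /usr/local/cpanel/etc/cpanel.pem and key_matches_cert /etc/exim.key /etc/exim.crt.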
 

camay123

Is that what needs to be done if you want to have /whm, /cpanel URL access using https?

I'm trying to find which of my domains I should install a certificate on in order for:

https://mydomain.com/whm or /cpanel to log in using SSL.

Thanks
 

gitlca

Thanks! This worked for me after spending countless hours figuring out why my WHM cert would work fine in IE but Firefox wouldn't follow the CA bundle and kept giving validation errors.

Appreciate the post!
 

PeteC

This is a helpful post. However, in my experience, there is no longer any need to do this in recent versions of cPanel:

vi mycpanel.pem and delete key, cert and put manually key, certificate, cabundle
vi mycpanel.cabundle delete cabundle and put it manually

Someone please correct me if I'm wrong, but I do not think cPanel uses mycpanel.pem and mycpanel.cabundle files any longer.
 

norelidd

So in order to secure, /whm, /cpanel, and email for ALL of my domains, I only need to buy one ssl cert for server.mainhostdomain.com?
 

cPanelNick

Administrator
Staff member
> So in order to secure, /whm, /cpanel, and email for ALL of my domains, I only need to buy one ssl cert for server.mainhostdomain.com?

You can buy just one.

They will still be secure without the cert though. You will just get a warning that the crt is not trusted.
 

norelidd

I understand that it's still secure, I'm just looking to get outlook to stop bothering me and my clients every time we check our mail :)

I have never worked with SSL before. Would I purchase the cert for the main domain (serverdomain.com) or the server's hostname (server.serverdomain.com)?
 

orware

Hostname I believe

I believe it would be the Hostname, since that's the actual name of the server, but I've never done this before so I think somebody who has should reply with a confirmation :).

-Omar
 

PeteC

> I understand that it's still secure, I'm just looking to get outlook to stop bothering me and my clients every time we check our mail :)
>
> I have never worked with SSL before. Would I purchase the cert for the main domain (serverdomain.com) or the server's hostname (server.serverdomain.com)?

Yes, purchase it for the server's hostname.
 

bornonline

I'm trying to get all this set up, but I don't have this file? My cert seems fine and I did not get a cabundle with it.
What to use for the TLS_TRUSTCERTS=?
TLS_TRUSTCERTS=/usr/local/cpanel/etc/mycpanel.cabundle

I'm getting this in Outlook
The server you are connecting to is using a security cert that cannot be verified.
The certificate's CN name does not match the passed value

This cert seems fine on cpanel and whm.
 

orware

Where to buy?

Hi, I was just wondering...where would I buy an SSL certificate that comes with a CA Bundle?

Or do they all come with one?

I've only done the SSL stuff a few times and I always wondered about that SSL issue with cPanel and IE (especially IE7 which really makes it look like the page did not load unless you read the words).

Thanks!

-Omar
 

bornonline

I can tell you that the rapid ssl cert I got through namecheap from Geotrust does not come with the bundle. That is why I asked the question above. Everything seems fine I think...lol
 

PCZero

--> First step go to the WHM/SSL/TLS/Change Server Certificates and install it.


My version of WHM does not have this option...
 

PCZero

cd /usr/local/cpanel/etc/
vi mycpanel.pem and delete key, cert and put manually key, certificate, cabundle
vi cpanel.pem and delete key, cert and put manually key, certificate, cabundle
vi mycpanel.cabundle delete cabundle and put it manually

I have none of those files at that location
 

PCZero

Thanks... I will look there however when I ran locate *.pem I get no files found still.
 

PCZero

OK folks I got this all done by figuring out the correct files and paths in cPanel11. Works great now. However I did NOT do anything with the FTP part...


copy cpanel.pem to the /etc/ssl/private/pure-ftpd.pem and restart pure-ftpd


When I went to that location, ls returned this...


ftpd-rsa-key.pem -> /var/cpanel/ssl/ftp/ftpd-rsa-key.pem
ftpd-rsa.pem -> /var/cpanel/ssl/ftp/ftpd-rsa.pem
pure-ftpd.pem -> /var/cpanel/ssl/ftp/pure-ftpd.pem


I can make the change to the /var/cpanel/ssl/ftp/pure-ftpd.pem file but do I need to do anything with the rsa files as well?


Thanks...