Please whitelist cPanel in your adblocker so that you’re able to see our version release promotions, thanks!

The Community Forums

Interact with an entire community of cPanel & WHM users!

How to: install chained SSL to work WHM/Cpanel, exim, courier.

Discussion in 'General Discussion' started by hekri, Jan 31, 2007.

  1. opt2bout

    opt2bout Well-Known Member

    Joined:
    Nov 10, 2006
    Messages:
    64
    Likes Received:
    1
    Trophy Points:
    158
    Still needed this thread for cPanel 11

    cPanel 11 still did not work with our SBS certificate. With the new file location of /var/cpanel/ssl, and overriding the cpanel.pem and the mycpanel.pem with the same content...that is the key, crt, and the cabundle contents from the cert provider, we don't get an invalid certificate errors on cpanel/whm any longer!

    Now I'm just not clear on what other manual changes to make to accommodate the other services (imap, pop, exim, etc.). I had been using the "Manage Service Certificates" and pasting the cert chain (cabundle) in the last box and applying the changes, but kept getting "invalid certificate" errors on all browsers when going to https://myserver.domain.com.

    When I cloned the mycpanel.pem and cpanel.pem with my key, cert, AND bundle the browser errors went away...this tells me that, for the server itself, the cabundle is not getting linked to the cert in the http services for WHM/cPanel.

    I realize cPanel 11 is not in full release as of yet, but can someone from cPanel help me (us?) understand what we should do for the interim?

    Thanks everyone on this thread for the info on this...we've been working on this for over a week!!
     
  2. beddo

    beddo Well-Known Member

    Joined:
    Jan 19, 2007
    Messages:
    159
    Likes Received:
    1
    Trophy Points:
    168
    Location:
    England
    cPanel Access Level:
    DataCenter Provider
    I have just set this up on a FreeBSD 6.2 box with WHM 11 (WHM 11.1.0 cPanel 11.2.19-C12737)using a SecureTrust wildcard cert.

    The first step was to install the certificates by going to "Service Configuration" and "Manage Service Certificates".

    I installed the cert, key and cabundle provided into all services. WHM was the only service which did not automatically set up the cabundle properly.

    All I had to do was open up /var/cpanel/ssl/cpanel/mycpanel.pem in vi and drop the cabundle cert onto the end of the file. Restart the WHM/Cpanel service (or the whole server) and bob's your mother's brother.

    I checked all the other service certs and the cabundle was to be found similarly appended to the following files:

    /var/cpanel/ssl/courier/myimapd.pem
    /var/cpanel/ssl/courier/mypop3d.pem
    /var/cpanel/ssl/exim/myexim.crt
    /var/cpanel/ssl/ftp/myftpd-rsa.pem

    I would suggest that you do not need to fiddle anywhere else and just drop the cabundle onto the end of these files in your install as it all automagically worked for me (not sure if there are any difference with minor revisions of WHM doing this better).

    Also note that in doing this, it will not automatically install the cert to apache so to do that you will still have to go through "SSL/TLS" -> "Install a SSL Certificate and Setup the Domain".

    Incidentally, I found that cPanel apparently doesn't understand wildcard certs so I had to fix httpd.conf manually but that is something completely different.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  3. opt2bout

    opt2bout Well-Known Member

    Joined:
    Nov 10, 2006
    Messages:
    64
    Likes Received:
    1
    Trophy Points:
    158
    Apache

    bedoo,

    Thanks...yes, the service cert manager in cp 11 does seem to work for everything but cPanel. It should be a simple matter to fix this before the release.

    Just a quick follow-up to help me if you don't mind...
    We're not using a wildcard cert...we did install the cert for Apache for the root domain of our hosting account and that was working fine. Should we also install the server's hostname cert using this method as well? Or won't that override the cert we have for www.domain.com ??

    Thanks much,

    Kevin
     
  4. beddo

    beddo Well-Known Member

    Joined:
    Jan 19, 2007
    Messages:
    159
    Likes Received:
    1
    Trophy Points:
    168
    Location:
    England
    cPanel Access Level:
    DataCenter Provider
    What certificates you install are your choice. From the sounds of it, you have two separate certs:

    hostname.domain.tld and domain.tld

    Unless you plan on serving https through Apache on hostname.domain.tld you won't need to install it into Apache. Installing more than one cert should not overwrite anything as the two are for different common names so if you were to install both to Apache you would be setting up two different SSL hosts (and therefore require two IP addresses)

    My point in mentioning it was not about different hostnames really or even wildcard certs but just to make it clear that installing using "Manage Service Certificates" will only install the cert for cpanel services and to set up a website with Apache must be done separately if you wish to use the same cert.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  5. cPanelNick

    cPanelNick Administrator Staff Member

    Joined:
    Mar 9, 2015
    Messages:
    3,486
    Likes Received:
    31
    Trophy Points:
    158
    cPanel Access Level:
    DataCenter Provider
    By chance are you using stunnel? I recall hearing something about there still being an issue with chained certificates and stunnel. However it might be the other way around and the problem is with native ssl and it works ok with stunnel.
     
  6. opt2bout

    opt2bout Well-Known Member

    Joined:
    Nov 10, 2006
    Messages:
    64
    Likes Received:
    1
    Trophy Points:
    158
    not running stunnel

    No, we have stunnel on the server, but its not running. Everything is straight ssl as far as I can tell.

    I've repeated the SSL cert process after updating the CP11 release this afternoon, and get the same results. We're currently on 11.4.19-R14379. The cabundle is not appended to the mycpanel.pem.

    Question...the start of this thread had made the cpanel.pem the same as mycpanel.pem...can someone tell me what the two files are for and if we could have just left cpanel.pem.
     
  7. cPanelNick

    cPanelNick Administrator Staff Member

    Joined:
    Mar 9, 2015
    Messages:
    3,486
    Likes Received:
    31
    Trophy Points:
    158
    cPanel Access Level:
    DataCenter Provider
    I'm waiting for a new chained ssl to test this with. As soon as I have it I'll see what I can do to get this sorted.
     
  8. beddo

    beddo Well-Known Member

    Joined:
    Jan 19, 2007
    Messages:
    159
    Likes Received:
    1
    Trophy Points:
    168
    Location:
    England
    cPanel Access Level:
    DataCenter Provider
    I think cpanel.pem is the cert generated during install. The one currently one my server has not been modified for a while I guess the presence of mycpanel.pem means that whm/cpanel ignores the cpanel.pem file.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  9. cPanelDavidG

    cPanelDavidG Technical Product Specialist

    Joined:
    Nov 29, 2006
    Messages:
    11,216
    Likes Received:
    10
    Trophy Points:
    313
    Location:
    Houston, TX
    cPanel Access Level:
    Root Administrator
    Correct. cpanel.pem is what is bundled with the software, whereas mycpanel.pem would be your own certificate.
     
  10. cPanelNick

    cPanelNick Administrator Staff Member

    Joined:
    Mar 9, 2015
    Messages:
    3,486
    Likes Received:
    31
    Trophy Points:
    158
    cPanel Access Level:
    DataCenter Provider
    There were definitely some issues with this in previous builds. Try reinstall the crt with builds EDGE&CURRENT 14823+ .
     
  11. opt2bout

    opt2bout Well-Known Member

    Joined:
    Nov 10, 2006
    Messages:
    64
    Likes Received:
    1
    Trophy Points:
    158
    Well, I was staying at RELEASE, but I went ahead...yes, it works great! The mycpanel.pem properly appended the ca bundle.

    Thanks!!

    BTW: When is 11 going to be released? I heard June...but was just curious. Tks Again!
     
  12. cPanelDavidG

    cPanelDavidG Technical Product Specialist

    Joined:
    Nov 29, 2006
    Messages:
    11,216
    Likes Received:
    10
    Trophy Points:
    313
    Location:
    Houston, TX
    cPanel Access Level:
    Root Administrator
    The cPanel 11 Stage 1 and 2 release schedule is available at: http://www.cpanel.net/cpanel11
     
  13. JIKOmetrix

    JIKOmetrix Well-Known Member

    Joined:
    Apr 3, 2007
    Messages:
    98
    Likes Received:
    11
    Trophy Points:
    158
    Hi,

    In cPanel 11 go to WHM => Service Configuration => Manage Service Certificates. Here You can install a valid SSL certificate for select services.

    Mike
     
  14. JIKOmetrix

    JIKOmetrix Well-Known Member

    Joined:
    Apr 3, 2007
    Messages:
    98
    Likes Received:
    11
    Trophy Points:
    158
    Hi,

    How does cpanel calculate bandwidth usage? I have about 20 users in different account that have asked for SSL enabled email. I have only the one certificate for the VPS. If 20 user in different accounts use the one domain on the certificate will cPanel calculate usage based on the account login or the domain they connect to? This would be for both IMAP and POP3 email.

    Mike
     
Loading...

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice