The Community Forums


Migrate SSL Certs from one server to another

Discussion in 'General Discussion' started by netarus, May 30, 2007.

  1. netarus

    netarus Well-Known Member

    Joined:
    Oct 27, 2002
    Messages:
    105
    Likes Received:
    0
    Trophy Points:
    16
    Anyone have any recommendations for migrating SSL certs from one server to another for a particular domain without having to completely reissue the certs for the new server?

    BTW, this is a cpanel to cpanel move.

    Any guidance would be appreciated.

    Thanks,

    Chris
     
  2. jrehmer

    jrehmer Well-Known Member

    Joined:
    Apr 10, 2003
    Messages:
    287
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Denver, CO
    As long as you have the Private Key and the Certificate files you should be fine. The only time you would run into major problems is when switching between different types of webservers, i.e. Apache and IIS. But I've had excellent success using Transfer Accounts/pkgacct and it always copies the certs for me, no manual intervention required.
     
  3. netarus

    netarus Well-Known Member

    Joined:
    Oct 27, 2002
    Messages:
    105
    Likes Received:
    0
    Trophy Points:
    16
    When you do the cpmove, do you assign the domain a dedicated IP? What happens if you move it first to the shared IP on the new server and then assign the domain a dedicated IP? Will the cert still work?
     
  4. jrehmer

    jrehmer Well-Known Member

    Joined:
    Apr 10, 2003
    Messages:
    287
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Denver, CO
    That I'm not positive on, but I want to say that the IP information doesn't matter, cpmove should still set up the certs.
     
  5. netarus

    netarus Well-Known Member

    Joined:
    Oct 27, 2002
    Messages:
    105
    Likes Received:
    0
    Trophy Points:
    16
    List SSL Hosts

    When I go into WHM after the transfer, the following is shown when I click on 'List SSL Hosts':

    There are no ssl hosts setup!

    I did this after transferring a domain that I know has a cert associated with it.
     
  6. jrehmer

    jrehmer Well-Known Member

    Joined:
    Apr 10, 2003
    Messages:
    287
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Denver, CO
    When you transferred it, did you set the domain up on its own IP?

    Check to see if you see any certificate files for the domain under /usr/share/ssl/certs and /usr/share/ssl/private.
     
  7. netarus

    netarus Well-Known Member

    Joined:
    Oct 27, 2002
    Messages:
    105
    Likes Received:
    0
    Trophy Points:
    16
    On our new server, the directory /usr/share/ssl does not even exist on the server.

    I'm running CentOS 4.

    However, on the old server, I can see all of the certs under /usr/share/ssl.

    Would copying them directly from the one server to the other be a good idea?

    Thanks!
     
  8. jrehmer

    jrehmer Well-Known Member

    Joined:
    Apr 10, 2003
    Messages:
    287
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Denver, CO
    Are you sure openssl is installed properly? The openssl-0.9.7a-43.16 package provides that directory on my box which is CentOS 4.5.
     
  9. netarus

    netarus Well-Known Member

    Joined:
    Oct 27, 2002
    Messages:
    105
    Likes Received:
    0
    Trophy Points:
    16
    Well, I see two SSL keys under:

    /etc/ssl/private

    hrmmm... openssl seems fine. I'm out of ideas.
     
  10. jrehmer

    jrehmer Well-Known Member

    Joined:
    Apr 10, 2003
    Messages:
    287
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Denver, CO
    What keys do you have in /etc/ssl/private? Are you by chance running on 64-bit?

    Otherwise I don't know why you wouldn't have a /usr/share/ssl directory... maybe try re-installing the openssl package, but there definitely should be structure under /usr/share/ssl that's created when installing the package. I verified on a test system that installing the package did in fact create that directory (and a number of others under it)
     
  11. netarus

    netarus Well-Known Member

    Joined:
    Oct 27, 2002
    Messages:
    105
    Likes Received:
    0
    Trophy Points:
    16
    There are two keys under /etc/ssl/private

    ... and that is actually kind of interesting... we are running 64-bit. Is there an issue with 64-bit?

    Chris
     
  12. jrehmer

    jrehmer Well-Known Member

    Joined:
    Apr 10, 2003
    Messages:
    287
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Denver, CO
    I honestly don't know of specific differences, but it would account for why you don't have /usr/share/ssl (the 64-bit version must store it somewhere else). Do a find command to locate the "cert" folder and see what you come up with.
     
  13. Website Rob

    Website Rob Well-Known Member

    Joined:
    Mar 23, 2002
    Messages:
    1,506
    Likes Received:
    0
    Trophy Points:
    36
    Location:
    Alberta, Canada
    cPanel Access Level:
    Root Administrator
    Sometimes that is the best/easiest way. :)

    As SSL certs are somewhat generic in nature, you could do the following.

    On the new Server and for each account that had an SSL Cert, give a Dedicated IP.

    On the old Server, run this command:
    tar zfc ssl_old.tar.gz /usr/share/ssl/

    Transfer the file to new Server and run:
    tar zxf ssl_old.tar.gz -C /

    Then, to make sure things are correct, on the new Server run these commands:
    /usr/local/apache/bin/httpd -t
    - make sure no problems with your httpd file, correct any that show

    service httpd stop
    ... then wait about 5 seconds
    service httpd startssl

    Now check WHM for "List SSL Hosts" and try any of the accounts using an 'https' URL.
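
Added example (not part of any post in this thread): a shell check to run on the new server after the key and certificate files have been copied, confirming that a certificate matches its private key, that the key file is not readable by group or other, and that the certificate has not expired. The function names and return codes are assumptions made for this example, and it needs an `openssl` that has the `pkey` subcommand (1.0.0 or later).

```shell
#!/bin/sh
# Added example: sanity-check a migrated certificate/key pair.
# Return codes (chosen for this example): 0 ok, 1 key does not match cert,
# 2 file unreadable/unparseable, 3 key readable by group/other, 4 cert expired.

pub_from_cert() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }
pub_from_key()  { openssl pkey -in "$1" -pubout 2>/dev/null; }

check_migrated_pair() {
    cert=$1
    key=$2

    # Extract the public key from each file; any parse failure is fatal here,
    # so an empty result can never be mistaken for a match.
    cpub=$(pub_from_cert "$cert") || return 2
    kpub=$(pub_from_key "$key") || return 2
    [ -n "$cpub" ] && [ -n "$kpub" ] || return 2

    # The certificate is only usable with the key whose public half it contains.
    [ "$cpub" = "$kpub" ] || return 1

    # Private keys copied in a tarball or by hand often arrive with loose modes.
    # Characters 5-10 of the ls mode string are the group and other bits.
    mode=$(ls -ldL "$key" | cut -c5-10)
    [ "$mode" = "------" ] || return 3

    # -checkend 0 exits non-zero if the certificate has already expired.
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1 || return 4
    return 0
}

# Usage (paths are placeholders):
#   check_migrated_pair /path/to/domain.crt /path/to/domain.key; echo $?
```

Run it once per certificate before restarting Apache; a return code of 1 means the copied key is not the one the certificate was issued for, which is the case where a reissue is needed.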
     