n00b question about free certs

Graham Bentley

Registered
Feb 27, 2022
3
1
3
UK
cPanel Access Level
Website Owner
Hi, I hope it's ok to post generalised newbie type questions here?

I recently moved web hosts for a client. The existing and new hosts are both cPanel. One of the reasons for the move was price, the other was the offer of free SSL certs (Oh, and cPanel of course!). Once I actually got moved, the new host said that it's not possible to use free SSL certs on accounts where the A record points elsewhere [the client is using their webdevs' servers for the actual site].

From what I understand [not much] the free certs *have to exist* on the destination http server regardless if referenced by IP or domain name? OK fair enough the webdevs would have to install on their server, yes?

But that got me thinking. Previous to the move we paid the existing host for a 'commercial' cert and I have no recollection of ever contacting the client's webdevs about it. In addition I still have access to the old cPanel as it hasn't expired yet, and can see the full details of the commercial cert inc 'CABUNDLE' etc.

As I have actually moved hosts - how is the resolved website site still referencing the 'old' commercial certificate? Is it stored on a third party cert auth servers? I tried deleting from the browser's cert store but on refresh it still references the commercial cert?

I also checked the cPanel on the new host in SECURITY > SSL/TLS and can see details of the commercial cert. How did they get there?

Trying to round this up;

1) Does any method of certification [free or otherwise] absolutely require that certs reside on the destination http server?
2) Are there any automated processes that cPanel imports valid certs from cert authorities?

Thanks for any comments, insights, links to dummies guides or RTFM's
 

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
10,360
1,627
363
cPanel Access Level
Root Administrator
Hey there! The SSL certificate itself needs to be on the server that is serving the web content. There is an entry in the Apache configuration specifying where the certificate is located.

If the site was migrated from serverA to serverB it's possible the certificate files were moved as well.

There wouldn't be a tool that pulls the SSL from the wild - you have to have the private key as well in order for the SSL to work, and that is only stored on the local server.
 

Graham Bentley

Thanks, that explains it, mostly. I just don't know how the new host imported the private cert from the old host? Perhaps there is a standard protocol between web hosts that they agree to?
 

Graham Bentley

Finally found what was throwing me off the scent on this. When I moved hosts last time I was a bit impatient waiting for DNS propagation so I added the new host's IP and the FQDN into /etc/hosts so my machine would resolve to the new host and not the old one.

Unknown to me [it's been a long time!] this was still present on my machine so even though I had done everything correctly I was seeing the site still as it was, and of course the existing certificate in place!

I did not realise this until I told the old host they were free to delete the service! I also did not realise that the IP for the A record was not actually pointing at the WebDevs' servers but was actually on the old host! So essentially the website disappeared!!!

Then WebDevs told me they no longer maintained the site and did not have backups - Aggh!

Fortunately the old hosts were good enough to restore the service from backup otherwise my life would have been over lol!

So I wasted a few hours downloading then uploading the website and same with the SQL schema etc

In the end I got it all back working with the new host and with the SSL Now cert.

The lesson: check, check and double check. Make notes with dates. Make backups. Never ever do anything in a hurry!
 
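A check for the leftover /etc/hosts entry described in the last post, as an added example that is not part of the original thread. The function names and the sample hosts file are constructed for illustration; the public DNS answers are passed in by the caller (for example from `dig +short`), because the system resolver itself consults /etc/hosts and would simply echo the override back.

```python
import ipaddress

# Constructed sample hosts file (documentation-range addresses, example names).
SAMPLE_HOSTS = """\
127.0.0.1   localhost
::1         localhost ip6-localhost
# 203.0.113.10 www.example.com   <- commented out, ignored
198.51.100.7  www.example.com example.com   # added during migration
198.51.100.7  MAIL.example.com
not-an-ip     www.example.com
"""

def hosts_overrides(hosts_text, fqdn):
    """Return [(line_no, ip)] for every active hosts entry that pins fqdn."""
    want = fqdn.rstrip(".").lower()
    hits = []
    for line_no, raw in enumerate(hosts_text.splitlines(), start=1):
        # Drop trailing comments, then split into address + names/aliases.
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            # Strip an IPv6 zone id (fe80::1%eth0) before validating.
            ip = ipaddress.ip_address(fields[0].split("%", 1)[0])
        except ValueError:
            continue  # malformed address: not a usable entry
        names = {n.rstrip(".").lower() for n in fields[1:]}
        if want in names:
            hits.append((line_no, str(ip)))
    return hits

def stale_overrides(hosts_text, fqdn, dns_addresses):
    """Overrides whose IP is not among the addresses public DNS returns."""
    public = {str(ipaddress.ip_address(a)) for a in dns_addresses}
    return [(n, ip) for n, ip in hosts_overrides(hosts_text, fqdn)
            if ip not in public]

if __name__ == "__main__":
    import sys
    name = sys.argv[1] if len(sys.argv) > 1 else "www.example.com"
    with open("/etc/hosts", encoding="utf-8", errors="replace") as fh:
        for line_no, ip in hosts_overrides(fh.read(), name):
            print(f"/etc/hosts:{line_no} pins {name} to {ip}")
```

Any line it reports means the browser on that machine is talking to the pinned address, and seeing whatever certificate that server presents, regardless of where the A record points.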