The Community Forums

Interact with an entire community of cPanel & WHM users!

One IP address, many SSL certificates (SNI not working?)

Discussion in 'General Discussion' started by Mozai, Oct 21, 2014.

  1. Mozai

    Mozai Member

    Joined:
    Oct 21, 2014
    Messages:
    12
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    CENTOS 6.5 - WHM 11.44.1 (build 18), so SNI should be supported.

    I have one domain (account?) but it needs to serve the same content for six different hostnames (let's call them alpha, beta, gamma, delta, epsilon, zeta). DNS for alpha - zeta will all point to the same IP address (A records, not CNAMEs).

    I have six signed SSL certificates, one for each of alpha, beta, ... zeta. I'm told by my ISP that I must use SNI to serve multiple certs on the same IP address, and that WHM can support this. Searching cPanel documentation and official blogs tells me "yes it can be done" but not how.

    What I've done so far:
    - I have one domain (account?) named "hostname.com"
    - I have added six parked domains ("Home » DNS Functions » Park a Domain"), one for each of alpha, beta, ... zeta, all parked on "hostname.com"
    - I go to "Home » SSL/TLS » Install an SSL Certificate on a Domain" where I fill in these fields:
      - domain: alpha
      - ip address: xxx.xxx.xxx.xxx ("shared")
      - certificate, key, and certificate authority bundle are entered and validated by the interface

    If I go to "Home » SSL/TLS » Manage SSL Hosts" I see that the certificate is installed, and the 'domains' field shows all of "hostname.com", "alpha", "beta", ... "zeta". The "Needs SNI?" field says "no" and I don't know how to change this.

    - I go to "Home » SSL/TLS » Install an SSL Certificate on a Domain" where I fill in these fields:
      - domain: beta
      - ip address: xxx.xxx.xxx.xxx ("shared")
      - certificate, key, and certificate authority bundle are entered and validated by the interface

    If I go to "Home » SSL/TLS » Manage SSL Hosts" I see that the certificate for alpha is gone, and now the certificate for beta is, and the 'domains' field shows all of "hostname.com", "alpha", "beta", ... "zeta". The "Needs SNI?" field says "no" and I don't know how to change this.
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,787
    Likes Received:
    665
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello :)

    Parked domains cannot have their own SSL certificates because they do not have their own Virtual Host. However, you could configure the domain names as "Addon Domains" and that will allow them to have their own Virtual Host entry in the Apache configuration file.

    Thank you.
     
  3. Mozai

    Mozai Member

    (forums.cpanel.net was giving me blank pages when I tried to post, and cut off the last part when it finally did)

    My end result should be:
    - https://alpha has a valid SSL cert, on ip address abc.def.fed.cab, and shows the content for ~user1/public_html
    - https://beta has a valid SSL cert, on ip address abc.def.fed.cab, and shows the content for ~user1/public_html
    - https://gamma has a valid SSL cert, on ip address abc.def.fed.cab, and shows the content for ~user1/public_html
    - https://delta has a valid SSL cert, on ip address abc.def.fed.cab, and shows the content for ~user1/public_html
    - https://epsilon has a valid SSL cert, on ip address abc.def.fed.cab, and shows the content for ~user1/public_html
    - https://zeta has a valid SSL cert, on ip address abc.def.fed.cab, and shows the content for ~user1/public_html

    Before someone tells me I'm asking for the wrong thing: this is one website, with multiple languages, and the hostname is different in different languages. The content is translated by the CMS, documents are in one place and use the same pathnames on-disk.
     
  4. Mozai

    Mozai Member

    > you could configure the domain names as "addon Domains"

    According to the cPanel documentation: https://documentation.cpanel.net/display/ALD/Addon+Domains
    > An addon domain allows a new domain name to link to a subdirectory of your account. The system stores the addon domain’s files in a subdirectory of your public_html (Document Root) directory.
    and on the same page near the bottom:
    > The main domain appears in the address bar. (addon domain) yes
    > This type of domain is ideal for multiple domains that share the same address. (addon domain) No

    The content to be served is not in a subdirectory, they're in the same place. All six hostnames with signed SSL certificates must serve the documents in ~user1/public_html.
    I need "alpha", "beta", etc. to appear in the address bar, not "hostname" nor "user1".
    This is explicitly multiple domain-names using the same IP address, which your documentation says is "not ideal."


    Furthermore, the documentation
     
  5. Mozai

    Mozai Member

    I just tried adding an Addon Domain using cPanel for the domain/account, because I wasn't able to find an Addon Domain feature in WHM.

    > Sorry, the domain is already pointed to an IP address that does not appear to use DNS servers associated with this server. Please transfer the domain to this servers nameservers or have your administrator add one of its nameservers to /etc/ips.remotedns and make the proper A entries on that remote nameserver.

    I have to configure this before we launch. But cPanel won't let me configure it until after we launch. So does that mean I can't use addon domains for this? I hope I don't need to resort to editing apache configs by hand, because I'm certain that will cause havoc with cPanel as it and I wrestle for control.
     
  6. Mozai

    Mozai Member

    I wish I could edit previous posts to wipe out mistakes or typos caused by "connection to forms.cpanel.net timed out"

    Found the source of the error in cPanel: I had to
    • return to WHM, go to "Home » Server Configuration » Tweak Settings" and change "Allow Remote Domains [x] On".

    This is weird because (a) there's already an entry in /etc/hosts for the hostname I'm trying to make an addon domain, pointing to this machine, and (b) there is no DNS A record yet for the hostname, so it shouldn't resolve to anybody else's machine even if cPanel ignores /etc/resolv.conf and /etc/hosts for some reason. "Allow unregistered domains [x] On" was already turned on, but I needed to turn on 'allow remote domains' too.

    So I flip those switches in WHM, then
    • go to cPanel to "Domains » Addon Domains",
    • enter the alternate hostname where it asks for a domain name
    • use garbage for username and password
    • leave the "Document Root" as default, because I want it NOT to destroy files that are already there.
    • click "add domain"
    • click "go back"
    • find the new addon domain in the table at the bottom of the page
    • click on the pencil-and-envelope icon in the Document Root column, and change it to '/public_html'.
    • Then go back to WHM, "Home » SSL/TLS » Install an SSL Certificate on a Domain",
    • type in the name of the addon domain,
    • explicitly select the IP address,
    • paste in the site's *.crt file, the *.key file, and the intermediate *.crt.
    • click "install"

    I think I've got it now, but what I've done seems to contradict what I've read in official documentation. It seems Addon Domains *don't* make the main domain appear in the address bar, and *do* work well for multiple domain-names that share the same IP address.
     
  7. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Right, addon domain names should be suitable for your requirements. The primary domain name associated with the account does not appear in the address bar and you can update the document root to the public_html directory itself.

    Thank you.
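
Added example, not part of the thread and not cPanel code: a check for the end result the thread is after, where each hostname sent as the SNI name to the one shared IP gets back a certificate that covers that hostname. The `.example` hostnames, the 192.0.2.10 address, the function names and the stub are assumptions; the stub is a constructed sample modelling the parked-domain state from the first post, where one Virtual Host answers every name with the last certificate installed.

```python
import socket
import ssl

def names_in_cert(cert):
    """DNS names from an ssl.getpeercert() dict (SAN first, CN as fallback)."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def name_matches(pattern, host):
    """Exact match, or a single left-most wildcard label (*.example.com)."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return pattern == host

def fetch_cert(ip, host, port=443, timeout=5):
    """Handshake with `ip`, sending `host` as the SNI name; return the cert dict."""
    ctx = ssl.create_default_context()  # chain is still verified against system CAs
    ctx.check_hostname = False          # name matching is done in audit_sni instead
    with socket.create_connection((ip, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()

def audit_sni(ip, hosts, fetch=fetch_cert):
    """Map each host to (ok, names_served); ok is False when the certificate
    returned for that SNI name does not cover the name."""
    report = {}
    for host in hosts:
        names = names_in_cert(fetch(ip, host))
        report[host] = (any(name_matches(n, host) for n in names), names)
    return report

def parked_stub(ip, host):
    """Constructed sample: one vhost answers every SNI name with beta's cert."""
    return {"subjectAltName": (("DNS", "beta.example"),)}

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 2:   # usage: script.py IP HOST [HOST ...]
        report = audit_sni(sys.argv[1], sys.argv[2:])
    else:                   # offline demo on the constructed stub
        report = audit_sni("192.0.2.10", ["alpha.example", "beta.example"], parked_stub)
    for host, (ok, names) in report.items():
        print(f"{'OK  ' if ok else 'FAIL'} {host}: certificate covers {names}")
```

Because the chain is still verified, a self-signed or incomplete chain raises `ssl.SSLCertVerificationError` from `fetch_cert` rather than being reported as a name mismatch.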
     