please explain what I need a host ssl

phillbooth

Active Member
cPanel Access Level
Root Administrator
Hello, this should be obvious but when you're spending $$$ then it's always good to check.

I need to get an SSL for my server host (server reference).

Currently the URL is in this standard format server.mydomain.com

I need to have an SSL for server wide services such as imap/ftp/pop3 and so on.

so...

1) Would I purchase an SSL for server.mydomain.com or mydomain.com?

and

2) Would this need to be a * wildcard SSL cert?

Thanks
 

cPanelMichael

Administrator
Staff member
Hello :)

Actually, that's not necessarily the correct advice. It's not possible to install service certificates across multiple domain names, so a wildcard SSL certificate is not really going to be helpful. Instead, you should purchase the certificate for the hostname of your server and then install it via:

"WHM Home » Service Configuration » Manage Service SSL Certificates"

Thank you.
 

phillbooth

Currently the VPS has a number of domains running on their own IP with their own standard SSL CA

All I need is a certificate to replace the self signed certificate "WHM Home » Service Configuration » Manage Service SSL Certificates"

So server wide services such as mail pop3 etc can be used with an SSL so that domains using their own SSL but still using server wide services will pass a PCI scan.

For example: TCP/993/imaps failed when scanning a domain with a purchased SSL ... here is the PCI result

Description: SSL Self-Signed Certificate

Synopsis: The SSL certificate chain for this service ends in an unrecognized self-signed certificate.

Impact: The X.509 certificate chain for this service is not signed by a recognized certificate authority. If the remote host is a public host in production, this nullifies the use of SSL as anyone could establish a man-in-the-middle attack against the remote host.

Note that this plugin does not check for certificate chains that end in a certificate that is not self-signed, but is signed by an unrecognized certificate authority.

Data Received: The following certificate was found at the top of the certificate chain sent by the remote host, but is self-signed and was not found in the list of known certificate authorities :

|-Subject : C=US/ST=Unknown/L=Unknown/O=Unknown/OU=Unknown/CN=server.mydomain.com/[email protected]

Resolution: Purchase or generate a proper certificate for this service.

Risk Factor: Medium/ CVSS2 Base Score: 6.4



This is why I need an SSL for the host.

Does a standard SSL fix this problem or do I need a more expensive wildcard SSL?
 

phillbooth

Right ok so I do not need a *.mydomain.com cert.

Just to refine what I am looking for: the VPS server has multiple domains, all with their own SSL and IP addresses. I am looking for a certificate that will change the self signed cert in "WHM Home » Service Configuration » Manage Service SSL Certificates" to one that will pass a PCI scan for services such as IMAP etc.

Here is an example:

TCP/143/imap failed PCI scan for a domain/website using purchased SSL on the server: the result...

(assuming this TCP/143/imap is a server wide service)

Description: SSL Certificate Cannot Be Trusted

Synopsis: The SSL certificate for this service cannot be trusted.

Impact: The server's X.509 certificate does not have a signature from a known public certificate authority. This situation can occur in three different ways, each of which results in a break in the chain below which certificates cannot be trusted.

First, the top of the certificate chain sent by the server might not be descended from a known public certificate authority. This can occur either when the top of the chain is an unrecognized, self-signed certificate, or when intermediate certificates are missing that would connect the top of the certificate chain to a known public certificate authority.

Second, the certificate chain may contain a certificate that is not valid at the time of the scan. This can occur either when the scan occurs before one of the certificate's 'notBefore' dates, or after one of the certificate's 'notAfter' dates.

Third, the certificate chain may contain a signature that either didn't match the certificate's information, or could not be verified. Bad signatures can be fixed by getting the certificate with the bad signature to be re-signed by its issuer. Signatures that could not be verified are the result of the certificate's issuer using a signing algorithm that SecurityMetrics either does not support or does not recognize.

If the remote host is a public host in production, any break in the chain nullifies the use of SSL as anyone could establish a man-in-the-middle attack against the remote host.

Data Received: The following certificate was at the top of the certificate chain sent by the remote host, but is signed by an unknown certificate authority :

|-Subject : C=US/ST=Unknown/L=Unknown/O=Unknown/OU=Unknown/CN=server.mydomain.com/[email protected]

|-Issuer : C=US/ST=Unknown/L=Unknown/O=Unknown/OU=Unknown/CN=server.mydomain.com/[email protected]

Resolution: Purchase or generate a proper certificate for this service.

Risk Factor: Medium/ CVSS2 Base Score: 6.4
 

cPanelMichael

Yes, you simply need a certificate installed for the services that is not self-signed. It does not have to be a wildcard certificate.

Thank you.
 

RyanH

Registered
cPanel Access Level
Root Administrator
Was this problem ever resolved successfully? I have the same issue. I've installed a certificate for the host in the form of server.domain.com but now receive the following failure:

Description: SSL Certificate with Wrong Hostname

Synopsis: The SSL certificate for this service is for a different host.

Impact: The commonName (CN) of the SSL certificate presented on this service is for a different machine.

Data Received: The identities known by SecurityMetrics are :

hosted.com mail.hosted.com webmail.hosted.com

The Common Name in the certificate is :

server.domain.com

The Subject Alternate Names in the certificate are :

server.domain.com www.server.domain.com

Resolution: Purchase or generate a proper certificate for this service.

Risk Factor: Medium/ CVSS2 Base Score: 5.0

AV:N/AC:L/Au:N/C:N/I:P/A:N

Any suggestions?
 

cPanelMichael

Is it a certificate that you purchased from a commercial SSL provider and installed for your services via "WHM Home » Service Configuration » Manage Service SSL Certificates"?

Thank you.
 

quizknows

Well-Known Member
cPanel Access Level
DataCenter Provider
The hostname mismatch is a pain. I see these all the time.

Basically I'm assuming this is your situation, as it's what I see a lot:

Your server is host.yourcompany.com, and you're scanning customerdomain.com or otherdomain.com that is a different domain than your hostname's domain.

What happens is the e-mail, ftp, etc services (everything but apache) use the hostname SSL, whereas the site itself via Apache uses its own SSL. The PCI scanner is flagging you because the hostname SSL is a different domain name than the website SSL on the same IP address.

As far as I know there is no real fix for this, since you can't have IP specific SSL's for e-mail, ftp, etc. Someone correct me if I'm wrong. You have to appeal it to state those services operate under the hostname which uses a different domain name than the site itself.
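The mismatch described in the post above, together with the self-signed finding from earlier in the thread, can be reproduced offline. This is an added example, not part of the thread and not cPanel or scanner code; the certificates are constructed dicts in the shape returned by Python's `ssl.SSLSocket.getpeercert()`, and the helper names and the "Constructed Test CA" issuer are assumptions made for illustration.

```python
# Added example (not cPanel or scanner code). Certificates are dicts in the
# shape returned by ssl.SSLSocket.getpeercert(); every value is constructed.

def rdn_value(name, key):
    """First value of `key` (e.g. 'commonName') in a subject/issuer tuple."""
    return next((v for rdn in name for k, v in rdn if k == key), None)

def cert_names(cert):
    """DNS names the certificate covers: its SANs, else the subject CN."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    cn = rdn_value(cert["subject"], "commonName")
    return sans or ([cn] if cn else [])

def name_matches(pattern, host):
    """Exact match, or a left-most '*' label standing for exactly one label."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*" and len(p) > 2:
        return p[1:] == h[1:]
    return p == h

def scan_findings(cert, scanned_names):
    """Report the two conditions flagged in the thread for one service cert."""
    names = cert_names(cert)
    return {
        # Heuristic: subject equals issuer. The signature is not verified here.
        "self_signed": cert["subject"] == cert["issuer"],
        # Scanned identities that no name in the certificate covers.
        "uncovered": [h for h in scanned_names
                      if not any(name_matches(n, h) for n in names)],
    }

def make_cert(cn, issuer_cn, sans=()):
    """Build a constructed certificate dict for the demonstration."""
    return {"subject": ((("commonName", cn),),),
            "issuer": ((("commonName", issuer_cn),),),
            "subjectAltName": tuple(("DNS", s) for s in sans)}

HOSTED = ["hosted.com", "mail.hosted.com", "webmail.hosted.com"]
SELF_SIGNED = make_cert("server.mydomain.com", "server.mydomain.com")
HOST_CERT = make_cert("server.domain.com", "Constructed Test CA",
                      ["server.domain.com", "www.server.domain.com"])
WILDCARD = make_cert("*.domain.com", "Constructed Test CA", ["*.domain.com"])

if __name__ == "__main__":
    print(scan_findings(SELF_SIGNED, ["server.mydomain.com"]))
    print(scan_findings(HOST_CERT, HOSTED))
    print(scan_findings(WILDCARD, HOSTED + ["server.domain.com"]))
```

The third case shows that a wildcard for the hostname's domain still leaves every name under the customer's domain uncovered.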
 

RyanH

Thanks for the replies everyone.

> The hostname mismatch is a pain. I see these all the time.
>
> Basically I'm assuming this is your situation, as it's what I see a lot:
>
> Your server is host.yourcompany.com, and you're scanning customerdomain.com or otherdomain.com that is a different domain than your hostname's domain.

You're absolutely right on the setup though the "otherdomain.com" site does have its own IP in this case. Will that help at all?
 

cPanelMichael

> You're absolutely right on the setup though the "otherdomain.com" site does have its own IP in this case. Will that help at all?

No, it's not possible to have per-domain SSL certificates for services such as cPanel/WHM at this time.

Thank you.