The Community Forums

Interact with an entire community of cPanel & WHM users!

please explain what I need a host ssl

Discussion in 'Security' started by phillbooth, Sep 16, 2013.

  1. phillbooth

    phillbooth Active Member

    Joined:
    Sep 9, 2013
    Messages:
    33
    Likes Received:
    1
    Trophy Points:
    8
    cPanel Access Level:
    Root Administrator
    Hello, this should be obvious but when you're spending $$$ then it's always good to check.

    I need to get an SSL for my server host (server reference).

    Currently the URL is in this standard format server.mydomain.com

    I need to have an SSL for server wide services such as imap/ftp/pop3 and so on.

    so...

    1) Would I purchase an SSL for server.mydomain.com or mydomain.com?

    and

    2) Would this need to be a * wildcard SSL cert?

    Thanks
     
  2. 24x7server

    24x7server Well-Known Member

    Joined:
    Apr 17, 2013
    Messages:
    1,146
    Likes Received:
    34
    Trophy Points:
    48
    Location:
    India
    cPanel Access Level:
    Root Administrator
    Hello,

    I will suggest you purchase a wildcard SSL for your *.mydomain.com so that you can use that SSL for all your sub-domains and your services.
     
  3. phillbooth

    phillbooth Active Member

    Thanks, perfect answer
     
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,678
    Likes Received:
    653
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello :)

    Actually, that's not necessarily the correct advice. It's not possible to install service certificates across multiple domain names, so a wildcard SSL certificate is not really going to be helpful. Instead, you should purchase the certificate for the hostname of your server and then install it via:

    "WHM Home » Service Configuration » Manage Service SSL Certificates"

    Thank you.
     
  5. phillbooth

    phillbooth Active Member

    Currently the VPS has a number of domains running on their own IP with their own standard SSL CA

    All I need is a certificate to replace the self signed certificate "WHM Home » Service Configuration » Manage Service SSL Certificates"

    So server wide services such as mail pop3 etc can be used with an SSL so that domains using their own SSL but still using server wide services will pass a PCI scan.

    For example: TCP/993/imaps failed when scanning a domain with a purchased SSL ... here is the PCI result

    Description: SSL Self-Signed Certificate

    Synopsis: The SSL certificate chain for this service ends in an unrecognized self-signed certificate.

    Impact: The X.509 certificate chain for this service is not signed by a recognized certificate authority. If the remote host is a public host in production, this nullifies the use of SSL as anyone could establish a man-in-the-middle attack against the remote host.

    Note that this plugin does not check for certificate chains that end in a certificate that is not self-signed, but is signed by an unrecognized certificate authority.

    Data Received: The following certificate was found at the top of the certificate chain sent by the remote host, but is self-signed and was not found in the list of known certificate authorities :

    |-Subject : C=US/ST=Unknown/L=Unknown/O=Unknown/OU=Unknown/CN=server.mydomain.com/E=ssl@server.mydomain.com

    Resolution: Purchase or generate a proper certificate for this service.

    Risk Factor: Medium/ CVSS2 Base Score: 6.4



    This is why I need an SSL for the host.

    Does a standard SSL fix this problem or do I need a more expensive wildcard SSL?
     
  6. phillbooth

    phillbooth Active Member

    Right ok so I do not need a *.mydomain.com cert.

    Just to refine what I am looking for: the VPS server has multiple domains all with their own SSL and IP addresses. I am looking for a Certificate that will change the self signed cert in "WHM Home » Service Configuration » Manage Service SSL Certificates" to one that will pass a PCI scan for services such as IMAP etc.

    Here is an example:

    TCP/143/imap failed PCI scan for a domain/website using purchased SSL on the server: the result...

    (assuming this TCP/143/imap is a server wide service)

    Description: SSL Certificate Cannot Be Trusted

    Synopsis: The SSL certificate for this service cannot be trusted.

    Impact: The server's X.509 certificate does not have a signature from a known public certificate authority. This situation can occur in three different ways, each of which results in a break in the chain below which certificates cannot be trusted.

    First, the top of the certificate chain sent by the server might not be descended from a known public certificate authority. This can occur either when the top of the chain is an unrecognized, self-signed certificate, or when intermediate certificates are missing that would connect the top of the certificate chain to a known public certificate authority.

    Second, the certificate chain may contain a certificate that is not valid at the time of the scan. This can occur either when the scan occurs before one of the certificate's 'notBefore' dates, or after one of the certificate's 'notAfter' dates.

    Third, the certificate chain may contain a signature that either didn't match the certificate's information, or could not be verified. Bad signatures can be fixed by getting the certificate with the bad signature to be re-signed by its issuer. Signatures that could not be verified are the result of the certificate's issuer using a signing algorithm that SecurityMetrics either does not support or does not recognize.

    If the remote host is a public host in production, any break in the chain nullifies the use of SSL as anyone could establish a man-in-the-middle attack against the remote host.

    Data Received: The following certificate was at the top of the certificate chain sent by the remote host, but is signed by an unknown certificate authority :

    |-Subject : C=US/ST=Unknown/L=Unknown/O=Unknown/OU=Unknown/CN=server.mydomain.com/E=ssl@server.mydomain.com

    |-Issuer : C=US/ST=Unknown/L=Unknown/O=Unknown/OU=Unknown/CN=server.mydomain.com/E=ssl@server.mydomain.com

    Resolution: Purchase or generate a proper certificate for this service.

    Risk Factor: Medium/ CVSS2 Base Score: 6.4
     
    #6 phillbooth, Sep 17, 2013
    Last edited: Sep 17, 2013
  7. phillbooth

    phillbooth Active Member

    sorry double post
     
  8. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Yes, you simply need a certificate installed for the services that is not self-signed. It does not have to be a wildcard certificate.

    Thank you.
     
  9. RyanH

    RyanH Registered

    Joined:
    Feb 25, 2014
    Messages:
    4
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    Was this problem ever resolved successfully? I have the same issue. I've installed a certificate for the host in the form of server.domain.com but now receive the following failure:

    Description: SSL Certificate with Wrong Hostname

    Synopsis: The SSL certificate for this service is for a different host.

    Impact: The commonName (CN) of the SSL certificate presented on this service is for a different machine.

    Data Received: The identities known by SecurityMetrics are :

    hosted.com mail.hosted.com webmail.hosted.com

    The Common Name in the certificate is :

    server.domain.com

    The Subject Alternate Names in the certificate are :

    server.domain.com www.server.domain.com

    Resolution: Purchase or generate a proper certificate for this service.

    Risk Factor: Medium/ CVSS2 Base Score: 5.0

    AV:N/AC:L/Au:N/C:N/I:P/A:N

    Any suggestions?
     
  10. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Is it a certificate that you purchased from a commercial SSL provider and installed for your services via "WHM Home » Service Configuration » Manage Service SSL Certificates"?

    Thank you.
     
  11. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    940
    Likes Received:
    55
    Trophy Points:
    28
    cPanel Access Level:
    DataCenter Provider
    The hostname mismatch is a pain. I see these all the time.

    Basically I'm assuming this is your situation, as it's what I see a lot:

    Your server is host.yourcompany.com, and you're scanning customerdomain.com or otherdomain.com that is a different domain than your hostname's domain.

    What happens is the e-mail, ftp, etc services (everything but apache) use the hostname SSL, whereas the site itself via Apache uses its own SSL. The PCI scanner is flagging you because the hostname SSL is a different domain name than the website SSL on the same IP address.

    As far as I know there is no real fix for this, since you can't have IP specific SSLs for e-mail, ftp, etc. Someone correct me if I'm wrong. You have to appeal it to state those services operate under the hostname which uses a different domain name than the site itself.
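
The findings quoted in the posts above, as an added example that is not part of the original thread or any scanner's code: a simplified model of the self-signed and wrong-hostname checks, run over certificate fields constructed from the names shown in the posts. `Example Public CA` and the function names are assumptions.

```python
# Added example: a simplified model of the scanner findings quoted in this thread.
# Certificate fields are constructed from names in the posts; "Example Public CA"
# and all function names are assumptions, not any scanner's real logic.

def name_matches(pattern, host):
    """Certificate name vs. host: '*' stands for exactly one leftmost label."""
    p, h = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not p.startswith("*."):
        return p == h
    head, _, rest = h.partition(".")
    return bool(head) and rest == p[2:]

def scan_findings(cert, scanned_as, trusted_issuers):
    """Return the findings a chain/hostname check would raise for one service."""
    findings = []
    if cert["subject"] == cert["issuer"]:
        findings.append("self-signed")
    elif cert["issuer"] not in trusted_issuers:
        findings.append("untrusted-issuer")
    # Subject Alternative Names take precedence; fall back to the CN without them.
    names = cert["san"] or [cert["cn"]]
    unmatched = [h for h in scanned_as
                 if not any(name_matches(n, h) for n in names)]
    if unmatched:
        findings.append("wrong-hostname: " + ", ".join(unmatched))
    return findings

TRUSTED = {"CN=Example Public CA"}  # constructed stand-in for a public CA
SELF_SIGNED = {"subject": "CN=server.mydomain.com", "issuer": "CN=server.mydomain.com",
               "cn": "server.mydomain.com", "san": []}
HOSTNAME_CERT = {"subject": "CN=server.domain.com", "issuer": "CN=Example Public CA",
                 "cn": "server.domain.com",
                 "san": ["server.domain.com", "www.server.domain.com"]}
WILDCARD = {"subject": "CN=*.mydomain.com", "issuer": "CN=Example Public CA",
            "cn": "*.mydomain.com", "san": ["*.mydomain.com"]}
SITE_NAMES = ["hosted.com", "mail.hosted.com", "webmail.hosted.com"]

if __name__ == "__main__":
    print(scan_findings(SELF_SIGNED, ["server.mydomain.com"], TRUSTED))
    print(scan_findings(HOSTNAME_CERT, ["server.domain.com"], TRUSTED))
    print(scan_findings(HOSTNAME_CERT, SITE_NAMES, TRUSTED))
    print(scan_findings(WILDCARD, SITE_NAMES, TRUSTED))
```

In this model the CA-signed hostname certificate clears the self-signed finding, while a scan keyed to the hosted site's own names still reports a mismatch, and a wildcard for the hostname's domain does not change that.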
     
  12. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

  13. RyanH

    RyanH Registered

    Thanks for the replies everyone.

    You're absolutely right on the setup though the "otherdomain.com" site does have its own IP in this case. Will that help at all?
     
  14. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    No, it's not possible to have per-domain SSL certificates for services such as cPanel/WHM at this time.

    Thank you.
     
  15. RyanH

    RyanH Registered
