Problems with SSL Cert

Discussion in 'Security' started by Chriz1977, Feb 4, 2010.

  1. Chriz1977

    Hi

    I'm having problems installing my SSL cert that I purchased from GoDaddy.

    The problem is this. I have installed it with no problem and it's showing as NOT self signed; however, when anyone logs into WHM/cPanel it says it's untrusted.

    I set up the domain as xxx.com but the server name is server.xxx.com. Should I have set up the cert for server.xxx.com? It's not a wildcard SSL cert so I was worried that using server.xxx.com might cause problems. Have I got this backwards by any chance?

    Also, how should I set up the WHM Tweak Settings option "When visiting /cpanel or /whm or /webmail with SSL, you can choose to redirect to:" SSL Certificate Name, Hostname or Origin Domain Name?

    Another thing: if I use server.xxx.com, can I install the cert for FTP, SMTP, POP3, etc.? The mail server uses mail.xxx.com and the FTP uses ftp.xxx.com, so would this cause a problem? Should I use a self-signed SSL cert for those services?

    Any help would be appreciated.

    Cheers
    Chriz
     
    #1 Chriz1977, Feb 4, 2010
    Last edited: Feb 4, 2010
  2. mtindor

    1. If your server's primary IP address is associated with server.domain.com, then yes you want a certificate cut specifically for server.domain.com... or at least that is how I prefer it.

    2. Tweak Settings

    I prefer to have all non-SSL requests directed to the CA-signed certificate associated with the hostname of the server.

    Example: My server's primary hostname is server.domain.com. I purchased a certificate from a CA (Geotrust, etc.) for server.domain.com. If my users go to http://www.theirdomain.com/cpanel (or /whm or /webmail) I want them to be redirected to https://server.domain.com:20xx (the SSL port for that service on the primary hostname, so they get a CA-signed certificate and do not get certificate warnings). If my users decide to go to http://server.domain.com/cpanel (i.e. the primary hostname but with no SSL) I also want them redirected to https://server.domain.com:20xx for the particular service.

    Under Security:

    "Require SSL for all remote logins to cPanel, WHM and Webmail. This setting is recommended."
    - checkmark this

    Under Redirection:

    Always redirect users to the ssl/tls ports when visiting /cpanel, /webmail, etc.
    - checkmark this

    When visiting /cpanel or /whm or /webmail WITHOUT SSL, you can choose to redirect to:
    - select Hostname

    When visiting /cpanel or /whm or /webmail with SSL, you can choose to redirect to:
    - select SSL Certificate Name

    3. I can't comment with regard to SSL on mail.*, ftp.* other than to say that a certificate for server.domain.com would not be valid for ftp.* or mail.* but certainly would be usable. The client would have to accept that certificate regardless of warnings.

    4. Certainly you can use self-signed certificates for any/all services. It all depends on whether or not you want the clients who access the site to be presented with warnings because the certificate on the server is self-signed. Certainly nothing wrong with that for services such as IMAP / SMTP / FTP. But for /whm, /cpanel and /webmail I think you may prefer to have a signed certificate. However, if you aren't forcing your customers to redirect to the SSL ports, then they will rarely think to use the SSL ports -- and when they do they probably won't care that it is a self-signed certificate. If you ARE forcing your customers to visit the SSL ports for webmail, WHM and cPanel, then I'd certainly recommend having a signed certificate for that at the very least.

    Mike
     
  3. cPanelDon

    I concur with what mtindor has posted; following the suggestions regarding redirection options in WHM Tweak Settings, clients could simply use the available redirects to be forwarded to the server hostname with SSL/https included, and provided the installed SSL certificate is properly signed and trusted, there should be no SSL-related warnings.

    If a user does not use the available redirects and instead attempts to access cPanel directly via SSL/https while specifying the appropriate port number (e.g., 2083, 2087, 2096), if the domain entered does not match the SSL certificate then the user's browser may display a warning indicating it is not "trusted" because of a domain name mismatch; this is normal and to be expected in this specific situation. For this scenario I recommend advising users they may either manually trust the certificate in their browser configuration (or other configurations for mail and FTP client applications) or that they may also use the server hostname to avoid SSL-related warnings (assuming the installed SSL certificate is properly signed and trusted). The following are a few example URLs in reference to accessing cPanel, WHM, and Webmail, via SSL (with the applicable port numbers):
    Code:
    https://server:2083/
    https://server:2087/
    https://server:2096/
     
  4. devbau.com

    Please note, you have to install your certs for the services too:

    Service Configuration > Manage Service SSL Certificates
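
The name-mismatch warnings discussed in this thread come from the client comparing the hostname it connected to against the names listed in the certificate. The following is an added example, not code from any poster or from cPanel: a simplified form of that matching rule (RFC 6125 style, whole-label wildcards only), run over the thread's hostnames with example.com standing in for xxx.com. All function names and the sample data are constructed for illustration.

```python
# Added example: simplified RFC 6125 hostname matching, the check a browser
# or mail/FTP client applies to the names listed in a certificate.
# Partial wildcards such as "w*.example.com" are not handled here.

def name_matches(pattern: str, host: str) -> bool:
    """Return True if one certificate name (pattern) covers host."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        # A wildcard stands for exactly one label, so label counts must agree.
        return False
    if p[0] == "*":
        # Wildcard only as the left-most label, and only with at least
        # two fixed labels after it (so "*.com" is never accepted).
        return len(p) >= 3 and h[0] != "" and p[1:] == h[1:]
    return p == h


def cert_covers(cert_names, host):
    """True if any name in the certificate covers the host."""
    return any(name_matches(n, host) for n in cert_names)


def report(cert_names, endpoints):
    """Map each service hostname to True (no warning) or False (mismatch)."""
    return {host: cert_covers(cert_names, host) for host in endpoints}


# Constructed sample data: the thread's hostnames, example.com in place of xxx.com.
ENDPOINTS = ["example.com", "server.example.com",
             "mail.example.com", "ftp.example.com"]
CERTS = {
    "single-name cert for example.com": ["example.com"],
    "single-name cert for server.example.com": ["server.example.com"],
    "wildcard cert": ["*.example.com"],
    "wildcard plus apex": ["*.example.com", "example.com"],
}

if __name__ == "__main__":
    for label, names in CERTS.items():
        print(label)
        for host, ok in report(names, ENDPOINTS).items():
            print(f"  {host:22} {'ok' if ok else 'NAME MISMATCH'}")
```

A name match is only one of the checks a client performs; the certificate must also chain to a CA the client trusts, which this sketch does not model.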
     