Self Signed Shared SSL in WHM

Discussion in 'General Discussion' started by nickelfault, Apr 25, 2012.

  1. nickelfault

    nickelfault Member

    New to the forums :) I've searched high and low for an answer to my question but so far haven't turned up any results, so I'm hoping someone here may be able to shed some light on my situation.

    I have a VPS that currently uses WHM + cPanel. I am the only user on my VPS, however I have multiple domains set up on one account. The other day I generated a self-signed certificate to use on a shared hosting package. WHM forced me to enter 'nobody' as the user for the cert or it wouldn't allow me to install it.

    I currently use SuExec so that Apache runs as my main user account for all my websites. This works great, except that now, if I try to access my site over HTTPS, Apache runs as the user 'nobody' - which in turn is giving me permission errors. It still runs as the correct user when accessing my sites over HTTP.

    Is it possible to either change the username that Apache is running as over HTTPS, or somehow force a username when installing the certificate?

    I've tried entering my username and get the following:

    Since I'm the only person on my VPS, there isn't any security concern as my sites run as the same user anyway. Is there any way to force the user Apache is running as, or is SuExec just not doing its job when using HTTPS?

    Thank you in advance for any help!

    Jordan
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello :)

    The best solution to this problem is to obtain a dedicated IP address for any account that you plan to install a SSL Certificate on. If you are unable to obtain a dedicated IP address, you can install one certificate under the "nobody" username. The following thread includes steps to take to ensure there are no errors when using suPHP and a shared certificate:

    suPHP and SSL Certificate under "nobody" user

    Thank you.
     
  3. nickelfault

    nickelfault Member

    Thanks for the quick reply Michael ;)

    I know that getting a dedicated IP address is one way around the issue (and I do have one free IP), but ideally I'd like to get this set up without having to move the site to a dedicated IP (would be a major headache as this is the main account on this shared IP). Also, I don't use suPHP because I am using APC.

    If there's no other way around it, however, I guess I'll have no choice though. Is it possible to move the main account on a shared hosting package to its own dedicated IP and still keep the same cPanel so that all the sites run as the same user?
     
  4. NetMantis

    NetMantis BANNED

    Nickelfault, your posts have a lot of different issues but hopefully this will help! :)

    First off, installing SSL for WHM is not installing SSL for your websites. That is all entirely different.

    You can set up a self signed certificate for WHM if you want and use port 2087 to access WHM with SSL. As you are the only user of your server from an admin perspective, I really see no reason in obtaining a signed certificate just for WHM or Cpanel access. That would be a bit pointless in your case since you can just tell your computer at home to allow the self signed certificate and your web browser will never bother you again.

    Now let's talk about website SSL ...

    For your websites, any site that you want to have SSL encryption, you will need that site to have its own dedicated IP address and you cannot have the site on the main server shared IP address (usually the first IP address on your server).

    You can only have one single domain with SSL per unique IP address.

    The steps are basically the same whether you use self-signed SSL or signed and verified SSL:
    Code:
    1.   You would make sure the website has its own unique IP address that is not the server main shared IP
    
          *** ANY SITE WITH SSL MUST HAVE A UNIQUE DEDICATED (NOT SHARED) IP ADDRESS ***
    
    2.   In Cpanel, you would set up a 2,048 bit encryption key for the domain
    3.   You would generate a self signed certificate using the key from step #2 above
    
    If you were to change the self-signed to a full signed certificate then,
    
    4.   You would generate a CSR request and send that information to the certificate provider
    5.   The certificate provider would send you back an updated signed certificate.
    6.   You would go into the certificate installer in cpanel and replace your self signed certificate with the one provided
    
    That is really all there is to it as far as setting up SSL encryption goes!

    If you use self-signed, you will still have strong encryption but visitors' web browsers are going to continue to pop up an alert telling them that your certificate is self signed and cannot be verified.

    These days obtaining full signed certificates is very inexpensive and for websites themselves, I would usually recommend that you go ahead and get a signed certificate. For WHM/Cpanel however, I really don't see the need or point and a self-signed certificate should be sufficient in most cases.

    Running SuPHP by itself gives faster performance than running mod_php with APC.

    There is also the side footnote that mod_php is very dangerous security wise and generally speaking should be avoided at all costs.

    If you are stuck on running caching accelerators (not really advised on a VPS because of limited resources) then I would recommend looking at running FCGI but either way though definitely avoid using mod_php.

    That question does not really make any sense and I don't follow what you are asking.

    Cpanel works on every IP and every domain on your server and you can use any for access. It does not really matter what URL you use to access Cpanel or WHM as long as it is attached to your server, it will work just the same. Doesn't matter if using different IPs.

    What exactly do you mean by "all the sites run as the same user"?

    Running all your sites under the same username 'nobody', if that is what you are talking about, is actually something you would want to avoid, not the other way around.
     
    #4 NetMantis, Apr 25, 2012
    Last edited: Apr 25, 2012
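
Steps 2 to 4 of the list in post #4 as they look on the openssl command line, followed by the key/certificate match check worth running before any certificate is installed or replaced (step 6). This is an added example, not part of the original posts and not cPanel's own tooling; the host name www.example.test and the file names are placeholders.

```shell
#!/bin/sh
# Added example: key -> self-signed certificate -> CSR, then sanity checks.

make_tls_material() (   # $1 = output directory, $2 = common name (placeholder host)
    umask 077           # keep the private key unreadable to other accounts
    # Step 2: 2,048-bit RSA private key
    openssl genrsa -out "$1/site.key" 2048 2>/dev/null || exit 1
    # Step 3: self-signed certificate made from that key, valid 365 days
    openssl req -new -x509 -key "$1/site.key" -days 365 \
        -subj "/CN=$2" -out "$1/site.crt" || exit 1
    # Step 4: CSR from the same key, for sending to a certificate provider
    openssl req -new -key "$1/site.key" -subj "/CN=$2" -out "$1/site.csr"
)

# SHA-256 of the public key carried by a key, certificate or CSR.
# All three must agree, otherwise the web server is handed a mismatched pair.
pubkey_digest() {       # $1 = key|crt|csr, $2 = file
    case "$1" in
        key) openssl pkey -in "$2" -pubout ;;
        crt) openssl x509 -in "$2" -noout -pubkey ;;
        csr) openssl req  -in "$2" -noout -pubkey ;;
    esac | openssl sha256 | awk '{print $NF}'
}

# True when issuer and subject are the same name and the certificate's
# signature verifies against its own public key.
is_self_signed() {      # $1 = certificate file
    [ "$(openssl x509 -in "$1" -noout -subject_hash)" = \
      "$(openssl x509 -in "$1" -noout -issuer_hash)" ] &&
        openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# Demo run in a throw-away directory.
demo=$(mktemp -d)
make_tls_material "$demo" "www.example.test"
echo "key: $(pubkey_digest key "$demo/site.key")"
echo "crt: $(pubkey_digest crt "$demo/site.crt")"
echo "csr: $(pubkey_digest csr "$demo/site.csr")"
if is_self_signed "$demo/site.crt"; then
    echo "site.crt is self-signed: browsers will warn until it is replaced"
fi
rm -rf "$demo"
```

When the provider returns the signed certificate, `pubkey_digest crt` on it should still equal the digest of `site.key`, while `is_self_signed` should then fail.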
  5. nickelfault

    nickelfault Member

    Thanks for the reply NetMantis. The certificate isn't FOR WHM, I was just installing it in WHM (was I doing it wrong?). SSL is working perfectly except that Apache is running as 'nobody' and I get (write) permissions errors :( Other than that I am able to browse to my site over HTTPS and use it without issue.

    It's sounding like I'm going to have to move the site and all subdomains to a dedicated IP, but it seems like it's going to be a huge headache to create a new package and get everything moved over. I'm not even sure how to do that since on the shared package my domain is the main domain.

    If only I could change that 'nobody' user it would be much easier!
     
  6. NetMantis

    NetMantis BANNED

    Not a huge headache. It's ridiculously simple to set all that up!

    You are talking about like 5 seconds work! :)

    As far as "nobody" goes, you are stuck on that and running into permission issues because you are running mod_php. I would recommend going to either SuPHP or to FCGI. You mentioned VPS so depending on your resources available and taking a guess in general without seeing your hardware limits, I would guess SuPHP would probably be the better choice for you.

    As far as SSL goes though, the only thing that can use SSL on your main shared IP is Cpanel / WHM itself. You cannot use websites that way. Even if you got it to work, it really wouldn't be working like you think.

    SSL for websites is typically also better installed from Cpanel for the site, not from WHM. Technically yes you can install it from WHM but it usually does not set up correctly from that interface.

    Anyway, your so called "moving" your site is a matter of just simply selecting the new IP address. You don't really "move" anything at all! Just update the IP address, nothing more! :)
     
    #6 NetMantis, Apr 25, 2012
    Last edited: Apr 25, 2012
  7. nickelfault

    nickelfault Member

    Thanks again for your reply NetMantis :) I am currently using SuExec+FCGI+APC. I've read that using SuPHP with APC doesn't work properly because SuPHP spawns a new process each time.

    How can I change the IP address of the main site? I've gone into WHM and tried editing the package but the "dedicated IP" checkbox is disabled. I've also tried going to "Change Site's IP Address" under IP Functions in WHM, however there is no place to change the IP, it only shows the one that is currently being used.

    If it's just a matter of selecting a new IP address that would be great, but I can't find where to do it (and I was googling that yesterday). Any help is appreciated!
     
  8. NetMantis

    NetMantis BANNED

    Don't try to set up FCGI yourself. That one really needs a bit of background experience to set up and I can tell from this conversation that is definitely not you. I'd be glad to give you a hand with that though. It's just a matter of FCGI is a bit more delicate and requires a bit more manual configuration to run correctly than the other PHP types.

    Packages have nothing to do with your web site accounts. Those are basically templates you set up for creating new accounts but once an account is created, you would edit the account itself and not the package it is in.

    The easiest way to change IPs is to go to "List Accounts" and just select a new IP right from that list.

    BE ADVISED: Because of DNS caching in your own computer and ISP, you may end up seeing the default cpanel page for up to 48 hours while the rest of the world sees the site working properly immediately after an IP change. This is because your computer remembers the old original IP address and tries to connect to that same IP for a little while.

    Based on what you just said, it sounds like you might not have a free IP address available.

    You might want to go to the WHM option for showing or displaying IP address usage and see what you have listed.

    How many IP addresses were you given by your hosting provider? Do you have that information?

    As far as "any help is appreciated", it is very clear by this conversation that you are in well over your head but that is nothing to worry or concern yourself about as I am going to hand walk you through all of this and try to teach you what you should know.

    It would be a lot easier to do that than to keep posting what is otherwise elementary cpanel basics and taking up valuable forum posting space.
     
  9. nickelfault

    nickelfault Member

    Moved the site to a dedicated IP and re-generated the SSL certificate using my username. Working perfectly now, thanks guys for your help!
     