Setting Service SSL Certificate as Primary

Discussion in 'Security' started by timmmmyboy, May 26, 2019.

  1. timmmmyboy

    timmmmyboy Member

    Joined:
    Aug 26, 2013
    Messages:
    11
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Fredericksburg, Virginia
    cPanel Access Level:
    Root Administrator
    We occasionally get a ticket from users that apparently still have non-SNI compliant systems and cannot properly load cPanel. Usually they are worried they've been hacked because they are presented with an SSL certificate for another website altogether, the one automatically listed as primary under SSL Hosts. In our ideal world the fallback for a non-SNI enabled system would be to use the service SSL certificate that matches our hostname; at least then it's clear that the certificate is our own rather than exposing the domain of another user on the system (and making the user think there has been an exploit because of the mismatch). However, setting the primary domain under SSL Hosts only shows domains hosted properly as cPanel accounts, not the hostname of the server. What is the best course of action here?
     
  2. cPanelLauren

    cPanelLauren Forums Analyst II Staff Member

    Joined:
    Nov 14, 2017
    Messages:
    6,466
    Likes Received:
    505
    Trophy Points:
    263
    Location:
    Houston
    cPanel Access Level:
    DataCenter Provider
    You should be able to manage the redirection location from WHM>>Server Configuration>>Tweak Settings under the Redirection tab.
     
  3. timmmmyboy

    timmmmyboy Member

    Joined:
    Aug 26, 2013
    Messages:
    11
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Fredericksburg, Virginia
    cPanel Access Level:
    Root Administrator
    I don't think a redirect would apply in this case. Our server hostname certificate is valid for cpanel.hostname as a URL. The issue is that when someone has an issue with SNI or some other odd bug, the certificate they see is not our own, but the primary certificate on the server, which is another customer's. Seems like an odd security bug to expose a customer's domain and certificate to users unless we set up an additional account with a random self-signed certificate. For an example of this see certificate #2 at <Link to 3rd party removed>. We would ideally like the server hostname to be the primary certificate on the server, but the hostname is not an option under SSL Hosts in WHM, and something has to be primary, so it ends up being a random customer.
     
  4. cPanelLauren

    cPanelLauren Forums Analyst II Staff Member

    Joined:
    Nov 14, 2017
    Messages:
    6,466
    Likes Received:
    505
    Trophy Points:
    263
    Location:
    Houston
    cPanel Access Level:
    DataCenter Provider
    In this instance, is the hostname cpanel.yourdomain.tld or is it kraftwerk.yourdomain.tld? This certificate has no issue per the check, with the exception of forward secrecy, which is capping you to a B due to cipher issues, which is discussed here: https://blog.qualys.com/ssllabs/2018/02/02/forward-secrecy-authenticated-encryption-and-robot-grading-update?_ga=2.249869902.993350384.1559069809-413614920.1559069809

    Service subdomains like cpanel.domain.tld or webmail.domain.tld are essentially aliases to the hostname and use the hostname SSL.
     
  5. timmmmyboy

    timmmmyboy Member

    Joined:
    Aug 26, 2013
    Messages:
    11
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Fredericksburg, Virginia
    cPanel Access Level:
    Root Administrator
    Our hostname is kraftwerk.yourdomain.tld and we use a certificate that secures the cpanel subdomain alias for our hostname, as we prefer those URLs for users accessing cPanel versus non-standard ports, so https://cpanel.kraftwerk.yourdomain.tld would be the URL structure, and that works 99% of the time because, as you mentioned, the cert is valid. But when it doesn't due to SNI failure, a random customer's SSL certificate shows up, which is less than ideal. If a user doesn't have a browser that supports SNI, it seems the fallback is the primary certificate chosen in SSL Hosts, of which there has to be one, and none of the hosts there are our own; they are all customers on the server. From what it sounds like, I guess we need to set up some kind of account on every server that we own and make that primary to avoid the exposure of other customers' domains. I'm mostly curious how other hosts handle the "Primary" option in WHM > Manage SSL Hosts. Just leave it and field the random ticket where someone is seeing a certificate that isn't their own? Feels like something we should be able to just fall back to the service SSL certificates for.
     
  6. cPanelLauren

    cPanelLauren Forums Analyst II Staff Member

    Joined:
    Nov 14, 2017
    Messages:
    6,466
    Likes Received:
    505
    Trophy Points:
    263
    Location:
    Houston
    cPanel Access Level:
    DataCenter Provider
    I think there's some confusion here. Manage SSL Hosts will not manage the hostname SSL. The "Make Primary" function is primarily to set what site will be the primary (first SSL VirtualHost in the Apache configuration) on systems with multiple IPs.

    In your case what seems to be happening is one of two things:

    1. The redirection for sites with no SSL certificate is not set to go to the hostname, which can be managed in Tweak Settings as I noted before.

    or

    2. The sites that are getting random sites when attempting to access over SSL are on a different IP address than the hostname and are getting the first domain with an SSL VirtualHost for that IP in the Apache configuration. The workaround for this would be to ensure that all domains, including those without SSLs, have an SSL VirtualHost, which can be achieved by installing a self-signed SSL certificate.
     
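A small audit script, added here as an illustration and not part of the thread or of cPanel, that models the behaviour described in point 2: for each `ip:port` in an Apache configuration, the first SSL VirtualHost is what a client that sends no SNI will be shown, and any domain with no SSL VirtualHost at all falls through to it. The configuration, IP addresses and domain names are constructed placeholders.

```python
import re

# Constructed sample in the shape of a cPanel-generated httpd.conf; the
# addresses and names are placeholders, not real hosts.
SAMPLE_HTTPD_CONF = """
<VirtualHost 203.0.113.10:443>
    ServerName customer-a.example
    SSLEngine on
</VirtualHost>
<VirtualHost 203.0.113.10:443>
    ServerName kraftwerk.yourdomain.tld
    SSLEngine on
</VirtualHost>
<VirtualHost 203.0.113.11:443>
    ServerName customer-b.example
    SSLEngine on
</VirtualHost>
<VirtualHost 203.0.113.11:80>
    ServerName customer-c.example
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)

def parse_vhosts(conf):
    """Return (address, servername, ssl_on) tuples in file order."""
    vhosts = []
    for m in VHOST_RE.finditer(conf):
        addr, body = m.group(1).strip(), m.group(2)
        name = re.search(r"^\s*ServerName\s+(\S+)", body, re.M)
        ssl = re.search(r"^\s*SSLEngine\s+on\b", body, re.M | re.I) is not None
        vhosts.append((addr, name.group(1) if name else None, ssl))
    return vhosts

def default_ssl_vhost_per_address(conf):
    """ip:port -> ServerName of its first SSL vhost (the no-SNI fallback)."""
    first = {}
    for addr, name, ssl in parse_vhosts(conf):
        if ssl and addr not in first:
            first[addr] = name
    return first

def names_without_ssl(conf):
    """Domains that only have a plain-HTTP vhost, so no SSL vhost of their own."""
    ssl_names = {n for _, n, s in parse_vhosts(conf) if s}
    return sorted({n for _, n, s in parse_vhosts(conf) if n and not s and n not in ssl_names})

def audit(conf, hostname):
    """Addresses whose no-SNI fallback is a customer cert rather than the hostname."""
    return {a: n for a, n in default_ssl_vhost_per_address(conf).items() if n != hostname}
```

Against a live server the same fallback can be observed by comparing the subject printed by `openssl s_client -connect host:443 </dev/null | openssl x509 -noout -subject` with and without `-servername host`.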