
Shared SSL & Dedicated IP

Discussion in 'Security' started by eglwolf, Sep 16, 2012.

  1. eglwolf

    eglwolf Well-Known Member

    I currently have a VPS server that has NO shared SSL for my users. The hostname for this server is "server.mydomain.com"

    I have 3 IPs on the server. Two are for the server & DNS. The third is for my website at mydomain.com and I have an SSL installed on that server.

    The issue is that the hostname server.mydomain.com and my commerce site (on its own dedicated IP) use the same domain name (mydomain.com). So should I change my hostname to another domain and get an SSL or wildcard SSL to use for the server, or can I have the wildcard SSL be the only one I need and move my ecommerce site back to the main server IP, and everything will work?

    I hope I am not confusing anyone.
     
  2. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    Hello,

    You could do one or the other, so it's up to you. If you purchase a wildcard SSL, you'll need to make changes on the backend or use a script like the following for it to be properly installed onto the subdomains:

    Wildcard SSL Installation Script :: The cPanel Admin

    Since we don't support wildcard SSLs within cPanel / WHM at this time, any issues you have would need to be posted here rather than submitted via a ticket.

    If you choose to get an SSL onto the hostname, you can purchase one for the hostname itself. It doesn't matter that it is a subdomain of the main domain, since anything besides www.domain.com and domain.com would be a separate SSL for a non-wildcard one. This means you can install a purchased SSL you configure for the hostname onto the user nobody on the main, shared IP and still have the main domain on the dedicated IP using the existing SSL.

    Thanks!
     
  3. eglwolf

    eglwolf Well-Known Member

    Tristan,

    I opted to buy an SSL for the hostname. I installed it using WHM for user nobody and set it up to share under Manage SSLs.

    However when I run my PCI scan I get this failed notice still:


    Description: SSL Certificate Cannot Be Trusted
    Synopsis: The SSL certificate for this service cannot be trusted.
    Impact: The server's X.509 certificate does not have a signature from a known public certificate authority. This situation can occur in three different ways, each of which results in a break in the chain below which certificates cannot be trusted. First, the top of the certificate chain sent by the server might not be descended from a known public certificate authority. This can occur either when the top of the chain is an unrecognized, self-signed certificate, or when intermediate certificates are missing that would connect the top of the certificate chain to a known public certificate authority. Second, the certificate chain may contain a certificate that is not valid at the time of the scan. This can occur either when the scan occurs before one of the certificate's 'notBefore' dates, or after one of the certificate's 'notAfter' dates. Third, the certificate chain may contain a signature that either didn't match the certificate's information, or was not possible to verify. Bad signatures can be fixed by getting the certificate with the bad signature to be re-signed by its issuer. Signatures that could not be verified are the result of the certificate's issuer using a signing algorithm that SecurityMetrics either does not support or does not recognize. If the remote host is a public host in production, any break in the chain nullifies the use of SSL as anyone could establish a man in the middle attack against the remote host.
    Data Received: The following certificates were at the top of the certificate chain sent by the remote host, but are signed by an unknown certificate authority :
    |-Subject : C=US/ST=Unknown/L=Unknown/O=Unknown/OU=Unknown/CN=server.MYDOMAIN.com/E=ssl@server.MYDOMAIN.com
    |-Issuer : C=US/ST=Unknown/L=Unknown/O=Unknown/OU=Unknown/CN=server.MYDOMAIN.com/E=ssl@server.MYDOMAIN.com
    Resolution: Purchase or generate a proper certificate for this service.
    Risk Factor: Medium / CVSS2 Base Score: 6.4 AV:N/AC:L/Au:N/C:P/I:P/A:N
     
  4. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    Is the server name actually uppercase server.MYDOMAIN.COM rather than server.mydomain.com ? Linux is case sensitive and domain names should not be in upper case.

    Also, ensure you install that same SSL onto each of the services in the WHM > Manage Service SSL Certificates area. I'm uncertain if this failure is for https on port 443 or might be on one of the other ports used.
     
  5. eglwolf

    eglwolf Well-Known Member

    I removed the actual domain name for this public post. So that part is ok.

    I get this failed notice for all ports, like 110, 443, 995, 143, 465, 993, 21.

    I did not have it installed under Manage Service SSL. I have done this and will re-run the PCI Scan.
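The scan above fails on every TLS-capable service port, not just 443, which is why the Manage Service SSL Certificates step matters: each daemon (Apache, Exim, Dovecot, FTP) presents its own certificate. The script below is an added example for this thread, not cPanel's own code and not the SecurityMetrics scanner: it performs a verified TLS handshake against every port listed in the thread (implicit TLS on 443/465/993/995, STARTTLS on 21/110/143) using the system CA bundle, so a self-signed or chain-less certificate fails exactly the way the PCI report describes. It also includes a small classifier that maps a chain's top certificate to the failure modes the report lists (self-signed top, unknown issuer, notBefore/notAfter out of range) and a parser for the `C=US/ST=.../CN=host` name format the scan output uses. The port map, the function names and the `known_cas` representation are assumptions made for the example; the live checks need network access to the host being tested.

```python
"""Per-port TLS chain check for a cPanel-style host, plus a classifier for the
chain-trust failure modes a PCI scan report describes.
Added example for this forum thread; not cPanel code and not the scanner's logic."""
import ftplib
import imaplib
import poplib
import socket
import ssl
from datetime import datetime, timezone

# Ports named in the thread (assumed map). 443/465/993/995 speak TLS from the
# first byte; 21/110/143 start in plaintext and upgrade (AUTH TLS / STLS / STARTTLS).
IMPLICIT_TLS_PORTS = {443: "https", 465: "smtps", 993: "imaps", 995: "pop3s"}
STARTTLS_PORTS = {21: "ftp", 110: "pop3", 143: "imap"}


def parse_slash_dn(dn):
    """Parse the 'C=US/ST=Unknown/.../CN=host' name format shown in the scan output."""
    fields = {}
    for part in dn.strip("/").split("/"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def name_from_peercert(rdns):
    """Flatten ssl.getpeercert()'s ((('commonName', 'host'),), ...) structure into a dict."""
    return {attr: value for rdn in rdns for attr, value in rdn}


def classify_chain_top(subject, issuer, not_before, not_after, now, known_cas):
    """Return the reasons the top of a chain would fail a scanner's trust check.

    subject/issuer: dicts of name attributes; not_before/not_after/now: aware
    datetimes; known_cas: list of issuer-name dicts the verifier trusts (assumed shape).
    """
    findings = []
    if issuer not in known_cas:
        if subject == issuer:
            findings.append("self-signed top of chain (subject equals issuer)")
        else:
            findings.append("top of chain signed by unknown CA "
                            "(missing intermediate or unrecognised root)")
    if now < not_before:
        findings.append("certificate not yet valid (before notBefore)")
    if now > not_after:
        findings.append("certificate expired (after notAfter)")
    return findings


def _verify_failure(err):
    return False, f"verify failed: {err.verify_message} (code {err.verify_code})"


def check_implicit_tls(host, port, timeout=5.0):
    """Verified handshake against the system CA bundle; returns (ok, detail)."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED plus hostname check
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                cn = name_from_peercert(cert["subject"]).get("commonName")
                return True, f"trusted chain for CN={cn}, expires {cert['notAfter']}"
    except ssl.SSLCertVerificationError as err:  # subclass of SSLError: catch first
        return _verify_failure(err)
    except (OSError, ssl.SSLError) as err:
        return False, f"connection/TLS error: {err}"


def check_starttls(host, port, timeout=5.0):
    """Upgrade a plaintext POP3/IMAP/FTP session and verify the chain it presents."""
    ctx = ssl.create_default_context()
    try:
        if port == 110:
            conn = poplib.POP3(host, port, timeout=timeout)
            conn.stls(context=ctx)
            conn.quit()
        elif port == 143:
            conn = imaplib.IMAP4(host, port, timeout=timeout)
            conn.starttls(ssl_context=ctx)
            conn.logout()
        elif port == 21:
            conn = ftplib.FTP_TLS(context=ctx, timeout=timeout)
            conn.connect(host, port)
            conn.auth()  # AUTH TLS on the control connection
            conn.quit()
        else:
            return False, "no STARTTLS handler for this port"
        return True, "trusted chain after STARTTLS"
    except ssl.SSLCertVerificationError as err:
        return _verify_failure(err)
    except (OSError, ssl.SSLError, poplib.error_proto,
            imaplib.IMAP4.error, ftplib.Error) as err:
        return False, f"connection/protocol error: {err}"


def scan_host(host):
    """Check every service port the thread lists; returns {port: (ok, detail)}."""
    results = {port: check_implicit_tls(host, port) for port in sorted(IMPLICIT_TLS_PORTS)}
    results.update({port: check_starttls(host, port) for port in sorted(STARTTLS_PORTS)})
    return results


if __name__ == "__main__":
    import sys
    for port, (ok, detail) in sorted(scan_host(sys.argv[1]).items()):
        print(f"{port:>4} {'PASS' if ok else 'FAIL'} {detail}")
```

Run it as `python3 check_service_ssl.py server.mydomain.com` after installing the hostname certificate under Manage Service SSL Certificates; every port should report PASS with the same CN. A FAIL with `self-signed certificate` or `unable to get local issuer certificate` on a single port points at the service that is still serving the default cPanel certificate or is missing its CA bundle.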
     