Shared SSL For All Of my Clients

rdb4133

Member
Jul 24, 2002
9
0
151
Hello everyone, I have recently started paying for my own Dedicated server (I was a reseller), and many of my clients have been asking me for a while to have SSL, and I just wish to have a shared SSL solution for my clients. I installed the cert for www.maindns.us and I wish to do something like https://www.maindns.us/~username/ for each of my clients that wish to have SSL, so they can store all of the secure information there. I'm a bit of a newbie when it comes to SSL and installing it and setting it up, how exactly would I be able to set this up to use and all. Any help would be appreciated. This is a GeoTrust Certificate, and I was able to install it without a problem at all. Thanks in advance everyone! You can PM also if you wish to help out :)
 

SHSaeed

Well-Known Member
May 9, 2002
243
0
316
Well, the best way "I think" would be to get an SSL cert for your server's host name (i.e. host.yourdomain.com). This way, all users can access their own site in a secure environment simply by going to https://host.yourdomain.com/~useraccount/ (no extra accounts or passwords needed). However, this might not be the best option if you're planning to charge for shared SSL. Then I guess you can create additional FTP accounts for each user that requests shared SSL.
 

rdb4133

Hello, no I do not wish to charge my clients for this at all, it is just something that I feel I should be offering anyways. So, would I have to login to FTP for MainDNS to have the folders available for each of the clients, or how would it work (as I said I'm a newbie when it comes to SSL)

Thanks!
 

itf

Well-Known Member
May 9, 2002
620
0
316
[quote][i]Originally posted by rdb4133[/i]

Hello, no I do not wish to charge my clients for this at all, it is just something that I feel I should be offering anyways. So, would I have to login to FTP for MainDNS to have the folders available for each of the clients, or how would it work (as I said I'm a newbie when it comes to SSL)

Thanks![/quote]
No, it's not necessary.
Try this: http://serverdomain.com/~user/
You should see the user's site. This feature is offered by Apache by enabling the "UserDir" directive in httpd.conf (which is enabled by default in cPanel).

If you install an SSL certificate for the main domain you can use this:
https://serverdomain.com/~user/

Nothing special is necessary; everyone with a user account on your server has SSL access.

However there are some other ways to provide anonymous shared SSL
 

rdb4133

Hello, Thanks for the input, and yeah I figured it *SHOULD* work like you said, but unfortunately it's not, you can check it right here: https://www.maindns.us all I get is a page not found. Any ideas as to what I did wrong? and you can try: https://www.maindns.us/~isuperwe/ (My account)

You'll get the same result.
 

itf

[quote][i]Originally posted by rdb4133[/i]

Hello, Thanks for the input, and yeah I figured it *SHOULD* work like you said, but unfortunately it's not, you can check it right here: https://www.maindns.us all I get is a page not found. Any ideas as to what I did wrong? and you can try: https://www.maindns.us/~isuperwe/ (My account)

You'll get the same result.[/quote]
You have to install the SSL web certificate for the main server address, like this: server.maindns.us
Then use
https://server.maindns.us/~user/
 

rdb4133

Hello, unfortunately I think I've already set it up for www.maindns.us is there any way to actually change this? Or am I stuck?
 

itf

[quote][i]Originally posted by rdb4133[/i]

Hello, unfortunately I think I've already set it up for www.maindns.us is there any way to actually change this? Or am I stuck?[/quote]
Yes it's possible, but depends on your policies

Providing shared SSL has some other issues, please read this thread about bandwidth calculation first and focus on what I wrote --itf

http://forums.cpanel.net/read.php?TID=3259

I wrote there about shared SSL strategies and some of the methods.
Then if you would like those protection settings you have to change some of your strategies; also, if you need mod_bwprotect, you have to reinstall Buildapache.sea in advanced mode.

After reading that thread, please post what your choice is.
I'll write about shared SSL (step by step) in the next post (it is large and I'm a bit busy now to complete my writings).
 

albert1

Registered
Jul 21, 2002
3
0
151
Sorry...but any assistance will be much appreciated

I am also a newbie... I was a reseller and just recently rented my own server.

Can you all suggest to me where/how I can get an SSL cert for the least $$?

Thanks.

Yes...wanna use it for my clients/share.

Thank you in advance.
 

itf

[quote][i]Originally posted by albert1[/i]

I am also a newbie... I was a reseller and just recently rented my own server.

Can you all suggest to me where/how I can get an SSL cert for the least $$?

Thanks.

Yes...wanna use it for my clients/share.

Thank you in advance.
[/quote]
Try http://www.thawte.com or http://instantssl.com

There are many other providers like: verisign.com, Geo Trust Equifax.com, OpenSRS Resellers and ...
 

rdb4133

Hello ITF thanks for the informative post regarding the BW and possible Shared SSL problems. I honestly would be quite happy having https://www.maindns.us/~username/ or the sub-domain as you also suggested, either one would be fine, but as I've stated previously in other posts, as of right now https://www.maindns.us doesn't work, it just brings up a page not found, your help would be greatly appreciated.

By the way I got my GeoTrust SSL Cert from http://www.rackshack.net they have a special they are going for $49 per year.
 

flexibert1

Member
Aug 6, 2002
5
0
151
Thanks for that.
Will look into GeoTrust SSL Cert from http://www.rackshack.net they have a special they are going for $49 per year.


Thanks.

Is it hard to install?
 

rdb4133

It wasn't too hard to install, now actually getting it to work, is another story.... That's why I'm here asking for help on it.
 

ezi

Registered
Aug 6, 2002
3
0
151
shared ssl

This is what we offer to our clients-all we do is set up an ftp account for them and give them the pathways for cgi etc

With all ezi hosting packages clients have access to a shared ssl 128 Bit directory such as https://www.ezihosting.com/secureyourdomain/forms.htm as standard. If you require a secure url such as https://www.yourdomain.com you will need to purchase your own ssl certificate.

Path to cgi-bin directory on secure server:
/home/ezi/public_html/securedomain/cgi-bin
URL to cgi-bin via secure server:
https://www.ezihosting.com/securedomain/cgi-bin/
path to web root directory on the secure server (for html files):
/home/ezi/public_html/securedomain
URL to web root directory via secure server.:
https://www.ezihosting.com/securedomain/
 

itf

In this post I’ll show you

[b]HOW TO GET SHARED SSL WORKING (in a step-by-step instruction)[/b]

I do not describe how to generate SSL keys, most of you know it; I just focus on installing shared SSL and getting it working.

There are two major methods of offering shared SSL

A) User Directory Shared SSL https://host.server.com/~user/
B) Subdomain Shared SSL https://user.server.com

Also you have to have these modules for apache, mod_bwlimited & mod_bwprotect to save your bandwidth

Read this thread I wrote everything about bandwidth saving issues

http://forums.cpanel.net/read.php?TID=3259

For this purpose you should re-install buildapache.sea by using
/scripts/easyapache
select advanced
then select these modules

(*) User bandwidth leech protection
(*) Bytes logging Module
(*) Frontpage Module
(*) Raise HARD_SERVER_LIMIT
(*) Rewrite Module
(*) SSL Module
(*) suEXEC Module


[b]A) User Directory Shared SSL https://host.server.com/~user/[/b]


1- In WHM -> SSL/TLS -> Install SSL Certificate

Paste your server certificate, private key & CA's public key (required for some certificates), then wait until cPanel shows you the domain and IP of your server certificate’s FQDN.

Note: If you generated the certificate using WebHost Manager, the certificate files will be available. Refer to Generate an SSL certificate for more information.
Enter your FQDN in the Domain field and press the fetch button.

[b]WHAT is FQDN?[/b] FQDN stands for Fully Qualified Domain Name, which is something like host.serverdomain.com. Please be careful: SSL certificates should be generated for the FQDN, not just a domain (domain: domain.com, FQDN: host.domain.com).

[b]Attention: You have to use HOST.SERVERDOMAIN.COM[/b]
In a root SSH session type this command:

[email protected] [~]# [b]hostname[/b]

[b]The FQDN that you should use for Shared SSL is the result of the above command.[/b]

Enter your commercial domain’s username in the Username field. Do not enter root or nobody; we will modify this later.

Press “Do it”; the installation will finish by restarting Apache.

2- Find these lines in your httpd.conf, using pico /etc/httpd/conf/httpd.conf in a root SSH session (these lines are near the end of the file).
Note: 10.20.30.40 is your server’s IP, host.serverdomain.com is your server’s FQDN and username is your username.

[quote]
<IfDefine SSL>
<VirtualHost 10.20.30.40:443>
ServerAdmin [email protected]
DocumentRoot /home/username/public_html
ServerName host.serverdomain.com
CustomLog /usr/local/apache/domlogs/host.serverdomain.com-ssl_log "%t %{version}c %{cipher}c %{clientcert}c"
SSLEnable
SSLCertificateFile /usr/share/ssl/certs/host.serverdomain.com.crt
SSLCertificateKeyFile /usr/share/ssl/private/host.serverdomain.com.key
SSLCACertificateFile /usr/share/ssl/certs/host.serverdomain.com.cabundle
SSLLogFile /var/log/host.serverdomain.com

UserDir public_html

ScriptAlias /cgi-bin/ /home/username/public_html/cgi-bin/

SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
</VirtualHost>
</IfDefine>
[/quote]

Now it’s time to modify the block; the bold text should be modified exactly as you see in this quotation.
Note: don’t forget to put a # mark in front of the UserDir and ScriptAlias lines, or modify them as you need to show something more than the "HEY, it worked!" page when someone types https://host.domainserver.com, but these settings do not affect https://host.domainserver.com/~user/

[quote]
<IfDefine SSL>
<VirtualHost 10.20.30.40:443>
[b]ServerAdmin [email protected][/b]
[b]DocumentRoot /usr/local/apache/htdocs[/b]
ServerName host.serverdomain.com
CustomLog /usr/local/apache/domlogs/host.serverdomain.com-ssl_log "%t %{version}c %{cipher}c %{clientcert}c"
SSLEnable
SSLCertificateFile /usr/share/ssl/certs/host.serverdomain.com.crt
SSLCertificateKeyFile /usr/share/ssl/private/host.serverdomain.com.key
SSLCACertificateFile /usr/share/ssl/certs/host.serverdomain.com.cabundle
SSLLogFile /var/log/host.serverdomain.com

[b]# UserDir public_html

# ScriptAlias /cgi-bin/ /home/username/public_html/cgi-bin/[/b]

SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
</VirtualHost>
</IfDefine>
[/quote]

3- Restart Apache

[b]You have to do this installation one time, then all of the accounts on your server have SSL access without any modification.[/b]

Now your https://host.serverdomain.com should show your “HEY, it Worked!” page and shared SSL is working fine using

https://host.serverdomain.com/~user/

[b]CGI / PHP scripts[/b]
Some CGI and PHP scripts split the paths from your address bar and use relative addresses (URLs); you have to make a second copy of them and change the relative paths or configurations for secure usage.


[b]B) Subdomain Shared SSL https://user.server.com[/b]

Subdomain shared SSL has similar procedures, but you need to buy a wildcard certificate and create a subdomain for each user.

I do not recommend using subdomain shared SSL if you don’t charge your customers for the SSL feature, because a “wildcard SSL web certificate” is more expensive than a single web certificate and you have to do some parts of the installation procedure manually on a per-user basis or write your own scripts.


[b]How to Remove SSL certs and Keys?[/b]

If you want to remove an installed SSL for example for the host.domain.com you should remove

Certificates are at this directory:
/usr/share/ssl/certs/
remove these files:

host.domain.com.crt
host.domain.com.cabundle (if available)

Private keys are at this directory:
/usr/share/ssl/private/
remove this file:

host.domain.com.key

Also you have to remove the related block in httpd.conf
<IfDefine SSL>
<VirtualHost 10.20.30.40:443>
……
</VirtualHost>
</IfDefine>


[b]How to test before buying a Certificate
or
Installing a fake SSL Web Certificate[/b]

You can create a fake web certificate and install it for testing purposes. If you don’t know how to create a fake certificate, go to this URL and create one for testing purposes only:

http://snakeoil.haisee.com/freecerts.php

[b]Attention: Fake web certificates are not trusted in client browsers, also there are some legal issues with them (they are illegal in production environments). Thus never use fake certificates for production environments.[/b]
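
An added example, not part of the post above and not cPanel's own tooling: a small checker for the step 2 edits, confirming that the SSL virtual host is named for the server's hostname, that its certificate and key files carry that name, and that DocumentRoot, UserDir and ScriptAlias no longer tie the vhost to one user. The function names and the sample config are constructed for illustration.

```python
import re

# Constructed sample: an SSL vhost issued for the wrong name, still tied to one user.
SAMPLE_CONF = """\
<IfDefine SSL>
<VirtualHost 10.20.30.40:443>
DocumentRoot /home/username/public_html
ServerName www.serverdomain.com
SSLEnable
SSLCertificateFile /usr/share/ssl/certs/www.serverdomain.com.crt
SSLCertificateKeyFile /usr/share/ssl/private/www.serverdomain.com.key
UserDir public_html
# ScriptAlias /cgi-bin/ /home/username/public_html/cgi-bin/
</VirtualHost>
</IfDefine>
"""

def ssl_vhosts(conf_text):
    """Yield {directive: [args, ...]} for every <VirtualHost ...:443> block."""
    block = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # commented-out directives are inactive
        if re.match(r"<VirtualHost\s+\S+:443\s*>", line, re.I):
            block = {}
        elif re.match(r"</VirtualHost>", line, re.I) and block is not None:
            yield block
            block = None
        elif block is not None and not line.startswith("<"):
            parts = line.split(None, 1)
            block.setdefault(parts[0].lower(), []).append(parts[1] if len(parts) > 1 else "")

def check_shared_ssl(conf_text, server_fqdn):
    """Return findings for the user-directory shared SSL layout (hypothetical checker)."""
    findings = []
    for vh in ssl_vhosts(conf_text):
        name = vh.get("servername", [""])[0]
        if name.lower() != server_fqdn.lower():
            findings.append(f"ServerName {name!r} is not the server hostname {server_fqdn!r}")
        for key in ("sslcertificatefile", "sslcertificatekeyfile"):
            path = vh.get(key, [""])[0]
            if not path.rsplit("/", 1)[-1].startswith(server_fqdn + "."):
                findings.append(f"{key} {path!r} is not named for {server_fqdn}")
        if vh.get("documentroot", [""])[0].startswith("/home/"):
            findings.append("DocumentRoot is inside a user's home directory")
        if "userdir" in vh:
            findings.append("UserDir is still active inside the SSL vhost")
    return findings
```

Pass the contents of httpd.conf and the output of the hostname command; an empty list means the block matches the edited layout shown in step 2.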
 

dolphyn

Well-Known Member
Nov 27, 2001
71
0
306
cPanel Access Level
Root Administrator
Thanks!

Thanks, ITF, for providing such detailed instructions exactly when I needed them.

I used the User Directory method, and it worked exactly as you stated.
 

Jedito

Well-Known Member
Aug 16, 2001
46
0
306
I'm using https://ssldomain.com/~username/ but I get

Access Not Allowed from this Domain
You are attempting to access a user dir from a domain that is not owned by the user. Please correct the domain that you are attempting to use to access this url.

Anybody know why?
 

itf

[quote][i]Originally posted by Jedito[/i]

I'm using https://ssldomain.com/~username/ but I get

Access Not Allowed from this Domain
You are attempting to access a user dir from a domain that is not owned by the user. Please correct the domain that you are attempting to use to access this url.

Anybody know why?[/quote]
Read my above post about Shared SSL; you have to use your hostname for the Shared SSL FQDN (host.serverdomain.com).

This is due to mod_bwprotect; read this thread, where I described why:

http://forums.cpanel.net/read.php?TID=3259

You can't offer shared SSL on a different domain while you have mod_bwprotect installed; if you remove it, your server's bandwidth would be abused.

Please read the post exactly before asking another question that was answered. I wrote a complete step-by-step instruction.
 

dolphyn

Using server-wide cert for CPanel/WHM

Okay, one more dumb question: How can I use the server-wide certificate for CPanel/WHM?

I have tried using the "Change CPanel/WHM certificate" function in WHM, and I get this error:
[b]error 20 at 0 depth lookup:unable to get local issuer certificate[/b]

It's an InstantSSL certificate. I normally include a "bundle" to install these via WHM, but in this situation I'm not sure how to include the "bundle." I tried copying the .cabundle file to /usr/local/cpanel/share/ssl/certs, but it still didn't work.

Thanks.
 

jamesbond

Well-Known Member
Oct 9, 2002
737
1
168
dolphyn, I have the same problem.

If you have figured it out already, I would appreciate it if you tell me how you did it :)