
Shared SSL For All Of my Clients

Discussion in 'General Discussion' started by rdb4133, Aug 5, 2002.

  1. rdb4133

    rdb4133 Member

    Joined:
    Jul 24, 2002
    Messages:
    9
    Likes Received:
    0
    Trophy Points:
    1
    Hello everyone, I have recently started paying for my own Dedicated server (I was a reseller), and many of my clients have been asking me for a while to have SSL, and I just wish to have a shared SSL solution for my clients. I installed the cert for www.maindns.us and I wish to do something like https://www.maindns.us/~username/ for each of my clients that wish to have SSL, so they can store all of the secure information there. I'm a bit of a newbie when it comes to SSL and installing it and setting it up, how exactly would I be able to set this up to use and all. Any help would be appreciated. This is a GeoTrust Certificate, and I was able to install it without a problem at all. Thanks in advance everyone! You can PM also if you wish to help out :)
     
  2. SHSaeed

    SHSaeed Well-Known Member

    Joined:
    May 9, 2002
    Messages:
    245
    Likes Received:
    0
    Trophy Points:
    16
    Well, the best way "I think" would be to get an SSL cert for your server's host name (i.e. host.yourdomain.com). This way, all users can access their own site in a secure environment simply by going to https://host.yourdomain.com/~useraccount/ (no extra accounts or passwords needed). However, this might not be the best option if you're planning to charge for shared SSL. Then I guess you can create additional FTP accounts for each user that requests shared SSL.
     
  3. rdb4133

    rdb4133 Member

    Joined:
    Jul 24, 2002
    Messages:
    9
    Likes Received:
    0
    Trophy Points:
    1
    Hello, no I do not wish to charge my clients for this at all, it is just something that I feel I should be offering anyways. So, would I have to login to FTP for MainDNS to have the folders available for each of the clients, or how would it work (as I said I'm a newbie when it comes to SSL)

    Thanks!
     
  4. itf

    itf Well-Known Member

    Joined:
    May 9, 2002
    Messages:
    624
    Likes Received:
    0
    Trophy Points:
    16
    Originally posted by rdb4133:

    > Hello, no I do not wish to charge my clients for this at all, it is just something that I feel I should be offering anyways. So, would I have to login to FTP for MainDNS to have the folders available for each of the clients, or how would it work (as I said I'm a newbie when it comes to SSL)
    >
    > Thanks!

    No, it's not necessary.
    Try this: http://serverdomain.com/~user/
    You should see the user's site. This feature is offered by Apache by enabling the "UserDir" directive in httpd.conf (which is enabled by default in cPanel).

    If you install an SSL certificate for the main domain you can use this:
    https://serverdomain.com/~user/

    Nothing special is necessary; everyone with a user account on your server has SSL access.

    However there are some other ways to provide anonymous shared SSL
     
  5. rdb4133

    rdb4133 Member

    Joined:
    Jul 24, 2002
    Messages:
    9
    Likes Received:
    0
    Trophy Points:
    1
    Hello, Thanks for the input, and yeah I figured it *SHOULD* work like you said, but unfortunately it's not, you can check it right here: https://www.maindns.us all I get is a page not found. Any ideas as to what I did wrong? and you can try: https://www.maindns.us/~isuperwe/ (My account)

    You'll get the same result.
     
  6. itf

    itf Well-Known Member

    Joined:
    May 9, 2002
    Messages:
    624
    Likes Received:
    0
    Trophy Points:
    16
    Originally posted by rdb4133:

    > Hello, Thanks for the input, and yeah I figured it *SHOULD* work like you said, but unfortunately it's not, you can check it right here: https://www.maindns.us all I get is a page not found. Any ideas as to what I did wrong? and you can try: https://www.maindns.us/~isuperwe/ (My account)
    >
    > You'll get the same result.

    You have to install the SSL web certificate for the main server address, like this: server.maindns.us
    then use
    https://server.maindns.us/~user/
     
  7. rdb4133

    rdb4133 Member

    Joined:
    Jul 24, 2002
    Messages:
    9
    Likes Received:
    0
    Trophy Points:
    1
    Hello, unfortunately I think I've already set it up for www.maindns.us is there any way to actually change this? Or am I stuck?
     
  8. itf

    itf Well-Known Member

    Joined:
    May 9, 2002
    Messages:
    624
    Likes Received:
    0
    Trophy Points:
    16
    Originally posted by rdb4133:

    > Hello, unfortunately I think I've already set it up for www.maindns.us is there any way to actually change this? Or am I stuck?

    Yes it's possible, but depends on your policies

    Providing shared SSL has some other issues, please read this thread about bandwidth calculation first and focus on what I wrote --itf

    http://forums.cpanel.net/read.php?TID=3259

    I wrote there about shared SSL strategies and some of methods
    Then if you would like those protection settings you have to change some of your strategies, also if you need mod_bwprotect you have to reinstall Buildapache.sea in advanced mode

    After reading that thread please post what is your choice?
    I'll write about shared SSL (step by step) at the next post (it is large and I'm a bit busy now to complete my writings)
     
  9. albert1

    albert1 Registered

    Joined:
    Jul 21, 2002
    Messages:
    3
    Likes Received:
    0
    Trophy Points:
    1
    Sorry...but any assistance will be much appreciated

    I am also a Newbie..was a reseller and just recently rented my own server.

    Can u all suggest to me where/how can i get a SSL cert for the least $$

    Thanks.

    Yes...wanna use it for my clients/share.

    Thank you in advance.
     
  10. itf

    itf Well-Known Member

    Joined:
    May 9, 2002
    Messages:
    624
    Likes Received:
    0
    Trophy Points:
    16
    Originally posted by albert1:

    > I am also a Newbie..was a reseller and just recently rented my own server.
    >
    > Can u all suggest to me where/how can i get a SSL cert for the least $$
    >
    > Thanks.
    >
    > Yes...wanna use it for my clients/share.
    >
    > Thank you in advance.

    try http://www.thawte.com, or http://instantssl.com

    there are many other providers like: verisign.com, Geo Trust Equifax.com, OpenSRS Resellers and ...
     
  11. rdb4133

    rdb4133 Member

    Joined:
    Jul 24, 2002
    Messages:
    9
    Likes Received:
    0
    Trophy Points:
    1
    Hello ITF thanks for the informative post regarding the BW and possible Shared SSL problems. I honestly would be quite happy having https://www.maindns.us/~username/ or the sub-domain as you also suggested, either one would be fine, but as I've stated previously in other posts, as of right now https://www.maindns.us doesn't work, it just brings up a page not found, your help would be greatly appreciated.

    By the way I got my GeoTrust SSL Cert from http://www.rackshack.net they have a special they are going for $49 per year.
     
  12. flexibert1

    flexibert1 Member

    Joined:
    Aug 6, 2002
    Messages:
    5
    Likes Received:
    0
    Trophy Points:
    1
    Thanks for that.
    Will look into GeoTrust SSL Cert from http://www.rackshack.net they have a special they are going for $49 per year.


    Thanks.

    Is it hard to install?
     
  13. rdb4133

    rdb4133 Member

    Joined:
    Jul 24, 2002
    Messages:
    9
    Likes Received:
    0
    Trophy Points:
    1
    It wasn't too hard to install, now actually getting it to work, is another story.... That's why I'm here asking for help on it.
     
  14. ezi

    ezi Registered

    Joined:
    Aug 6, 2002
    Messages:
    3
    Likes Received:
    0
    Trophy Points:
    1
    shared ssl

    This is what we offer to our clients-all we do is set up an ftp account for them and give them the pathways for cgi etc

    With all ezi hosting packages clients have access to a shared ssl 128 Bit directory such as https://www.ezihosting.com/secureyourdomain/forms.htm as standard. If you require a secure url such as https://www.yourdomain.com you will need to purchase your own ssl certificate.

    Path to cgi-bin directory on secure server:
    /home/ezi/public_html/securedomain/cgi-bin
    URL to cgi-bin via secure server:
    https://www.ezihosting.com/securedomain/cgi-bin/
    path to web root directory on the secure server (for html files):
    /home/ezi/public_html/securedomain
    URL to web root directory via secure server.:
    https://www.ezihosting.com/securedomain/
     
  15. itf

    itf Well-Known Member

    Joined:
    May 9, 2002
    Messages:
    624
    Likes Received:
    0
    Trophy Points:
    16
    In this post I’ll Show YOU

    HOW TO GET SHARED SSL WORKING (in a Step-By-Step instruction)

    I do not describe how to generate SSL keys most of you know it, just focus on installing Shared SSL and get it working

    There are two major methods of offering shared SSL

    A) User Directory Shared SSL https://host.server.com/~user/
    B) Subdomain Shared SSL https://user.server.com

    Also you have to have these modules for apache, mod_bwlimited & mod_bwprotect to save your bandwidth

    Read this thread I wrote everything about bandwidth saving issues

    http://forums.cpanel.net/read.php?TID=3259

    For this purpose you should re-install buildapache.sea by using
    /scripts/easyapache
    select advanced
    then select these modules

    (*) User bandwidth leech protection
    (*) Bytes logging Module
    (*) Frontpage Module
    (*) Raise HARD_SERVER_LIMIT
    (*) Rewrite Module
    (*) SSL Module
    (*) suEXEC Module


    A) User Directory Shared SSL https://host.server.com/~user/


    1- in WHM -> SSL/TLS -> Install SSL Certificate

    paste your server certificate, private key & CA's public key (is required for some of certificates) wait until cpanel shows you the domain and IP of your Server certificate’s FQDN

    Note: If you generated the certificate using WebHost Manager, the certificate files will be available. Refer to Generate an SSL certificate for more information.
    Enter your FQDN in Domain field and press fetch button

    WHAT is FQDN? FQDN stands for Fully Qualified Domain Name, which is something like this: host.serverdomain.com. Please be careful: SSL certificates should be generated for the FQDN, not just a domain (domain: domain.com, FQDN: host.domain.com)

    Attention: You have to use HOST.SERVERDOMAIN.COM
    In a root SSH session type this command:

    root@host [~]# hostname

    The FQDN that you should use for Shared SSL is the result of the above command.

    enter your commercial domain’s Username in the Username field do not enter root or nobody we will modify this later.

    press “Do it” installation will be finished by restarting Apache

    2- Find these lines in your httpd.conf use pico /etc/httpd/conf/httpd.conf in a Root SSH session (these lines are at the near end of the file)
    Note: 10.20.30.40 is your server’s IP, host.serverdomain.com is your server’s FQDN and username is your username

    <IfDefine SSL>
    <VirtualHost 10.20.30.40:443>
    ServerAdmin webmaster@host.serverdomain.com
    DocumentRoot /home/username/public_html
    ServerName host.serverdomain.com
    CustomLog /usr/local/apache/domlogs/host.serverdomain.com-ssl_log "%t %{version}c %{cipher}c %{clientcert}c"
    SSLEnable
    SSLCertificateFile /usr/share/ssl/certs/host.serverdomain.com.crt
    SSLCertificateKeyFile /usr/share/ssl/private/host.serverdomain.com.key
    SSLCACertificateFile /usr/share/ssl/certs/host.serverdomain.com.cabundle
    SSLLogFile /var/log/host.serverdomain.com

    UserDir public_html

    ScriptAlias /cgi-bin/ /home/username/public_html/cgi-bin/

    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
    </VirtualHost>
    </IfDefine>

    Now it's time to modify the block. The lines marked "# changed" below (bold in the original post) should be modified exactly as you see in this quotation.
    Note: don't forget to put a # mark in front of the UserDir and ScriptAlias lines, or modify them as you need to show something more than the "HEY, it worked!" page when someone types https://host.domainserver.com, but these settings do not affect https://host.domainserver.com/~user/

    <IfDefine SSL>
    <VirtualHost 10.20.30.40:443>
    # changed
    ServerAdmin root@host.serverdomain.com
    # changed
    DocumentRoot /usr/local/apache/htdocs
    ServerName host.serverdomain.com
    CustomLog /usr/local/apache/domlogs/host.serverdomain.com-ssl_log "%t %{version}c %{cipher}c %{clientcert}c"
    SSLEnable
    SSLCertificateFile /usr/share/ssl/certs/host.serverdomain.com.crt
    SSLCertificateKeyFile /usr/share/ssl/private/host.serverdomain.com.key
    SSLCACertificateFile /usr/share/ssl/certs/host.serverdomain.com.cabundle
    SSLLogFile /var/log/host.serverdomain.com

    # changed (commented out)
    # UserDir public_html

    # changed (commented out)
    # ScriptAlias /cgi-bin/ /home/username/public_html/cgi-bin/

    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
    </VirtualHost>
    </IfDefine>

    3- Restart Apache

    You have to do this installation one time, then all of the accounts on your server have SSL access without any modification.

    Now your https://host.serverdomain.com should show your “HEY, it Worked page!” and shared SSL is working fine using

    https://host.serverdomain.com/~user/

    CGI / PHP scripts
    Some CGI and PHP scripts split the paths from your address bar and use a relative address (URL); you have to make a second copy of them and change the relative paths or configurations for secure usage.


    B) Subdomain Shared SSL https://user.server.com

    Subdomain shared SSL has similar procedures, but you need to buy a wildcard certificate and create a subdomain for each user.

    I do not recommend using subdomain shared SSL if you don't charge your customers for the SSL feature, because a “wildcard SSL web Certificate” is more expensive than a single web certificate and you have to do some parts of the installation procedures manually on a per user basis or write your own scripts.


    How to Remove SSL certs and Keys?

    If you want to remove an installed SSL for example for the host.domain.com you should remove

    Certificates are at this directory:
    /usr/share/ssl/certs/
    remove these files:

    host.domain.com.crt
    host.domain.com.cabundle (if available)

    Private keys are at this directory:
    /usr/share/ssl/private/
    remove this file:

    host.domain.com.key

    Also you have to remove the related block in httpd.conf
    <IfDefine SSL>
    <VirtualHost 10.20.30.40:443>
    ……
    </VirtualHost>
    </IfDefine>


    How to test before buying a certificate
    or
    Installing a fake SSL web certificate

    You can create a fake web certificate and install it for testing purposes. If you don't know how to create a fake certificate, go to this URL and create one for testing purposes only:

    http://snakeoil.haisee.com/freecerts.php

    Attention: Fake web certificates are not trusted in client browsers, also there are some legal issues with them (they are illegal in production environments). Thus never use fake certificates for production environments.
     
  16. dolphyn

    dolphyn Well-Known Member

    Joined:
    Nov 27, 2001
    Messages:
    64
    Likes Received:
    0
    Trophy Points:
    6
    cPanel Access Level:
    Root Administrator
    Thanks!

    Thanks, ITF, for providing such detailed instructions exactly when I needed them.

    I used the User Directory method, and it worked exactly as you stated.
     
  17. Jedito

    Jedito Well-Known Member

    Joined:
    Aug 16, 2001
    Messages:
    46
    Likes Received:
    0
    Trophy Points:
    6
    I'm using https://ssldomain.com/~username/ but I get

    Access Not Allowed from this Domain
    You are attempting to access a user dir from a domain that is not owned by the user. Please correct the domain that you are attempting to use to access this url.

    Anybody know why?
     
  18. itf

    itf Well-Known Member

    Joined:
    May 9, 2002
    Messages:
    624
    Likes Received:
    0
    Trophy Points:
    16
    Originally posted by Jedito:

    > I'm using https://ssldomain.com/~username/ but I get
    >
    > Access Not Allowed from this Domain
    > You are attempting to access a user dir from a domain that is not owned by the user. Please correct the domain that you are attempting to use to access this url.
    >
    > Anybody know why?

    Read my above post about Shared SSL, you have to use your hostname for Shared SSL FQDN (host.serverdomain.com)

    this is due to mod_bwprotect read this thread I described why

    http://forums.cpanel.net/read.php?TID=3259

    you can't offer shared SSL on a different domain while you have mod_bwprotect installed, if you remove it your server's bandwidth would be abused.

    Please read the post exactly before asking another question that was answered. I wrote a complete step by step instruction
     
  19. dolphyn

    dolphyn Well-Known Member

    Joined:
    Nov 27, 2001
    Messages:
    64
    Likes Received:
    0
    Trophy Points:
    6
    cPanel Access Level:
    Root Administrator
    Using server-wide cert for CPanel/WHM

    Okay, one more dumb question: How can I use the server-wide certificate for CPanel/WHM?

    I have tried using the "Change CPanel/WHM certificate" function in WHM, and I get this error:
    error 20 at 0 depth lookup:unable to get local issuer certificate

    It's an InstantSSL certificate. I normally include a "bundle" to install these via WHM, but in this situation I'm not sure how to include the "bundle." I tried copying the .cabundle file to /usr/local/cpanel/share/ssl/certs, but it still didn't work.

    Thanks.
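
Added example, not part of any post in this thread: three checks that itf's step-by-step post and dolphyn's "error 20" question both turn on, run with the openssl command line against a constructed test CA and certificate. The function names, the "Example Test CA" and the use of host.serverdomain.com as the sample FQDN are assumptions made for the example.

```shell
#!/bin/sh
# Added example: checks to run on a certificate before using it for shared SSL.
# The CA and leaf below are constructed test fixtures, not real certificates.
set -eu

# make_fixture DIR FQDN: throwaway CA (plays the .cabundle) plus a leaf cert for FQDN.
make_fixture() {
    printf '[req]\ndistinguished_name=dn\nx509_extensions=v3\nprompt=no\n[dn]\nCN=unused\n[v3]\nbasicConstraints=critical,CA:TRUE\n' > "$1/o.cnf"
    openssl req -x509 -config "$1/o.cnf" -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Example Test CA" -keyout "$1/ca.key" -out "$1/$2.cabundle" 2>/dev/null
    openssl req -new -config "$1/o.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=$2" -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
    openssl x509 -req -in "$1/$2.csr" -CA "$1/$2.cabundle" -CAkey "$1/ca.key" \
        -set_serial 1 -days 1 -out "$1/$2.crt" 2>/dev/null
}

# cert_matches_host CERT FQDN: 0 if the cert is valid for FQDN (SAN, else subject CN).
cert_matches_host() {
    openssl x509 -noout -checkhost "$2" -in "$1" 2>&1 | grep -q 'does match'
}

# key_matches_cert CERT KEY: 0 if KEY is the private key for CERT's public key.
key_matches_cert() {
    [ "$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null)" = \
      "$(openssl pkey -pubout -in "$2" 2>/dev/null)" ]
}

# verify_chain CERT [BUNDLE]: print openssl's verdict; 0 only if the chain verifies.
verify_chain() {
    if [ -n "${2:-}" ]; then out=$(openssl verify -CAfile "$2" "$1" 2>&1) || true
    else out=$(openssl verify "$1" 2>&1) || true; fi
    printf '%s\n' "$out"
    printf '%s\n' "$out" | grep -q ': OK$'
}

tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
fqdn=host.serverdomain.com      # sample value; on a real server use the output of `hostname`
make_fixture "$tmp" "$fqdn"
crt=$tmp/$fqdn.crt; key=$tmp/$fqdn.key; bundle=$tmp/$fqdn.cabundle

# 1. The certificate must be issued for the name users will type in the URL.
cert_matches_host "$crt" "$fqdn"              && echo "name:  certificate covers $fqdn"
cert_matches_host "$crt" www.serverdomain.com || echo "name:  certificate does not cover www.serverdomain.com"
# 2. The private key must belong to the certificate.
key_matches_cert "$crt" "$key"                && echo "key:   matches certificate"
# 3. Without the issuer's bundle the chain cannot be built (openssl reports error 20).
verify_chain "$crt" >/dev/null                || echo "chain: fails without the CA bundle"
verify_chain "$crt" "$bundle" >/dev/null      && echo "chain: OK when the bundle is supplied"
```

To check real files, point `crt`, `key` and `bundle` at the paths under /usr/share/ssl/ named in the thread and skip `make_fixture`.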
     
  20. jamesbond

    jamesbond Well-Known Member

    Joined:
    Oct 9, 2002
    Messages:
    738
    Likes Received:
    1
    Trophy Points:
    18
    dolphyn, I have the same problem.

    If you have figured it out already, I would appreciate it if you tell me how you did it :)
     