SSL - A definitive answer

Discussion in 'General Discussion' started by DuxAranea, May 21, 2004.

  1. DuxAranea

    There's one thing that keeps coming up but I have not seen any clear answers for yet, and that is a shared SSL certificate for a server.

    What I mean by "shared SSL", and someone may want to correct me on my use of that term, is that all the domains on a shared IP address share the same SSL certificate.

    I have a shared IP address on my server and I want to provide generic, self-signed SSL for every domain on that IP. Can I do that with just one SSL cert on the shared IP address? How is that accomplished?

    Also - how can I set a subdirectory to use for storing my secure site? For example, I want https://mydomain.com to bring me straight to the secure folder, and do it transparently - meaning that https://mydomain.com still shows in the browser's address line, without the secure subdirectory name showing. I had this set up once when I was on a host with Plesk, and I'd like to try and set it up that way for my users in cpanel, since I remember it being a very user-friendly setup.

    I know that's a lot for one post, but if I could get this cleared up once and for all, it would really help everyone, I think. Thanks to anyone who can help.
     
    #1 DuxAranea, May 21, 2004
    Last edited: May 21, 2004
  2. icanectc

  3. DuxAranea

    That doesn't sound right to me...
     
  4. fishfreek

    To use a shared SSL you have to do it like icanectc said. To do it the other way each site would have to have its own self-signed SSL. And since you can only have 1 SSL per IP that would require every client to have their own IP.

    To have the https:// go to a different folder then you need to edit the httpd.conf file for that domain and specify the root file path for the secure website to be whatever you want it to be.
     
  5. casey

    Well, it is...
     
  6. Host4u2

    Example:

    Server name: test.abc.com

    Create account: abc.com (sharing server IP address)
    Create sub-domain: test.abc.com

    Order SSL Cert for test.abc.com, using server IP.

    Install Certificate via WHM for test.abc.com

    Now, clients/accounts can use the server-wide Shared Certificate using:

    https://test.abc.com/~userID/filename.shtml
     
  7. protocol

  8. Host4u2

    Note: In the example, test.abc.com is the server name. Also, the Certificate must be issued to "test.abc.com" (important).

    You wrote: "https://test.abc.com/ goes to the same place as http://abc.com/"

    Is your Certificate issued to your server name, test.abc.com, using abc.com's unique IP address?

    Obviously, test.abc.com (sub-domain.url.com) is substituted for your real domain and sub-domain :)
     
  9. protocol

    Thanks,

    Yes, server name is test.abc.com and SSL cert is for same.

    abc.com is on the same IP address as all the user accounts that don't have their own IP address (so they can have their own SSL certs). This is the main server IP address that is used by the Server Name. Is this wrong?
     
  10. Host4u2

    Yes, abc.com should have its own unique IP address (as is so with any SSL Cert.).
     
  11. protocol

    I tried to switch abc.com to a new IP and it seemed to mess things up. http://test.abc.com went to a customer's site and
    http://test.abc.com/~username was not found. This also broke http://[main shared ip]/~username. I had to restore the last httpd.conf file to get things right again. I'm a little scared of messing things up :-(
     
  12. Host4u2

    The time to assign a unique IP is before you order the Cert. It's already assigned the IP you ordered it with now.
     
  13. protocol

    I seem to have done it. I manually changed the httpd.conf file:

    added:

    <IfDefine SSL>
    <VirtualHost [Shared IP]:443>
    DocumentRoot /usr/local/apache/htdocs
    BytesLog domlogs/[Server Name]-bytes_log
    ServerName [Server Name]-
    SSLEnable
    SSLCertificateFile /usr/share/ssl/certs/[Server Name]-.crt
    SSLCertificateKeyFile /usr/share/ssl/private/[Server Name]-.key
    SSLLogFile /var/log/[Server Name]-
    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
    </VirtualHost>
    </IfDefine>

    Does this seem okay to you?
     
  14. Host4u2

    Yep, especially if that is working for you. I was about to suggest uninstalling the Cert and then reinstalling it with assigning it a new unique IP address (for abc.com) :)
     
  15. protocol

    Okay, hopefully cPanel will not overwrite it. Thanks for the help.

    Will
     
  16. Host4u2

    If you find you still have a problem... since all else is okay, just assign your abc.com a unique IP address, then uninstall the cert, and then reinstall via your WHM using the new unique IP. However, it sounds like all is well now :D
     
  17. fadedpictures

    So I just want to clarify.

    I'm in a similar situation.

    I have just installed a cert on my main domain name under secure.mymaindomain.com for use as a shared SSL cert for my server. The IP address assigned to my secure.mymaindomain.com URL is different from the main shared IP address of the server.

    All my shared virtual accounts are attached obviously to the main shared IP address of the server.

    Do I need to get my cert reissued to the main shared IP address of the server? Instead of to my site's main IP address, which is only assigned to my site and the secure sub.

    As of now I get a 404 error message when I try and go to https://secure.mymaindomain.com/~username/
    and the only thing I can think of to fix the issue is to tie the cert to the server's IP address.

    Are certs bound to the IP, or just the name, i.e. secure.mymaindomain.com?

    Thanks for all your help.

    Bret
    faded pictures designs
     
  18. mweb

    name only

    Certs are only bound to the name. There's a lot of noise in these forums saying that certs are bound to IP, but that's entirely not true.

    If you're doing this to leverage your one certificate, you should make sure that in httpd.conf it's the default virtual host for that ip. Then you should be able to use /~username all you want. Bear in mind that those users won't be able to run perl scripts unless the site is running as "nobody".

    You might want to check that you've got ~username enabled under tweak security > mod_userdir (checked for "default").
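
The "default virtual host for that IP" check from the post above, as an added example that is not part of the original thread: Apache uses the first `<VirtualHost>` listed for an address:port as the default, so this Python sketch reads an httpd.conf and reports whether the shared-certificate host is listed first. The sample configuration, hostnames other than secure.mymaindomain.com, and IP addresses are constructed placeholders; wrappers such as `<IfDefine SSL>` are ignored.

```python
import re

# Constructed sample httpd.conf; addresses and customer1.example are placeholders.
SAMPLE_CONF = """\
<VirtualHost 192.0.2.10:443>
ServerName customer1.example
DocumentRoot /home/customer1/public_html
</VirtualHost>
<VirtualHost 192.0.2.10:443>
ServerName secure.mymaindomain.com
DocumentRoot /usr/local/apache/htdocs
</VirtualHost>
<VirtualHost 192.0.2.20:443>
ServerName secure.mymaindomain.com
</VirtualHost>
"""

VHOST_OPEN = re.compile(r"^\s*<VirtualHost\s+([^>]+)>", re.I)
VHOST_CLOSE = re.compile(r"^\s*</VirtualHost>", re.I)
SERVER_NAME = re.compile(r"^\s*ServerName\s+(\S+)", re.I)

def vhosts_by_address(conf_text):
    """Map each address:port to its vhost ServerNames in file order."""
    blocks_by_addr, block = {}, None
    for line in conf_text.splitlines():
        m = VHOST_OPEN.match(line)
        if m:
            block = {"name": None}  # a vhost without ServerName still counts
            for addr in m.group(1).split():
                blocks_by_addr.setdefault(addr, []).append(block)
        elif VHOST_CLOSE.match(line):
            block = None
        elif block is not None:
            m = SERVER_NAME.match(line)
            if m:
                block["name"] = m.group(1).lower()
    return {a: [b["name"] for b in bs] for a, bs in blocks_by_addr.items()}

def is_default_vhost(conf_text, address, server_name):
    """True if server_name is the first (default) vhost on address."""
    names = vhosts_by_address(conf_text).get(address, [])
    return bool(names) and names[0] == server_name.lower()

def shadowed_by(conf_text, address, server_name):
    """ServerName of the vhost listed ahead of server_name, or None."""
    names = vhosts_by_address(conf_text).get(address, [])
    if server_name.lower() in names and names[0] != server_name.lower():
        return names[0]
    return None
```

On the sample, secure.mymaindomain.com is the default on 192.0.2.20:443 but is shadowed by customer1.example on 192.0.2.10:443, so requests to the shared address that match no other name would be answered by the customer's host.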
     
  19. fadedpictures

    Thanks for the clarity on the issue, that helps a lot.
     