SSL - A definitive answer

DuxAranea

There's one thing that keeps coming up but I have not seen any clear answers for yet, and that is a shared SSL certificate for a server.

What I mean by "shared SSL", and someone may want to correct me on my use of that term, is that all the domains on a shared IP address share the same SSL certificate.

I have a shared IP address on my server and I want to provide generic, self-signed SSL for every domain on that IP. Can I do that with just one SSL cert on the shared IP address? How is that accomplished?

Also - how can I set a subdirectory to use for storing my secure site? For example, I want https://mydomain.com to bring me straight to the secure folder, and do it transparently - meaning that https://mydomain.com still shows in the browser's address line, without the secure subdirectory name showing. I had this set up once when I was on a host with Plesk, and I'd like to try and set it up that way for my users in cpanel, since I remember it being a very user-friendly setup.

I know that's a lot for one post, but if I could get this cleared up once and for all, it would really help everyone, I think. Thanks to anyone who can help.
 

fishfreek

To use a shared SSL you have to do it like icanectc said. To do it the other way each site would have to have its own self-signed SSL. And since you can only have 1 SSL per IP, that would require every client to have their own IP.

To have the https:// go to a different folder, you need to edit the httpd.conf file for that domain and specify the root file path for the secure website to be whatever you want it to be.
 

protocol


Host4u2

Note: In the example, test.abc.com is the server name. Also, the Certificate must be issued to "test.abc.com" (important).

You wrote: "https://test.abc.com/ goes to the same place as http://abc.com/"

Is your Certificate issued to your server name, test.abc.com, using abc.com's unique IP address?

Obviously, test.abc.com (sub-domain.url.com) is substituted for your real domain and sub-domain :)
 

protocol

Thanks,

Yes, server name is test.abc.com and SSL cert is for same.

abc.com is on the same IP address as all the user accounts that don't have their own IP address (so they can have their own SSL certs). This is the main server IP address that is used by the Server Name. Is this wrong?
 

protocol

I seem to have done it. I manually changed the httpd.conf file:

added:

<IfDefine SSL>
<VirtualHost [Shared IP]:443>
DocumentRoot /usr/local/apache/htdocs
BytesLog domlogs/[Server Name]-bytes_log
ServerName [Server Name]-
SSLEnable
SSLCertificateFile /usr/share/ssl/certs/[Server Name]-.crt
SSLCertificateKeyFile /usr/share/ssl/private/[Server Name]-.key
SSLLogFile /var/log/[Server Name]-
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
</VirtualHost>
</IfDefine>

Does this seem okay to you?
 

Host4u2

Yep, especially if that is working for you. I was about to suggest uninstalling the Cert and then reinstalling it with assigning it a new unique IP address (for abc.com) :)
 

Host4u2

If you find you still have a problem... since all else is okay, just assign your abc.com a unique IP address, then uninstall the cert, and then reinstall via your WHM using the new unique IP. However, it sounds like all is well now :D
 

fadedpictures

So I just want to clarify.

I'm in a similar situation.

I have just installed a cert on my main domain name under secure.mymaindomain.com for use as a shared SSL cert for my server. The IP address assigned to my secure.mymaindomain.com URL is different from the main shared IP address of the server.

All my shared virtual accounts are attached, obviously, to the main shared IP address of the server.

Do I need to get my cert reissued to the main shared IP address of the server, instead of to my site's main IP address, which is only assigned to my site and the secure sub?

As of now I get a 404 error message when I try to go to https://secure.mymaindomain.com/~username/
and the only thing I can think of to fix the issue is to tie the cert to the server's IP address.

Are certs bound to the IP, or just the name, i.e. secure.mymaindomain.com?

Thanks for all your help.

Bret
faded pictures designs
 

mweb

name only

Certs are only bound to the name. There's a lot of noise in these forums saying that certs are bound to IP, but that's entirely not true.

If you're doing this to leverage your one certificate, you should make sure that in httpd.conf it's the default virtual host for that ip. Then you should be able to use /~username all you want. Bear in mind that those users won't be able to run perl scripts unless the site is running as "nobody".

You might want to check that you've got ~username enabled under tweak security > mod_userdir (checked for "default").
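
The name-only binding described in the reply above, shown as an added example that is not part of the original thread: a simplified version of the hostname check a TLS client runs against the certificate it is handed, which also covers wildcard names. The certificate dict, the customer-site.example host and the 192.0.2.10 address are constructed samples.

```python
# Added example; names and the 192.0.2.10 address are constructed samples.
import ipaddress

# Same shape as ssl.SSLSocket.getpeercert(): the thread's shared certificate.
SHARED_CERT = {
    "subject": ((("commonName", "secure.mymaindomain.com"),),),
    "subjectAltName": (("DNS", "secure.mymaindomain.com"),),
}

def cert_dns_names(cert):
    """DNS names a client will accept: SAN entries, else the subject CN."""
    sans = [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v.lower() for rdn in cert.get("subject", ())
            for k, v in rdn if k == "commonName"]

def name_matches(pattern, host):
    """Exact match, or one left-most '*' label (RFC 6125 style)."""
    p_labels, h_labels = pattern.split("."), host.split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        return len(p_labels) > 2 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels

def client_accepts(cert, url_host):
    """True if the host typed in the URL is covered by the certificate."""
    host = url_host.lower().rstrip(".")
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return any(name_matches(n, host) for n in cert_dns_names(cert))
    # A literal IP in the URL matches only an explicit "IP Address" SAN.
    return any(k == "IP Address" and ipaddress.ip_address(v) == ip
               for k, v in cert.get("subjectAltName", ()))

if __name__ == "__main__":
    # All three hosts are assumed to resolve to the same shared IP.
    for h in ("secure.mymaindomain.com", "customer-site.example", "192.0.2.10"):
        verdict = "ok" if client_accepts(SHARED_CERT, h) else "name mismatch"
        print(f"https://{h}/ -> {verdict}")
```

Only the first URL passes: the server's IP address never enters the comparison, so moving the certificate to another IP changes nothing, while any other hostname served from the same virtual host triggers a name-mismatch warning.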