SSL and Shared Sites

[TampaTech]

I have a dedicated server and have some questions regarding IP address allocation and SSL setup.

In WHM, under Main - IP Functions - Show IP Address Usage, here is what I have:
IP Address Http Usage
-------------------------------------
1.1.1.1 www.sharedsite1.com server1.mydomain.com www.sharedsite2.com www.sharedsite3.com
1.1.1.2 (blank)
1.1.1.3 www.privatesslsite1.com
1.1.1.4 www.privatesslsite2.com
1.1.1.5 www.mydomain.com
1.1.1.6 (blank)

Background Configuration:
* My hostname is server1.mydomain.com
* Under WH Setup, my Main Shared Virtual Host IP is: 1.1.1.1
* I have 3 customer shared sites on 1.1.1.1
* I have 2 customer sites with private SSL certs on .3 and .4
* I needed a private SSL for my domain, so I got one for www.mydomain.com and gave it the IP of 1.1.1.5. I am using this SSL cert for the shopping cart of main site

Question:
1) I want to provide a shared SSL for my customers (those who run osCommerce) and also for secure webmail. What is needed to accomplish this? How do I create a subdomain account and what should be the FQDN of the new SSL cert? I want to provide my customers with a shared SSl of something like: https://secure1.mydomain.com/~user1/. So, I would guess that the FDQN of the new cert would be secure1.mydomain.com, but want to make sure.
2) After I set up the new secure domain, do I need to change the Main Shared Virtual Host IP address so that my customers are tied to the IP address of the new secure cert?
3) Is anything special needed for the secure webmail configuration?

Any examples/feedback is much appreciated.

Thanks.

 

[jayh38]

Keep in mind if you offer ssl to your hostling clients, the certificate will show you as the owner and not your clients domain which may not be desired.

Anyway, you should let clients purchase ssl for their own domain or offer it as a reseller service feature. They are inexpensive for starter certs, 15 bux or so or you could invest some money and purchase a wildcard which will allow you to issue certificates appropriately.

Anyway, there is nothing special about the subdomain. Just generate your key inside the cpanel that controls the subdomain. Once the key is generated and uploaded, you then generate the CSR which is used for for the actual purchase.

One hint, do paste every key safely into a text file and keep it safe. If you reinstall or lose your remote key, no certificate will work and you will need to purchase again.

Check out namecheap or registerfly for economical starter certs.

 

[TampaTech]

Thanks for the response. The goal is to tell my customers to go with a private ssl cert...it is preferred for a number of different reasons.

However, I know I will need to provide a shared SSL for some customers....there are too many other companies that do this unfortunately.

Having said that, I need the FQDN for the SSL cert. So, given my example in the original post, should I get one for server1.mydomain.com or for mydomain.com?

Also, after getting the SSL cert and installing it to a specific IP address, do I then need to modify the Main Shared Virtual Host IP address so that my customers are now tied to that private SSL? How do I point customer sites to a shared SSL?

Thanks

 

[jayh38]

Ouch.. what you are asking is just not the way ssl is made to operate.
I highly suggest not trying what you propose.

keep it simple, If clients can afford to buy and sell products, they surely can afford their own ssl certificate for a lousy 10 dollars per year. On the other hand, If you are not actually processing cards on the service, then SSL is truely not needed. When you hand the order over to paypal, 2checkout, authorize.net or whomever, they invoke ssl and proper security.

 

[TampaTech]

I think you took my post the wrong way. I appreciate the feedback...I wasn't trying to be sarcastic.

Most of the major hosting companies provide their customers with access to a shared SSL (IPower#eb, Ho$tRocket, etc.). I don't believe they use wildcard SSL certs, but need more info on how they do it.

Can anyone provide some answers on how to provide my customers with a shared SSL.

Thanks.

 

[jayh38]

This may explain better than I have already. I will make this my final comment in this thread and wish you well.

http://www.ourshop.com/resources/shared-ssl.html

 

[robbyboycar]

Have you sorted this. I can help.

Hi there. This seems like an old post now, don't know if it's still relevant.

I know exactly what you're trying to do. There's nothing wrong with it at all (in my opinion).

I am presuming 2 things. Firstly you have some knowledge of SSH commands, and secondly that your Apache server is configured for symlinks? (If it isn't then reply and I'll give you the instructions for configuring your server's vhost_ssl.conf

You need to be doing this in SSH. Presumably you have SSH access.

Reading your posts do the following,

1. Pick your shared domain, we'll call it <sharedssl.com> for the purposes of this thread.

2. Obviously purchase and set up a cert for that domain on whatever IP address it's sitting on, FQDN - www.sharedssl.com. (cheapest this way)

3. Make sure that all your customers wishing to share this ssl cert are sitting on the same IP address.

4. Let's say that your first customer wishing to use the shared SSL is <www.customer1.com>

6. In SSH (within the sharedssl.com domain), cd (absolute path) to wherever the https docs are served up, e.g. /var/vhosts.../blah/...../sharedssl/httpsdocs and type the following;

ln -s /var/vhosts.../blah/...../customer1.com/httpdocs customer1
|- this is the absolute path to customer1's httpdocs -|

You now have created a symbolic link called customer1 that points directly to customer1's httpdocs.

7. Finally you need to now set the permissions for this symbolic link to work correctly. e.g.;

At the command,

chown username:group customer1

To summarise;

https://www.sharedssl.com/customer1

is looking at the same pages as;

http://www.customer1.com

You can repeat the process as many times as you want for all your different customers who want to use your shared SSL. The previous poster was right, in that the certificate shows your details, not that of your customers, though in reality, this is very very common practice, and let's be honest how many people sit there studying the ownership details of a cert anyway. I bloody don't!

Contact me if you need any more help.

Rob (UK)

 

[brianc]

Has anyone confirmed that the above request from Rob actually works?

For instance his instructions in step 7 does not work for me:

"7. Finally you need to now set the permissions for this symbolic link to work correctly. e.g.;

At the command,

chown username:group customer1"

When I try to change the ownership of the symbolic link, it still stays as the owner root. Am I missing something here?

Brian

 

[freedman]

Has anyone confirmed that the above request from Rob actually works?

For instance his instructions in step 7 does not work for me:

"7. Finally you need to now set the permissions for this symbolic link to work correctly. e.g.;

At the command,

chown username:group customer1"

When I try to change the ownership of the symbolic link, it still stays as the owner root. Am I missing something here?

Brian

the permissions on softlinks is largely irrelevant. the OS cares about the permission of the file the link points to, so it's not generally critical if the link itself doesn't have the right labels. but if you need the user/group to list a specific user, you can:
su - USERNAME ln FILEPATH LINKNAME


if you do "chown username:group customer1" then it will change the ownership of the file/directory customer1 links to, which happens to be ok in this scenario, but if you have multiple links to a file, you may not want to keep chaning it's ownership :P

so, basically, ignore this line.. make sure your customers files are owned by them, and your webserver needs read access to them, you should be ok.