SSL certificate behaviour on addon domains...

4u123

Well-Known Member
PartnerNOC
I'm looking for some advice on how best to work around the following issue...

Scenario: Customer has a plan with a number of addon domains and wants an SSL certificate for one of them. Let's say he has three domains...

domain1 (primary)
domain2 (addon)
domain3 (addon)

He wants an SSL cert on domain2 - so we give his account an IP address and install the certificate on domain2 for him.

A visitor goes to https://domain1 or https://domain3 in a browser and is correctly given a certificate warning, that the certificate doesn't match the domain. When the visitor chooses to accept the certificate and continue, the site displayed is the one for domain2 and not domain1 - however domain1 is displayed in the address bar.

I guess this happens because the web server sends the visitor to the root path of the certificate?

A customer has complained - he doesn't want any of his domains displaying the content of another - he argues that the visitor did not request the content of domain2 so this should not be displayed.

I've suggested that he work around this by using mod_rewrite to send the visitor to http whenever https is requested for his other domains. He's not happy with that and wants a more permanent solution.

So my question is - other than moving his certificate domain to a hosting plan on its own, is there a better way to work around this issue?
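
The behaviour in this post follows from Apache's name-based vhost matching: when no ServerName or ServerAlias on the requested IP:443 matches the hostname, the first vhost listed for that address answers. The following is an added example (not part of the thread and not cPanel's code) that reads a config and a domain-to-IP map and reports which domains will show another site's content over https. The `.example` names, the address 192.0.2.10 and the function names are constructed assumptions, and Include files are not followed.

```python
import re
from fnmatch import fnmatchcase

# Constructed sample: the account's three domains share one dedicated IP
# (192.0.2.10, a documentation address); only domain2 has an SSL vhost.
SAMPLE_CONF = """
<VirtualHost 192.0.2.10:80>
    ServerName domain1.example
    ServerAlias www.domain1.example
</VirtualHost>
<VirtualHost 192.0.2.10:80>
    ServerName domain3.example
</VirtualHost>
<VirtualHost 192.0.2.10:443>
    ServerName domain2.example
    ServerAlias www.domain2.example
    SSLEngine on
</VirtualHost>
"""
SAMPLE_DNS = {name: "192.0.2.10" for name in
              ("domain1.example", "domain2.example", "domain3.example")}

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)
NAME_RE = re.compile(r"^\s*Server(?:Name|Alias)\s+(.+)$", re.M | re.I)

def parse_vhosts(conf):
    """Return [(address, [names])] in file order; order decides the default."""
    vhosts = []
    for addrs, body in VHOST_RE.findall(conf):
        names = [n.lower() for line in NAME_RE.findall(body) for n in line.split()]
        vhosts.extend((addr.lower(), names) for addr in addrs.split())
    return vhosts

def https_fallthrough(conf, dns):
    """Map each domain lacking its own :443 vhost to the site served instead."""
    vhosts = parse_vhosts(conf)
    findings = {}
    for domain, ip in dns.items():
        # Apache prefers vhosts bound to the exact IP, then wildcard addresses.
        cands = [n for a, n in vhosts if a == f"{ip}:443"] or \
                [n for a, n in vhosts if a in ("*:443", "_default_:443")]
        if not cands:
            continue  # no SSL vhost can receive this request
        if any(fnmatchcase(domain.lower(), p) for names in cands for p in names):
            continue  # a vhost names this domain explicitly
        # No name matched: the first vhost listed for the address is used.
        findings[domain] = cands[0][0] if cands[0] else "(unnamed vhost)"
    return findings
```

Calling `https_fallthrough(SAMPLE_CONF, SAMPLE_DNS)` on the constructed data reports domain1 and domain3 as falling through to domain2's vhost; giving each affected domain its own :443 vhost, or moving domain2 to a separate IP, empties the result.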
 

Sys Admin

Well-Known Member
cPanel Access Level
Root Administrator
The correct method is to convert the addon domain to its own cPanel account. Otherwise, you will need to edit the httpd.conf & /var/named/addon-domain.com.db DNS zone manually and assign a different dedicated IP; then you should be able to install the SSL cert for the addon domains through WHM and it will not conflict with the other addon domains.
 

4u123

Well-Known Member
PartnerNOC
> The correct method is to convert the addon domain to its own cPanel account. Otherwise, you will need to edit the httpd.conf & /var/named/addon-domain.com.db DNS zone manually and assign a different dedicated IP; then you should be able to install the SSL cert for the addon domains through WHM and it will not conflict with the other addon domains.

I think you'd edit the /var/cpanel/userdata/domain.name file and change the IP in there, rather than editing the httpd.conf file.

So at first glance it would seem the problem arises simply because the SSL protocol is designed to work on an IP address rather than a hostname and Apache is unable to use name-based vhost entries for SSL for that reason.

However, if you look at this practically, it's a cpanel problem. It's not appropriate to tie all the domains to a single IP. What's the reason for doing that?

There is no advantage to changing all the domains on one account to use the same IP address, if you are only wanting to install a certificate on one domain. Considering that it is possible to manually configure individual domains within an account to use different IPs by changing the Apache and DNS configuration - why does this functionality not exist in cpanel? It's hardly complicated.

The option to "Change a Sites IP address" in WHM, should do what it says - change a particular site's IP, not the whole account.

It would seem much more practical and sensible to do it that way - so the question to cpanel would be - why not?

Yes, I know there is a big feature request open to allow for multiple SSL certificates in accounts (this is now possible anyway with SNI enabled servers) and changing the way addon domains work etc - but, let's get back to basics here...

The fundamental, basic functionality of this software should allow you simply to choose a domain you want to change the IP address for - that would be a minimum requirement in my opinion. Sure, allow a whole account to share single IP - as an additional option, but the default option should be on a "per domain" basis.

To me, the current functionality is backwards and it seems more complicated to change all the domains in one account, instead of just the one that is needed. I'd really like to understand cpanel's logic and reasoning behind the way they implemented this.
 

cPanelMichael

Administrator
Staff member
Hello :)

The full steps on how to assign a separate IP address to an addon domain name are documented here:

How to Assign Dedicated IP Addresses to Subdomains

The section at the bottom explains the slight difference when making the change for addon domains. Note that a browser-based interface that allows you to make this change does sound like a good feature. I suggest opening a feature request for it here:

Submit A Feature Request

Thank you.