The Community Forums


SSL certificate for all services

Discussion in 'General Discussion' started by sehh, Sep 5, 2007.

  1. sehh

    sehh Well-Known Member

    Joined:
    Feb 11, 2006
    Messages:
    579
    Likes Received:
    5
    Trophy Points:
    18
    Location:
    Europe
    Currently, when a virtual host installs an SSL certificate, it only works for HTTPS. Is it possible to install that certificate for all other services, like cPanel access, FTP, POP3/Imap, etc?

    Thank you.
     
  2. cPanelDavidG

    cPanelDavidG Technical Product Specialist

    Joined:
    Nov 29, 2006
    Messages:
    11,279
    Likes Received:
    8
    Trophy Points:
    38
    Location:
    Houston, TX
    cPanel Access Level:
    Root Administrator
    Are you referring to something like WHM -> Service Configuration -> Manage Service SSL Certificates ?
     
  3. sehh

    sehh Well-Known Member

    I've done that, but all it does is install system-wide certificates.

    I'm talking about per-host certificates, so a virtual domain (with a dedicated IP) can install its SSL certificate and have it work in Exim as well.

    Currently, my hosted domains with SSL certificates see their own certificate when they access the server via HTTPS, but see the system-wide certificate for other services (ftp, pop3, etc), which means that they get a popup for a mismatched domain/certificate.
     
  4. cPanelDavidG

    cPanelDavidG Technical Product Specialist

    I recall a recent discussion on these forums requesting that cPanel support such functionality. However, it does not appear that anyone submitted an official feature request for that functionality yet.

    Feel free to submit this as a feature request to http://bugzilla.cpanel.net

    I'm sure if there's a manual way of doing (as it's not supported by cPanel/WHM itself at this time) this that someone here on the forums may be able to address that for you.
     
  5. sehh

    sehh Well-Known Member

    To tell you the truth, I don't have much confidence in the bugzilla, because requests in there are left unanswered for years, left as "NEW" with no further comment from the developers, and generally seem to be ignored.

    Don't take this wrong, I'm sure the developers have enough things to do already; it's just that, looking at the bugzilla ticket status, it doesn't seem like opening a ticket actually means anything.
     
  6. cPanelDavidG

    cPanelDavidG Technical Product Specialist

    Note that every new bugzilla entry is reviewed by a member of our Quality Assurance staff. While they rarely provide input after reviewing the bug submission/feature request other than modifying to enhancement or confirmed, that doesn't mean it goes unnoticed. Many of these entries are acted upon, especially those with a substantial number of votes and CC's indicating popular support among the user community.

    For what it's worth though, your feature request is more likely to be acted upon if submitted to http://bugzilla.cpanel.net than it is by a simple forum post in a forum not routinely monitored by the QA and development staff.
     
  7. MaraBlue

    MaraBlue Well-Known Member

    Joined:
    May 3, 2005
    Messages:
    335
    Likes Received:
    2
    Trophy Points:
    18
    Location:
    Carmichael, CA
    cPanel Access Level:
    Root Administrator
  8. brumie

    brumie Active Member

    Joined:
    Dec 9, 2003
    Messages:
    42
    Likes Received:
    0
    Trophy Points:
    6
    any updates?

    I vote for this one too, lots of customers are asking for this as they always get DOMAIN MISMATCH, NOT VALID, and they're angry about their certificate being recognized as not valid by Apple Mail and other mail applications.

    We need users' SSL certificates to be usable for other services too.
     
  9. sehh

    sehh Well-Known Member

    It's definitely a missing feature and an important one!

    most people don't notice but all communications (pop3/smtp/etc) are unencrypted.

    if this feature was implemented then we would be able to offer greater security and prevent man-in-the-middle sniffing of data.
     
  10. visskiss

    visskiss Member

    Joined:
    Jun 17, 2008
    Messages:
    14
    Likes Received:
    0
    Trophy Points:
    1
    Definitely need SSL for other services

    Hi,

    Has anyone figured out a way of doing this manually? Via stunnel/IMAP config perhaps?

    I also vote this in...
     
  11. sehh

    sehh Well-Known Member

    Nope, cPanel doesn't support per-domain SSL certificates for any services other than HTTPS.
     
  12. visskiss

    visskiss Member

    a workaround

    There is a workaround, at least for IMAP. Haven't looked into other services yet (but POP is exactly the same).

    ...as long as you have access to WHM.

    Here goes...

    1. Go into WHM and install the certificate under 'Install a SSL certificate and setup a domain'. You may also install the certificate in cPanel.
    2. Once it's installed, go to 'Manage Service SSL Certificates' under 'Service Configuration'.
    3. Click on 'Install a new certificate' next to IMAP
    4. Select the certificate you installed in step 1.
    5. Test that it works for the mail client.
    6. Now, the key file you need is '/var/cpanel/ssl/courier/myimapd.pem'. It's always called that and is linked to by the file '/usr/lib/courier-imap/share/imapd.pem'
    7. Now you need to copy that file '/var/cpanel/ssl/courier/myimapd.pem' to /etc/ssl/certs/www.mydomain.com.pem using
    Code:
    cp /var/cpanel/ssl/courier/myimapd.pem /etc/ssl/certs/www.mydomain.com.pem
    8. Now you need to create a symlink (ln) to that file in /usr/lib/courier-imap/share/ in the form imapd.pem.<ip-address-of-mydomain>. Yes, it only works by IP address, so you need a dedicated one for each host...as with Apache.
    Code:
    ln --symbolic /etc/ssl/certs/www.mydomain.com.pem /usr/lib/courier-imap/share/imapd.pem.xxx.xxx.xxx.xxx
    where the x's are your ip address.
    9. Now, go back to WHM and reinstall the original certificate for IMAP (steps 2 and 3) or just reset the certificate.
    10. That's it.

    Enjoy!
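Step 5 above says to test from a mail client. The script below is an added example (not from visskiss or cPanel) of doing that check from the command line with openssl: it connects to a service port, prints the Common Name of the certificate actually presented, and reports the hostname mismatch the thread describes when a service still hands out the system-wide certificate instead of the domain's own. It assumes the openssl CLI is installed; the STARTTLS port table and the name_covers_host rule are my own, and only the Common Name is examined (Subject Alternative Names are not parsed).

```shell
#!/bin/sh
# check_service_cert.sh: show which certificate a host presents on a service
# port and whether its name covers the hostname clients will type into their
# mail program.  Needs the openssl command-line tool.

# STARTTLS ports need openssl told which protocol to speak first; the
# implicit-TLS ports (443, 465, 993, 995) need nothing extra.
starttls_arg() {
  case "$1" in
    25|587) printf '%s\n' "-starttls smtp" ;;
    143)    printf '%s\n' "-starttls imap" ;;
    110)    printf '%s\n' "-starttls pop3" ;;
    *)      printf '\n' ;;
  esac
}

# Pull the Common Name out of an "openssl x509 -subject" line.  Both the
# "subject=C = US, CN = example.com" and the older "subject=/C=US/CN=example.com"
# layouts are handled.
subject_cn() {
  printf '%s\n' "$1" | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p' | head -n 1 | sed 's/ *$//'
}

# Does certificate name $1 cover hostname $2?  Exact match, or a single-label
# wildcard: "*.example.com" covers "mail.example.com" but not "example.com"
# itself and not "a.b.example.com" (the same rule a mail client applies).
name_covers_host() {
  cert="$1"; host="$2"
  [ "$cert" = "$host" ] && return 0
  case "$cert" in
    \*.*)
      suffix="${cert#\*}"            # ".example.com"
      rest="${host%"$suffix"}"       # "mail" when host ends in the suffix
      [ "$rest" != "$host" ] && [ -n "$rest" ] && [ "${rest#*.}" = "$rest" ] && return 0
      ;;
  esac
  return 1
}

# Connect to host:port, print the CN presented and compare it with the name
# the client expects (defaults to the host).  Returns 0 on match, 1 on
# mismatch, 2 if no certificate could be fetched.
probe_service() {
  host="$1"; port="$2"; expect="${3:-$1}"
  subj=$(openssl s_client -connect "$host:$port" -servername "$host" \
           $(starttls_arg "$port") </dev/null 2>/dev/null \
         | openssl x509 -noout -subject 2>/dev/null)
  [ -n "$subj" ] || { printf '%s:%s NOCERT\n' "$host" "$port"; return 2; }
  cn=$(subject_cn "$subj")
  if name_covers_host "$cn" "$expect"; then
    printf '%s:%s OK       presents "%s"\n' "$host" "$port" "$cn"
  else
    printf '%s:%s MISMATCH presents "%s", client expects "%s"\n' "$host" "$port" "$cn" "$expect"
    return 1
  fi
}

# Usage: sh check_service_cert.sh mail.example.com 993 [expected-name]
# Run it for 443, 993, 995 and 465 (or 143/110/25 with STARTTLS) to see which
# services still hand out the system-wide certificate.
if [ $# -ge 2 ]; then
  probe_service "$@"
fi
```

Running it against the HTTPS port and then the IMAP/POP3/SMTP ports of the same domain shows exactly the situation from the first post: OK on 443, MISMATCH everywhere else until the per-IP links are in place.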
     
  13. sehh

    sehh Well-Known Member

  14. visskiss

    visskiss Member

    SMTP also

    I think the thread you're referring to is

    http://www.jaguarpc.com/forums/showthread.php?t=20765

    I have also done it for SMTP now. It is a similar process. Key to this process (and the IMAP process above) is picking the domain name for the certificate: it shouldn't be www.mydomain.com but just 'mydomain.com' or 'secure.mydomain.com'. When you install the cert, you'll be using https://mydomain.com for secure web services and mydomain.com as the incoming server and SMTP server.

    1. If you haven't installed the certificate, go into WHM and install the certificate under 'Install a SSL certificate and setup a domain'. You may also install the certificate in cPanel.
    2. Once it's installed, go to 'Manage Service SSL Certificates' under 'Service Configuration'.
    3. Click on 'Install a new certificate' next to EXIM. This creates the correct certificates (I don't know how to do that manually).
    4. This creates a link inside /etc called exim.crt and exim.key which point to the .crt and .key files that whm just created for you.
    5. Copy the target files exim.mydomain.com.crt and exim.mydomain.com.key and leave them where they are. The code:
    Code:
    cp /var/cpanel/ssl/exim/myexim.key /var/cpanel/ssl/exim/exim.mydomain.com.key
    cp /var/cpanel/ssl/exim/myexim.crt /var/cpanel/ssl/exim/exim.mydomain.com.crt
    6. Go to WHM 'Exim Configuration Editor' and click 'Advanced Editor' and add the following in the first box
    tls_certificate = /etc/$received_ip_address.exim.crt
    tls_privatekey = /etc/$received_ip_address.exim.key
    and click 'save'.

    7. Create a new link for each IP address in the /etc folder

    Code:
    ln -s /var/cpanel/ssl/exim/exim.mydomain.com.crt /etc/xxx.xxx.xxx.xxx.exim.crt
    ln -s /var/cpanel/ssl/exim/exim.mydomain.com.key /etc/xxx.xxx.xxx.xxx.exim.key
    8. Now to reset the original certificate for the other IP address(es)
    Code:
    cd /etc    # exim.crt and exim.key are the links WHM created in /etc (step 4)
    cp exim.crt xxx.xxx.xxx.xx2.exim.crt
    cp exim.key xxx.xxx.xxx.xx2.exim.key
    where the xxxs are the two different IP addresses (or as many as you are using). This ensures the original cert is used for connection to the original IP address.

    9. Now make sure the permissions are ok
    Code:
    cd /var/cpanel/ssl/exim
    chown mailnull exim.mydomain.*
    chgrp mail exim.mydomain.*
    chmod 660 exim.mydomain.*
    10. That's it... it should all be fine....

    NB these instructions were updated with later comments...

    I hope that it will be added soon as it's a pretty glaring hole...
     
    #14 visskiss, Sep 22, 2008
    Last edited: Sep 24, 2009
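The two procedures above (Courier in #12, Exim in #14) both hang a private key off a symlink named after an IP address, and a WHM reinstall or a typo leaves a dangling link or a world-readable key behind without any error from the daemons until a client connects. The script below is an added example, not visskiss's or cPanel's code, that audits that layout: each per-IP link must exist, resolve to a regular file, and (for files holding a key) not be readable by "other"; keys_match confirms a certificate and RSA key belong together. The default directories are the paths quoted in the thread and are assumed to be unchanged; they are parameters so the checks can be run against a staging copy.

```shell
#!/bin/sh
# audit_ip_certs.sh: sanity-check the per-IP certificate links that the Courier
# (imapd.pem.<ip>) and Exim (/etc/<ip>.exim.crt and .key) workarounds depend on.
# Directory arguments are optional so the checks can run against a test tree;
# the defaults are the cPanel paths quoted in the thread (assumed unchanged).

# Check one link: it must exist, resolve to a regular file and, when the file
# carries a private key, not be readable by "other".  Prints one line per
# finding and returns 1 on a problem, 0 when clean.
audit_link() {
  link="$1"; holds_key="$2"
  if [ ! -e "$link" ]; then
    if [ -L "$link" ]; then
      echo "DANGLING  $link -> $(readlink "$link")"
    else
      echo "MISSING   $link"
    fi
    return 1
  fi
  if [ ! -f "$link" ]; then
    echo "NOTAFILE  $link"
    return 1
  fi
  # find -L follows the link, so the permission test applies to the real file.
  if [ "$holds_key" = yes ] && [ -n "$(find -L "$link" -prune -perm -o+r 2>/dev/null)" ]; then
    echo "WORLDREAD $link (private key readable by everyone)"
    return 1
  fi
  return 0
}

# Exim layout: /etc/<ip>.exim.crt and /etc/<ip>.exim.key, which tls_certificate
# and tls_privatekey reach through $received_ip_address.  Returns the number of
# problems found (0, 1 or 2).
audit_exim_ip() {
  ip="$1"; etcdir="${2:-/etc}"; total=0
  audit_link "$etcdir/$ip.exim.crt" no;  total=$((total + $?))
  audit_link "$etcdir/$ip.exim.key" yes; total=$((total + $?))
  return $total
}

# Courier layout: one imapd.pem.<ip> per IP; the .pem holds key and cert together.
audit_courier_ip() {
  ip="$1"; sharedir="${2:-/usr/lib/courier-imap/share}"
  audit_link "$sharedir/imapd.pem.$ip" yes
}

# Confirm that a certificate ($1) and an RSA key ($2) belong together by
# comparing their modulus.  Returns 2 when openssl is not installed rather than
# guessing; non-RSA keys are reported as a mismatch.
keys_match() {
  command -v openssl >/dev/null 2>&1 || return 2
  [ "$(openssl x509 -noout -modulus -in "$1" 2>/dev/null)" = \
    "$(openssl rsa -noout -modulus -in "$2" 2>/dev/null)" ]
}

# Usage: sh audit_ip_certs.sh 192.0.2.10 192.0.2.11   (exit status = problems found)
if [ $# -gt 0 ]; then
  bad=0
  for ip in "$@"; do
    audit_exim_ip "$ip"    || bad=$((bad + $?))
    audit_courier_ip "$ip" || bad=$((bad + $?))
  done
  exit $bad
fi
```

Run it after step 9 of either procedure and again after any WHM "reinstall certificate" click, since that is the moment the targets of the links get rewritten.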
  15. sehh

    sehh Well-Known Member

    hmm interesting, but does it work properly on single-certificates?

    since the user connects to mail.somedomain.com and most HTTP certificates don't offer wildcard support for subdomains (only the very expensive ones), so they should get an error for a mismatched domain.
     
  16. visskiss

    visskiss Member

    subdomains

    It will work if you have a wildcard certificate, otherwise it won't work. I have clients connect to their certificate domain name (domain.com usually) for all secure services. You could use secure.domain.com and just get a certificate for that.

    I use godaddy certificates for $30. You can also use CACert for free, but then root certificates need to be added to all your clients machines ;-)
     
  17. sehh

    sehh Well-Known Member

    I guessed as much, wildcard certificates are more expensive and feed the "beast" of corporate blackmail that has held the internet captive with certificates.

    I wish cacert (http://www.cacert.org) was finally included in Firefox, that would solve most of our problems and we would circumvent paid certificates.

    I use cacert and our clients don't mind installing the cacert root certificate.
     
  18. internetfab

    internetfab Well-Known Member
    PartnerNOC

    Joined:
    Feb 20, 2003
    Messages:
    336
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Gothenburg, Sweden
    cPanel Access Level:
    DataCenter Provider
    How does one make the SSL changes done in exim.conf stay permanent?
    Add it to the first box in the advanced Exim configuration?
     
  19. visskiss

    visskiss Member

    Hi,

    Did you figure that out? I just had to redo the changes.
     
  20. internetfab

    internetfab Well-Known Member
    PartnerNOC

    Ah sorry yes I did.

    1. Go into WHM.
    2. Click Exim Configuration Editor.
    3. Click Advanced Editor.
    4. Enter all of the config in the first box.
    5. Save.

    This will keep the config through upgrades.
     