SSL certificates in other services...

Discussion in 'General Discussion' started by sehh, Mar 3, 2009.

  1. sehh

    sehh Well-Known Member

    Joined:
    Feb 11, 2006
    Messages:
    579
    Likes Received:
    5
    Trophy Points:
    18
    Location:
    Europe
    As far as I understand cPanel, it appears that *client* SSL certificates can only be used in Apache virtual hosts and in no other place (exim, dovecot/courier-imap, pure-ftpd, cpanel, etc).

    And I don't mean the system-wide certificate, I mean the certificate installed by the CLIENT domain.

    In other words, a client may access https://his.domain.com but not cPanel or any other service with his certificate.

    Are there any plans from cPanel developers to change this and instead apply the certificate properly on all services, or at least those that support it? (I know dovecot does not support per-IP certificates, at least we should have cPanel use them on port 2083).
     
  2. DaveUsedToWorkHere

    DaveUsedToWorkHere Well-Known Member

    Joined:
    Dec 28, 2001
    Messages:
    689
    Likes Received:
    1
    Trophy Points:
    18
    Right now, all services except Apache are only designed for running 1 SSL certificate. Typically, the hostname's certificate is used for cPanel/WHM access rather than a site's SSL cert, as not all sites have SSL.
     
    #2 DaveUsedToWorkHere, Mar 3, 2009
    Last edited: Mar 3, 2009
  3. sehh

    Would it be possible for at least cPanel to use the SSL certificate of the client if one exists? It would be a nice feature to have so our tech support isn't bothered with questions about certificates not matching or clients asking why their SSL certificate isn't working while they are on the control panel.

    I also know it's possible to do this with courier-imap/pop3; it fully supports per-IP SSL certificates and a small patch has already been posted in the forum to do it.

    Unfortunately, this isn't supported at all by dovecot or exim :(
     
  4. DaveUsedToWorkHere

    Since we're not using Apache for the cPanel/WHM interfaces, we don't support virtualhosts for cPanel/WHM. You can typically avoid all browser warnings by having customers use domain.com/cpanel, installing an SSL certificate for your hostname, and making sure these options are set in WHM's Tweak Settings menu:


    Always redirect users to the ssl/tls ports when visiting /cpanel, /webmail, etc.

    When visiting /cpanel or /whm or /webmail WITHOUT SSL, you can choose to redirect to:
    Hostname | Origin Domain Name

    When visiting /cpanel or /whm or /webmail with SSL, you can choose to redirect to:
    SSL Certificate Name | Hostname | Origin Domain Name


    By always redirecting to the hostname, where a certificate is installed, you cover all customers, even those without certificates.
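
The name check behind the workaround described in the post above, as an added example that is not part of the original thread and not cPanel code: it evaluates, for each redirect choice, whether the single certificate served on port 2083 matches the name the browser is sent to. The hostnames are constructed, and the meaning given to "SSL Certificate Name" (the first non-wildcard name on the service certificate) is an assumption.

```python
# Added illustration (not cPanel code). Hostnames are constructed samples.

def name_matches(pattern, host):
    """RFC 6125-style check: exact match, or one '*' as the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if p == h:
        return True
    # A wildcard covers exactly one label and needs at least two fixed labels after it.
    return p[0] == "*" and len(p) == len(h) and len(p) >= 3 and p[1:] == h[1:]

def cert_covers(cert_names, host):
    """True if any name on the certificate matches the requested host."""
    return any(name_matches(n, host) for n in cert_names)

def redirect_target(option, origin_domain, server_hostname, cert_names):
    """Assumed semantics of the three redirect choices named in the post."""
    if option == "Hostname":
        return server_hostname
    if option == "Origin Domain Name":
        return origin_domain
    if option == "SSL Certificate Name":
        # Assumption: the first non-wildcard name on the service certificate.
        fixed = [n for n in cert_names if not n.startswith("*.")]
        return fixed[0] if fixed else server_hostname
    raise ValueError(f"unknown option: {option}")

def evaluate(origin_domain, server_hostname, cert_names):
    """Map each option to (redirect target, True if the certificate matches it)."""
    result = {}
    for option in ("Hostname", "Origin Domain Name", "SSL Certificate Name"):
        target = redirect_target(option, origin_domain, server_hostname, cert_names)
        result[option] = (target, cert_covers(cert_names, target))
    return result

# Constructed sample: one certificate, issued for the server hostname only.
SAMPLE = evaluate("shop.customer.example", "server1.hosting.example",
                  ["server1.hosting.example"])

if __name__ == "__main__":
    for option, (target, ok) in SAMPLE.items():
        status = "match" if ok else "NAME MISMATCH"
        print(f"{option:22} -> https://{target}:2083  {status}")
```

With a single service certificate, only redirects that land on a name that certificate carries avoid the browser warning; staying on the customer's own domain does not.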
     
  5. sehh

    I'm sorry, I don't want to be rude but that's a cheap way to avoid solving the problem and properly supporting SSL certificates.

    Since it's your application you are talking about and not exim or dovecot, why not invest in the development of proper certificate support throughout the system? (cpanel/whm)
     
  6. DaveUsedToWorkHere

    Adding such a feature would increase the overhead of each cPanel/WHM request as we would have to write in a virtualhost processing module and all virtualhosts on the system would have to be processed each time a request is made to cpsrvd. It would also require a major rewrite of the daemon to add this module.

    It is possible that this feature can be added but it's not something that can be put in place overnight as it requires a rework of cpsrvd to accommodate. It would likely be added as an option that is off by default as it would cause extra load on the server and latency for the user.

    I'm not trying to blow off your request. From our eyes, a user will be satisfied that they are connecting to their cPanel interface through SSL and when they do not receive any SSL errors from their browser. Would your users submit support about being redirected to the hostname when accessing the interface?

    Alternatively, we may be wrong and there may be a lot of demand for this feature. If that is the case, you can help us incorporate this feature quickly by having people post to this thread with support for virtualhost based SSL checking in cpsrvd.
     
  7. sehh

    Understood, if it does require so much development effort and indeed causes latency overhead then it may not be a priority.

    Based on my experience, users want SSL certificates on their own domain in three types of services (in order of importance): Web, Email (smtp/pop/imap) and cPanel. (Very few use ftp and even fewer have asked for SSL over ftp.)

    I guess we have the first (Web), but the other two are lacking. Since email SSL requires messing with several 3rd party projects (Exim, Dovecot, courier-imap/pop) then it does become rather hard to implement, unless you submit a feature request or submit patches from your development team.

    Oh well, nobody said this would be easy :)
     
  8. DaveUsedToWorkHere

    I'll keep a request open on our side for incorporating vhost based SSL into services as we can. Feel free to post any comments/thoughts here that may help us think of any angles we may have missed.
     
  9. sehh

    There is a PHP script which enables pure-ftpd to use per-IP SSL certificates and automatically does the necessary steps; unfortunately I can't remember the post.

    Discussion is already underway in Dovecot's mailing list since many people there requested this feature; some said it was coming in future 2.x versions but I'm not sure if there is real development in it.

    Thank you for taking the time to look into this, I appreciate it.
     