SSL certs wildcard domains across different hosts

[mobcdi]

I have a number of hosts all in the same domain "name.company.tld" with 1 of them hosting the website for name.company.tld

I would like to use 1 cert *.name.company to avoid having to get individual certs but was wondering if i can use the same cert across a number of hosts to both sign the host and some of the websites they host?

All certs will be from the same CA but wanted to check before going further

 

[mobcdi]

Is it just a matter of using the correct key when i go to install the certs across the different hosts and hosted site?

 

[GaryT]

Someone correct me if I'm wrong but, If a user wants SSL certificates, They must have there own dedicated IP for this to work ?

 

[mobcdi]

Not sure but have dedicated ip addresses for hosts and the website

 

[cPanelTristan]

You can install a wildcard SSL onto the main shared IP, but it will end up installing as the user nobody and have to be manually modified to change it if you want to have additional subdomains on the SSL certificate.

The modification would be in /var/cpanel/userdata/nobody location to copy the existing *.domain.com_SSL to /var/cpanel/userdata/username location (replacing username with the actual username for the domain account), then changing it to match the subdomain name and modifying the paths to the user and changing nobody to the username.

Here's an example of what the /var/cpanel/userdata/nobody/*.mydomainisgreat.com_SSL file would look like that needs modified:

documentroot: /home/username/public_html
group: nobody
hascgi: 1
homedir: /usr/local/apache/htdocs
ip: #
owner: root
phpopenbasedirprotect: 0
port: 443
serveradmin: [email protected]
serveralias: "*.mydomainisgreat.com"
servername: "*.mydomainisgreat.com"
ssl: 1
sslcacertificatefile: /usr/share/ssl/certs/*.mydomainisgreat.com.cabundle
sslcertificatefile: /usr/share/ssl/certs/*.mydomainisgreat.com.crt
sslcertificatekeyfile: /usr/share/ssl/private/*.mydomainisgreat.com.key
sslengine: 'on'
usecanonicalname: 'Off'
user: nobody

The lines needing changed would be these:

group: nobody
homedir: /usr/local/apache/htdocs
user: nobody

Sometimes, the documentroot: line also needs changed if it isn't pointing to that user's /home/username/public_html path.

The nobody user would be changed to the username for the cPanel account with the subdomain, while the homedir would be /home/username instead.

So, let's say you have pandas.mydomainisgreat.com as the subdomain needing the wildcard SSL on the great cPanel username account, you'd do:

cp /var/cpanel/userdata/nobody/*.mydomainisgreat.com_SSL /var/cpanel/userdata/great/pandas.mydomainisgreat.com_SSL

Then in the copied file, you'd change it to the following:

documentroot: /home/great/public_html/pandas
group: great
hascgi: 1
homedir: /home/great
ip: PUT.IP.ADDRESS.HERE
owner: root
phpopenbasedirprotect: 0
port: 443
serveradmin: [email protected]
serveralias: "www.pandas.mydomainisgreat.com"
servername: "pandas.mydomainisgreat.com"
ssl: 1
sslcacertificatefile: /usr/share/ssl/certs/*.mydomainisgreat.com.cabundle
sslcertificatefile: /usr/share/ssl/certs/*.mydomainisgreat.com.crt
sslcertificatekeyfile: /usr/share/ssl/private/*.mydomainisgreat.com.key
sslengine: 'on'
usecanonicalname: 'Off'
user: great

At that point, you'd then save the file, copy Apache as a backup, rebuild Apache configuration and restart Apache:

cp /usr/local/apache/conf/httpd.conf /usr/local/apache/conf/httpd.conf.bak101013
/scripts/rebuildhttpdconf
/etc/init.d/httpd restart

That's how you get a wildcard subdomain SSL certificate working on a shared IP when installed for the user nobody. You should then be able to do the same for any subdomains on that domain on other accounts so long as you modify the paths and user properly for each.

 

[mobcdi]

When I create the SSL cert request using WHM "Generate a SSL Certificate and Signing Request" should i name the domain *.mydomain.tld or mydomain.tld so it will work across mydomain.tld and dom1.mydomain.tld ...domN.mydomain.tld ?

 

[cPanelTristan]

You should name it *.mydomain.tld for the CSR (Certificate and Signing Request) generation.

 

[mobcdi]

And when I'm installing the *.mydomain.tld cert should I list the actual specific domain its applying
e.g. enabling whm ssl access to dom1.mydomain.tld or leave it as *.mydomain.tld in the "domain this CRT is for" field

 

[cPanelTristan]

When you install the SSL onto the user nobody, you'll need to install it onto the wildcard as that first SSL needs to be owned by the wildcard and nobody. Subsequent SSLs for the various subdomains will then need to be manually installed using the method I detailed above.

 

[mobcdi]

i probably mis-understood the instructions but they seem to be directed at sites that share the same IP address. I have/ will have separate IP addresses for host, domain and sub domains

Apologies if I didn't pick it up correctly

 

[cPanelTristan]

If you will have different IPs for each domain, then you can install each in WHM using the subdomain name for each that will have their own SSL on their own IP for the wildcard SSL. The first SSL installation needs to be for the wildcard SSL itself, though, so you would need to install *.mydomain.tld first

 

[mobcdi]

So I would "install & setup the domain in these order

1. *.mydomain.tld
2. mydomain.tld
3. dom1.mydomain.tld
4. dom2.mydomain.tld
5. ....

Or is it recommended that *.mydomain.tld ssl be installed on the website mydomain.tld with the user nobody

 

[cPanelTristan]

You don't need to install it for the mydomain.tld website under the user nobody, you can simply install the wildcard first as the user nobody and then each subsequent SSL as its own user provided each has a different IP. This means that subdomains must be on their own account with their own IP for each in order to install them via WHM.

 

[brentc]

Okay, so I have been trying to follow along with this. Let me see if i've got it right...

Ultimately we'll want to have SSL (https://) installed for a main domain and any subdomains. So, should we have created the initial SSL for the main domain as *.maindomain.tld instead of just maindomain.tld? That seems fine, but what if you didn't anticipate ever using a subdomain? Are we forced to reinstall a new SSL?

 

[cPanelTristan]

If you are going to get a wildcard certificate, which inherently costs more than a regular SSL, you need to generate the CSR and key for *.maindomain.com rather than for maindomain.com before purchasing it. If you then later don't use it for any subdomains, you would still be able to use it on maindomain.com and www.maindomain.com

If you didn't create the CSR and key for *.maindomain.com, then I suggest regenerating it prior to purchase.

If you aren't actually going to use it on any subdomains, you might as well not purchase a wildcard SSL. As I mentioned, they cost more and the only reason to pay the additional costs would be if you are going to use it.

 

[brentc]

Okay, the server I'm working on DOES have a wildcard SSL. I did not generate the CSR, or install the certificate, I'm just the one lucky enough to try and fix this.

Here's basically what I've come to find:

The SSL Key/Crt Manager tool in WHM there are a few entries.

Listed under Keys there is *.domainname.tld with a matching Signing Request, and since this client has multiple certificates, under Certificates there are multiple entires; including one for *.domainname.tld. As far as I can tell, this should all be correct.

When I followed the directions above to update the owner of the SSL from nobody to username, I find no corresponding file at /var/cpanel/userdata/nobody/*.domainname.tld_SSL, so I copied the domainname.tld_SSL from /var/cpanel/userdata/username and updated the values to sort of act like the file as it's supposed to exist at /var/cpanel/userdata/nobody. This doesn't seem to work.

At this point I am starting to think the SSL installation was done differently than what we're expecting should have happened so that I can follow the instructions here. Am I too far gone with this to be to fix it manually, or should we be doing a reinstall of the certificate somehow?

 

[cPanelTristan]

Is there a wildcard certificate in /etc/ssl/certs/ location named *.domainname.tld.crt ? If there is not, then that needs to exist first in order for anything else to work.

 

[brentc]

Yes, there is the .crt and .csr in this location. But, I am also seeing that I guess they were trying to cover all the bases and there are also entries for TheSubDomainIWant.domainname.tld.crt (&.csr) and just domainname.tld.crt (&.csr). Could this be possibly causing a conflict? What I don't see for the wildcard is the *.domainname.tld.cabundle.

 

[cPanelTristan]

You'd need the .cabundle file for the wildcard. Do you still have the certificate? If so, why not simply reinstall it using the user nobody like the guide and follow the steps then? You probably want to uninstall the other certificate while you are at it (please ensure to make copies of /etc/ssl folder before making any changes with "cp -R /etc/ssl /etc/ssl.bak110901" first).

 

[brentc]

Ah man. I think I've over-thought this.

My client has already tried to create the SSL a few different ways so everything's getting all confused here. I am not finding the best way to "undo" what he's done so I can get a truly clean install of the SSL as if it was the first time. When I've done everything I think I was supposed to do, and I rebuild httpd, I'm getting errors that there's already an SSL VirtualHost entry, etc etc...

warn [rebuildhttpdconf] SSL VirtualHosts with identical IP/Port detected: subdomain.domainname.tld_SSL and *.domainname.tld_SSL ... defaulted to subdomain.domainname.tld_SSL
Failed to generate a syntactically correct Apache configuration.
Bad configuration file located at /usr/local/apache/conf/httpd.conf.1314914985
Error:
An error occurred while running: /usr/local/apache/bin/httpd -DSSL -t -f /usr/local/apache/conf/httpd.conf.1314914985
Exit signal was: 0
Exit value was: 1
Output was:
---
Syntax error on line 260 of /usr/local/apache/conf/httpd.conf.1314914985:
<VirtualHost> directive requires additional arguments
---

Whereas at line 260 of httpd.conf.1314914985, it's like an empty conf entry.

I guess now I'm at, How do I uninstall everything this customer did before I touched it? Unless you have a better suggestion.