The Community Forums


SSL certs wildcard domains across different hosts

Discussion in 'General Discussion' started by mobcdi, Oct 13, 2010.

  1. mobcdi

    mobcdi Well-Known Member

    Joined:
    Jul 13, 2009
    Messages:
    109
    Likes Received:
    0
    Trophy Points:
    16
    I have a number of hosts all in the same domain "name.company.tld" with 1 of them hosting the website for name.company.tld

    I would like to use 1 cert *.name.company to avoid having to get individual certs, but was wondering if I can use the same cert across a number of hosts to both sign the host and some of the websites they host?

    All certs will be from the same CA but wanted to check before going further
     
  2. mobcdi

    mobcdi Well-Known Member

    Is it just a matter of using the correct key when I go to install the certs across the different hosts and hosted sites?
     
  3. GaryT

    GaryT Well-Known Member

    Joined:
    May 19, 2010
    Messages:
    321
    Likes Received:
    3
    Trophy Points:
    16
    Someone correct me if I'm wrong, but if a user wants SSL certificates, they must have their own dedicated IP for this to work?
     
  4. mobcdi

    mobcdi Well-Known Member

    Not sure, but I have dedicated IP addresses for the hosts and the website.
     
  5. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    Joined:
    Oct 2, 2010
    Messages:
    7,623
    Likes Received:
    21
    Trophy Points:
    38
    Location:
    somewhere over the rainbow
    cPanel Access Level:
    Root Administrator
    You can install a wildcard SSL onto the main shared IP, but it will end up installing as the user nobody and have to be manually modified to change it if you want to have additional subdomains on the SSL certificate.

    The modification would be done in the /var/cpanel/userdata/nobody location: copy the existing *.domain.com_SSL to the /var/cpanel/userdata/username location (replacing username with the actual username for the domain account), then change it to match the subdomain name, modify the paths to the user, and change nobody to the username.

    Here's an example of what the /var/cpanel/userdata/nobody/*.mydomainisgreat.com_SSL file would look like that needs to be modified:

    Code:
    documentroot: /home/username/public_html
    group: nobody
    hascgi: 1
    homedir: /usr/local/apache/htdocs
    ip: #
    owner: root
    phpopenbasedirprotect: 0
    port: 443
    serveradmin: webmaster@mydomainisgreat.com
    serveralias: "*.mydomainisgreat.com"
    servername: "*.mydomainisgreat.com"
    ssl: 1
    sslcacertificatefile: /usr/share/ssl/certs/*.mydomainisgreat.com.cabundle
    sslcertificatefile: /usr/share/ssl/certs/*.mydomainisgreat.com.crt
    sslcertificatekeyfile: /usr/share/ssl/private/*.mydomainisgreat.com.key
    sslengine: 'on'
    usecanonicalname: 'Off'
    user: nobody
    The lines that need to be changed would be these:

    Code:
    group: nobody
    homedir: /usr/local/apache/htdocs
    user: nobody
    Sometimes, the documentroot: line also needs to be changed if it isn't pointing to that user's /home/username/public_html path.

    The nobody user would be changed to the username for the cPanel account with the subdomain, while the homedir would be /home/username instead.

    So, let's say you have pandas.mydomainisgreat.com as the subdomain needing the wildcard SSL on the great cPanel username account, you'd do:

    Code:
    cp /var/cpanel/userdata/nobody/*.mydomainisgreat.com_SSL /var/cpanel/userdata/great/pandas.mydomainisgreat.com_SSL
    Then in the copied file, you'd change it to the following:

    Code:
    documentroot: /home/great/public_html/pandas
    group: great
    hascgi: 1
    homedir: /home/great
    ip: PUT.IP.ADDRESS.HERE
    owner: root
    phpopenbasedirprotect: 0
    port: 443
    serveradmin: webmaster@mydomainisgreat.com
    serveralias: "www.pandas.mydomainisgreat.com"
    servername: "pandas.mydomainisgreat.com"
    ssl: 1
    sslcacertificatefile: /usr/share/ssl/certs/*.mydomainisgreat.com.cabundle
    sslcertificatefile: /usr/share/ssl/certs/*.mydomainisgreat.com.crt
    sslcertificatekeyfile: /usr/share/ssl/private/*.mydomainisgreat.com.key
    sslengine: 'on'
    usecanonicalname: 'Off'
    user: great
    At that point, you'd then save the file, back up the Apache configuration, rebuild the Apache configuration and restart Apache:

    Code:
    cp /usr/local/apache/conf/httpd.conf /usr/local/apache/conf/httpd.conf.bak101013
    /scripts/rebuildhttpdconf
    /etc/init.d/httpd restart
    That's how you get a wildcard subdomain SSL certificate working on a shared IP when installed for the user nobody. You should then be able to do the same for any subdomains on that domain on other accounts so long as you modify the paths and user properly for each.
     
    #5 cPanelTristan, Oct 13, 2010
    Last edited by a moderator: Oct 13, 2010
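The procedure in the post above, as an added example that is not part of the original thread or of cPanel's own tooling: it parses a copy of the nobody wildcard userdata entry, rewrites only the fields the post names (user, group, homedir, documentroot, ip, servername, serveralias) for a given account and subdomain, and checks that the certificate, key and CA-bundle files the entry points at actually exist before you run /scripts/rebuildhttpdconf. The file content, the account name "great", the subdomain "pandas" and the IP address are constructed placeholders; the userdata file format shown is the flat key: value layout from the post.

```python
import os
import re
from typing import Callable, Dict, List

# Constructed stand-in for /var/cpanel/userdata/nobody/*.mydomainisgreat.com_SSL
# as WHM writes it when the wildcard is installed for the user "nobody".
NOBODY_WILDCARD_SSL = """\
documentroot: /home/username/public_html
group: nobody
hascgi: 1
homedir: /usr/local/apache/htdocs
ip: #
owner: root
phpopenbasedirprotect: 0
port: 443
serveradmin: webmaster@mydomainisgreat.com
serveralias: "*.mydomainisgreat.com"
servername: "*.mydomainisgreat.com"
ssl: 1
sslcacertificatefile: /usr/share/ssl/certs/*.mydomainisgreat.com.cabundle
sslcertificatefile: /usr/share/ssl/certs/*.mydomainisgreat.com.crt
sslcertificatekeyfile: /usr/share/ssl/private/*.mydomainisgreat.com.key
sslengine: 'on'
usecanonicalname: 'Off'
user: nobody
"""


def parse_userdata(text: str) -> Dict[str, str]:
    """Parse the flat 'key: value' lines of a cPanel userdata file, keeping order."""
    data: Dict[str, str] = {}
    for line in text.splitlines():
        if line.strip():
            key, _, value = line.partition(":")
            data[key.strip()] = value.strip()
    return data


def render_userdata(data: Dict[str, str]) -> str:
    return "".join(f"{key}: {value}\n" for key, value in data.items())


def userdata_ssl_path(user: str, fqdn: str) -> str:
    """Where the per-account copy lives: /var/cpanel/userdata/<user>/<fqdn>_SSL."""
    return f"/var/cpanel/userdata/{user}/{fqdn}_SSL"


def derive_subdomain_ssl(wildcard_text: str, user: str, subdomain: str,
                         ip: str, docroot: str = "") -> str:
    """Rewrite the nobody wildcard entry so the vhost belongs to the real account.

    Only the fields named in the post change; the certificate, key and CA-bundle
    paths keep pointing at the wildcard files, which is what lets one certificate
    serve every subdomain.
    """
    data = parse_userdata(wildcard_text)
    wildcard = data["servername"].strip("\"'")
    if not wildcard.startswith("*."):
        raise ValueError(f"not a wildcard vhost: {wildcard}")
    # One DNS label only: a *.example.tld certificate does not cover a.b.example.tld.
    if not re.fullmatch(r"[A-Za-z0-9-]+", subdomain):
        raise ValueError(f"subdomain must be a single DNS label: {subdomain!r}")
    if not re.fullmatch(r"(\d{1,3}\.){3}\d{1,3}", ip):
        raise ValueError(f"ip must be a dotted IPv4 address, got {ip!r}")
    fqdn = f"{subdomain}.{wildcard[2:]}"
    data.update({                      # existing keys keep their position in the file
        "documentroot": docroot or f"/home/{user}/public_html/{subdomain}",
        "group": user,
        "homedir": f"/home/{user}",
        "ip": ip,
        "serveralias": f'"www.{fqdn}"',
        "servername": f'"{fqdn}"',
        "user": user,
    })
    return render_userdata(data)


def missing_ssl_files(text: str,
                      exists: Callable[[str], bool] = os.path.exists) -> List[str]:
    """Keys whose cert/key/CA-bundle file is absent; check before rebuildhttpdconf."""
    data = parse_userdata(text)
    keys = ("sslcertificatefile", "sslcertificatekeyfile", "sslcacertificatefile")
    return [key for key in keys if key in data and not exists(data[key])]


if __name__ == "__main__":
    entry = derive_subdomain_ssl(NOBODY_WILDCARD_SSL, "great", "pandas", "192.0.2.10")
    print("# write to", userdata_ssl_path("great", "pandas.mydomainisgreat.com"))
    print(entry, end="")
    print("# missing files:", missing_ssl_files(entry))
```

Run it as root on the server, write the returned text to the path from userdata_ssl_path, and only then do the httpd.conf backup, /scripts/rebuildhttpdconf and restart from the post; an empty list from missing_ssl_files is the precondition, since a missing .cabundle is exactly what a later poster in this thread ran into.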
  6. mobcdi

    mobcdi Well-Known Member

    When I create the SSL cert request using WHM "Generate a SSL Certificate and Signing Request", should I name the domain *.mydomain.tld or mydomain.tld so it will work across mydomain.tld and dom1.mydomain.tld ... domN.mydomain.tld?
     
  7. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    You should name it *.mydomain.tld for the CSR (Certificate and Signing Request) generation.
     
  8. mobcdi

    mobcdi Well-Known Member

    And when I'm installing the *.mydomain.tld cert, should I list the actual specific domain it's applying to, e.g. enabling WHM SSL access to dom1.mydomain.tld, or leave it as *.mydomain.tld in the "domain this CRT is for" field?
     
  9. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    When you install the SSL onto the user nobody, you'll need to install it onto the wildcard as that first SSL needs to be owned by the wildcard and nobody. Subsequent SSLs for the various subdomains will then need to be manually installed using the method I detailed above.
     
  10. mobcdi

    mobcdi Well-Known Member

    I probably misunderstood the instructions, but they seem to be directed at sites that share the same IP address. I have/will have separate IP addresses for the host, domain and subdomains.

    Apologies if I didn't pick it up correctly
     
  11. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    If you will have different IPs for each domain, then you can install each in WHM using the subdomain name for each that will have their own SSL on their own IP for the wildcard SSL. The first SSL installation needs to be for the wildcard SSL itself, though, so you would need to install *.mydomain.tld first.
     
  12. mobcdi

    mobcdi Well-Known Member

    So I would install & set up the domains in this order:
    1. *.mydomain.tld
    2. mydomain.tld
    3. dom1.mydomain.tld
    4. dom2.mydomain.tld
    5. ....

    Or is it recommended that the *.mydomain.tld SSL be installed on the website mydomain.tld with the user nobody?
     
  13. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    You don't need to install it for the mydomain.tld website under the user nobody, you can simply install the wildcard first as the user nobody and then each subsequent SSL as its own user provided each has a different IP. This means that subdomains must be on their own account with their own IP for each in order to install them via WHM.
     
  14. brentc

    brentc Member

    Joined:
    Jul 20, 2010
    Messages:
    19
    Likes Received:
    0
    Trophy Points:
    1
    Okay, so I have been trying to follow along with this. Let me see if I've got it right...

    Ultimately we'll want to have SSL (https://) installed for a main domain and any subdomains. So, should we have created the initial SSL for the main domain as *.maindomain.tld instead of just maindomain.tld? That seems fine, but what if you didn't anticipate ever using a subdomain? Are we forced to reinstall a new SSL?
     
  15. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    If you are going to get a wildcard certificate, which inherently costs more than a regular SSL, you need to generate the CSR and key for *.maindomain.com rather than for maindomain.com before purchasing it. If you then later don't use it for any subdomains, you would still be able to use it on maindomain.com and www.maindomain.com

    If you didn't create the CSR and key for *.maindomain.com, then I suggest regenerating it prior to purchase.

    If you aren't actually going to use it on any subdomains, you might as well not purchase a wildcard SSL. As I mentioned, they cost more and the only reason to pay the additional costs would be if you are going to use it.
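A check worth running before buying or installing the wildcard, added here as an example that is not from the thread or from cPanel: which hostnames a certificate for *.mydomain.tld actually matches under the wildcard rules clients apply (RFC 6125, section 6.4.3). The wildcard label stands for exactly one DNS label, so *.mydomain.tld covers dom1.mydomain.tld and www.mydomain.tld, but not mydomain.tld itself (only if the CA also lists the bare domain as a subjectAltName, which many do for wildcard orders) and not www.dom1.mydomain.tld, which is the shape of the serveralias in the userdata example earlier in this thread. The SAN list in the usage block is constructed.

```python
from typing import Dict, Iterable


def hostname_matches(cert_name: str, hostname: str) -> bool:
    """True if one CN/SAN entry of the certificate matches the requested hostname."""
    cert_name = cert_name.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in cert_name:
        return cert_name == hostname
    c_labels = cert_name.split(".")
    h_labels = hostname.split(".")
    # Only a leftmost label that is exactly "*" is honoured; "d*.x.tld" and
    # "a.*.tld" are not wildcards a client will accept.
    if c_labels[0] != "*" or any("*" in lab for lab in c_labels[1:]):
        return False
    # "*.tld" would match every second-level domain; clients refuse it.
    if len(c_labels) < 3:
        return False
    # "*" stands for exactly one non-empty label, so the label counts must agree:
    # *.mydomain.tld covers dom1.mydomain.tld but neither mydomain.tld nor
    # www.dom1.mydomain.tld.
    if len(h_labels) != len(c_labels) or not h_labels[0]:
        return False
    return h_labels[1:] == c_labels[1:]


def coverage(cert_names: Iterable[str], hostnames: Iterable[str]) -> Dict[str, bool]:
    """Map each hostname to whether any CN/SAN entry of the certificate covers it."""
    names = list(cert_names)
    return {h: any(hostname_matches(n, h) for n in names) for h in hostnames}


if __name__ == "__main__":
    # Constructed: a wildcard certificate whose CA also added the bare domain as a SAN.
    cert_sans = ["*.mydomain.tld", "mydomain.tld"]
    hosts = [
        "mydomain.tld", "www.mydomain.tld", "dom1.mydomain.tld",
        "www.dom1.mydomain.tld",   # the www.<subdomain> alias pattern from the userdata example
    ]
    for host, ok in coverage(cert_sans, hosts).items():
        print(f"{host:26} {'covered' if ok else 'NOT covered'}")
```

Feed it the CN and SAN entries from the issued certificate (openssl x509 -noout -text shows them) together with every servername and serveralias you intend to put on it; anything reported as NOT covered will produce a name-mismatch warning in the browser even though Apache will happily serve the certificate.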
     
  16. brentc

    brentc Member

    Okay, the server I'm working on DOES have a wildcard SSL. I did not generate the CSR, or install the certificate, I'm just the one lucky enough to try and fix this. :)

    Here's basically what I've come to find:

    In the SSL Key/Crt Manager tool in WHM there are a few entries.

    Listed under Keys there is *.domainname.tld with a matching Signing Request, and since this client has multiple certificates, under Certificates there are multiple entries, including one for *.domainname.tld. As far as I can tell, this should all be correct.

    When I followed the directions above to update the owner of the SSL from nobody to username, I find no corresponding file at /var/cpanel/userdata/nobody/*.domainname.tld_SSL, so I copied the domainname.tld_SSL from /var/cpanel/userdata/username and updated the values to sort of act like the file as it's supposed to exist at /var/cpanel/userdata/nobody. This doesn't seem to work.

    At this point I am starting to think the SSL installation was done differently than what we're expecting should have happened so that I can follow the instructions here. Am I too far gone with this to be able to fix it manually, or should we be doing a reinstall of the certificate somehow?
     
  17. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    Is there a wildcard certificate in the /etc/ssl/certs/ location named *.domainname.tld.crt? If there is not, then that needs to exist first in order for anything else to work.
     
  18. brentc

    brentc Member

    Yes, there is the .crt and .csr in this location. But, I am also seeing that I guess they were trying to cover all the bases and there are also entries for TheSubDomainIWant.domainname.tld.crt (&.csr) and just domainname.tld.crt (&.csr). Could this be possibly causing a conflict? What I don't see for the wildcard is the *.domainname.tld.cabundle.
     
  19. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    You'd need the .cabundle file for the wildcard. Do you still have the certificate? If so, why not simply reinstall it using the user nobody like the guide and follow the steps then? You probably want to uninstall the other certificate while you are at it (please ensure to make copies of the /etc/ssl folder before making any changes with "cp -R /etc/ssl /etc/ssl.bak110901" first).
     
  20. brentc

    brentc Member

    Ah man. I think I've over-thought this.

    My client has already tried to create the SSL a few different ways so everything's getting all confused here. I am not finding the best way to "undo" what he's done so I can get a truly clean install of the SSL as if it was the first time. When I've done everything I think I was supposed to do, and I rebuild httpd, I'm getting errors that there's already an SSL VirtualHost entry, etc etc...

    warn [rebuildhttpdconf] SSL VirtualHosts with identical IP/Port detected: subdomain.domainname.tld_SSL and *.domainname.tld_SSL ... defaulted to subdomain.domainname.tld_SSL
    Failed to generate a syntactically correct Apache configuration.
    Bad configuration file located at /usr/local/apache/conf/httpd.conf.1314914985
    Error:
    An error occurred while running: /usr/local/apache/bin/httpd -DSSL -t -f /usr/local/apache/conf/httpd.conf.1314914985
    Exit signal was: 0
    Exit value was: 1
    Output was:
    ---
    Syntax error on line 260 of /usr/local/apache/conf/httpd.conf.1314914985:
    <VirtualHost> directive requires additional arguments
    ---

    Whereas at line 260 of httpd.conf.1314914985, it's like an empty conf entry.

    I guess now I'm at, How do I uninstall everything this customer did before I touched it? Unless you have a better suggestion.
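The rebuildhttpdconf warning quoted above names exactly the condition to clear before rebuilding: two *_SSL userdata entries bound to the same IP and port. Without SNI, Apache can serve only one certificate per IP:port, so cPanel keeps one vhost and drops the other ("defaulted to ..."). The script below, an added example that is not from the thread or from cPanel, walks the userdata tree and lists every ip:port that more than one SSL vhost claims, so you know which files to remove or re-IP before running /scripts/rebuildhttpdconf again. SAMPLE_USERDATA is a constructed in-memory stand-in for /var/cpanel/userdata that mirrors the situation in the post (a wildcard under nobody and a subdomain entry under the account, both on one IP); the account name "bob" and the 192.0.2.x addresses are placeholders.

```python
import os
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed stand-in for the files under /var/cpanel/userdata.
SAMPLE_USERDATA: Dict[str, str] = {
    "/var/cpanel/userdata/nobody/*.domainname.tld_SSL":
        'ip: 192.0.2.10\nport: 443\nssl: 1\nservername: "*.domainname.tld"\nuser: nobody\n',
    "/var/cpanel/userdata/bob/subdomain.domainname.tld_SSL":
        'ip: 192.0.2.10\nport: 443\nssl: 1\nservername: "subdomain.domainname.tld"\nuser: bob\n',
    "/var/cpanel/userdata/bob/domainname.tld_SSL":
        'ip: 192.0.2.11\nport: 443\nssl: 1\nservername: "domainname.tld"\nuser: bob\n',
    # Plain-HTTP entry on port 80; sharing an ip:port there is ordinary name-based hosting.
    "/var/cpanel/userdata/bob/domainname.tld":
        'ip: 192.0.2.11\nport: 80\nservername: "domainname.tld"\nuser: bob\n',
}


def parse_userdata(text: str) -> Dict[str, str]:
    """Parse the flat 'key: value' lines of a cPanel userdata file."""
    data: Dict[str, str] = {}
    for line in text.splitlines():
        if line.strip():
            key, _, value = line.partition(":")
            data[key.strip()] = value.strip()
    return data


def find_ssl_vhost_collisions(files: Dict[str, str]) -> List[Tuple[str, List[str]]]:
    """Group SSL vhost entries by ip:port; return every socket claimed more than once."""
    by_socket: Dict[str, List[str]] = defaultdict(list)
    for path, text in files.items():
        if not path.endswith("_SSL"):
            continue
        data = parse_userdata(text)
        if data.get("ssl") != "1":
            continue
        socket = f"{data.get('ip', '?')}:{data.get('port', '443')}"
        by_socket[socket].append(path)
    return sorted((sock, sorted(paths))
                  for sock, paths in by_socket.items() if len(paths) > 1)


def load_userdata_tree(root: str = "/var/cpanel/userdata") -> Dict[str, str]:
    """Read every *_SSL file under the userdata tree (run as root on the server)."""
    files: Dict[str, str] = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.endswith("_SSL"):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8") as fh:
                    files[path] = fh.read()
    return files


def report(collisions: List[Tuple[str, List[str]]]) -> List[str]:
    """Human-readable lines, one group per ip:port, for the operator to act on."""
    lines: List[str] = []
    for sock, paths in collisions:
        lines.append(f"{sock}: {len(paths)} SSL vhosts, remove or re-IP all but one:")
        lines.extend(f"    {path}" for path in paths)
    return lines


if __name__ == "__main__":
    # Swap SAMPLE_USERDATA for load_userdata_tree() on a real server.
    found = find_ssl_vhost_collisions(SAMPLE_USERDATA)
    print("\n".join(report(found)) or "no ip:port collisions among SSL vhosts")
```

On the server, replace SAMPLE_USERDATA with load_userdata_tree(); every group it prints corresponds to one "SSL VirtualHosts with identical IP/Port detected" warning, and the fix is the one the earlier replies give for the shared-IP case: keep the wildcard entry under nobody, and either move each subdomain vhost to its own IP or drop the duplicate *_SSL file before rebuilding.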
     