
SSL for services won't update

Discussion in 'Security' started by mathx, May 1, 2019.

  1. mathx

    mathx Member

    Joined:
    Jan 16, 2017
    Messages:
    20
    Likes Received:
    2
    Trophy Points:
    3
    Location:
    Toronto
    cPanel Access Level:
    DataCenter Provider
    Services won't update their SSL certificates when I apply a new wildcard cert to them (and all other services) via WHM, except Exim (SMTPS, port 465). It updated and works fine, but all the other keys (ftp, https, imaps, pop3s) are reporting the old server certificate.

    I am checking with openssl s_client -showcerts -host server190.example.com -port 443 </dev/null

    (for each port: imaps ftps smtps pop3s https)

    and looking for depth 0 CN (common name) on the cert. Exim shows *.mydomain.com but the others show the old key (and old expiry dates).

    I've even rebooted the server, but that did not work.

    On one server, it is reporting back an SSL key from a customer domain which is on the same IP as the main server as well. The others all report the old key.
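The per-port check described in this post, automated as an added example (not from the thread or from cPanel): it asks each service for its depth 0 certificate and flags any CN that does not cover the server hostname, such as an expired cert or a customer's cert served from a shared IP. It assumes implicit TLS on 443/465/993/995 and STARTTLS on port 21 for FTPS, and sends SNI so the result reflects what a modern client would see.

```sh
#!/bin/sh
# Added example (not from the thread): report the leaf certificate each
# cPanel service presents, automating the openssl s_client check above.
# Assumption: implicit TLS on 443/465/993/995; FTP on port 21 needs STARTTLS.
SERVICES="https:443: smtps:465: imaps:993: pop3s:995: ftps:21:ftp"

# Pull the CN out of an openssl "subject=" line on stdin. Handles both the
# "subject=CN = x" form (OpenSSL 1.1+) and "subject=/CN=x" (OpenSSL 1.0,
# as on the CentOS 5 box in the thread).
subject_cn() {
    sed -n 's|^subject=.*CN *= *\([^,/]*\).*|\1|p' | head -n 1 \
        | sed 's/[[:space:]]*$//'
}

# Succeed when a certificate CN covers the hostname: exact match, or a
# wildcard whose base equals everything after the host's first label.
cn_covers_host() {
    cn=$1; host=$2
    case $cn in
        \*.*) [ "${host%%.*}" != "$host" ] && [ "${host#*.}" = "${cn#\*.}" ] ;;
        *)    [ "$cn" = "$host" ] ;;
    esac
}

# Connect to one port with SNI (-servername), so a shared-IP server returns
# the certificate for the hostname asked about, and print what it presented.
check_service() {
    host=$1; port=$2; starttls=$3
    opts="-connect $host:$port -servername $host"
    [ -n "$starttls" ] && opts="$opts -starttls $starttls"
    out=$(openssl s_client $opts </dev/null 2>/dev/null \
          | openssl x509 -noout -subject -enddate 2>/dev/null)
    cn=$(printf '%s\n' "$out" | subject_cn)
    expiry=$(printf '%s\n' "$out" | sed -n 's/^notAfter=//p')
    if cn_covers_host "$cn" "$host"; then status=OK; else status=MISMATCH; fi
    printf '%-5s %-8s %-28s %s\n' "$port" "$status" "${cn:-<none>}" "$expiry"
}

# Usage: sh check_service_certs.sh server190.example.com
main() {
    for entry in $SERVICES; do
        rest=${entry#*:}; port=${rest%%:*}; starttls=${rest#*:}
        check_service "$1" "$port" "$starttls"
    done
}

if [ $# -gt 0 ]; then main "$@"; fi
```

Dropping `-servername` from `opts` shows what a non-SNI client gets, which is the default certificate for that IP and the cert the original poster was seeing.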
     
  2. mathx
    I see that

    /var/cpanel/ssl/installed/certs/ and /var/cpanel/ssl/system/certs/

    do not have any new certs in them.
     
  3. cPanelMichael

    cPanelMichael Technical Support Community Manager Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    47,331
    Likes Received:
    2,161
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello @mathx,

    You'll need to disable the following option under the Domains tab in WHM >> Tweak Settings:

    Replace service SSL certificates that do not match the local hostname

    When this option is enabled, the checkallsslcerts script will replace any service SSL certificates that do not match the hostname of the server with a cPanel-signed certificate. This includes wildcard certificates.

    Thank you.
     
  4. mathx
    This is on an older version of cPanel that doesn't have that option. We're trying to migrate off of it; in the meantime we need to update our wildcard key.

    Can I manually replace them?

    • CENTOS 5.8 x86_64
    • WHM 56.0 (build 52)
     
    #4 mathx, May 14, 2019
    Last edited by a moderator: May 14, 2019
  5. mathx
    Figured out the issue - you can use the wildcard cert even without the replace option on WHM 56; you just need to ensure no SSL customer hosts are on the same IP. (We also had an old server wildcard host set up as a separate host on each main IP; removed those and it works.) We'll have to work on freeing up the main IP of the server that the customer is sharing somehow (before my time), then I expect I can apply a wildcard to all services for the server.

    Good rule: don't install any customer anything on the main server IP; use other IPs.

    Can be marked as solved, but really it was 2 issues, one for new WHM, one for old WHM.
     
  6. cPanelMichael
    Hello @mathx,

    Let us know if you need any help migrating the accounts to CentOS 7 and a supported cPanel & WHM version.

    Thank you.
     
  7. mathx
    OK, this got worse now, haha :)

    On the updated server (on CentOS 7 with the latest WHM) I had a working wildcard master SSL key.

    But any time we move a customer to this server, it's replaced with a self-signed cert for the customer that takes over the master wildcard key for all services on the server.

    Is it true that all customers should be on a different IP than the master? (It would be easier to have the master move to a new IP at this point; changing that many customers would be a pain.)

    Please advise proper IP management when using SSL keys - can customers be on the same IP as the main server? (I assume wildcard use for the master isn't the issue here.)
     
    #7 mathx, May 15, 2019
    Last edited: May 16, 2019
  8. mathx
    OK, removing all the self-signed certs for customers without their own certs restores the main (wildcard, in this case) cert for the server.

    I assume any customer with their own cert therefore has to be on a separate IP from the main server itself or we'll just run into this problem again with their cert being presented instead of the main server cert.
     
    #8 mathx, May 16, 2019
    Last edited: May 16, 2019
  9. cPanelMichael
    Hello @mathx,

    A self-signed SSL certificate is automatically installed on new accounts when the following option under the Security tab in WHM >> Tweak Settings is enabled (the option is enabled by default):

    Generate a self signed SSL certificate if a CA signed certificate is not available when setting up new domains.

    Here's the description of this option:

    Can you provide an example of how a user is accessing one of the services? Also, can you browse to WHM >> Manage AutoSSL >> Logs and confirm if AutoSSL is enabled and working for the affected domains?

    Assigning accounts to a separate IP address is not typically required. The Domain TLS functionality makes use of SNI:

    What is Domain TLS - cPanel Knowledge Base - cPanel Documentation

    Thank you.
     