SSL site on shared ip problem

[trhosting.net]

Hello,

We have a problem with SSL sites that are on the main server shared ip.
We have sites on the main shared ip and some SSL sites too.

For example we have a site example1.com that has no SSL installed and on the same shared ip there is another account example2.com with SSL.

example1.com (no SSL)
example2.com (with SSL)

When a user connects to this sites with http://example1.com and http://example2.com there is no problem. But the problem is when a user accidentally connects to https://example1.com (example1.com has no SSL), example2.com is loading at the browser gives SSL error because the certificate belongs to example2.com but the url is example1.com.

What can we do for this?

Thank you

- - - Updated - - -

I am asking because some of the sites on our server is indexed by google with https links, but they have no ssl installed and the indexed site is wrong site

 

[cPanelMichael]

Hello

If the account is assigned a shared IP address, and a SSL certificate is installed on that IP address, then any secure request to a domain name on that IP address will load the contents of the domain name the certificate is installed for. This is by design. You will need to assign a dedicated IP address to the account that uses the SSL certificate if you don't want that certificate applied to the other domain names on it's IP address. Or, you could generate/install a self-signed certificate for each domain name on the server (Assuming your server supports SNI).

Thank you.

 

[trhosting.net]

Hello Michael,

Is it possible to install many SSL certificates to another IP address on the server?

We have lots of sites with SSL on shared address. I want to transfer them to another IP address but all to the same IP address.

 

[cPanelMichael]

Hello

Yes, you can install multiple SSL certificates on a single IP address if your server supports SNI (it uses CentOS/RHEL 6).

Thank you.

 

[elialum]

Hi,

We are facing the same issue.

I've managed to "bypass" this problem by generating a fake account on the shared ip (nossl.loc), and create a self signed ssl for it.

Now, if the fake account will be listed first in httpd.conf, he will take all the https requests and will return an error to any site that is not using SSL.

Problem is that I don't know how to force it to get listed first ?

Any ideas will be welcomed.

Thanks,
Eli.

 

[elialum]

Hi Again,

ok, I think I've worked something out -

I've copied the "<VirtualHost 1.1.1.1:443> ... /VirtualHost>" section from the main httpd.conf for the fake domain I created earlier to the pre_main_global.conf file, so now it loads first.

Now it shows twice, first on the pre_main_global file, and second on the main httpp.conf (couldn't remove it from the httpd.conf, rebuild adds it once again every time).

Dirty solution, but it works for now.

Eli.

 

[cPanelMichael]

You could also make one SSL certificate the primary certificate for an IP address via the "Make Primary" option in "WHM Home » SSL/TLS » Manage SSL Hosts".

Thank you.

 

[EEKdood]

Hello Folks,

I have pretty much the same problem: One IP and a mix of SSL and non-SSL hosts. I have installed a certificate for the server's hostname (wildcard certificate). I've set that certificate as the primary for the IP address and as the shared certificate.

Now, when I visit a non-SSL host using https, the certificate for one of the SSL hosts is displayed.

What am I missing here?

Thanks.

 

[cPanelMichael]

Now, when I visit a non-SSL host using https, the certificate for one of the SSL hosts is displayed.

Hi EEKdood,

This is explained in my earlier post:

If the account is assigned a shared IP address, and a SSL certificate is installed on that IP address, then any secure request to a domain name on that IP address will load the contents of the domain name the certificate is installed for. This is by design. You will need to assign a dedicated IP address to the account that uses the SSL certificate if you don't want that certificate applied to the other domain names on it's IP address. Or, you could generate/install a self-signed certificate for each domain name on the server (Assuming your server supports SNI).

Or, do you mean it's loading a SSL certificate that is different than the one you used the "Make Primary" option for?

Thank you.

 

[EEKdood]

Or, do you mean it's loading a SSL certificate that is different than the one you used the "Make Primary" option for?

Thanks Michael. You are correct. The SSL being loaded for sites that do not have a certificate installed is different than the one I have selected as Primary and Shared (which is a wildcard installed as the server's hostname).

 

[cPanelMichael]

To clarify, is this happening on websites assigned that same IP address? If so, please open a support ticket so we can take a closer look. You can post the ticket number here so we can update this thread with the outcome.

Thanks.

 

[EEKdood]

To clarify, is this happening on websites assigned that same IP address?

Yes. All sites on the same IP. A small percentage have SSLs installed. A certificate for the hostname is set as primary on the IP and is also set as shared.

Thanks! I'll open a ticket now.

 

[cPMatthewV]

Hello,

I wanted to update the thread with a work around for an issue that occurred in previous versions of cPanel that has re-appeared in 11.44 that can occur with the Primary SSL/Shared SSL set for the server's hostname after resetting the hostname. For your reference this is related to case 52366.

There have been cases where resetting the hostname will append the new hostname as a subdomain to the "/var/cpanel/userdata/nobody/main" file, instead of replacing the main domain. In order to correct this you have to manually edit the file at "/var/cpanel/userdata/nobody/main" and remove this from the subdomain section and set it as the main domain, then rebuild the apache configuration file with "/scripts/rebuildhttpdconf", and restarted apache using "service httpd restart".

In some cases you may need to also remove and reapply the shared certificate for the hostname.

If you have any issues with this please feel free to open a support ticket using the links in my signature.