SSL untrusted connection, or "Should I send them elsewhere?"

mwaterous

Member
Sep 19, 2010
NV
After doing a rather exhaustive search on the matter, all I've really turned up is that using cPanel outside of an SSL connection is unrecommended. This is for obvious reasons, and I'm not disputing the need; however I can't afford to purchase a signed cert for every domain I'm going to set up on my server, and some of my clients will be very very frightened by the warning screens modern browsers are starting to use (Chrome LEAPS to mind).

What do you all do to handle this?

I'm considering adding another IP to the machine to place all the hosted accounts on, giving my parent site its own IP and purchasing a single certificate for that site. Then, I suppose, I could remove all the cpanel subdomains and aliases, and have everybody sign in to their accounts from my domain.
 

cPanelDon

cPanel Quality Assurance Analyst
Staff member
Nov 5, 2008
Houston, Texas, U.S.A.
cPanel Access Level
DataCenter Provider
I would consider purchasing at least one SSL certificate for the server hostname, and then install and use this SSL certificate for all services, including cPanel/WHM/Webmail, IMAP/POP3 (Courier or Dovecot), SMTP (Exim), and FTP (Pure-FTPd or ProFTPD). Service SSL certificates can be managed using WebHost Manager (WHM) via the following navigational menu paths (with linked reference documentation): WHM: Main >> Service Configuration >> Manage Service SSL Certificates

If a domain mismatch warning is acceptable for proxy sub-domain access via Apache, I would also consider installing the same SSL certificate for the server hostname using WHM via the following menu path, while ensuring the server hostname is entered as the domain (that should not be owned by any accounts), using the main shared IP address, and using "nobody" as the username: WHM: Main >> SSL/TLS >> Install a SSL Certificate and Setup the Domain

Once installed, the SSL certificate may also be set as shared using WHM via the following menu path: WHM: Main >> SSL/TLS >> Manage SSL Hosts

After installing the new SSL certificate, I recommend customizing the redirection preferences for access to cPanel, WHM, and Webmail, so that access is always redirected to SSL and to ensure the redirect destination is always that of the Hostname or SSL Certificate Name (where the SSL certificate should match the server hostname). The aforementioned redirection options can be modified using WebHost Manager (WHM) via the following navigational menu path: WHM: Main >> Server Configuration >> Tweak Settings >> Redirection
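The name check behind the "domain mismatch" warning discussed in the reply above, as an added example that is not part of the original post or cPanel's own code. The hostnames and certificate names are constructed placeholders; 2083, 2087 and 2096 are the standard cPanel, WHM and Webmail SSL ports.

```python
from urllib.parse import urlsplit

def name_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style comparison of one certificate name against a hostname.

    A wildcard is honoured only as the entire left-most label, covers exactly
    one label, and is rejected on two-label patterns such as "*.net".
    """
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and h[0] != "" and p[1:] == h[1:]
    return p == h

def audit_login_urls(cert_names, urls):
    """Classify each login URL a customer might use against one service cert.

    Returns {url: "ok" | "mismatch" | "plaintext"}:
      ok        - HTTPS and the hostname is covered by the certificate
      mismatch  - HTTPS, but the browser will show a name-mismatch warning
      plaintext - not HTTPS; relies on the WHM redirection setting
    """
    results = {}
    for url in urls:
        parts = urlsplit(url)
        if parts.scheme != "https":
            results[url] = "plaintext"
        elif any(name_matches(n, parts.hostname or "") for n in cert_names):
            results[url] = "ok"
        else:
            results[url] = "mismatch"
    return results

# Constructed sample data: one certificate issued for the server hostname.
CERT_NAMES = ["server.example.net"]
LOGIN_URLS = [
    "https://server.example.net:2083/",      # cPanel via server hostname
    "https://server.example.net:2096/",      # Webmail via server hostname
    "https://client-site.example:2083/",     # customer's own domain
    "https://cpanel.client-site.example/",   # proxy sub-domain via Apache
    "http://client-site.example/cpanel",     # plain HTTP entry point
]

if __name__ == "__main__":
    for url, verdict in audit_login_urls(CERT_NAMES, LOGIN_URLS).items():
        print(f"{verdict:9} {url}")
```

Only the URLs that use the server hostname come back "ok", which is why the redirect destination should be the hostname the certificate was issued for.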
 

Infopro

Well-Known Member
May 20, 2003
Pennsylvania
cPanel Access Level
Root Administrator
I may not understand the question properly, but you could go to:

WHM > Tweak Settings > Redirection section and change:

Always redirect users to the ssl/tls ports when visiting /cpanel, /webmail, etc. Ticked.

When visiting /cpanel or /whm or /webmail WITHOUT SSL, you can choose to redirect to: Hostname.

When visiting /cpanel or /whm or /webmail with SSL, you can choose to redirect to: SSL Certificate Name.

When a user visits that page for the first time, they can choose to accept that cert into their browser and the warning will be gone from then on.

If the user is running Vista for example, accepting that cert is more work than in XP, but you do it in Vista like this:

1. Run IE as an administrator (Right-click the desktop icon for your browser)
2. Visit the site http://yourdomain.com/cpanel/ or for your users who access only webmail http://yourdomain.com/webmail/
3. Click through the certificate error
4. Click the “Certificate Error” button in the address bar.
5. Click View Certificate
6. Click Install Certificate
7. Unlike on XP which stores automatically for you, you must click the “Place all certificates in the following store” radio button, and choose the “Trusted Root Certification Authorities” store. If you don’t do this, the certificate goes in your personal store, and it isn’t trusted by Vista's IE.

I should add here that going to yourdomain.com/cpanel/ is of course now redirected to the server.hostname.com (if you change the settings described above). They can bookmark that, or edit a bookmark to point to the yourdomain.com/cpanel

Which is far easier to remember.

I'm so used to this I don't even have a bookmark for cPanel or webmail to my own account. While at my site, domain.com, I just add /cpanel to the end and hit enter. (Or /webmail and hit enter) and I'm on my way in, no warnings, no problems.

Be sure to explain to your users to use the full email address for the username on login to webmail. ;)