SSL untrusted connection, or "Should I send them elsewhere?"

Discussion in 'Security' started by mwaterous, Sep 22, 2010.

  1. mwaterous

    mwaterous Member

    After doing a rather exhaustive search on the matter, all I've really turned up is that using cPanel outside of an SSL connection is unrecommended. This is for obvious reasons, and I'm not disputing the need; however, I can't afford to purchase a signed cert for every domain I'm going to set up on my server, and some of my clients will be very, very frightened by the warning screens modern browsers are starting to use (Chrome LEAPS to mind).

    What do you all do to handle this?

    I'm considering adding another IP to the machine to place all the hosted accounts on, giving my parent site its own IP and purchasing a single certificate for that site. Then, I suppose, I could remove all the cpanel subdomains and aliases, and have everybody sign in to their accounts from my domain.
     
  2. cPanelDon

    cPanelDon cPanel Quality Assurance Analyst
    Staff Member

    I would consider purchasing at least one SSL certificate for the server hostname, and then install and use this SSL certificate for all services, including cPanel/WHM/Webmail, IMAP/POP3 (Courier or Dovecot), SMTP (Exim), and FTP (Pure-FTPd or ProFTPD). Service SSL certificates can be managed using WebHost Manager (WHM) via the following navigational menu paths (with linked reference documentation): WHM: Main >> Service Configuration >> Manage Service SSL Certificates

    If a domain mismatch warning is acceptable for proxy sub-domain access via Apache, I would also consider installing the same SSL certificate for the server hostname using WHM via the following menu path, while ensuring the server hostname is entered as the domain (that should not be owned by any accounts), using the main shared IP address, and using "nobody" as the username: WHM: Main >> SSL/TLS >> Install a SSL Certificate and Setup the Domain

    Once installed, the SSL certificate may also be set as shared using WHM via the following menu path: WHM: Main >> SSL/TLS >> Manage SSL Hosts

    After installing the new SSL certificate, I recommend customizing the redirection preferences for access to cPanel, WHM, and Webmail, so that access is always redirected to SSL and to ensure the redirect destination is always that of the Hostname or SSL Certificate Name (where the SSL certificate should match the server hostname). The aforementioned redirection options can be modified using WebHost Manager (WHM) via the following navigational menu path: WHM: Main >> Server Configuration >> Tweak Settings >> Redirection
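
The mismatch behaviour discussed in the reply above, as an added example that is not part of the thread or cPanel's own code: given the names on a single server-hostname certificate, it reports which access URLs would still raise a browser name-mismatch warning and so should be redirected to the hostname. All hostnames and URLs are constructed; the matcher applies the usual left-most-label wildcard rule.

```python
from urllib.parse import urlsplit


def name_matches(pattern, host):
    """True if a certificate name covers host (exact, or '*' as the whole left-most label)."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False  # a wildcard spans exactly one label, never several
    if p[0] == "*":
        # Refuse overly broad patterns such as "*.test"
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def audit(cert_names, urls):
    """Map each URL to True when some certificate name covers its host."""
    result = {}
    for url in urls:
        host = urlsplit(url).hostname or ""
        result[url] = any(name_matches(n, host) for n in cert_names)
    return result


def needs_redirect(cert_names, urls):
    """URLs that would show a mismatch warning under this certificate."""
    return [u for u, ok in audit(cert_names, urls).items() if not ok]


# Constructed sample data: one certificate issued for the server hostname only.
CERT_NAMES = ["server.example-host.test"]
ACCESS_URLS = [
    "https://server.example-host.test:2083/",  # cPanel via the hostname
    "https://server.example-host.test:2096/",  # Webmail via the hostname
    "https://cpanel.clientsite.test/",         # proxy sub-domain of a hosted account
    "https://clientsite.test:2083/",           # cPanel via the client's own domain
]

if __name__ == "__main__":
    for url, ok in audit(CERT_NAMES, ACCESS_URLS).items():
        print(f"{'match   ' if ok else 'MISMATCH'}  {url}")
```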
     
  3. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    I may not understand the question properly, but you could go to:

    WHM > Tweak Settings > Redirection section and change:

    Always redirect users to the ssl/tls ports when visiting /cpanel, /webmail, etc. Ticked.

    When visiting /cpanel or /whm or /webmail WITHOUT SSL, you can choose to redirect to: Hostname.

    When visiting /cpanel or /whm or /webmail with SSL, you can choose to redirect to: SSL Certificate Name.

    When a user visits that page for the first time, they can choose to accept that cert into their browser and the warning will be gone from then on.

    If the user is running Vista for example, accepting that cert is more work than in XP, but you do it in Vista like this:

    1. Run IE as an administrator (Right-click the desktop icon for your browser)
    2. Visit the site http://yourdomain.com/cpanel/ or for your users who access only webmail http://yourdomain.com/webmail/
    3. Click through the certificate error
    4. Click the “Certificate Error” button in the address bar.
    5. Click View Certificate
    6. Click Install Certificate
    7. Unlike on XP which stores automatically for you, you must click the “Place all certificates in the following store” radio button, and choose the “Trusted Root Certification Authorities” store. If you don’t do this, the certificate goes in your personal store, and it isn’t trusted by Vista's IE.

    I should add here that going to yourdomain.com/cpanel/ is of course now redirected to the server.hostname.com (if you change the settings described above). They can bookmark that, or edit a bookmark to point to the yourdomain.com/cpanel

    Which is far easier to remember.

    I'm so used to this I don't even have a bookmark for cPanel or webmail to my own account. While at my site, domain.com, I just add /cpanel to the end and hit enter. (Or /webmail and hit enter) and I'm on my way in, no warnings, no problems.

    Be sure to explain to your users to use the full email address for the username on login to webmail. ;)
     