Tweak settings/security tab/require SSL

Discussion in 'Security' started by Data 1, Jan 1, 2011.

  1. Data 1

    Data 1 Well-Known Member

    OK when I check this, everyone on the server has to confirm a security exception to enter their cpanel or webmail. It seems like a good idea but I had to turn it off because the masses were confused.

    Now my confusion. What kind of SSL cert setup would it take in order for them to not be scared? I'm thinking one for the host name and have them log in with that instead of their site URL?

    How do you hosts handle this if you have it on?
     
  2. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    customerdomain.com/webmail/ and customerdomain.com/cpanel/ are redirected to my.serverdomain.com as that's the one the cert matches. Once they have added the exception or installed/accepted the cert into their browser, there is no more warning. But you'll need to educate them on how to do this.

    customerdomain.com does not have its own IP, nor cert, so we redirect them to ours.

    WHM > Tweak Settings > Redirection tab:

    * Always redirect to SSL: Yes
    * Non-SSL redirect destination: Hostname
    * SSL redirect destination: SSL Certificate Name
     
  3. Data 1

    Data 1 Well-Known Member

    Sounds good, thank you. I'll grab a cert soon and check it out.
     
  4. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    You should already have a cert for the server.
     
  5. Data 1

    Data 1 Well-Known Member

    Please explain.

    I know there is a self-signed one, but I had a flood of support requests only hours after I turned it on freaked out by the "untrusted site" message.

    My goal is to buy a cert (a scam in my opinion) so it doesn't display the untrusted site please add exception message. You don't know my customer base :)

    Anyway will getting and installing a cert for the hostname work and give me the result I am looking for or have I overlooked something obvious?
     
  6. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    The "Untrusted site" you mention is because of what's already been explained briefly, above.

    Try it this way. Enable the settings mentioned above, close all browsers and open a new one. Then visit either cpanel.domain.com or domain.com/cpanel/, depending on your setup.

    Next, depending on your browser, you should be notified about the certificate in some way.

    You've set traffic to be redirected from domain.com/cpanel/ (now basically just an easy-to-remember URL for your users) to https://your.server.com:2083, so that secure cert can and should be accepted into the end user's browser. Or, in the case of Firefox, adding the exception, as it is a trusted URL that your users know; they should, their sites are hosted on that server.

    The default cert is for the hostname: your.server.com

    There is no cert for the users domain: https://domain.com:2083

    So, if you allow them to visit https://domain.com:2083 the cert will not match and you'll get a warning about it.

    If your end user needs to have https://domain.com/cpanel/ match properly, he'd want to purchase an IP and secure cert for it.

    As mentioned, you'll need to figure out the proper way to accept the cert into the browsers your users use, and educate them on doing so. That is, once you've got them directed to the proper secure URL.


    This setup of redirecting users to the server's secure URL should be fine for most situations.

    HTH.
     
  7. mtindor

    mtindor Well-Known Member

    Trust me... You will have a much lower support ticket volume if you just buy a cheap 256-bit (don't know if any place issues anything less now) certificate for your primary server hostname, and then:

    * Always redirect to SSL : On
    * Non-SSL redirect destination : Hostname
    * SSL redirect destination : SSL Certificate Name

    Of course, you still may encounter a few people who wonder why when they go to http://www.theirsite.com/[whm|cpanel|webmail] they are redirected to the primary hostname. But I'm betting it will be a LOT less hassle.

    And... your customer base and my customer base must be the same people :)

    Mike
     
  8. Tam

    Tam Well-Known Member

    You don't have to get an SSL certificate for your hostname, you can get it for the top tld of the hostname i.e. instead of 'hostname.domain.com' just 'domain.com' will do (has to be more useful than just one for the hostname). You'd have to add the certificate to all services using the "Manage Service SSL Certificates" link under Service Configuration. If you have an eNom reseller account you can pick up a certificate for less than $20 (US) ;)
     
    #8 Tam, Jan 2, 2011
    Last edited: Jan 2, 2011
  9. mtindor

    mtindor Well-Known Member

    You're right... but a wildcard certificate typically costs more, and there is 100% functionality with no SSL errors or warnings by using a simple certificate tied to the hostname and signed by a trusted authority.

    Unless a bunch of your hosted customers happen to have subdomains under your primary domain, I don't see where it would be any more useful to have a wildcard cert. I could be missing something, but I've used a certificate tied to the primary hostname for years and my customers have never complained.

    But if wildcard certs can be had for $20 these days, then I suppose it makes more sense to get one of those.

    Mike
     
  10. Tam

    Tam Well-Known Member

    Never said anything about a wildcard certificate, totally not needed ;)

    http://matbrite.com/images/cp-1.gif
     
    #10 Tam, Jan 2, 2011
    Last edited: Jan 2, 2011
  11. mtindor

    mtindor Well-Known Member

    Because your WHM settings and my settings are both using Always Redirect to SSL : On and SSL Redirect Destination : SSL Certificate Name , all requests are going to be redirected to SSL ports on "SSL Certificate Name", which is the domain listed in the SSL certificate used by cPanel, WHM, and webmail.

    If you purchase a certificate for "domain.com" and "domain.com" resides on that server, then of course that will work. However, most of the time the people running serious servers do not have www.domain.com or domain.com active on that server; rather, they have specific subdomain hostnames assigned to their cPanel servers (ex: server1.domain.com, server2.domain.com, server3.domain.com are all cPanel servers, and www.domain.com / domain.com are their corporate web service on another server [often not even a cPanel server]).

    So, most of the time people are going to want to purchase a certificate tied to the primary hostname of the server -- and then use that certificate for their cpanel / whm / webmail services.

    A "domain.com" specific certificate will not work in that case -- well it would, but with warnings. A wildcard certificate for "domain.com" would work though, and it would work on all servers --- even if you had 100 servers.

    So I think my advice is still applicable and proper. If a person has one cPanel server, then get the certificate for the primary hostname of that server [unless you also host www.domain.com / domain.com on that same server and have the ability to redirect to that] or get a wildcard certificate for "domain.com" [if you have a number of servers, all with a different hostname within the same domain, ex: server1.domain.com, server2.domain.com, etc.]

    Mike
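
The name-matching question argued in the posts above, as an added example that is not part of the original thread: it checks which of the three certificate choices (server hostname, bare domain, wildcard) covers each host a user might type before `:2083`. The function names are hypothetical, the certificate name lists are constructed from the thread's placeholder domains, and matching follows the usual browser rule that `*` stands for exactly one left-most label.

```python
"""Added example: which certificate covers which cPanel login host."""


def name_matches(pattern: str, host: str) -> bool:
    """Exact match, or '*' standing in for the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False  # a wildcard never spans or drops a label
    if p[0] == "*":
        # Refuse over-broad patterns such as "*.com".
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def cert_covers(cert_names, host: str) -> bool:
    """True if any name on the certificate matches the requested host."""
    return any(name_matches(n, host) for n in cert_names)


# Constructed certificate name lists, one per option discussed in the thread.
CERTS = {
    "hostname": ["server1.domain.com"],
    "bare domain": ["domain.com"],
    "wildcard": ["*.domain.com"],
}

# Hosts a user could end up on, depending on the redirect settings.
HOSTS = [
    "server1.domain.com",
    "server2.domain.com",
    "domain.com",
    "customerdomain.com",
]


def coverage_table():
    """Map certificate option -> {host: covered?}."""
    return {
        label: {host: cert_covers(names, host) for host in HOSTS}
        for label, names in CERTS.items()
    }


if __name__ == "__main__":
    for label, row in coverage_table().items():
        for host, ok in row.items():
            verdict = "ok" if ok else "name mismatch warning"
            print(f"{label:12} https://{host}:2083  {verdict}")
```

No option covers `customerdomain.com`, which is why the redirect to the name on the certificate is needed whichever certificate is bought.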
     
  12. Tam

    Tam Well-Known Member

    What planet are you on?
     