Tweak settings/security tab/require SSL

Data 1

OK, when I check this, everyone on the server has to confirm a security exception to enter their cpanel or webmail. It seems like a good idea but I had to turn it off because the masses were confused.

Now my confusion. What kind of SSL cert setup would it take in order for them to not be scared? I'm thinking one for the host name and have them log in with that instead of their site URL?

How do you hosts handle this if you have it on?
 

Infopro

customerdomain.com/webmail/ and customerdomain.com/cpanel/ are redirected to my.serverdomain.com, as that's the one the cert matches. Once they have added the exception or installed/accepted the cert into their browser, there is no more warning. But you'll need to educate them on how to do this.

customerdomain.com does not have its own IP, nor cert, so we redirect them to ours.

WHM > Tweak Settings > Redirection tab:

* Always redirect to SSL : Yes
* Non-SSL redirect destination : Hostname
* SSL redirect destination : SSL Certificate Name
 

Data 1

Please explain.

I know there is a self signed one, but I had a flood of support requests only hours after I turned it on freaked out by the "untrusted site" message.

My goal is to buy a cert (a scam in my opinion) so it doesn't display the untrusted site please add exception message. You don't know my customer base :)

Anyway will getting and installing a cert for the hostname work and give me the result I am looking for or have I overlooked something obvious?
 

Infopro

The "Untrusted site" you mention is because of what's already been explained briefly, above.

Try it this way. Enable the settings mentioned above, close all browsers and open a new one. Then visit either cpanel.domain.com or domain.com/cpanel/, depending on your setup.

Next, depending on your browser, you should be notified about the certificate in some way.

You've set traffic to be redirected from domain.com/cpanel/ (now basically just an easy-to-remember URL for your users) to https://your.server.com:2083, so that secure cert can and should be accepted into the end user's browser. Or, in the case of Firefox, adding the exception, as it is a trusted URL that your users know; they should, their sites are hosted on that server.

The default cert is for the hostname: your.server.com

There is no cert for the user's domain: https://domain.com:2083

So, if you allow them to visit https://domain.com:2083 the cert will not match and you'll get a warning about it.

If your end user needs to have https://domain.com/cpanel/ match properly, he'd want to purchase an IP and secure cert for it.

As mentioned, you'll need to figure out the proper way to accept the cert into the browsers your users use, and educate them on doing so. That is, once you've got them directed to the proper secure URL.


This setup of redirecting users to the server's secure URL should be fine for most situations.

HTH.
 

mtindor

> Please explain.
>
> I know there is a self signed one, but I had a flood of support requests only hours after I turned it on freaked out by the "untrusted site" message.
>
> My goal is to buy a cert (a scam in my opinion) so it doesn't display the untrusted site please add exception message. You don't know my customer base :)
>
> Anyway will getting and installing a cert for the hostname work and give me the result I am looking for or have I overlooked something obvious?

Trust me... You will have a much lower support ticket volume if you just buy a cheap 256-bit (don't know if any place issues anything less now) certificate for your primary server hostname, and then:

* Always redirect to SSL : On
* Non-SSL redirect destination : Hostname
* SSL redirect destination : SSL Certificate Name

Of course, you still may encounter a few people who wonder why when they go to http://www.theirsite.com/[whm|cpanel|webmail] they are redirected to the primary hostname. But I'm betting it will be a LOT less hassle.

And... your customer base and my customer base must be the same people :)

Mike
 

Tam

You don't have to get an SSL certificate for your hostname, you can get it for the top tld of the hostname i.e. instead of 'hostname.domain.com' just 'domain.com' will do (has to be more useful than just one for the hostname). You'd have to add the certificate to all services using the "Manage Service SSL Certificates" link under Service Configuration. If you have an eNom reseller account you can pick up a certificate for less than $20 (US) ;)
 

mtindor

> You don't have to get an SSL certificate for your hostname, you can get it for the top tld of the hostname i.e. instead of 'hostname.domain.com' just 'domain.com' will do (has to be more useful than just one for the hostname). You'd have to add the certificate to all services using the "Manage Service SSL Certificates" link under Service Configuration. If you have an eNom reseller account you can pick up a certificate for less than $20 (US) ;)

You're right... but a wildcard certificate typically costs more, and there is 100% functionality with no SSL errors or warnings by using a simple certificate tied to the hostname and signed by a trusted authority.

Unless a bunch of your hosted customers happen to have subdomains under your primary domain, I don't see where it would be any more useful to have a wildcard cert. I could be missing something, but I've used a certificate tied to the primary hostname for years and my customers have never complained.

But if wildcard certs can be had for $20 these days, then I suppose it makes more sense to get one of those.

Mike
 

Tam

> You're right... but a wildcard certificate typically costs more, and there is 100% functionality with no SSL errors or warnings by using a simple certificate tied to the hostname and signed by a trusted authority.
>
> Unless a bunch of your hosted customers happen to have subdomains under your primary domain, I don't see where it would be any more useful to have a wildcard cert. I could be missing something, but I've used a certificate tied to the primary hostname for years and my customers have never complained.
>
> But if wildcard certs can be had for $20 these days, then I suppose it makes more sense to get one of those.
>
> Mike

Never said anything about a wildcard certificate, totally not needed ;)

http://matbrite.com/images/cp-1.gif
 

mtindor

> Never said anything about a wildcard certificate, totally not needed ;)

Because your WHM settings and my settings are both using Always Redirect to SSL : On and SSL Redirect Destination : SSL Certificate Name, all requests are going to be redirected to SSL ports on "SSL Certificate Name", which is the domain listed in the SSL certificate used by cPanel, WHM, and webmail.

If you purchase a certificate for "domain.com" and "domain.com" resides on that server, then of course that will work. However, most of the time the people running serious servers do not have www.domain.com or domain.com active on that server; rather, they have specific subdomain hostnames assigned to their cPanel servers. (ex: server1.domain.com, server2.domain.com, server3.domain.com are all cPanel servers, and www.domain.com / domain.com are their corporate web service on another server [often not even a cPanel server].)

So, most of the time people are going to want to purchase a certificate tied to the primary hostname of the server -- and then use that certificate for their cpanel / whm / webmail services.

A "domain.com" specific certificate will not work in that case -- well it would, but with warnings. A wildcard certificate for "domain.com" would work though, and it would work on all servers --- even if you had 100 servers.

So I think my advice is still applicable and proper. If a person has one cPanel server, then get the certificate for the primary hostname of that server [unless you also host www.domain.com / domain.com on that same server and have the ability to redirect to that] or get a wildcard certificate for "domain.com" [if you have a number of servers, all with a different hostname within the same domain, ex: server1.domain.com, server2.domain.com, etc.]

Mike
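
Added example, not part of the thread and not cPanel code: a small model of the two browser warnings discussed above (untrusted issuer, name mismatch) for the three certificate choices the posters compare. The hostnames are the thread's placeholders, each certificate is assumed to carry only the single name shown, and `login_outcome` is a hypothetical helper that treats the redirect as a plain substitution of the target host.

```python
# Constructed certificate options: one name per certificate (assumption).
CERT_OPTIONS = {
    "hostname": ["server1.domain.com"],
    "bare domain": ["domain.com"],
    "wildcard": ["*.domain.com"],
}
HOSTS = ["server1.domain.com", "server2.domain.com", "domain.com", "customerdomain.com"]


def name_matches(cert_name, host):
    """True if a certificate name (exact or wildcard) covers host."""
    cert_labels = cert_name.lower().rstrip(".").split(".")
    host_labels = host.lower().rstrip(".").split(".")
    if len(cert_labels) != len(host_labels):
        return False  # "*.domain.com" never covers bare "domain.com"
    if cert_labels[0] == "*":
        # "*" stands in for exactly one left-most label; the rest must be equal.
        return len(cert_labels) > 2 and cert_labels[1:] == host_labels[1:]
    return cert_labels == host_labels


def cert_covers(cert_names, host):
    return any(name_matches(name, host) for name in cert_names)


def login_outcome(requested_host, redirect_target, cert_names, ca_signed):
    """Return (host the browser lands on, list of warnings it would show)."""
    final_host = redirect_target or requested_host
    warnings = []
    if not ca_signed:
        warnings.append("untrusted issuer")   # the self-signed default cert
    if not cert_covers(cert_names, final_host):
        warnings.append("name mismatch")      # e.g. https://domain.com:2083
    return final_host, warnings


def coverage_table():
    """Which certificate option covers which host without a name mismatch."""
    return {option: {host: cert_covers(names, host) for host in HOSTS}
            for option, names in CERT_OPTIONS.items()}


if __name__ == "__main__":
    for option, row in coverage_table().items():
        print(f"{option:12}", {h: ("ok" if ok else "WARN") for h, ok in row.items()})
    # No redirect: customer hits their own domain against the hostname cert.
    print(login_outcome("customerdomain.com", None, CERT_OPTIONS["hostname"], True))
    # Redirect to the certificate name with a CA-signed hostname cert.
    print(login_outcome("customerdomain.com", "server1.domain.com",
                        CERT_OPTIONS["hostname"], True))
```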