Using SSL for secure cpanel login??

nsdesign

Using SSL for secure cpanel login - BROKEN?

I'd like to tell all customers to use the secure cPanel login (to improve security), but I cannot get it working without an annoying "SSL certificate warning"... This is despite having 2 "proper" SSL certificates installed on the server.

I have https://secure.mydomain.com and https://anotherdomain.com both working fine, but when I do for example:
https://secure.mydomain.com/cpanel I get a security warning....

This warning is because the SSL cert that is trying to be used is called https://servername.domain.com (the actual name of the server), which is NOT actually installed as a cert.

I cannot get it to use one of the installed certs....
Please can anyone advise.
 

kipper3d

Why bump on the last post?


Please if any one has this information, I would truly appreciate it!

Thanks!
 

Valetia

Have you tried the "Change cPanel/WHM Certificate" option in WHM? Have not tested it but it sounds like what you're looking for.
 

kipper3d

There is no how-to. Aren't 2083 and 2097 the ports for SSL to cPanel and WHM? While https://hostname/~user works, the following ports do not. I get page not found.

After changing the tweak settings to use SSL on redirect, no one can get into their control panel due to page not found errors.

This is my system:
WHM 9.1.0 cPanel 9.1.0-R52
RedHat 7.3 - WHM X v2.1.2

-John
 

ddeans

Using that you can block out the unsecure ports through a firewall. But that wasn't the thread I thought it was. There is a really good thread on this, and when I find it I'll post it here again.
 

kipper3d

Thanks!

Yeah, the firewall issue wasn't what I needed. I've searched for that thread myself and I only get info about turning it on in tweak settings. But no info why it doesn't work for me. Or how to resolve that problem.

Thanks!
 

electron33

This tutorial will show you how to accomplish https connections when going to servername/whm or /cpanel, for those who may still be using the insecure ways to log in to WHM and cPanel, forcing a secure connection for all users.

Step 1: Backup files
cp /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf.insecure

Step 2: Edit the file
pico /etc/httpd/conf/httpd.conf

Step 3: Search for the line:
Ctrl+W then ScriptAlias /cpanel /usr/local/cpanel/base/redirect.cgi

Step 4: Edit the line to show the following: ScriptAlias /cpanel /usr/local/cpanel/base/sredirect.cgi (simply change the redirect.cgi to sredirect.cgi)

Step 5: Search for the line:
Ctrl+W then ScriptAlias /whm /usr/local/cpanel/base/whmredirect.cgi

Step 6: Edit the line to show the following:
ScriptAlias /whm /usr/local/cpanel/base/swhmredirect.cgi (simply change the whmredirect.cgi to swhmredirect.cgi)

Step 7: Save and exit using the following: Ctrl+X then press Y

Step 8: Restart Apache to have changes take effect:
service httpd restart

Hope this helps
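
The manual edit in the tutorial above, scripted so that it is repeatable and its result can be checked. This is an added example, not part of the original post: the function names are hypothetical, the sample config is constructed, and the paths and CGI names are the ones the post gives.

```sh
#!/bin/sh
# Added example; all function names here are hypothetical.

# Write a small, constructed httpd.conf fragment for the demonstration.
make_sample_conf() {
    cat > "$1" <<'EOF'
# constructed sample, not a real server config
ScriptAlias /cpanel /usr/local/cpanel/base/redirect.cgi
ScriptAlias /whm /usr/local/cpanel/base/whmredirect.cgi
ScriptAlias /securecontrolpanel /usr/local/cpanel/base/sredirect.cgi
EOF
}

# Count /cpanel and /whm aliases that still point at the plain-HTTP redirectors.
insecure_redirects_left() {
    grep -Ec '^[[:space:]]*ScriptAlias[[:space:]]+/(cpanel|whm)[[:space:]]+/usr/local/cpanel/base/(whm)?redirect\.cgi' "$1" || true
}

# Steps 1-7 of the post as one idempotent edit. Restarting Apache (step 8)
# is left to the operator, after `apachectl configtest` reports no errors.
force_ssl_redirects() {
    conf="$1"
    [ -f "$conf" ] || { echo "no such file: $conf" >&2; return 2; }
    # Step 1: back up once; a second run must not overwrite the original copy.
    [ -e "$conf.insecure" ] || cp -p "$conf" "$conf.insecure" || return 1
    base='/usr/local/cpanel/base/'
    ws='[[:space:]]\{1,\}'
    tmp="$conf.tmp.$$"
    # Steps 3-6: only the exact /cpanel and /whm aliases are rewritten.
    sed -e "s#^\([[:space:]]*ScriptAlias${ws}/cpanel${ws}${base}\)redirect\.cgi#\1sredirect.cgi#" \
        -e "s#^\([[:space:]]*ScriptAlias${ws}/whm${ws}${base}\)whmredirect\.cgi#\1swhmredirect.cgi#" \
        "$conf" > "$tmp" || { rm -f "$tmp"; return 1; }
    # Write back through the existing file so its owner and mode are kept.
    cat "$tmp" > "$conf" && rm -f "$tmp"
}

# Demo on a throwaway copy of the constructed sample.
demo="$(mktemp)"
make_sample_conf "$demo"
echo "before: $(insecure_redirects_left "$demo") insecure alias(es)"
force_ssl_redirects "$demo"
echo "after:  $(insecure_redirects_left "$demo") insecure alias(es)"
rm -f "$demo" "$demo.insecure"
```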
 

electron33

Originally posted by ddeans
That's the thread I was looking for!

However you weren't the one to originally post it :rolleyes:
Thank you for pointing that out. It's good to see someone keeping an eye on the "originality" of threads as well as searching for them.:eek:
 

kipper3d

I got looking at the httpd.conf file and there are aliases for securewhm and securecontrolpanel which go to the srwhmredirect.cgi and sredirect.cgi already. But it doesn't work. I get page not found.

https://host.domain.com/~user works using server shared cert.

But https://host.domain.com/securewhm does not work.

It says connection was refused and lists the URL with 2087 port.

Any ideas?

Thanks!

-John
 

electron33

Assuming that your SSL certificate for the server is set up correctly, you could verify that the stunnel directory for cPanel exists with the correct ownership:

Log in to your server via ssh and issue the following command:


First see if stunnel exists:
ls /usr/local/cpanel/var/run/stunnel
1. If you don't get "No such file or directory":
chown cpanel:cpanel /usr/local/cpanel/var/run/stunnel
/usr/local/cpanel/startstunnel
And then see if https://host.domain/securewhm works

2. If you DO get "No such file or directory":
mkdir /usr/local/cpanel/var/run/stunnel
chown cpanel:cpanel /usr/local/cpanel/var/run/stunnel
/usr/local/cpanel/startstunnel

That's all I can think of
Good luck
 

kipper3d

Hello,

Thanks! Well, they were already chowned to cpanel:cpanel except startstunnel, which was root:cpanel. I changed this to cpanel:cpanel but still the same result. Cheetaweb says it's probably a PEM key issue. So I'm gonna look into that when I get a chance and will update this thread.
 

SarcNBit

I do not think forcing secure logins was what the thread creator was looking for.

They were looking for a way to alleviate the host mismatch (or other) warnings that pop up when using SSL logins.

I would be interested in knowing how to avoid this problem also.

There are a few threads that touch on this issue but I do not recall seeing a solution. If I remember correctly, it has something to do with the order of redirection within the logon process.
 

nsdesign

SarcNBit - that's correct - I originally started the thread because of the SSL host mismatch.

I've just resolved this by actually buying a "proper" SSL cert for the server "servername.domain.com" and installing it via WHM. Best $50 spent in a while since I can now tell customers to log in at https://servername.domain.com/cpanel and have them log in securely (without any warning on the certificate!)...

They still get a warning when using https://www.theirdomain.com/cpanel but that's to be expected....

So - I'm happy - and thanks to all those who tried to help.

Gary
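
The host mismatch this thread started with can be checked before customers ever see a warning: a certificate is only accepted for the names it was issued for. This is an added example, not part of the original post; the helper names are hypothetical, the certificate is throwaway test data generated on the spot, and it assumes OpenSSL 1.1.1 or later.

```sh
#!/bin/sh
# Added example; cert_matches_host, make_test_cert and report_names are hypothetical names.

# Return 0 if the PEM certificate in $1 is valid for hostname $2.
# `openssl x509 -checkhost` exits 0 either way, so the verdict is read from its output.
cert_matches_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null |
        grep -q 'does match certificate'
}

# Create a self-signed certificate for one name (constructed test data only).
make_test_cert() {   # $1 = hostname, $2 = output PEM file
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
        -addext "subjectAltName=DNS:$1" \
        -keyout "$2.key" -out "$2" 2>/dev/null || return 1
    rm -f "$2.key"
}

# For each hostname a customer might type, say whether the browser would warn.
report_names() {     # $1 = PEM file, remaining arguments = hostnames
    pem_file="$1"; shift
    for h in "$@"; do
        if cert_matches_host "$pem_file" "$h"; then
            echo "$h: ok"
        else
            echo "$h: MISMATCH (browser warning)"
        fi
    done
}

# Demo with the hostnames used in this thread.
pem="$(mktemp)"
make_test_cert servername.domain.com "$pem"
report_names "$pem" servername.domain.com secure.mydomain.com www.theirdomain.com
rm -f "$pem"

# On a real server, save the certificate the cPanel SSL port presents and check that:
#   openssl s_client -connect servername.domain.com:2083 </dev/null 2>/dev/null \
#       | openssl x509 -out served.pem
```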
 

kipper3d

What certificate authority did you get your cert from? Currently I installed mine purchased from the WHM SSL feature which is an instantSSL.

Would GeoTrust do?
 

electron33

I get my certificates from http://www.freessl.com. The good thing about them is that everything is done online and using an automated phone confirmation system. This is handy if you're buying for companies, for which most certificate providers need some form of paper identity.
 

kipper3d

Yeah I usually get mine at rackshack too. But when i got this cpanel for first time I noticed that you could purchase the cert via WHM so I thought that being that cpanel and company suggested this was best cert. Oh well... Will be getting a geotrust. I just got a kernel OOPS error from my machine this morning... Must deal with that first i guess before the crap hits the fan!