When changing IP address for domain/account, SSL no longer works?

linuxserver

Registered
Feb 20, 2020
4
0
1
a
cPanel Access Level
DataCenter Provider
I've spent a week troubleshooting this problem.
  • fresh server install.
  • one /30 subnet as root ip, and one /28 subnet installed.
  • all has been running for a week, so propagation is not the issue.
  • ipv4
When I change the IP from the root IP which is created when creating the user's account, the SSL certificate is no longer valid, and when I click why on the page which says it is not secure, I can see the certificate for the server, not for the domain on the account.
  • Attempts to delete all certificates for that domain and install a new one (valid let's encrypt cert) have no effect, the new certificate is also not being served.
  • Attempts to delete all certificates from the server does not work, it still shows the server certificate on the "insecure" page when visiting the site (instead of the domain's cert).
  • restarting server, httpd, and rebuildinstalledssldb and buildhttpdconf all have no effect.
Switching back to the original root IP works immediately solves the problem. Switching it back to the new IP causes the same problem again.
Every site needs its own dedicated IP. I cannot have all using the same root IP.

Here a couple more outputs. (I used the placeholder `555.55...` in the IPs in this post to maintain privacy.)

Code:
   # cat /etc/hosts
    127.0.0.1       localhost localhost.localdomain localhost4 localhost4.localdomain4
    ::1             localhost localhost.localdomain localhost6 localhost6.localdomain6
    55.555.2.250    host.domain.com
where 55.555.2.250 is my root IP.

Code:
  # cat /etc/ips
    55.555.7.79:255.255.255.240:55.555.7.93
    55.555.7.80:255.255.255.240:55.555.7.93
    55.555.7.81:255.255.255.240:55.555.7.93
    55.555.7.82:255.255.255.240:55.555.7.93
    55.555.7.83:255.255.255.240:55.555.7.93
    55.555.7.84:255.255.255.240:55.555.7.93
    55.555.7.85:255.255.255.240:55.555.7.93
    55.555.7.86:255.255.255.240:55.555.7.93
    55.555.7.87:255.255.255.240:55.555.7.93
    55.555.7.88:255.255.255.240:55.555.7.93
    55.555.7.89:255.255.255.240:55.555.7.93
    55.555.7.90:255.255.255.240:55.555.7.93
    55.555.7.91:255.255.255.240:55.555.7.93
    55.555.7.92:255.255.255.240:55.555.7.93
The above IPs are the /28 subnet. These are the IPs I'm trying to use for the other domains.

Code:
  # cat /etc/sysconfig/network
    # Created by anaconda
    HOSTNAME=host.domain.com
    GATEWAY=55.555.2.249
Where 55.555.2.249 is the gateway for the /30 subnet of the root IP.

Code:
  # cat /etc/sysconfig/network-scripts/ifcfg-eno1
    TYPE="Ethernet"
    PROXY_METHOD="none"
    BROWSER_ONLY="no"
    BOOTPROTO="static"
    DEFROUTE="yes"
    IPV4_FAILURE_FATAL="no"
    IPV6INIT="yes"
    IPV6_AUTOCONF="yes"
    IPV6_DEFROUTE="yes"
    IPV6_FAILURE_FATAL="no"
    IPV6_ADDR_GEN_MODE="stable-privacy"
    NAME="eno1"
    UUID="xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx"
    DEVICE="eno1"
    NM_CONTROLLED="no"
    ONBOOT="yes"
    IPADDR="55.555.2.250"
    PREFIX="30"
    GATEWAY="55.555.2.249"
    NETMASK="255.255.255.252"
    IPV6_PRIVACY="no"
    DNS1="8.8.8.8"
    DNS2="8.8.4.4"
Where the UUID is the correct one, `xxxx` was used as a placeholder.

Old DNS A record:

Code:
    www.example.com IN CNAME example.com
    example.com IN A 55.555.2.250
New DNS A record:

Code:
    www.example.com IN CNAME example.com
    example.com IN A 55.555.7.81
After restarting httpd, doing `rebuildinstalledssldb` and `buildhttpdconf`, and restarting server, the server is serving the SSL certificate for `host.domain.com` which is the hostname of the server (resulting in a "`not trusted, we couldn't identify since the SSL is for host.domain.com and not example.com`", despite the certificate for `example.com` being successfully installed on the server.

But, if I change the IP for `example.com` back to the root IP `55.555.2.250`, then the correct and valid SSL certificate is served and the website goes back to the green "Trusted".

How to solve this problem?
 
Last edited:

linuxserver

Registered
Feb 20, 2020
4
0
1
a
cPanel Access Level
DataCenter Provider
If cpanel doesn't work and the support doesn't reply for days, then I don't see the point of renewing my cpanel license for forty-five dollars per month next month. I'm going to go check out directadmin, maybe their panel works and maybe they actually have a support staff.
 

cPanelLauren

Product Owner
Staff member
Nov 14, 2017
13,296
1,263
313
Houston
I feel the need to set expectations for the community forums.

At no point are you guaranteed a response in a specific amount of time here. This is a community-driven forum. In the event you need immediate assistance I would implore you to open a ticket where our staff is present 24 hours a day 7 days a week.

We do not make that same guarantee here and issues requiring immediate attention should be directed to our ticket system.

I will take a look at your issue today but I will not guarantee the time, if you'd like to open a ticket let us know here and we'll update the ticket with your notes here.
 

linuxserver

Registered
Feb 20, 2020
4
0
1
a
cPanel Access Level
DataCenter Provider
I feel the need to set expectations for the community forums.

At no point are you guaranteed a response in a specific amount of time here. This is a community-driven forum. In the event you need immediate assistance I would implore you to open a ticket where our staff is present 24 hours a day 7 days a week.

We do not make that same guarantee here and issues requiring immediate attention should be directed to our ticket system.

I will take a look at your issue today but I will not guarantee the time, if you'd like to open a ticket let us know here and we'll update the ticket with your notes here.
Thanks. looking forward to your reply.

Additional items found is that when on another ip, it does to the defaultwebpage. And, in fact, if, in SSH, I do the command, "links 127.0.0.1", it also gives the defaultwebpage error in the SSH window.

The defaultwebpage by the way is ridiculously annoying because it caches in the web browser and I know that cpanel does not have a way to reject the request to a 500 error (MUCH more preferable) instead of sending to the defaultwebpage which caches in user's browsers causing those visitors to never see your website again even after fixing, since most people don't know how to clear cache. BUT, that's another topic for another day.
 

cPanelLauren

Product Owner
Staff member
Nov 14, 2017
13,296
1,263
313
Houston
Hi @linuxserver

How are you changing the site's IP address? cPanel/WHM expects you to do this through WHM>>Account Functions>>Change Site's IP address or WHM>>Multi Account Functions >>Change Multiple Sites' IP Addresses as it automatically updates references to the site/IP throughout the server, including the VirtualHost. From what I'm seeing from your responses it looks like you're changing the A record only - this would definitely cause the default site page.

Something to keep in mind:



sending to the defaultwebpage which caches in user's browsers causing those visitors to never see your website again even after fixing, since most people don't know how to clear cache. BUT, that's another topic for another day.
That's not completely true - while the page does easily become cached in people's browsers - the cached content does become stale without them clearing their cache allowing them to see the site when this does occur.
 

linuxserver

Registered
Feb 20, 2020
4
0
1
a
cPanel Access Level
DataCenter Provider
Hi @linuxserver

How are you changing the site's IP address? cPanel/WHM expects you to do this through WHM>>Account Functions>>Change Site's IP address or WHM>>Multi Account Functions >>Change Multiple Sites' IP Addresses as it automatically updates references to the site/IP throughout the server, including the VirtualHost. From what I'm seeing from your responses it looks like you're changing the A record only - this would definitely cause the default site page.

Something to keep in mind:





That's not completely true - while the page does easily become cached in people's browsers - the cached content does become stale without them clearing their cache allowing them to see the site when this does occur.
I'm changing it through

WHM>>Account Functions>>Change Site's IP address
or
WHM>>Multi Account Functions >>Change Multiple Sites' IP Addresses

I DID NOT ONLY CHANGE AN A RECORD. I ONLY POSTED THE OUTPUT FOR CLARITY ABOUT THE SERVER'S CONFIGURATION. I DID NOT MAKE ANY MANUAL CHANGES.

I ONLY NEED 1 DEDICATED IP PER ACCOUNT. I DON'T NEED ANY UPSUPPORTED FEATURE LIKE "multiple ips in account" AND I NEVER SAID I WANTED THAT STRANGE THING.

Why are all other IP addresses going to the default webpage and why can't I use any other IPs?
 

cPanelLauren

Product Owner
Staff member
Nov 14, 2017
13,296
1,263
313
Houston
I think it'd be best if you opened a ticket, that way there won't be any further confusion about what's already been done.
You can use the link in my signature to get instructions on how to open a ticket. Once open please reply with the Ticket ID here so that we can update this thread with the resolution once the ticket is resolved.


Thanks!