SSL for services won't update

Comments

8 comments

  • mathx
    I see that /var/cpanel/ssl/installed/certs/ and /var/cpanel/ssl/system/certs/ do not have any new certs in them.
    0
  • cPanelMichael
    Hello @mathx, You'll need to disable the following option under the Domains tab in WHM >> Tweak Settings: "Replace service SSL certificates that do not match the local hostname". When this option is enabled, the checkallsslcerts script will replace any service SSL certificates that do not match the hostname of the server with a cPanel-signed certificate. This includes wildcard certificates. Thank you.
    0
  • mathx
    This is on an older version of cPanel that doesn't have that option. We're trying to migrate off of it; in the meantime we need to update our wildcard key. Can I manually replace them?
    • CENTOS 5.8 x86_64
    • WHM 56.0 (build 52)
    0
  • mathx
    Figured out the issue - you can use the wildcard cert even without the replace option on WHM 56, you just need to ensure no SSL customer hosts are on the same IP. (We also had an old server wildcard host set up as a separate host on each main IP; removed those and it works.) We'll have to work on freeing up the main IP of the server that the customer is sharing somehow (before my time), then I expect I can apply a wildcard to all services for the server. Good rule: don't install any customer anything on the main server IP, use other IPs. Can be marked as solved, but really it was 2 issues, one for new WHM, one for old WHM.
    0
  • cPanelMichael
    Hello @mathx, Let us know if you need any help migrating the accounts to CentOS 7 and a supported cPanel & WHM version. Thank you.
    0
  • mathx
    OK, this got worse now haha :) On the updated server (on CentOS 7 with the latest WHM) I had a working wildcard master SSL key. But any time we move a customer to this server, it's replaced with a self-signed cert for the customer that takes over the master wildcard key for all services on the server. Is it true that all customers should be on a different IP than the master? (It would be easier to have the master move to a new IP at this point, changing that many customers would be a pain.) Please advise proper IP management when using SSL keys - can customers be on the same IP as the main server? (I assume wildcard use for the master isn't the issue here.)
    0
  • mathx
    OK, removing all the self-signed certs for customers without their own certs restores the main (wildcard in this case) cert for the server. I assume any customer with their own cert therefore has to be on a separate IP from the main server itself, or we'll just run into this problem again with their cert being presented instead of the main server cert.
    0
  • cPanelMichael
    Hello @mathx,
    "But any time we move a customer to this server, it's replaced with a self-signed cert for the customer that takes over the master wildcard key for all services on the server."

    A self-signed SSL certificate is automatically installed on new accounts when the following option under the Security tab in WHM >> Tweak Settings is enabled (the option is enabled by default): "Generate a self signed SSL certificate if a CA signed certificate is not available when setting up new domains". Here's the description of this option: "When you create a new domain, cPanel will apply the best available certificate (CA signed); otherwise cPanel will apply a self-signed SSL certificate and request a new certificate via AutoSSL if it is enabled. Warning: If you disable this option, and a CA signed certificate is not available, when a user attempts to visit the newly created domain over https, the user will see the first SSL certificate installed on that IP address. Warning: If you enable this option and do not have a CA signed certificate or AutoSSL enabled, Google search results may point to the SSL version of the site with a self-signed certificate, which will generate warnings in the users' browser. To avoid both of these concerns, we strongly recommend that you enable AutoSSL."
    Can you provide an example of how a user is accessing one of the services? Also, can you browse to WHM >> Manage AutoSSL >> Logs and confirm if AutoSSL is enabled and working for the affected domains?
    "Is it true that all customers should be on a different IP than the master? (It would be easier to have the master move to a new IP at this point, changing that many customers would be a pain.)"

    Assigning accounts to a separate IP address is not typically required. The Domain TLS functionality makes use of SNI: "What is Domain TLS" (cPanel Knowledge Base, cPanel Documentation). Thank you.
    0
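
The symptom in this thread is a service presenting a customer's self-signed certificate instead of the server's wildcard certificate. The following is an added example, not part of the thread and not cPanel tooling: it classifies a presented certificate against the server hostname, applying the wildcard matching rule. The hostnames and certificates are constructed sample data in the dict shape returned by Python's `ssl.SSLSocket.getpeercert()`.

```python
# Added example. Certificates are constructed sample data in the dict shape
# returned by ssl.SSLSocket.getpeercert(); all names are hypothetical.

def name_matches(pattern, hostname):
    """RFC 6125-style match: '*' must be the entire left-most label and
    covers exactly one label, so *.example.com does not cover example.com."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def cert_names(cert):
    """DNS subjectAltName entries, falling back to commonName if there are none."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def classify(cert, hostname):
    """Return 'ok', 'self-signed' or 'name-mismatch' for a service certificate."""
    subject = cert.get("subject")
    if subject and subject == cert.get("issuer"):
        return "self-signed"  # heuristic: subject equals issuer
    if any(name_matches(n, hostname) for n in cert_names(cert)):
        return "ok"
    return "name-mismatch"

SERVER = "server1.example.com"  # hypothetical server hostname
CA = ((("commonName", "Example CA"),),)
# Wildcard certificate for the server's services (constructed)
WILDCARD = {"subject": ((("commonName", "*.example.com"),),), "issuer": CA,
            "subjectAltName": (("DNS", "*.example.com"), ("DNS", "example.com"))}
# Self-signed certificate generated for a customer domain (constructed)
CUSTOMER = {"subject": ((("commonName", "shop.example.net"),),),
            "issuer": ((("commonName", "shop.example.net"),),),
            "subjectAltName": (("DNS", "shop.example.net"),)}

if __name__ == "__main__":
    for label, cert in (("wildcard", WILDCARD), ("customer", CUSTOMER)):
        print(label, "->", classify(cert, SERVER))
```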
