Setting Service SSL Certificate as Primary
We occasionally get a ticket from users that apparently still have non-SNI compliant systems and cannot properly load cPanel. Usually they are worried they've been hacked because they are presented with an SSL certificate for another website altogether, the one automatically listed as primary under SSL Hosts. In our ideal world the fallback for a non-SNI enabled system would be to use the service SSL certificate that matches our hostname; at least then it's clear that the certificate is our own rather than exposing the domain of another user on the system (and making the user think there has been an exploit because of the mismatch). However, setting the primary domain under SSL Hosts only shows domains hosted properly as cPanel accounts, not the hostname of the server. What is the best course of action here?
-
You should be able to manage the redirection location from WHM>>Server Configuration>>Tweak Settings under the Redirection tab. 0 -
I don't think a redirect would apply in this case. Our server hostname certificate is valid for cpanel.hostname as a URL. The issue is that when someone has an issue with SNI or some other odd bug, the certificate they see is not our own, but the primary certificate on the server, which is another customer's. Seems like an odd security bug to expose a customer's domain and certificate to users unless we set up an additional account with a random self-signed certificate. For an example of this see certificate #2 at We would ideally like the server hostname to be the primary certificate on the server, but the hostname is not an option under SSL Hosts in WHM and something has to be primary so it ends up being a random customer. 0 -
Our hostname is kraftwerk.yourdomain.tld and we use a certificate that secures the cpanel subdomain alias for our hostname as we prefer those URLs for users accessing cPanel versus non-standard ports, so Manage SSL Hosts. Just leave it and field the random ticket where someone is seeing a certificate that isn't their own? Feels like something we should be able to just fall back to the service SSL certificates for. 0 -
I think there's some confusion here. Manage SSL Hosts will not manage the hostname SSL. The "Make Primary" function is primarily to set what site will be the primary (first SSL VirtualHost in the Apache configuration) on systems with multiple IPs. In your case what seems to be happening is either one of two things: 1. The redirection for sites with no SSL certificate is not set to go to the hostname, which can be managed in Tweak Settings as I noted before, or 2. The sites that are getting random sites when attempting to access over SSL are on a different IP address than the hostname and are getting the first domain with an SSL VirtualHost for that IP in the Apache configuration. The workaround for this would be to ensure that all domains, including those without SSLs, have an SSL VirtualHost, which can be achieved by installing a self-signed SSL certificate. 0
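The behaviour described in the last reply (a client that sends no SNI is served the first SSL VirtualHost defined for the IP it connected to) can be audited from the Apache configuration itself. The script below is an added example, not part of the original thread and not cPanel tooling; the sample configuration, IP addresses, customer domain and function names are constructed, and only the hostname kraftwerk.yourdomain.tld comes from the thread.

```python
import re

# Constructed sample configuration, not taken from any real server.
SAMPLE_CONF = """\
# customer vhost happens to be listed first on the shared IP
<VirtualHost 192.0.2.10:443>
    ServerName customer-one.example
    ServerAlias www.customer-one.example
    SSLEngine on
</VirtualHost>
<VirtualHost 192.0.2.10:443>
    ServerName kraftwerk.yourdomain.tld
    SSLEngine on
</VirtualHost>
<VirtualHost 192.0.2.11:443>
    ServerName kraftwerk.yourdomain.tld
    SSLEngine on
</VirtualHost>
<VirtualHost 192.0.2.10:80>
    ServerName customer-one.example
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)
SERVERNAME_RE = re.compile(r"^\s*ServerName\s+(\S+)", re.M | re.I)
SSL_ON_RE = re.compile(r"^\s*SSLEngine\s+on\b", re.M | re.I)

def default_ssl_vhosts(conf_text):
    """Map each address:port to the ServerName of its first SSL vhost."""
    conf_text = re.sub(r"^\s*#.*$", "", conf_text, flags=re.M)  # drop comments
    defaults = {}
    for addrs, body in VHOST_RE.findall(conf_text):
        if not SSL_ON_RE.search(body):
            continue  # plain-HTTP vhost, no certificate involved
        name = SERVERNAME_RE.search(body)
        for addr in addrs.split():
            # The first vhost listed for an address:port is its default,
            # which is what a client without SNI ends up with.
            defaults.setdefault(addr, name.group(1) if name else "(no ServerName)")
    return defaults

def exposed_defaults(conf_text, server_hostname):
    """Addresses whose non-SNI fallback certificate belongs to another name."""
    return {addr: name for addr, name in default_ssl_vhosts(conf_text).items()
            if name.lower() != server_hostname.lower()}

if __name__ == "__main__":
    for addr, name in exposed_defaults(SAMPLE_CONF, "kraftwerk.yourdomain.tld").items():
        print(f"{addr}: non-SNI clients are served the certificate of {name}")
```

Run against the real generated configuration, any address it reports is one where a non-SNI client would see a customer's certificate instead of the hostname's.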