
How to get an SSL Client Certificate for the same Addon Domain on 2 different cPanel servers?

Comments

7 comments

  • ffeingol
    Can you tell us if you are using the cPanel supplied DNS or Let's Encrypt. I'm 100% sure this will not work for Let's Encrypt. In order for Let's Encrypt to issue the SSL cert it has to resolve to the server (i.e. it puts a file in .well-known for verification). Since the site can't resolve to two different servers, it will always fail on the non-active server. I believe that the cPanel issued certs work in the same way, but we don't use them, so I can't tell you with 100% certainty. This is part of what makes HA complex.
    0
  • Michael-Inet
    > Can you tell us if you are using the cPanel supplied DNS or Let's Encrypt.

    AutoSSL is cPanel (powered by Sectigo). I'm using external, completely independent, cPanel DNSOnly servers for a DNS cluster. (Which is a bit of a pita as updates are basically manual, but it makes life much easier on the web servers themselves, as their DNS is no longer used.)

    > I'm 100% sure this will not work for Let's Encrypt. In order for Let's Encrypt to issue the SSL cert it has to resolve to the server (i.e. it puts a file in .well-known for verification). Since the site can't resolve to two different servers, it will always fail on the non-active server. I believe that the cPanel issued certs work in the same way, but we don't use them, so I can't tell you with 100% certainty.

    My thoughts on a .well-known workaround were to use incron and rsync to push the non-active server's /pki-validation/temp-file.txt to the active server for resolution. While a bit dodgy, it should work unless the timing is excessively tight. I think mostly my questions boil down to: can two different Common Name certs contain the same domain name? I'm sure the technical answer is no, they shouldn't, but do the issuers actually scan all existing certs? Or do they just rely on the pki-validation (which is spoof-able if you actually do own the domain in question)?

    > This is part of what makes HA complex.

    Yup :) Best, Michael
    0
  • cPRex Jurassic Moderator
    I think it would be best to manually sync the cert between the systems, as there aren't any official cPanel tools at this point to handle high-availability.
    > I think mostly my questions boil down to: can two different Common Name certs contain the same domain name?

    I know our provider checks, as they won't issue multiple certs for the same domain. If we run into a situation where multiple orders happen (IP or hostname changes causing delays) we manually kill the older orders so the newest will validate.
    0
  • Michael-Inet
    > I think it would be best to manually sync the cert between the systems, as there aren't any official cPanel tools at this point to handle high-availability.

    Hi Rex, I"ll admit SSL land is not one of my in-depth knowledge areas, so probably a really newb question. Do SSL certs not include an IP reference of some sort? (I thought they did, which is why the OP is worded the way it is.) If not, then yeah, manually syncing is going to be the easiest way. I don"t seem to be able to pull out just "example.com"s" cert, just "example.com.servernameA.com": WHM >> Home "SSL/TLS "SSL Storage Manager Is there somewhere else in the GUI to extract them? Or are the certs stored on the server in individually "extractable" format somewhere? Thanks, and best, Michael
    0
  • cPRex Jurassic Moderator
    There's no relation to IP addresses and SSLs. In fact, IP addresses can't be secured (well, in most circumstances...) with an SSL, which is why we developed the cprapid automated hostname system, so users could have a secure login to WHM right from the start of their hosting experience. You'll find individual SSL data in the /var/cpanel/ssl/apache_tls directory, with each domain having a subdirectory there.
    0
  • Michael-Inet
    Thank you Rex, I'll go play with a junk domain I can switch DNS on without creating issues. One last question (snort, yeah right!): I see the combined file contains the private key and the certificates file contains 3 certs. In (servernameB.com): WHM >> Home >> SSL/TLS >> Install an SSL Certificate on a Domain, should I copy/paste the whole certificates file into the Certificate: box? Or just the first cert in that file? Best, Michael PS: When I get it working I'll update here with the steps I took (in case you want to create a guide).
    0
  • cPRex Jurassic Moderator
    When you're on the "Install an SSL Certificate on a Domain" page in WHM you'll get presented with three different boxes for each portion of the certificate. If you look at the "combined" file in the domain's directory you'll see a section for the private key between these blocks:

        -----BEGIN RSA PRIVATE KEY-----
        ************stuff**************
        -----END RSA PRIVATE KEY-----

    so you can paste each section into the appropriate area. It may be helpful to use a tool like CSR Decoder and Certificate Decoder | CSR Checker | Certificate Checker to see which portions are the actual domain cert and which are the provider's CA bundle, although if you're doing this work in the WHM interface it will usually fetch the bundle automatically for you if you don't provide it.
    0
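The two replies above (the per-domain files under /var/cpanel/ssl/apache_tls, and splitting the "combined" file into the private key, the domain certificate and the CA bundle for the three boxes in "Install an SSL Certificate on a Domain") describe a manual cut-and-paste. The script below is an added example, not cPanel's code or anything from this thread: it splits a combined PEM file into its blocks and orders the certificates leaf-first by matching each certificate's issuer Name to the next certificate's subject Name, so the first block is the one for the Certificate box and the rest form the CA bundle. The file layout (a key block followed by certificate blocks in any order), the DER reader and the "fake_cert_pem" helper that builds certificate-shaped, unsigned test input are all assumptions made for the example; run it against a real combined file by passing the path as the first argument.

```python
"""Split a cPanel-style 'combined' PEM file into key, leaf certificate and CA bundle.

Added example (not cPanel code). Only the subject/issuer Name fields of each
certificate are parsed, with a minimal DER TLV reader, so no third-party
library is needed; signatures are not verified here.
"""
import base64
import re
import sys

PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def split_pem(text):
    """Return (label, block_text) for every PEM block in file order."""
    return [(m.group(1), m.group(0)) for m in PEM_RE.finditer(text)]


def _read_tlv(data, pos):
    """Read one DER tag/length at pos; return (tag, value_start, value_end)."""
    tag, first = data[pos], data[pos + 1]
    pos += 2
    if first & 0x80:                       # long-form length
        n = first & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, pos, pos + length


def cert_names(der):
    """Return the raw DER bytes of (issuer Name, subject Name) of an X.509 certificate."""
    _, p, _ = _read_tlv(der, 0)            # Certificate ::= SEQUENCE { tbsCertificate, ... }
    _, p, _ = _read_tlv(der, p)            # TBSCertificate ::= SEQUENCE { ... }
    tag, _, end = _read_tlv(der, p)
    if tag == 0xA0:                        # [0] EXPLICIT version is optional
        p = end
    _, _, p = _read_tlv(der, p)            # serialNumber
    _, _, p = _read_tlv(der, p)            # signature AlgorithmIdentifier
    _, s, p = _read_tlv(der, p)            # issuer Name
    issuer = der[s:p]
    _, _, p = _read_tlv(der, p)            # validity
    _, s, p = _read_tlv(der, p)            # subject Name
    return issuer, der[s:p]


def order_chain(cert_pems):
    """Order certificate PEM blocks leaf-first by chaining issuer -> subject."""
    info = {}
    for pem in cert_pems:
        der = base64.b64decode(PEM_RE.match(pem).group(2))
        info[pem] = cert_names(der)
    # The leaf is the certificate whose subject is not the issuer of any *other* certificate
    # (a lone self-signed certificate therefore counts as its own leaf).
    leaves = [pem for pem, (_, subj) in info.items()
              if not any(iss == subj for other, (iss, _) in info.items() if other != pem)]
    if len(leaves) != 1:
        raise ValueError(f"expected exactly one leaf certificate, found {len(leaves)}")
    by_subject = {subj: pem for pem, (_, subj) in info.items()}
    chain = [leaves[0]]
    while True:
        issuer, _ = info[chain[-1]]
        nxt = by_subject.get(issuer)
        if nxt is None or nxt in chain:    # issuer not in the file, or self-signed root reached
            return chain


def split_combined(text):
    """Return {'key', 'cert', 'cabundle'} ready for the three WHM boxes."""
    blocks = split_pem(text)
    keys = [b for label, b in blocks if label.endswith("PRIVATE KEY")]
    certs = [b for label, b in blocks if label == "CERTIFICATE"]
    if len(keys) != 1 or not certs:
        raise ValueError("combined file must hold exactly one private key and at least one certificate")
    chain = order_chain(certs)
    return {"key": keys[0], "cert": chain[0], "cabundle": "\n".join(chain[1:])}


# --- constructed test input (assumption: not real certificates or keys) -------------
def _der(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def fake_cert_pem(subject, issuer):
    """Certificate-shaped DER with only a CN in each Name; unsigned, for demonstration only."""
    def name(cn):
        return _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn.encode()))))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")
               + _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))
               + name(issuer)
               + _der(0x30, _der(0x17, b"240101000000Z") + _der(0x17, b"250101000000Z"))
               + name(subject) + _der(0x30, b""))
    b64 = base64.b64encode(_der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))).decode()
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64)) + "\n-----END CERTIFICATE-----"


DEMO_KEY = "-----BEGIN RSA PRIVATE KEY-----\nAAAA\n-----END RSA PRIVATE KEY-----"  # placeholder, not a key
LEAF = fake_cert_pem("example.com", "Sectigo RSA Domain Validation Secure Server CA")
INTER = fake_cert_pem("Sectigo RSA Domain Validation Secure Server CA", "USERTrust RSA Certification Authority")
ROOT = fake_cert_pem("USERTrust RSA Certification Authority", "USERTrust RSA Certification Authority")
DEMO_COMBINED = "\n".join([DEMO_KEY, ROOT, LEAF, INTER])   # deliberately out of order


def demo():
    return split_combined(DEMO_COMBINED)


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else DEMO_COMBINED
    parts = split_combined(text)
    for box in ("key", "cert", "cabundle"):
        print(f"=== {box} ===\n{parts[box]}\n")
```

The leaf-first ordering is what matters in practice: the Certificate box expects only the domain's own certificate, and the CA bundle box expects the intermediates (and optionally the root) that issued it, which is also the order in which a web server should send them.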
