
Domain Using the First SSL on the IP Instead of Its Own

Comments

31 comments

  • ffeingol

    This sounds like there is not a valid cert for mail.example.com.  If Apache can't find a matching SSL site, it goes to the first/default domain.

    1
  • vatra

    Yes, it looks that way, but that isn't the case because there is a valid certificate; I checked with WHM. Although this cert is self-signed, it is valid and covers mail.example.net.

    How to troubleshoot this?

    0
  • ffeingol

    I'd use an SSL checker like SSL Shopper to verify what the web server is actually serving up.

    0
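As an added example (not from the thread, and not a cPanel tool), here is a shell version of the SSL checker suggested above. It asks the server on a given IP which certificate it actually serves when the client sends mail.example.net as the SNI name, and which one it serves to a client that sends no SNI at all, which is what Apache answers from the first vhost on that IP:port. It assumes openssl(1) 1.1.1 or newer (for `-noservername`); the hostnames and IP are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: a shell version of the "SSL checker"
# suggested above. It shows which certificate an Apache server on IP actually
# serves for a given SNI name, and which one it serves to a client that sends
# no SNI at all (Apache answers that from the first vhost on the IP:port).
# Assumes openssl(1) >= 1.1.1 (for -noservername); names and IPs are placeholders.

# served_cert IP PORT [SNI]: print the leaf certificate (PEM) the server sends.
served_cert() {
    ip=$1; port=$2; sni=$3
    if [ -n "$sni" ]; then set -- -servername "$sni"; else set -- -noservername; fi
    openssl s_client -connect "$ip:$port" "$@" </dev/null 2>/dev/null |
        openssl x509 -outform PEM 2>/dev/null
}

# cert_dns_names: read a PEM certificate on stdin, print its SAN DNS names.
cert_dns_names() {
    openssl x509 -noout -text 2>/dev/null |
        awk '/X509v3 Subject Alternative Name/ { getline; print }' |
        san_dns_names
}

# san_dns_names: turn "DNS:a, DNS:*.b, IP Address:192.0.2.1" into one DNS
# name per line. Pure text processing, so it can be tested without a network.
san_dns_names() {
    tr ',' '\n' | sed -n 's/^[[:space:]]*DNS:[[:space:]]*//p'
}

# san_matches NAME SAN: exact match, or a single-label wildcard (RFC 6125 style):
# *.example.net covers mail.example.net, but not example.net or a.b.example.net.
san_matches() {
    name=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    san=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case $san in
        \*.*)
            suffix=${san#\*.}
            [ "${name#*.}" = "$suffix" ] && [ "${name%%.*}" != "$name" ]
            ;;
        *)
            [ "$name" = "$san" ]
            ;;
    esac
}

# covered_by NAME: exit 0 if NAME matches any DNS name read from stdin.
covered_by() {
    while IFS= read -r san; do
        [ -n "$san" ] && san_matches "$1" "$san" && return 0
    done
    return 1
}

# Usage: check_sni.sh HOSTNAME IP [PORT]
# First run: what the server serves for SNI=HOSTNAME. Second run: what it
# serves with no SNI, i.e. the default (first) vhost on that IP:port.
main() {
    host=$1; ip=$2; port=${3:-443}
    for sni in "$host" ""; do
        label=${sni:-"<no SNI: default vhost>"}
        names=$(served_cert "$ip" "$port" "$sni" | cert_dns_names)
        printf '%s\n  SANs: %s\n' "$label" "$(printf '%s' "$names" | tr '\n' ' ')"
        if printf '%s\n' "$names" | covered_by "$host"; then
            printf '  %s IS covered\n' "$host"
        else
            printf '  %s is NOT covered\n' "$host"
        fi
    done
}

if [ $# -ge 2 ]; then main "$@"; fi
```

Run it as `sh check_sni.sh mail.example.net 192.0.2.10`. If the SNI run lists the expected names but the no-SNI run does not, the certificate is installed and the symptom comes from clients that do not send SNI or from the name resolving to a different IP than the vhost is bound to. If both runs show the same foreign names, no vhost on that IP:port claims the hostname and Apache is handing out the first certificate on the IP, which is the symptom in the title.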
  • vatra

    Could this be the reason?

    1. My account is on a dedicated IP. example.net is on my account using this dedicated IP.
    2. However, I set mail.example.net to use the server's shared IP.

    Nonetheless, I thought that SSL is installed on a domain, regardless of the IP it is hosted on.

    0
  • vatra

    Some facts:

    1. I wish to mention that I'm proxying all DNS records through Cloudflare, except mail.example.net.
    2. I have HSTS enabled on Cloudflare.
    3. A record for mail.example.net points to my shared IP.
    4. MX for example.net points to mail.example.net.
    5. I've set up this IP in mailips file to be used for example.net's outgoing mail.

    One question though:
    In order for Exim to use a certain IP for sending mail from a domain, you need to define it in the mailips file.

    But is it required that the A record (for the MX hostname) resolves to that IP? Do they need to match?

    0
  • vatra

    I just talked to my hosting support, they say the redirect isn't working because I can't put directives for mail.example.net in the example.net's .htaccess file. I need to create the mail.example.net subdomain and put the .htaccess there.

    Is it possible to just create a VirtualHost entry for mail.example.net in the "WHM > Include Editor > Post VirtualHost Include file"?

    0
  • cPRex Jurassic Moderator

    It would likely cause less confusion in the long-term to create a parked domain in cPanel than to manually adjust the includes, but either should work for your purpose.

    1
  • vatra

    Remember that I'm not using AutoSSL but Cloudflare, or I may even consider a certbot-installed Let's Encrypt, so SSL coverage of a parked domain through cPanel's logic would not be possible.

    0
  • vatra

    Is this code correct and enough to do the job:

    # plain-HTTP vhost; SSLEngine must not be turned on for a :80 listener
    <VirtualHost 1.1.1.1:80>
        ServerName mail.example.net
    </VirtualHost>

    # TLS vhost
    <VirtualHost 1.1.1.1:443>
        ServerName mail.example.net
        <IfModule ssl_module>
            SSLEngine on
            SSLCertificateFile /var/cpanel/ssl/apache_tls/sub.main.com/combined
        </IfModule>
    </VirtualHost>

    And where should I add this code, maybe to the post_virtualhost_global.conf?

    0
  • cPRex Jurassic Moderator

    I'm actually going to recommend not adding that code.

    I've been thinking about your situation a bit and it seems there are some underlying issues I'm not understanding, and most of them seem to relate to the SSL problem.  We had the problem with SSLs not installing, files not being created in /var/cpanel/ssl/domain_tls, and other similar issues over the past few weeks.

    It's likely better to take a step back and ask *why* you need to have such a customized SSL environment.  The more tweaks you make to something, the more chances there are for things to go wrong in the future.  And like I've mentioned in the older threads, we haven't seen another user experience these same issues.

    So I think it would be best to get to the bottom of the *why* behind the problems rather than propose solutions like this, which are ultimately band-aids that will cause confusion in the future.

    0
  • vatra

    Rex, you read my mind on this. I've been asking myself the same question with each step. Just so you know I run a pretty tight ship when it comes to complexity, taking notes, and simplifying the entire system. But I'm building a system that works regardless of its perceived complexity.

    Here's the why and it's a two-parter (sorry if it goes too long):

    1. First has nothing to do with SSL. Some DNS A records are not pointing to Apache VirtualHosts, like Nameservers', Server Hostname's, rDNS' (PTR), and MX hostname's A records. All of these hostnames can be accessed by visitors. I want to 301 redirect them to my main Web Hosting company site. It seems like a good practice that big companies do. Since these are not VirtualHosts but only DNS records, they don't have a physical representation (root folder) where you can put redirection directives to achieve these redirections. There are two solutions: 1) Create a subdomain for each hostname and put redirections in the .htaccess or 2) Just create a VirtualHost entry for each and put the redirections in one Apache Include file. I find this more elegant because I avoid dealing with subdomains, which are more work.
    2. I want the CDN plus some other security and performance options. Cloudflare (CF) offers that. To host sites on CF, most of my records are proxied and resolve to CF IPs, except those that aren't proxied (all A records mentioned above), since they need to resolve to their own IPs for their services to work. Now, CF implements another SSL (edge) layer in front of my server's (origin) SSL, which increases security. The edge layer is a CA-issued certificate. For the origin layer, I gave up on AutoSSL and adopted CF's self-signed SSL, which is valid for 15 years! The fact that it's self-signed doesn't matter because CF is the only entity communicating with my server and it recognizes its cert. I get a two-layer SSL setup and no hassle with renewing for 15 years. Just to mention that the CF edge SSL is self-renewing and managed by them, which is perfect. You may consider this a complication, but it is relatively easy to set up. Now, the only problem here is those unproxied A records. If they are not proxied by CF, then the edge SSL layer is not active and visitors land on my server (origin) with a self-signed SSL, which, as you know, triggers the unsafe-site browser warning. Plus I'm using the HSTS header, which doesn't even allow the visitor to proceed with an unsafe protocol. We're still talking about those few A-record hostnames. Some may consider this not a big deal, but I run my ships tight, and I want to deal with this by redirecting them to, as I said, my main site. But redirections don't work if SSL is down. So the solution would be to install Let's Encrypt, but I don't want to go back to AutoSSL, so I may consider using certbot for its installation. Also, since Let's Encrypt's (LE) acme-challenge requires HTTP, I can't use a setting from CF to force HTTPS, because LE won't renew. So for CF-proxied records I must create a force-HTTPS rule on CF which excludes the /.well-known/acme-challenge path, and the same rule on the origin server for unproxied records since they are managed there.

    So now you know my entire plan. This has been a monthly journey, just to figure out how things work and navigate my way to a solution that is OK by me.

    0
  • cPRex Jurassic Moderator

    Let me think about this and I'll get you a decent reply later tonight or tomorrow!

    1
  • cPRex Jurassic Moderator

    For issue #1, would the following two things address that?

    https://support.cpanel.net/hc/en-us/articles/1500005458561-How-to-set-the-default-HTTPS-VirtualHost
    https://support.cpanel.net/hc/en-us/articles/360061002473-How-do-I-set-a-default-VirtualHost-for-each-IP-address-

    That would ensure that no matter what someone types in, they would get pointed to *something* besides the "Sorry" page.

    I'm still dwelling on number 2, but that will likely be a tomorrow item.

    1
  • vatra

    Thank you! Let me get back to you tomorrow as well.

    0
  • vatra

    cPRex,

    That other link is halfway to what I need. It is used to create a VirtualHost (page/site) for each IP address on your server. So, when someone tries to access the IP, the location from the VirtualHost is displayed. I will use this, but it is not what I wanted. I want to create a VirtualHost for a DNS record that is pointed to my server.

    For example, when you create a domain/subdomain cPanel creates a VirtualHost, DNS zone records, root folder, SSL (if you opted for that), and some other things. But, when you manually create a DNS A record that is pointed to your site, when people try to access the hostname from that A record your server doesn't have a specified location for it, so it shows either the primary website on the IP from your A record or, if set, the manually created VirtualHost for the IP mentioned above.

    Since I don't want to create a domain/subdomain just to get the VirtualHost created, I wish to manually create a VirtualHost for my A record. The code I posted a few posts back is an improvisation of mine, based on observing other VirtualHosts in my httpd.conf. Can you help me create a VirtualHost that will only serve the purpose of defining a location that will be displayed, plus contain other necessary things like the SSL location and so on? Someone's gotta have this in a template and know how to do this.

    This is the first part of my quest. After I solve this, I will come back for the second posted part to dissect it.

    0
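The redirect-only VirtualHost asked for above, together with the force-HTTPS-except-ACME rule from the earlier plan, as an added example that is not from the thread or from cPanel's own templates: a POSIX sh script that renders the vhost for a bare hostname (an A record with no cPanel subdomain behind it), appends it to the Pre VirtualHost Include file, validates the result with `httpd -t` and lists the parsed vhost order with `httpd -S`. The include path (EA4's pre_virtualhost_global.conf), `/usr/sbin/httpd`, the ACME webroot `/var/www/acme` and the certificate paths are assumptions; the hostnames and IP are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread or from cPanel: render a redirect-only
# VirtualHost for a hostname that exists only as an A record (mail., ns1., the
# server hostname), append it to the Pre VirtualHost Include, validate the
# config and show the parsed vhost order. Assumed paths: cPanel EA4's include
# file, /usr/sbin/httpd and an ACME webroot of /var/www/acme; names and IPs
# are placeholders.

INCLUDE_FILE=${INCLUDE_FILE:-/etc/apache2/conf.d/includes/pre_virtualhost_global.conf}
HTTPD=${HTTPD:-/usr/sbin/httpd}
ACME_ROOT=${ACME_ROOT:-/var/www/acme}

# render_redirect_vhost HOSTNAME IP TARGET_URL CERT_FILE [KEY_FILE]
# :80 keeps /.well-known/acme-challenge/ on plain HTTP (http-01 validation must
# not be redirected) and 301s everything else to TARGET_URL.
# :443 presents the certificate and 301s everything. cPanel's "combined" file
# carries cert, key and chain, so KEY_FILE is optional (Apache >= 2.4.8).
render_redirect_vhost() {
    host=$1; ip=$2; target=$3; cert=$4; key=$5
    cat <<EOF
# ${host}: redirect-only vhost, no site content lives here
<VirtualHost ${ip}:80>
    ServerName ${host}
    DocumentRoot ${ACME_ROOT}
    <Directory "${ACME_ROOT}">
        Require all granted
    </Directory>
    RewriteEngine On
    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
    RewriteRule ^(.*)$ ${target} [R=301,L]
</VirtualHost>

<VirtualHost ${ip}:443>
    ServerName ${host}
    SSLEngine on
    SSLCertificateFile ${cert}
EOF
    [ -n "$key" ] && printf '    SSLCertificateKeyFile %s\n' "$key"
    cat <<EOF
    RedirectMatch 301 "^/" "${target}"
</VirtualHost>

EOF
}

# install_vhost HOSTNAME IP TARGET_URL CERT_FILE [KEY_FILE]
# Appends the rendered vhost, keeps a backup, and restores it if httpd -t fails.
install_vhost() {
    host=$1
    if grep -q "^[[:space:]]*ServerName[[:space:]]*${host}\$" "$INCLUDE_FILE" 2>/dev/null; then
        echo "a vhost for ${host} is already in ${INCLUDE_FILE}" >&2
        return 1
    fi
    backup=$(mktemp) || return 1
    cp "$INCLUDE_FILE" "$backup" 2>/dev/null || : > "$backup"
    render_redirect_vhost "$@" >> "$INCLUDE_FILE" || return 1
    if "$HTTPD" -t; then
        # The first vhost listed for an IP:port is the "default server": the one
        # that answers unknown Host headers and clients that send no SNI.
        "$HTTPD" -S | grep -E "NameVirtualHost|default server|${host}"
        rm -f "$backup"
    else
        echo "config test failed, restoring ${INCLUDE_FILE}" >&2
        cp "$backup" "$INCLUDE_FILE"
        rm -f "$backup"
        return 1
    fi
}

if [ $# -ge 4 ]; then install_vhost "$@"; fi
```

Run it as `sh add_redirect_vhost.sh mail.example.net 192.0.2.10 https://www.example.net/ /var/cpanel/ssl/apache_tls/example.net/combined`, then restart Apache (`/scripts/restartsrv_httpd` on cPanel). The `httpd -S` listing is the direct check for the ordering questions later in the thread: Apache prints the vhosts in the order it parsed them, marks the first one on each IP:port as `default server`, and a name that appears both as a `ServerName` and as another vhost's `alias` goes to whichever of the two is listed first.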
  • vatra

    Also, everywhere I go it is recommended to use the "Pre VirtualHost Include" file to put my custom code in. Why not use the "Post VirtualHost Include"? I guess probably due to the higher chances of overriding any default Apache settings, is that it?

    0
  • cPRex Jurassic Moderator

    That makes sense to me :D  And I don't think a custom include in this sense is as bad as I thought after seeing that full explanation.

    Since the IP address must be linked to a domain name, is there a reason you couldn't just create a full cPanel account for this customization work?  So that way, randomdomain.com has a page you can access AND edit in a real public_html?

    As far as pre vs post, that literally means just that - where the code you are creating is read in the Apache config file.  The code itself is placed in your custom file, and Apache reads the includes in a certain order.  I don't really think it matters where your example would be included since it's a separate vhost.

    1
  • vatra

    The hostnames I wish to create virtual hosts and redirects for are subdomains, so I can't create cPanel accounts for them. Anyway, it's easy and elegant to just create VHs for the things I need. Everything seems to work fine after creating VHs.

    Now to the second part of the task, which is to replace Cloudflare origin with Let's Encrypt SSLs. I'm still reluctant to use AutoSSL and considering the certbot installation. What do you think about that?


    0
  • cPRex Jurassic Moderator

    I personally use Let's Encrypt, and have been since we made it an option, so I can only say good things about it on my end.  Whether it will work for your needs or not I can't say.  You can always try it on one account and see what happens!

    1
  • vatra

    I asked what you think about installing Let's Encrypt via AutoSSL vs. manually using certbot.

    I've used it before and it has a huge flaw in my opinion. If you have multiple domains, CN and SAN fields in the certificate will be mixed for all domains. For example, example.com's cert in its CN will display example.net. I know that CN is not considered but the coverage in the SAN field is. Imagine a site that covers camping gear having a CN of a pharmacy's domain.

    0
  • cPRex Jurassic Moderator

    I don't have any opinion on certbot, so I'm not going to be the best to answer that. 

    1
  • vatra

    About the Include Editor and Pre or Post VirtualHost includes for modifying the VirtualHosts. Which one takes precedence? I know Apache reads VH from top to bottom, so if it finds a match for VH it will stop looking further. In that logic, the Pre Include file will be the one considered first before the code in httpd.conf and Post Include file?

    0
  • cPRex Jurassic Moderator

    Right, it's not precedence-based but order-based, so it would read the pre data first.

    1
  • vatra

    Just to confirm again. Is this how the code inside httpd.conf is built:

    1. <code>
    2. <pre-vh-include-file-code>
    3. <vh-code>
    4. <post-vh-include-file-code>

    So let's say you have the same VH in sections 2-3-4. If Apache follows its native order, only VH in section 2 is considered, the ones in 3 and 4 are not used. If so, the pre-include file's content will take precedence over httpd.conf's VH content and post-include file's content.

    I'm asking this because the documentation on this claims the opposite, that the post-include content overrides any code you have before it in httpd.conf.

    0
  • cPRex Jurassic Moderator

    I'm not sure why you'd have the same vhost data in multiple areas, as that just seems odd to me.  If there is a possible duplicate, the last thing read (aka, the bottom/post section) will take precedence.

    1
  • vatra

    I already explained this before, and it has to do with certain A records that point to my server but don't have a virtual host representation and, therefore, don't exist on my server. One of those records is mail.domain.com. By default, when creating VHs, cPanel adds mail.domain.com to the ServerAlias directive for the domain.com VH. I've also created a VH for mail.domain.com, which can now be used to achieve the things that I want:

    # My VH for mail.domain.com in pre_virtualhost_global.conf
    <VirtualHost 1.1.1.1:443>
    ServerName mail.domain.com
    </VirtualHost>

    # cPanel's VH for domain.com in httpd.conf
    <VirtualHost 1.1.1.1:443>
    ServerName domain.com
    ServerAlias mail.domain.com www.domain.com
    </VirtualHost>

    But you said that the last code read in the file will take precedence. I don't think so. Apache doc states that if there are two exact matches for a VH, the first one that gets read is the one that will be used. Others are disregarded.

    This is the opposite of how Apache handles all of its other directives and directive containers besides VH, which means that the pre_virtualhost include file will be taken into consideration before the httpd.conf VH section and the post_virtualhost include file, even though cPanel's documentation claims otherwise. Feel free to correct me if I'm wrong, but I would need to see the doc for it.

    0
  • vatra

    Is there a way to add hostnames to the AutoSSL when requesting a certificate?

    Look, AutoSSL tries to cover the domain and all of its subdomains in a cert. But, let's say you manually created an A record for a subdomain that you don't want to add as a cPanel subdomain. Is there a way to include that subdomain in the list of hostnames for which the AutoSSL requests coverage?

    0
  • cPRex Jurassic Moderator

    No, there's no way to manually tell AutoSSL what to cover.

    Apparently it is the first, which I suppose goes along with the "Apache loading first vhost based on IP address" issue:

    "The first vhost in the config file with the specified IP address has the highest priority and catches any request to an unknown server name, or a request without a Host: header field (such as a HTTP/1.0 request)."

    So you'll want your important things near the top.

    1
  • vatra

    Thank you. But FROM WHERE exactly does the AutoSSL pick up names to cover in the cert? If it does from a virtual host maybe that can be influenced. Can you please ask the team for specifics?

    I have private nameservers and as you know these are just DNS A records. I want to redirect them somewhere. But to apply redirection I need to either:

    1. Add them as subdomains through cPanel.*
    2. Create virtual hosts for them. I've tried and AutoSSL doesn't cover them.

    *A potential problem: Nameserver records point to server IP, but my cPanel account is on a dedicated IP, so if I add them as subdomains they will be hosted on a dedicated IP. I don't think this is a problem since their DNS records point to the server IP. The fact that they are hosted on a different IP is just how my server serves them through HTTP. What do you think?

    0
  • cPRex Jurassic Moderator

    Here's what I got from the devs:

    "The domains that AutoSSL uses will start with vhosts belonging to the user, but it will additionally try to obtain coverage for service subdomains like mail., cpanel., etc. It then filters that list by domains that are already secured by another certificate not currently up for renewal."

    I wouldn't expect your subdomain issue to be a problem as long as the DNS works.

    If you have a vhost, even a custom one, where the cert isn't being issued, we'd likely want to see a ticket on that.

    1
