[Case 158673] SSL redirection not working
Hello,
One of my machines upgraded to WHM 11.48.0 (build 5) recently and I started getting complaints about SSL issues with accessing cpanel.
Apparently the SSL Redirection Settings under Tweak Settings are no longer working. These are the current settings:
Even if I set it as "Always redirect to SSL", if a client tries example.com/cpanel he gets sent to cpanel.example.com, resulting in a certificate error.
Before, with my config the clients were redirected to the server hostname with the right domain for the certificate. Why is this happening now?
Thank you.
-
Hello :) This could be related to an internal case we have open (158673) with a similar description. Let us know if the following workaround helps:
1. Browse to "WHM >> Tweak Settings" and save after each step (step order could be reversed depending on what you have enabled).
2. Disable "Require SSL" under the "Security" tab.
3. Disable "Proxy Subdomains" under the "Domains" tab.
4. Change redirection settings under the "Redirection" tab from "Hostname" to something else. Save, then back to "Hostname" again.
5. Enable "Require SSL" under the "Security" tab.
6. Enable "Proxy Subdomains" under the "Domains" tab.
Thank you. 0 -
Hello, I followed the steps and the first time I tried to go to domain.com/cpanel it redirected to the hostname with the SSL certificate; however, after that it stopped working again. Edit: I tried it again but this time it didn't work the first time. :( Thank you. 0 -
You may need to disable proxy subdomains until the resolution is pushed out if the workaround steps listed in my previous response are not helpful. Thank you. 0 -
When the user visits the page they still get an SSL error after the latest update. Please advise how to fix these SSL errors. 0 -
Yeah I'm still waiting for a fix to this issue. The steps provided didn't help, and the update had no effect on this... 0 -
If your user has an SSL error on domain.com/webmail because they are taken to webmail.domain.com then I believe the correct fix is to apply the latest version and then apply these settings:
1. Disable Proxy Subdomains.
2. Enable Always Redirect to SSL.
3. Enable Require SSL.
My issue is that when the user visits domain.com/webmail it works perfectly, but when they visit webmail.domain.com they get errors from their browser. 0 -
If your user has an SSL error on domain.com/webmail because they are taken to webmail.domain.com then I believe the correct fix is to apply the latest version and then apply these settings:
1. Disable Proxy Subdomains.
2. Enable Always Redirect to SSL.
3. Enable Require SSL.
My issue is that when the user visits domain.com/webmail it works perfectly, but when they visit webmail.domain.com they get errors from their browser.
The problem is that in the past if a user went to 0 -
Re: How change the webmail url in Proxy subdomains
What is the correct setting to use if you want the user when visiting webmail.domain.com to get directed to domain.com/webmail? 0 -
This issue was addressed in cPanel version 11.48.0.7: Fixed case 158673: Fix proxy subdomains redirect issue in unprotected/redirect.html. Could you verify if the issue persists after updating to the most recent version available on your build tier? If so, please open a support ticket using the link in my signature so we can take a closer look. You can post the ticket number here so we can update this thread with the outcome. Thank you. 0 -
Maybe this is related to the issue I'm having? I installed an SSL cert at the weekend to a customer domain. If I go to which doesn't have a cert. 0 -
I have a ticket open for this, # 6106243, and I vehemently assert that the current behaviour is a bug. 0 -
Could you keep me updated with the outcome, please? 0 -
They don't work for me, so I guess I have something wrong. If I go to , which doesn't yet have SSL. (only self signed) If I go to 0 -
Maybe this is related and needs some testing. I removed and reinstalled the cert last night and the redirect now works. 0 -
Hello :) I believe much of this discussion centers on a feature request rather than a bug in the product. The following feature request would address most of these concerns: Support for per domain proxy subdomain certificates | cPanel Feature Requests (http://features.cpanel.net/responses/support-for-per-domain-proxy-subdomain-certificates)
There are two options as it stands now:
1. Enable proxy subdomains, which forces the use of the SSL Certificate in "WHM Home >> Service Configuration >> Manage Service SSL Certificates".
2. Disable proxy subdomains, and manually configure redirects for the subdomains to the proper SSL ports.
Thank you. 0 -
This is a bug, not a feature request. When using the default WHM settings the user is shown a message that states "hackers are trying to steal your credit card." In any event, the linked feature request will not resolve the issue for 99% of users. 0 -
Could you elaborate on the exact behavior that you would prefer to see? Also, you mentioned a "hackers are trying to steal your credit card" message. Is this simply part of the "Untrusted" message issued by your browser? Thank you. 0 -
The WHM server already knows which domains have and which do not have SSL certificates. It should be able to tell if the certificate is a wildcard certificate or not. 99% of domains won't have a wildcard certificate. However, with WHM defaulting to use SSL it should be common best practice for any production WHM server to have a proper SSL certificate issued by a common CA to the WHM server's hostname.
When a user attempts to access webmail, etc. for e.g. by visiting webmail.domain.com the server is already parsing the request and making redirections. Unfortunately WHM has not kept up with the times and these redirections are being performed inappropriately. This causes the users to be presented with scary messages (such as: "hackers are trying to steal your credit cards"); meanwhile users are trained to watch out for these errors and also for phishing emails and other sorts of malware that attempt to steal the users' credit cards, bank details, passwords, etc.
So while this behaviour may not have been an issue 10 years ago when implemented, today it is. Today any software intentionally using this behaviour is considered to have a bug. Cpanel needs to fix this major bug as soon as possible.
One solution would be instead of performing redirections to perform proxying. For e.g. if the user visits or . This sort of functionality will be the most ideal. That way the user's data and password are protected by TLS encryption (especially important with today's mobile devices and public wifi access points), the user does not see any scary messages, which increases their confidence and reduces support costs, and finally the ability to access webmail and Cpanel in situations where a restrictive firewall blocks access to the legacy Cpanel ports is also maintained. 0 -
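The mismatch discussed in this thread, as an added example that is not part of any post and is not cPanel's code: a redirect only avoids a browser warning when the target host is covered by the certificate served there. The sketch applies RFC 6125-style name matching to constructed certificate name lists; the host names, function names and the fallback order are assumptions for illustration.

```python
# Added illustration: hypothetical names and policy, not cPanel code.

def name_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style match: exact name, or '*' as the whole left-most label."""
    p, h = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if p == h:
        return True
    if not p.startswith("*."):
        return False
    suffix = p[1:]                      # "*.example.com" -> ".example.com"
    # Simplification: refuse wildcards directly under a single label ("*.com").
    if suffix.count(".") < 2 or not h.endswith(suffix):
        return False
    left = h[: -len(suffix)]
    # A wildcard covers exactly one label, so "a.b.example.com" and the bare
    # "example.com" are NOT covered by "*.example.com".
    return bool(left) and "." not in left


def cert_covers(cert_names, host) -> bool:
    """True if any subjectAltName entry in cert_names covers host."""
    return any(name_matches(n, host) for n in cert_names)


def safe_redirect_host(domain, service, service_cert_names, server_hostname):
    """Pick a redirect host that the service certificate actually covers.

    Prefers the proxy subdomain (e.g. cpanel.example.com); falls back to the
    server hostname; returns None when every target would trigger a warning.
    """
    for host in (f"{service}.{domain}", server_hostname):
        if cert_covers(service_cert_names, host):
            return host
    return None


if __name__ == "__main__":
    # Constructed sample data: a CA-issued cert for the server hostname only.
    hostname_cert = ["server1.example.net"]
    for svc in ("cpanel", "webmail"):
        target = safe_redirect_host("example.com", svc, hostname_cert,
                                    "server1.example.net")
        print(f"example.com/{svc} -> https://{target}")
```
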
To note, I do see that internal case number 169013 was opened on your behalf with the support ticket that you opened. The case aims to add redirects from webmail.domain.com to domain.com/webmail if proxy subdomains is disabled. That being said, it's still a good idea to submit a feature request for the overall change to the system that you prefer to see. Thank you. 0 -
Has this bug been resolved yet? 0 -
Has this bug been resolved yet?
No progress has been made on case 169013 at this time. Were you able to submit a feature request for the overall change to the system that you prefer to see? Thank you. 0 -
Has this bug been resolved yet? 0 -
Hello, This is now tracked via our feature request system:
Allow to make certificate for subdomains like cPanel.example.com and mail.Example using Lets Encrypt
Support for per domain proxy subdomain certificates
The most recent update is found under the "Comments" section at: SSL certificate per domain on cpanel, webmail, dav, caldav, and whm services (SNI).
cPanelFelipe, 3 weeks ago: Proxy subdomains are a tough nut to crack because this will require re-engineering the virtual hosts in httpd.conf. Currently all of the proxy subdomains are in one vhost, but since Apache ties SSL certificates to vhosts rather than domains (grr...), extending SNI coverage to proxy subdomains is much trickier than we'd like. It may be more feasible with some of the newer tricks in Apache - of course, the need to support old Apache versions (2.2.12 will be the minimum in 11.60) will be a handicap for anything that would rely on things that are new to 2.4.
Thank you. 0