MoS Tech – Help for Admins: Tech Ramblings of MoS and assorted other musings

10 Sep 2011

Wildcard SSL certs and cPanel

Using cPanel? Great, it helps a non-Linux admin get up and running with a lot of things. But for SSL it is cPanel's way or the highway! If you have a wildcard SSL cert, though, you can use it in a couple of ways. One is easy if you are starting out fresh (a lot more of a pain if you are not). The second requires SSH and the command line (CLI).

1: The best way in cPanel is to create each subdomain as a stand-alone account with a dedicated IP. Doing it this way lets the wildcard cert install with almost no issues, just as a normal SSL install is done via WHM (Web Host Manager). Just change the domain name field in the install section from *.domain.com to sub.domain.com, and make sure you put in the right username for the subdomain account you are currently installing for. The same goes for the IP: WHM usually fills in just 0 for the IP field, so put the dedicated IP in.

2: Now for the tricky way. A single account with the subdomains under it, sharing a dedicated IP. First install the wildcard SSL cert for the main domain. Follow the method above, but use just domain.com instead of *.domain.com or sub.domain.com. Make sure the IP is correct and the username is the user of the domain's account (see below if the account is using the main shared IP). It should install fine. Now for the fun part. SSH into the server and navigate to:

cd /usr/local/apache/conf/

You will be editing the Apache conf file httpd.conf (yes, I use nano; got a problem with it, mister pretty VIM?)

nano -w httpd.conf

In here you will find the SSL-based vhost you just made via WHM. Browse down to domain.com in the IP:443 (SSL port) section and copy it. It will look something like this (PROTIP: do not copy my example; use the actual one from your server):

<VirtualHost 127.0.0.1:443>
ServerName domain.com
ServerAlias www.domain.com
DocumentRoot /home/myusername/public_html
ServerAdmin webmaster@domain.com
UseCanonicalName off
## User myusername # Needed for Cpanel::ApacheConf
<IfModule !mod_disable_suexec.c>
User myusername
Group myusername
</IfModule>

<IfModule mod_suphp.c>
suPHP_UserGroup myusername myusername
</IfModule>

CustomLog /usr/local/apache/domlogs/domain.com combined
BytesLog /usr/local/apache/domlogs/domain.com-bytes_log
ScriptAlias /cgi-bin/ /home/myusername/public_html/cgi-bin/
SSLEngine on

SSLCertificateFile /usr/share/ssl/certs/domain.com.crt
SSLCertificateKeyFile /usr/share/ssl/private/domain.com.key
SSLCACertificateFile /usr/share/ssl/certs/domain.com.cabundle
CustomLog /usr/local/apache/domlogs/domain.com-ssl_log combined
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown

# To customize this VirtualHost use an include file at the following location
# Include "/usr/local/apache/conf/userdata/ssl/1/myusername/domain.com/*.conf"

</VirtualHost>

Now we will copy this to the pre_virtualhost_global.conf file.

cd /usr/local/apache/conf/includes/

nano -w pre_virtualhost_global.conf

Once copied, edit this block to match the subdomain you are adding wildcard SSL support for. Only the SSL section stays the same, since it uses the same cert files (it is a wildcard). The main things to change are ServerName, ServerAlias and DocumentRoot. You will also want to make sure the names and paths of the log files have been modified, unless you hate logs.

<VirtualHost 127.0.0.1:443>
ServerName sub.domain.com
ServerAlias www.sub.domain.com
DocumentRoot /home/myusername/public_html/subdomain
ServerAdmin webmaster@domain.com
UseCanonicalName off
## User myusername # Needed for Cpanel::ApacheConf
<IfModule !mod_disable_suexec.c>
User myusername
Group myusername
</IfModule>

<IfModule mod_suphp.c>
suPHP_UserGroup myusername myusername
</IfModule>
CustomLog /usr/local/apache/domlogs/sub.domain.com combined
BytesLog /usr/local/apache/domlogs/sub.domain.com-bytes_log
ScriptAlias /cgi-bin/ /home/myusername/public_html/subdomain/cgi-bin/
SSLEngine on

SSLCertificateFile /usr/share/ssl/certs/domain.com.crt
SSLCertificateKeyFile /usr/share/ssl/private/domain.com.key
SSLCACertificateFile /usr/share/ssl/certs/domain.com.cabundle
CustomLog /usr/local/apache/domlogs/sub.domain.com-ssl_log combined
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown

# To customize this VirtualHost use an include file at the following location
# Include "/usr/local/apache/conf/userdata/ssl/1/myusername/sub.domain.com/*.conf"

</VirtualHost>
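A caveat worth checking before you restart: a wildcard such as *.domain.com matches exactly one label, so sub.domain.com is covered but www.sub.domain.com (the ServerAlias in the block above) is not, and browsers will warn on that name unless the cert also lists it as a SAN; likewise the bare domain.com is only covered if it appears as a SAN. The POSIX shell below is an added example, not part of the original post, that applies the one-label rule to every ServerName and ServerAlias in a vhost file. The function names wildcard_matches and uncovered_names are mine, and the vhost fragment the demo reads is constructed.

```shell
#!/bin/sh
# Added example, not from the original post: apply the one-label wildcard
# rule (RFC 6125) to the host names in an Apache vhost file.

# wildcard_matches PATTERN NAME: returns 0 if PATTERN ("*.domain.com" or a
# plain name) covers NAME, 1 otherwise.  "*.domain.com" covers
# sub.domain.com but neither domain.com nor www.sub.domain.com.
wildcard_matches() {
    pattern=$1; name=$2
    case $pattern in
        \*.*) suffix=${pattern#\*.} ;;
        *)    [ "$pattern" = "$name" ]; return ;;
    esac
    label=${name%".$suffix"}
    [ "$label" != "$name" ] || return 1   # NAME does not end in ".suffix"
    [ -n "$label" ] || return 1           # nothing in front of the suffix
    case $label in
        *.*) return 1 ;;                  # more than one label: not covered
    esac
    return 0
}

# uncovered_names FILE PATTERN: print every ServerName/ServerAlias value in
# FILE that PATTERN does not cover (one per line, possibly none).
uncovered_names() {
    awk '/^[ \t]*(ServerName|ServerAlias)[ \t]/ { for (i = 2; i <= NF; i++) print $i }' "$1" |
    while read -r host; do
        wildcard_matches "$2" "$host" || echo "$host"
    done
}

# Stand-alone demo on a constructed vhost fragment using the post's names.
if [ "${1:-}" = "--demo" ]; then
    demo=$(mktemp)
    printf '%s\n' '<VirtualHost 127.0.0.1:443>' \
        'ServerName sub.domain.com' 'ServerAlias www.sub.domain.com' \
        '</VirtualHost>' > "$demo"
    uncovered_names "$demo" '*.domain.com'   # prints www.sub.domain.com
    rm -f "$demo"
fi
```

Run it as `sh check_names.sh --demo`, or point uncovered_names at your own pre_virtualhost_global.conf; anything it prints needs either its own SAN on the cert or a different alias.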

You will also want to ensure that in the main httpd.conf file, under the NameVirtualHost section, there is an entry for your IP:443. If it doesn't exist, add it to the include file as well, above the vhosts you created.

NameVirtualHost 127.0.0.1:443

Restart apache and you should be all set.

service httpd restart
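To make the copy-and-edit steps above repeatable, here is an added example of my own (not from the post or from cPanel) that renders the subdomain SSL vhost from parameters, makes sure a NameVirtualHost IP:443 line precedes it in the include file, refuses to add the same ServerName twice, and only restarts Apache after a syntax check. It assumes the cPanel paths used in the post; INCLUDE_FILE, CERT_DIR, APACHECTL and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post: generate a cPanel-style SSL
# vhost for a subdomain and append it to the pre-vhost include file, so a
# new subdomain is a parameter change rather than a hand edit.
# Paths default to the cPanel layout from the post; override for testing.
INCLUDE_FILE="${INCLUDE_FILE:-/usr/local/apache/conf/includes/pre_virtualhost_global.conf}"
CERT_DIR="${CERT_DIR:-/usr/share/ssl}"
APACHECTL="${APACHECTL:-/usr/local/apache/bin/apachectl}"   # assumed cPanel location

# render_ssl_vhost IP USER DOMAIN SUB DOCROOT: print the stanza on stdout.
render_ssl_vhost() {
    ip=$1; user=$2; domain=$3; sub=$4; docroot=$5
    fqdn="$sub.$domain"
    cat <<EOF
<VirtualHost $ip:443>
ServerName $fqdn
ServerAlias www.$fqdn
DocumentRoot $docroot
ServerAdmin webmaster@$domain
UseCanonicalName off
<IfModule !mod_disable_suexec.c>
User $user
Group $user
</IfModule>
<IfModule mod_suphp.c>
suPHP_UserGroup $user $user
</IfModule>
CustomLog /usr/local/apache/domlogs/$fqdn combined
BytesLog /usr/local/apache/domlogs/$fqdn-bytes_log
ScriptAlias /cgi-bin/ $docroot/cgi-bin/
SSLEngine on
SSLCertificateFile $CERT_DIR/certs/$domain.crt
SSLCertificateKeyFile $CERT_DIR/private/$domain.key
SSLCACertificateFile $CERT_DIR/certs/$domain.cabundle
CustomLog /usr/local/apache/domlogs/$fqdn-ssl_log combined
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
</VirtualHost>

EOF
}

# ensure_namevhost IP FILE [HTTPD_CONF]: prepend "NameVirtualHost IP:443" to
# FILE unless FILE or the main httpd.conf already has it (idempotent).
ensure_namevhost() {
    ip=$1; file=$2; httpd_conf="${3:-/usr/local/apache/conf/httpd.conf}"
    if grep -qsF "NameVirtualHost $ip:443" "$file" "$httpd_conf"; then
        return 0
    fi
    touch "$file"
    # the directive must come before the vhosts that rely on it
    { printf 'NameVirtualHost %s:443\n\n' "$ip"; cat "$file"; } > "$file.tmp" \
        && mv "$file.tmp" "$file"
}

# add_subdomain_vhost IP USER DOMAIN SUB DOCROOT: refuse a duplicate
# ServerName, then append the rendered stanza to INCLUDE_FILE.
add_subdomain_vhost() {
    if grep -qs "^ServerName $4\.$3\$" "$INCLUDE_FILE"; then
        echo "vhost for $4.$3 already present in $INCLUDE_FILE" >&2
        return 1
    fi
    ensure_namevhost "$1" "$INCLUDE_FILE"
    render_ssl_vhost "$@" >> "$INCLUDE_FILE"
}

# restart_if_valid: never restart on a config that does not parse.
restart_if_valid() {
    "$APACHECTL" configtest && service httpd restart
}

# Usage on a live box (uncomment to run):
# add_subdomain_vhost 127.0.0.1 myusername domain.com sub /home/myusername/public_html/subdomain && restart_if_valid
```

Because the include file is read by cPanel's own rebuild, this keeps the "cPanel-safe" property the post relies on while removing the hand editing of log names and paths.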

The reason for adding this to includes/pre_virtualhost_global.conf is to keep cPanel from modifying or removing the vhost. As we all know, if you hand-edit the Apache httpd.conf file cPanel will not be happy and will just undo your changes on the next update and/or rebuild. That is why they give us the include file options, for vhosts and for the config as a whole.

If the domain is on the main shared IP, the process is mostly the same. The initial install will put the cert under the "nobody" user, as WHM will not allow an SSL cert to be installed on the main shared IP unless it is for the Apache user "nobody". When you then make the vhosts, make sure to change all of the "nobody" references to the user of the account. This will primarily be the suEXEC and suPHP lines, but it can be others depending on your setup. You will also need to edit the main httpd.conf and modify the initial install's 443 vhost entry for the main domain, changing the "nobody" references to the user in question. After that, distill the Apache conf:

/usr/local/cpanel/bin/apache_conf_distiller --update

You can then test that it remembered the setting by rebuilding the conf and restarting Apache:

 /scripts/rebuildhttpdconf

killall -9 httpd

service httpd restart

Now check httpd.conf to make sure the 443 vhost did not revert to having the nobody user listed.
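The "did it revert" check in the last step can be scripted. The shell function below is an added example of mine (not the post's and not a cPanel tool) that scans httpd.conf for the :443 stanzas on a given IP and reports any that still carry User, Group or suPHP_UserGroup nobody, which is what you want to know before restarting. The httpd.conf fragment it uses for the demo is constructed; check_ssl_vhost_users and constructed_httpd_conf are my own names.

```shell
#!/bin/sh
# Added example, not from the original post: after /scripts/rebuildhttpdconf,
# confirm that no <VirtualHost IP:443> stanza still runs as the Apache user
# "nobody".  Prints the ServerName of each offending stanza and returns 1 if
# any was found, 0 if every :443 stanza on that IP uses a real account user.
check_ssl_vhost_users() {
    conf=$1; ip=$2
    awk -v ip="$ip" '
        # enter a stanza only for the SSL port on the IP we care about
        $0 ~ "^[ \t]*<VirtualHost " ip ":443>" { inside = 1; name = "?"; bad = 0; next }
        inside && /^[ \t]*ServerName[ \t]/                  { name = $2 }
        inside && /^[ \t]*(User|Group)[ \t]+nobody[ \t]*$/  { bad = 1 }
        inside && /^[ \t]*suPHP_UserGroup[ \t]+nobody/      { bad = 1 }
        inside && /^[ \t]*<\/VirtualHost>/ {
            if (bad) { print name; found = 1 }
            inside = 0
        }
        END { if (found) exit 1; exit 0 }
    ' "$conf"
}

# constructed_httpd_conf FILE: write a small constructed httpd.conf fragment.
# The :80 stanza may legitimately run as nobody and must be ignored; the
# second :443 stanza is the one that "reverted" and must be flagged.
constructed_httpd_conf() {
    cat > "$1" <<'EOF'
<VirtualHost 127.0.0.1:80>
ServerName domain.com
User nobody
</VirtualHost>
<VirtualHost 127.0.0.1:443>
ServerName domain.com
<IfModule !mod_disable_suexec.c>
User myusername
Group myusername
</IfModule>
</VirtualHost>
<VirtualHost 127.0.0.1:443>
ServerName sub.domain.com
<IfModule !mod_disable_suexec.c>
User nobody
Group nobody
</IfModule>
</VirtualHost>
EOF
}

# Stand-alone demo; on a real box run:
#   check_ssl_vhost_users /usr/local/apache/conf/httpd.conf YOUR.IP
if [ "${1:-}" = "--demo" ]; then
    demo=$(mktemp)
    constructed_httpd_conf "$demo"
    if check_ssl_vhost_users "$demo" 127.0.0.1; then
        echo "all :443 vhosts on 127.0.0.1 run as a real user"
    else
        echo "fix the stanza(s) listed above before restarting Apache" >&2
    fi
    rm -f "$demo"
fi
```

Wire it in between /scripts/rebuildhttpdconf and the restart, and the rebuild cannot silently hand the SSL vhost back to nobody without you noticing.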

This wouldn't be an issue on a non-cPanel box using a wildcard SSL cert, as in the rest of the Linux world shared IPs do not matter. It is done this way in cPanel due to it being able to easily help you manage. But on the bright side, once you do this you have a nice template: inside WHM > Apache Configuration > Include Editor > Pre VirtualHost Include you can copy and edit it to add a new subdomain. Another thing to note: your current setup could be a mix of the above methods while still using a single wildcard SSL cert. Just install each subdomain in whichever way fits its situation.

Filed under: Tech

Comments (2) Trackbacks (1)
  1. Is point 2 correct? Because it seems that WHM does not allow two accounts to share the certificates on the same IP.

    The error when you try to do that:

    SSL install aborted due to error: sub.domain.com is already configured for SSL on XX.XX.XX.XX. Only one SSL VirtualHost is allowed per IP address!
    Certificate verification passed

    sub.domain.com is already configured for SSL on XX.XX.XX.XX
    Only one SSL VirtualHost is allowed per IP address!

    • That would be correct. I am surprised I didn't catch it myself. My mind was thinking of one cert installed on the same IP as other domains. But that would still only allow one cert using the user “nobody” trick. Thank you! I will shortly have a new post up on giving an addon domain or subdomain an IP that is different from the main account to allow an SSL install to happen, or any other reason for wanting a sub or addon to have a different IP than the main account and site.

      I have removed the old #2 and now only have 2 ways of doing this. Though I hope to test a scripted way to make this a lot less painful.

