Installing an SSL Certificate on a Shared IP

 

It was kind of annoying in the midst of cPanel 11’s release when cPanel discontinued the ability to install an SSL certificate on a shared IP.  Sure, you can do it as ‘nobody’, but this tends to mess up things when you have open_basedir set up or you’re using suPHP. Sometimes you might not have another IP to use, or you’re using an IP-based monitoring system and don’t want to complicate things. I, personally, prefer to install my shared SSL certificates on the shared IP. But that’s just me…and I’m right about everything.

There is a crafty way to get around this limitation, though it does require root access and it can be a little tedious when it’s something you have to do on a regular basis. Come on cPanel, just let us do this again so we don’t have to keep coming up with workarounds. I assume at this point that you already know how to use WHM to install a certificate, and you’re aware that the hostname for the certificate has to correspond with a user already on the server. Duh.

First, hop into WHM ~> Install a SSL Certificate and Setup the Domain and install the SSL normally, BUT, in the user field, put ‘nobody’ and finish the installation.

Now that the certificate is installed, you need to force cPanel to accept its fate to allow a shared SSL on the main IP. Go into /var/cpanel/userdata and run the following commands, noting that $user should be replaced with the username owning the SSL domain, $ssldomain.

mv nobody/${ssldomain}_SSL* $user/

replace nobody $user -- $user/*

Then edit ./nobody/main and remove the SSL domain from the sub_domains list, and run /scripts/rebuildhttpdconf to rebuild the Apache configuration, then restart Apache for the changes to take effect. Voila.
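The move, rewrite and sub_domains edit described above, written as a function that can be rehearsed on a copy of the userdata tree first. This is an added example, not part of the original post or of cPanel's tooling; the function names, the `alice` user, the sample domain and the file contents in `make_sample_tree` are constructed assumptions.

```shell
#!/usr/bin/env bash
# Added example: rehearse the userdata move on a directory tree passed as ROOT
# (a copy of /var/cpanel/userdata) before doing it on the live one.

move_ssl_userdata() {   # usage: move_ssl_userdata ROOT USER SSLDOMAIN
    local root=$1 user=$2 ssldomain=$3 f dest esc bak moved=0
    [ -d "$root/nobody" ] && [ -d "$root/$user" ] || return 1
    # Rollback copy, kept outside ROOT so it is not mistaken for a user directory.
    bak=$(mktemp -d) && cp -Rp "$root/nobody" "$root/$user" "$bak/" || return 1

    # Braces matter: "$ssldomain_SSL" would expand a variable named ssldomain_SSL.
    for f in "$root/nobody/${ssldomain}_SSL"*; do
        [ -e "$f" ] || continue                 # glob matched nothing
        dest="$root/$user/${f##*/}"
        # mv plus "replace nobody $user -- file", applied only to the moved file.
        cp -p "$f" "$dest" && sed "s/nobody/$user/g" "$f" > "$dest" && rm "$f" || return 1
        moved=$((moved + 1))
    done
    [ "$moved" -gt 0 ] || return 1

    # Drop the domain from nobody/main (assumed format: one "  - domain" line).
    esc=$(printf '%s' "$ssldomain" | sed 's/\./\\./g')
    sed "/^[[:space:]]*- *$esc[[:space:]]*\$/d" "$root/nobody/main" > "$bak/main.new" &&
        cat "$bak/main.new" > "$root/nobody/main" || return 1

    # A leftover "nobody" in the moved files means the rewrite was incomplete.
    if grep -q nobody "$root/$user/${ssldomain}_SSL"*; then return 1; fi
    echo "$bak"                                 # where the rollback copy lives
}

make_sample_tree() {    # constructed sample data, not real cPanel output
    local root
    root=$(mktemp -d) || return 1
    mkdir "$root/nobody" "$root/alice"
    printf 'user: nobody\ngroup: nobody\nservername: secure.example.com\n' \
        > "$root/nobody/secure.example.com_SSL"
    printf 'sub_domains:\n  - secure.example.com\n  - other.example.com\n' \
        > "$root/nobody/main"
    echo "$root"
}
```

After a run against the real tree, /scripts/rebuildhttpdconf and an Apache restart are still required, as described above.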

If this is a shared SSL certificate (meaning, other users on the server can call it via https://$ssldomain/~$user):

You’ll want the SSL to show as the shared certificate on the server, which you can either select from the dropdown in WHM ~> SSL Hosts, or run:

echo $sslhostname > /var/cpanel/.sharedcrtname

If you use mod_php with open_basedir, and/or you have mod_userdir enabled, you need to exclude the user ‘owning’ the SSL certificate from both, to allow other sites on the server to use its certificate. These can both be set in WHM ~> Security Center.


17 Comments

  1. Steve Reply

    Hey, I just tried to add an SSL cert to one of my customer's sites, and this worked a treat, thanks.

    Tell me, can this work with MORE than one SSL on a single IP? Or is it just a way of forcing cPanel to host a single SSL site on the main server IP?

    Great article :)

    1. Vanessa Reply

      You actually can’t install an SSL certificate on more than one IP as far as I know…you could probably do it manually by adding a file to /var/cpanel/userdata/$user and rebuilding httpd.conf, but SSL is dependent on an IP, so whatever entry is first in httpd.conf will be the one that is served when a site on that IP is loaded via https.

  2. Eric Gillette Reply

    Yeah, I agree with Vanessa. I actually tested this, and exactly what she said would happen is what happened — it simply defaulted to the first entry in httpd.conf =0/

    Well, at least cPanel leaves this opportunity available even if it is a work-around — Plesk on the other hand does it in a more ambiguous manner, but that’s a whole ‘nother conversation. . .

  3. Syed Haider Hassan Reply

    Hello everyone.
    I have never installed a certificate before, so I don't know much about how to install one.

    I have a reseller account, and the hosting I have got for myself is on an SSL connection, but it only appears on cPanel and in WHM, with different ports.
    Like, usually the cPanel port is 2082,
    so its port is 2083.

    And I have a shared IP address.
    So is it possible that I give hosting to my clients with SSL support, so that when my client opens the site it should come up like
    https://www.domain.com ??

    Also, is it possible to install the SSL on two or more clients?

    And also, they won't receive any problem on their end?

    Looking forward to a reply.

    Please tell me whether it is possible without having any problems or not.

  4. Eric Gillette Reply

    Yeah, Syed, it’s not that they’re operating on different ports, cPanel/WHM is just configured that way out of the box — even if your SSL was self signed, WHM for example would still answer on port 2086 AND port 2087.

    I manage servers for clients who run WHM/cPanel, and I’ve configured their hosts so that the SSL port still answers whether a proper certificate exists or not.

    The easiest way would be what Vanessa suggested, buy yourself a wildcard SSL cert, and then you’d be able to share an SSL certificate for all your clients like this:

    https://www.yourdomain.com/~[client's username]/[client's secure page]/

    But your best bet (and most secure) is to simply assign a unique IP for each of your clients, and install an SSL certificate for each domain that has a unique IP.

    If you don’t do it this way, then people will simply get a “Unable To Connect” message, rather than the browser still showing the page, but with an insecure/self-signed certificate (I personally prefer the latter case, since the client can still view the site).

    Here’s an example:

    This is a host that is either misconfigured or doesn’t have proper SSL ports setup:

    https://www.rachelwoods.com

    So in this example, even trying to connect to WHM results in the same error message:

    https://www.rachelwoods.com/whm

    While these examples don’t:

    http://www.rachelwoods.com:2087

    http://www.rachelwoods.com:443 (redirects to Apache’s default page, which leaves this host open to other vulnerabilities that I won’t mention here to protect the owner of that server)

    It’s simply because cPanel/WHM is listening on the ports specifically and redirects the user accordingly, but if your SSL ports aren’t configured properly, then you end up like the host above.

    And there ya have it. . .if you still need help, post again, and we’ll try to help you out.

  5. Pingback: paico | Usando SSL no seu VPS + Erro 500 ao usar SSL

  6. Mazlan Reply

    Hi,
    1 SSL for 1 dedicated IP, yes, but now I know TLS technology offers a better solution by only using one port for unsecure and secure connections (like no need for 443) and no need for a dedicated IP for each SSL. It is offered by the SNI extension or subjectAltName, based on http://en.wikipedia.org/wiki/Server_Name_Indication and http://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI

    But this thing seems new to me. I found this can be configured in Apache 2.2.x server as mentioned here: http://serverfault.com/questions/109766/ssl-site-not-using-the-correct-ip-in-apache-and-ubuntu and http://serverfault.com/questions/109800/multiple-ssl-domains-on-the-same-ip-address-and-same-port/

    I am wondering if it can be done in cPanel so any of my domains can get an SSL cert and apply it without buying another dedicated IP. I am looking to see if this is possible in a cPanel/WHM server.

  7. Pingback: Multiple SSL Certificates on reseller account without purchasing another dedicated IP

  8. Paul Reply

    Great tip. Worked perfectly, still. Thanks!
    Two notes you might want to change:

    1. The command:
    replace nobody $user — $user/*
    should read:
    replace nobody $user -- $user/*

    2. The command:
    /scripts/rebuildhttpconf
    is spelt incorrectly and should be:
    /scripts/rebuildhttpdconf

    Oh and for convenience, the script to restart apache is:
    /usr/local/cpanel/scripts/restartsrv httpd

    ;)

  9. onel0ve Reply

    I tried to install 2 SSL on one shared IP and it's not working.

    Error

    SSL install aborted due to error: example.com is already configured for SSL on xxx.xxx.xxx.xxx. Only one SSL VirtualHost is allowed per IP address!
    Certificate verification passed

    example.com is already configured for SSL on xxx.xxx.xxx.xxx.
    Only one SSL VirtualHost is allowed per IP address!

  10. Jenna Reply

    Hi,

    On the “replace nobody $user — $user/*” stage, I’m getting “replace: No to-string for last from-string” as a return. I’m a bit of a newbie so I’d greatly appreciate a hand, thanks.

  11. Mango Reply

    Thank you VERY much for this. I figured it out once before three years ago but forgot what I did when it came time to renew my certificate. I should have written it down; good thing you did.

    Also, in case it’s useful for you, disabling the wptexturize filter should make your double dash appear properly. Email me if you want a plugin that does this. (Yes, that email IS valid.)
