Installing an SSL Certificate on a Shared IP
Posted by Vanessa | Tagged under howto,ssl,tricks,whm | Posted on December 30, 2009
3
It was kind of annoying in the midst of cPanel 11′s release when cPanel discontinued the ability to install an SSL certificate on a shared IP. Sure, you can do it as ‘nobody’, but this tends to mess up things when you have open_basedir set up or you’re using suPHP. Sometimes you might not have another IP to use, or you’re using an IP-based monitoring system and don’t want to complicate things. I, personally, prefer to install my shared SSL certificates on the shared IP. But that’s just me…and I’m right about everything.
There is a crafty way to get around this limitation, though it does require root access and it can be a little annoying when it’s something you have to do on a normal basis. Come on cPanel, just let us do this again so we don’t have to keep coming up with workarounds. I assume at this point that you already know how to use WHM to install a certificate, and you’re aware that the hostname for the certificate has to correspond with a user already on the server. Duh.
First, hop into WHM ~> Install a SSL Certificate and Setup the Domain and install the SSL normally, BUT, in the user field, put ‘nobody’ and finish the installation.
Now that the certificate is installed, you need to force cPanel to accept its fate to allow a shared SSL on the main IP. Go into /var/cpanel/userdata and run the following commands, noting that $user should be replaced with the username owning the SSL domain, $ssldomain.
mv nobody/$ssldomain_SSL* $user/
replace nobody $user — $user/*
Then edit ./nobody/main and remove the SSL domain from the sub_domains list, and run /scripts/rebuildhttpconf to rebuild the Apache configuration, then restart Apache for the changes to take effect. Voila.
IF this is a shared SSL certificate (meaning, other users on the server can call it via https://$ssldomain/~$user):
You’ll want the SSL to show as the shared certificate on the server, which you can either select from the dropdown in WHM ~> SSL Hosts, or run:
echo $sslhostname > /var/cpanel/.sharedcrtname
If you use mod_php with open_basedir, and/or you have mod_userdir enabled, you need to exclude the user ‘owning’ the SSL certificate from both, to allow other sites on the server to use its certificate. These can both be set in WHM ~> Security Center
Related posts:
sending...
Hey, I just tried to add an SSL ceet to one of my customers sites, and this worked a treat, thanks.
Tell me, can this work with MORE than one SSL on a single IP? Or is it just a way or forcing Cpanel to host a single SSL site on the main server IP?
Great article :)
You actually can’t install an SSL certificate on more than one IP as far as I know…you could probably do it manually by adding a file to /var/cpanel/userdata/$user and rebuilding httpd.conf, but SSL is dependent on an IP, so whatever entry is first in httpd.conf will be the one that is served when a site on that IP is loaded via https.
Yeah, I agree with Vanessa. I actually tested this, and exactly what she said would happen is what happened — it simply defaulted to the first entry in httpd.conf =0/
Well, at least cPanel leaves this opportunity available even if it is a work-around — Plesk on the other hand does it in a more ambiguous manner, but that’s a whole ‘nother conversation. . .