Installing an SSL Certificate on a Shared IP
- Written by Vanessa Vasile
- Published in Apache, Howto, Security
- 25 Comments
Update: As of cPanel 11.40, you can install shared SSLs on the main/shared IP just as you do any other certificate.
It was kind of annoying in the midst of cPanel 11’s release when cPanel discontinued the ability to install an SSL certificate on a shared IP. Sure, you can do it as ‘nobody’, but this tends to mess up things when you have open_basedir set up or you’re using suPHP. Sometimes you might not have another IP to use, or you’re using an IP-based monitoring system and don’t want to complicate things. I, personally, prefer to install my shared SSL certificates on the shared IP. But that’s just me…and I’m right about everything.
There is a crafty way to get around this limitation, though it does require root access and it can be a little tedious when it’s something you have to do on a regular basis.
Come on cPanel, just let us do this again so we don’t have to keep coming up with workarounds. I assume at this point that you already know how to use WHM to install a certificate, and you’re aware that the hostname for the certificate has to correspond with a user already on the server. Duh.
First, hop into WHM ~> Install a SSL Certificate and Setup the Domain and install the SSL normally, BUT, in the user field, put ‘nobody’ and finish the installation.
Now that the certificate is installed, you need to force cPanel to accept its fate to allow a shared SSL on the main IP. Go into /var/cpanel/userdata and run the following commands, noting that $user should be replaced with the username owning the SSL domain, $ssldomain.
mv nobody/${ssldomain}_SSL* $user/
replace nobody $user -- $user/*
Then edit ./nobody/main and remove the SSL domain from the sub_domains list, and run /scripts/rebuildhttpdconf to rebuild the Apache configuration, then restart Apache for the changes to take effect. Voila.
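The userdata steps above as a single shell function, with a backup taken first and sed used in place of replace (an added example, not from the original post; the function name move_ssl_userdata, its arguments and the "- domain" list layout it expects in nobody/main are assumptions). It substitutes only inside the moved files rather than across all of $user/*.

```bash
#!/bin/bash
# Added example (not from the original post). Assumes GNU sed and that
# nobody/main lists the domain as a "  - domain" item under sub_domains.
# usage: move_ssl_userdata <userdata_root> <user> <ssldomain>
move_ssl_userdata() {
    local root="$1" user="$2" domain="$3"
    local src="$root/nobody" dst="$root/$user"
    local f backup esc moved=0

    # Only plain account and host names: nothing that can leave the
    # userdata tree or alter the sed expressions below.
    case "$user" in ""|nobody|*[!A-Za-z0-9_]*)
        echo "invalid user" >&2; return 2 ;;
    esac
    case "$domain" in ""|*[!A-Za-z0-9._-]*|*..*)
        echo "invalid domain" >&2; return 2 ;;
    esac
    [ -d "$src" ] && [ -d "$dst" ] || { echo "missing userdata dir" >&2; return 2; }

    # Copy nobody's userdata aside before changing anything.
    backup=$(mktemp -d) || return 1
    cp -a "$src" "$backup/nobody" || return 1

    for f in "$src/${domain}_SSL"*; do
        [ -e "$f" ] || continue
        mv -- "$f" "$dst/" || return 1
        # Same substitution as `replace nobody $user --`, but applied only
        # to the file just moved instead of everything in $user/.
        sed -i "s/nobody/$user/g" "$dst/${f##*/}" || return 1
        moved=$((moved + 1))
    done
    if [ "$moved" -eq 0 ]; then
        echo "no ${domain}_SSL files under nobody" >&2; return 1
    fi

    # Remove the domain from nobody's sub_domains list (whole-line match).
    esc=$(printf '%s' "$domain" | sed 's/\./\\./g')
    sed -i "/^[[:space:]]*-[[:space:]]*${esc}[[:space:]]*\$/d" "$src/main" || return 1

    echo "$backup"   # path of the backup copy, for rollback
}
```

On a real server the root argument is /var/cpanel/userdata, and the rebuild and Apache restart described above still follow.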
IF this is a shared SSL certificate (meaning, other users on the server can call it via https://$ssldomain/~$user):
You’ll want the SSL to show as the shared certificate on the server, which you can either select from the dropdown in WHM ~> SSL Hosts, or run:
echo $sslhostname > /var/cpanel/.sharedcrtname
If you use mod_php with open_basedir, and/or you have mod_userdir enabled, you need to exclude the user ‘owning’ the SSL certificate from both, to allow other sites on the server to use its certificate. These can both be set in WHM ~> Security Center.
Hey, I just tried to add an SSL cert to one of my customer’s sites, and this worked a treat, thanks.
Tell me, can this work with MORE than one SSL on a single IP? Or is it just a way of forcing cPanel to host a single SSL site on the main server IP?
Great article 🙂
You actually can’t install an SSL certificate on more than one IP as far as I know…you could probably do it manually by adding a file to /var/cpanel/userdata/$user and rebuilding httpd.conf, but SSL is dependent on an IP, so whatever entry is first in httpd.conf will be the one that is served when a site on that IP is loaded via https.
Yeah, I agree with Vanessa. I actually tested this, and exactly what she said would happen is what happened — it simply defaulted to the first entry in httpd.conf =0/
Well, at least cPanel leaves this opportunity available even if it is a work-around — Plesk on the other hand does it in a more ambiguous manner, but that’s a whole ‘nother conversation. . .
Hello everyone..
I have never installed a certificate before, so I don’t know much about how to install one..
I have a reseller account, and the hosting I have got for myself is on an SSL connection, but it only appears in cPanel and in WHM, with different ports..
like usually the cPanel port is 2082
so its port is 2083
and I have a shared IP address..
so is it possible that I give hosting to my clients with SSL support, so that when my client opens the site it should come like
Also, is it possible to install the SSL on two or more clients..
and also they won’t receive any problem on their end..
Looking forward to a reply..
Please tell me, is it possible without having any problems or not..
You can install as many SSL certificates as you want – but each technically needs its own IP unless you’re using a wildcard SSL.
Yeah, Syed, it’s not that they’re operating on different ports, cPanel/WHM is just configured that way out of the box — even if your SSL was self signed, WHM for example would still answer on port 2086 AND port 2087.
I manage servers for clients who run WHM/cPanel, and I’ve configured their hosts so that the SSL port still answers whether a proper certificate exists or not.
The easiest way would be what Vanessa suggested, buy yourself a wildcard SSL cert, and then you’d be able to share an SSL certificate for all your clients like this:
https://www.yourdomain.com/~[client’s username]/[client’s secure page]/
But your best bet (and most secure) is to simply assign a unique IP for each of your clients, and install an SSL certificate for each domain that has a unique IP.
If you don’t do it this way, then people will simply get a “Unable To Connect” message, rather than the browser still showing the page, but with an insecure/self-signed certificate (I personally prefer the latter case, since the client can still view the site).
Here’s an example:
This is a host that is either misconfigured or doesn’t have proper SSL ports setup:
So in this example, even trying to connect to WHM results in the same error message:
While these examples don’t:
http://www.rachelwoods.com:443 (redirects to Apache’s default page, which leaves this host open to other vulnerabilities that I won’t mention here to protect the owner of that server)
It’s simply because cPanel/WHM is listening on the ports specifically and redirects the user accordingly, but if your SSL ports aren’t configured properly, then you end up like the host above.
And there ya have it. . .if you still need help, post again, and we’ll try to help you out.
very helpful topics for me…
1 SSL for 1 dedicated IP, yes, but now I know TLS technology offers a better solution by only using one port for unsecure and secure connections (like no need for 443) and no need for a dedicated IP for each SSL. It is offered by the SNI extension or subjectAltName, based on http://en.wikipedia.org/wiki/Server_Name_Indication and http://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI
But this thing seems new to me. I found this can be configured in Apache 2.2.x server as mentioned here: http://serverfault.com/questions/109766/ssl-site-not-using-the-correct-ip-in-apache-and-ubuntu and http://serverfault.com/questions/109800/multiple-ssl-domains-on-the-same-ip-address-and-same-port/
I am wondering if it can be done in cPanel so any of my domains can get an SSL cert and apply it without buying another dedicated IP. I am looking to see if this is possible on a cPanel/WHM server.
Is this tweak about SNI?
Great tip. Worked perfectly, still. Thanks!
Two notes you might want to change:
1. The command:
replace nobody $user — $user/*
replace nobody $user — $user/*
2. The command:
is spelt incorrectly and should be:
Oh and for convenience, the script to restart apache is:
I tried to install 2 SSLs on one shared IP and it’s not working.
SSL install aborted due to error: example.com is already configured for SSL on xxx.xxx.xxx.xxx. Only one SSL VirtualHost is allowed per IP address!
Certificate verification passed
example.com is already configured for SSL on xxx.xxx.xxx.xxx.
Only one SSL VirtualHost is allowed per IP address!
You can’t use WHM to do this. Please read the post.
On the “replace nobody $user — $user/*” stage, I’m getting “replace: No to-string for last from-string” as a return. I’m a bit of a newbie so I’d greatly appreciate a hand, thanks.
The “–” is a double dash – WordPress doesn’t display it like this. Also, make sure you replace $user with the actual username.
Thank you VERY much for this. I figured it out once before three years ago but forgot what I did when it came time to renew my certificate. I should have written it down; good thing you did.
Also, in case it’s useful for you, disabling the wptexturize filter should make your double dash appear properly. Email me if you want a plugin that does this. (Yes, that email IS valid.)
I’m trying to figure out exactly what I need to do: I have a dedicated server that I want to set up an SSL cert on for shared ssl, just as any normal hosting company would, even though I have no intention of having anyone but me on the server. Will the regular comodo 5.00 cert work, or do I need a special “webserver” ssl cert? I do use WHM/Cpanel and Centos operating system. I have installed ssl certs on individual domains, but it has been several years and I’m afraid that I’m feeling a bit rusty, lol; it doesn’t seem to work the same way and maybe it doesn’t, judging from your post. I wish I knew where to hire someone to do this for me for a reasonable price.
Any standard SSL will work and you can install it via WHM. If you want us to do it for you, please go to http://tcaserversolutions.com and we can do it for you quickly.
We’ll update the post shortly. This functionality returned since 11.40.
I still wonder how to set up SSL on shared hosting, as we do not have a dedicated IP and no control over the Var folder. Do you guys have a video demonstration regarding the same?
This is one of the top questions and hardly any authentic answer is available on the internet, so if you guys have time, put all the stuff in a video and let us know the link, so we can understand far better than the writing.
Please note that installing an SSL on the shared IP is now done the same way as on a dedicated IP. However, if you are an end user and your host has this functionality disabled in cPanel, you need to contact them about this.
I am searching on google how to install ssl certificate in cpanel and I find your post. And after reading your content, hopefully, now we can install ssl certificate easily. Thank you!