Welcome to the JaguarPC Community

This is a discussion on wildcard SSL certificate and WHM incompatible?! in the VPS & Dedicated forum

  1. #1
    JPC Addict
    Join Date
    Aug 2004
    Location
    Canada
    Posts
    135

    wildcard SSL certificate and WHM incompatible?!

    As tech support are going around in circles with this issue, I thought I'd see if anyone in forum-land can help me (and them).

    Previously I ran a site on a Jag server running Plesk. There is the core site, and multiple subdomains. All required an SSL certificate, so I got a wildcard certificate. I installed it, they all ran off the one IP, and everything was fine for several months.

    Recently we decided to migrate to another machine, this time running WHM/cPanel. Migration went smoothly until we tried to re-install the wildcard certificate. It wouldn't work for any more than one subdomain. If it works for https://subdomain1.mydomain.com, for instance, then https://subdomain2.mydomain.com also points to subdomain1. Which isn't what we want. We are told we need to buy more IPs (which we hadn't needed before). So we buy them. Doesn't work. We are told we need to set up the subdomains as their own accounts. So we do. Doesn't work. This has been going on since Friday morning, our sites are down, and it is increasingly clear that tech support don't have a clue.

    Anyone out there got any idea? I can't believe WHM is completely incompatible with wildcard certificates.

  2. #2
    CTO JPC-Masood's Avatar
    Join Date
    Aug 2002
    Location
    Jaguar Servers
    Posts
    2,062
    Quote Originally Posted by uprightdog View Post
    Anyone out there got any idea? I can't believe WHM is completely incompatible with wildcard certificates.
    Yes, cPanel/WHM is not very good with wildcard certificates. It is sad but true.

    Masood N. | Chief Technical Officer
    JaguarPC.com



  3. #3
    Loyal Client the_ancient's Avatar
    Join Date
    Feb 2004
    Posts
    3,265
    To Restate

    It is true that cPanel is sad.
    -------------------------
    the_ancient
    MP Technology Group

  4. #4
    Loyal Client thisisit3's Avatar
    Join Date
    Mar 2007
    Posts
    631
    I don't know what the fuss is about, I'm using WHM/cPanel with a lot of wildcard domains without problems.

    For example, it's easy to create a wildcard certificate from cacert.org (free certificates, but their root cert isn't included by default) and then add it to WHM.

    You can also use the same certificate for multiple domains by modifying the httpd.conf and adding the same cert file to many vhosts. Just make sure you know how auto-update works in cPanel so your changes aren't lost.

  5. #5
    /dev/null JPC-Zishan's Avatar
    Join Date
    Apr 2008
    Posts
    257
    Quote Originally Posted by thisisit3 View Post
    You can also use the same certificate for multiple domains by modifying the httpd.conf and adding the same cert file to many vhosts.
    If you are running cPanel 11 and EA3, then manually editing httpd.conf is not recommended because it will not be preserved and httpd.conf will be regenerated on adding a new domain. cPanel generates the httpd.conf based on the entries in the /var/cpanel/userdata/ directory.

  6. #6
    JPC Addict
    Join Date
    Aug 2004
    Location
    Canada
    Posts
    135
    Quote Originally Posted by thisisit3 View Post
    I don't know what the fuss is about, I'm using WHM/cPanel with a lot of wildcard domains without problems.
    Apparently this is a problem new to cPanel 11.

  7. #7
    Loyal Client thisisit3's Avatar
    Join Date
    Mar 2007
    Posts
    631
    Err, that's weird, because my certificate-related problems were in cPanel 10, and since my upgrade to cPanel 11 some months ago I'm able to install certificates without problems.

    The only limitation in cPanel 11 is that you can't install vhost-based certificates for /cpanel and /whm, since these don't run under Apache's port 80, but under cPanel daemons.

  8. #8
    JPC Addict
    Join Date
    Aug 2004
    Location
    Canada
    Posts
    135
    Quote Originally Posted by thisisit3 View Post
    Err, that's weird, because my certificate-related problems were in cPanel 10, and since my upgrade to cPanel 11 some months ago I'm able to install certificates without problems.
    Yes that is weird. Jag support have been in touch with cPanel support and have now reached the conclusion that the only way to get a wildcard certificate working is to create the 'subdomains' as stand-alone accounts (so they aren't subdomains at all), dedicate an IP to each, manually create the entry and then rebuild Apache. That's convenient then.

    thisisit - feel free to describe the process you go through to install your wildcard certificates...

  9. #9
    JPC Member
    Join Date
    May 2008
    Posts
    2
    Uuuugh.. I have exactly the same problem. Astonished that cPanel is so crap and starting to wish I chose something else. My managed dedicated hosting support team can't get it working and their enterprise level support back from cPanel directly was useless.

    I'm going to experiment with some Apache mod_rewrite. If I have success I'll post my results. If you have fixed your setup I'd appreciate it if you can share the solution.

  10. #10
    JPC Addict
    Join Date
    Aug 2004
    Location
    Canada
    Posts
    135
    It is now working, but support had to make changes manually. We no longer have subdomains, however - each 'subdomain' has to have its own account and dedicated IP. Below is support's 'how to' guide:

    1. Copy the file for one of the already installed certs, e.g. in this case I copied the file '/var/cpanel/userdata/myusername1/mysubdomain1.mydomain.net_SSL' to '/var/cpanel/userdata/myusername2/'.

       /var/cpanel/userdata/ is the path where each account has a folder with its Apache and cPanel configuration files. The _SSL file is the one which contains the entries for the SSL vhost for any domain.

    2. Rename it according to the subdomain, i.e. in this case rename '/var/cpanel/userdata/myusername2/mysubdomain1.mydomain.net_SSL' to '/var/cpanel/userdata/myusername2/mysubdomain2.mydomain.net_SSL'.

    3. Edit the file '/var/cpanel/userdata/myusername2/mysubdomain2.mydomain.net_SSL' and update the user name to myusername2 wherever the old username appears, and update the IP; viewing this file will clear up any confusion.

    4. Run: /usr/local/cpanel/bin/build_apache_conf
       to rebuild the Apache configuration from the newly created file.

    5. Then restart Apache to make it load the newly built configuration.
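
Steps 1 to 3 of the how-to above, written as a reusable shell function; this is an added example, not part of the original post or of cPanel's tooling. The function names and the keys in the sample file are assumptions, and the sample values are constructed.

```shell
#!/bin/sh
# Added example: steps 1-3 of the how-to as one function. Steps 4-5 (rebuild,
# restart) stay manual so the new file can be reviewed first.
USERDATA_DIR="${USERDATA_DIR:-/var/cpanel/userdata}"   # path named in the post

# Allow only username/hostname/IP characters: safe in paths and in sed.
valid_token() {
    case "$1" in ''|.*|*[!A-Za-z0-9._-]*) return 1 ;; esac
}

# Emit a sed -E expression that replaces $1 with $2 only as a whole token.
swap_expr() {
    old=$(printf '%s' "$1" | sed 's/\./\\./g')   # dots must match literally
    printf 's/(^|[^A-Za-z0-9._-])%s([^A-Za-z0-9._-]|$)/\\1%s\\2/g' "$old" "$2"
}

# clone_ssl_userdata SRC_USER SRC_DOMAIN DST_USER DST_DOMAIN OLD_IP NEW_IP
clone_ssl_userdata() {
    [ $# -eq 6 ] || { echo "expected 6 arguments" >&2; return 2; }
    for v in "$@"; do
        valid_token "$v" || { echo "bad argument: $v" >&2; return 2; }
    done
    src="$USERDATA_DIR/$1/${2}_SSL"; dst="$USERDATA_DIR/$3/${4}_SSL"
    [ -f "$src" ] || { echo "no such file: $src" >&2; return 1; }
    [ ! -e "$dst" ] || { echo "refusing to overwrite $dst" >&2; return 1; }
    u=$(swap_expr "$1" "$3"); i=$(swap_expr "$5" "$6")
    cp -p "$src" "$dst" || return 1      # steps 1-2: copy under the new name
    # Step 3: swap username and IP; each rule runs twice to catch adjacent hits.
    sed -E -e "$u" -e "$u" -e "$i" -e "$i" "$src" > "$dst"
}

# Count lines that still mention STRING (e.g. the source subdomain), which the
# post's steps do not touch and which need a manual look before rebuilding.
stale_lines() {   # stale_lines FILE STRING
    grep -cF -- "$2" "$1" || true
}

# Dry run on a constructed file (keys are illustrative, not cPanel's format).
if [ "${1:-}" = "--demo" ]; then
    USERDATA_DIR=$(mktemp -d); mkdir "$USERDATA_DIR/myusername1" "$USERDATA_DIR/myusername2"
    printf '%s\n' 'user: myusername1' 'ip: 192.0.2.10' \
        'servername: mysubdomain1.mydomain.net' \
        > "$USERDATA_DIR/myusername1/mysubdomain1.mydomain.net_SSL"
    clone_ssl_userdata myusername1 mysubdomain1.mydomain.net \
        myusername2 mysubdomain2.mydomain.net 192.0.2.10 192.0.2.20
    cat "$USERDATA_DIR/myusername2/mysubdomain2.mydomain.net_SSL"
fi
```

Review the new file, including any lines `stale_lines` reports for the source subdomain, before continuing with steps 4 and 5 from the post.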

  11. #11
    JPC Member
    Join Date
    May 2008
    Posts
    2
    Ok great. I don't really want to take that route but I'll bear it in mind. Thanks for getting back to me.
    I'm currently experimenting with this:

    I can't get this to work but I think I am close with this in a .htaccess file in the /home/user/public_html folder:

    RewriteEngine On
    RewriteCond RewriteCond %{SERVER_PORT} 443
    RewriteCond %{HTTP_HOST} ^([^.]+)\.example\.com
    RewriteRule ^/(.*)$ /%1/$1 [L]

    I can't get it to work though. It probably needs an exception for the www subdomain too maybe. I'll let you know if I can get it to work.

  12. #12
    JPC Member
    Join Date
    May 2008
    Posts
    2

    Question

    "uprightdog" what changes did support have to do? Everyone that got this working can confirm if the only way to achieve this using WHM/cP is with "'subdomain' has to have its own account and dedicated IP"?

    Is it not possible to simply bypass WHM/cPanel?

    For example with the following SSH commands:
    Ref: http://www.justinsamuel.com/2006/03/...l-certificate/
    Code:
    mkdir /usr/share/ssl/certs/hostname.domain.com
    cd /usr/share/ssl/certs/hostname.domain.com
    openssl genrsa 2048 > host.key
    chmod 400 host.key
    openssl req -new -x509 -nodes -sha1 -days 3650 -key host.key > host.cert
    # ...[enter *.domain.com for the Common Name]...
    openssl x509 -noout -fingerprint -text < host.cert > host.info
    cat host.cert host.key > host.pem
    chmod 400 host.pem
    Last edited by hunterwille; 05-20-2008 at 09:32 AM.

  13. #13
    CTO JPC-Masood's Avatar
    Join Date
    Aug 2002
    Location
    Jaguar Servers
    Posts
    2,062
    Quote Originally Posted by hunterwille View Post
    Is it not possible to simply bypass WHM/cPanel?
    Not any more. There should not be any control panel if you want total control.

    Masood N. | Chief Technical Officer
    JaguarPC.com



  14. #14
    JPC Member
    Join Date
    May 2008
    Posts
    2
    According to cPanel support, wildcard SSL certificates are now supported in version 11.23x.
