We love SNI and the ability for our users to have SSL on a shared IP...
We often get tickets such as these:
====
When I go to https://www.redacted-user-domain.com/ I get redirected to a totally different site other than my own at http://www.redacted-user-domain.com/. I can't seem to find any relevant information on this and I am new to owning and administrating a website. Can someone point me in the right direction?
====
In short: they are on a shared IP and somebody else has an SSL certificate installed with SNI. When SSL/HTTPS is attempted on a site on this shared IP that does not have an SSL certificate installed, the first vHost for SSL on that IP is returned, resulting in a certificate mismatch error followed by the content of a different user's site (served on the domain of the account without SSL) or, if the other user has redirection set up, a redirect to their site.
This is not ideal.
It would be ideal if, when there is an SNI SSL installation on a shared IP, there were also an SSL vHost listed for that IP for the default server hostname/cPanel error page/whatever before the user-level SNI vHost.
This won't prevent users from seeing an SSL Certificate Error when accessing their site using HTTPS without SSL installed - they will still get an error for the server hostname SSL - but there are two huge upsides:
1. It will not reveal the other customer's domain.
2. It will not redirect to another user's domain or display their content on another user's domain.
I did look at modifying the httpd.conf or making includes to make this work but I've, thus far, not found a good way to do this permanently that doesn't interfere with cPanel as cPanel updates/makes changes.
Example
Server Hostname: srv1.hostingcompany.com
Account 1: primoblog.example
Account 2: funpasta.test
Shared IP: 1.2.3.4
Both account 1 and account 2 are on the shared IP address:
<VirtualHost 1.2.3.4:80>
    ServerName funpasta.test
</VirtualHost>
<VirtualHost 1.2.3.4:80>
    ServerName primoblog.example
</VirtualHost>
An SSL Certificate gets installed on funpasta, which results in the following in httpd.conf:
<VirtualHost 1.2.3.4:443>
    ServerName funpasta.test
</VirtualHost>
However visitors to https://primoblog.example will get the funpasta SSL certificate. primoblog does not have an SSL Certificate. What is proposed is that the following be created for the Shared IP address:
<VirtualHost 1.2.3.4:443>
    ServerName srv1.hostingcompany.com
</VirtualHost>
And placed before the VirtualHost for funpasta, resulting in the following in httpd.conf:
<VirtualHost 1.2.3.4:443>
    ServerName srv1.hostingcompany.com
</VirtualHost>
<VirtualHost 1.2.3.4:443>
    ServerName funpasta.test
</VirtualHost>
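To make the ordering argument concrete, here is an added example (it is not part of the original post and not cPanel's code) that models Apache's name-based SSL vhost selection and runs it over the httpd.conf excerpt above, before and after the proposed default vhost is added. The rule it assumes is Apache's documented name-based behaviour: among the <VirtualHost> blocks listening on a given IP:port, the first in the file is the default; the SNI name is matched against ServerName/ServerAlias of each block in order, and the default is used when nothing matches. `SSLEngine on` is added to the port-443 blocks as an assumption (the post elides it), and the function names and audit output format are illustrative.

```python
"""Added example (not from the original post, not cPanel's code): a model of
Apache's name-based SSL vhost selection, run over the post's httpd.conf excerpt,
showing why the server-hostname <VirtualHost IP:443> must be listed first.
Assumed rule: first block on a given IP:port is the default; SNI name is matched
against ServerName/ServerAlias in file order; default wins when nothing matches.
"""
import re
from fnmatch import fnmatch

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)


def parse_vhosts(conf):
    """Return <VirtualHost> blocks in file order as dicts (listeners, servername, aliases, ssl)."""
    vhosts = []
    for m in VHOST_RE.finditer(conf):
        listeners = []
        for spec in m.group(1).split():          # e.g. "1.2.3.4:443"
            ip, _, port = spec.rpartition(":")
            listeners.append((ip, port))
        body = m.group(2)
        name = re.search(r"^\s*ServerName\s+(\S+)", body, re.M)
        aliases = [a.lower() for line in re.findall(r"^\s*ServerAlias\s+(.+)$", body, re.M)
                   for a in line.split()]
        vhosts.append({
            "listeners": listeners,
            "servername": name.group(1).lower() if name else None,
            "aliases": aliases,
            "ssl": re.search(r"^\s*SSLEngine\s+on", body, re.M | re.I) is not None,
        })
    return vhosts


def select_vhost(vhosts, ip, port, sni_name):
    """Pick the vhost Apache would use for a TLS connection to ip:port carrying SNI sni_name."""
    candidates = [v for v in vhosts if (ip, port) in v["listeners"]]
    if not candidates:
        return None
    want = (sni_name or "").lower()
    for v in candidates:
        for pattern in [v["servername"], *v["aliases"]]:
            if pattern and fnmatch(want, pattern):   # ServerAlias may use * wildcards
                return v
    return candidates[0]   # no name match: the first vhost for this IP:port wins


def served_name(conf, ip, sni_name):
    """ServerName of the vhost (and so the certificate) presented to a client sending sni_name."""
    v = select_vhost(parse_vhosts(conf), ip, "443", sni_name)
    return v["servername"] if v else None


def audit_default_ssl_vhosts(vhosts, server_hostname):
    """Per IP:443 listener: (is the default vhost the server hostname?, its ServerName).
    False means every site on that IP without its own certificate gets that
    customer's certificate and content over HTTPS."""
    first = {}
    for v in vhosts:
        for ip, port in v["listeners"]:
            if port == "443" and (ip, port) not in first:
                first[(ip, port)] = v["servername"]
    return {f"{ip}:{port}": (name == server_hostname.lower(), name)
            for (ip, port), name in first.items()}


SHARED_IP = "1.2.3.4"
SERVER_HOSTNAME = "srv1.hostingcompany.com"

# The post's httpd.conf excerpt after funpasta.test installs a certificate
# (SSLEngine on added here as an assumption; the post elides it).
BEFORE = """
<VirtualHost 1.2.3.4:80>
    ServerName funpasta.test
</VirtualHost>
<VirtualHost 1.2.3.4:80>
    ServerName primoblog.example
</VirtualHost>
<VirtualHost 1.2.3.4:443>
    ServerName funpasta.test
    SSLEngine on
</VirtualHost>
"""

# The proposed fix: a server-hostname vhost that is the first 1.2.3.4:443 block.
# Only the order among blocks on the same IP:port matters, so it may also sit
# ahead of the port-80 blocks.
AFTER = """
<VirtualHost 1.2.3.4:443>
    ServerName srv1.hostingcompany.com
    SSLEngine on
</VirtualHost>
""" + BEFORE

if __name__ == "__main__":
    for label, conf in (("before", BEFORE), ("after", AFTER)):
        for site in ("primoblog.example", "funpasta.test"):
            print(f"{label:6} https://{site:18} -> vhost/cert of {served_name(conf, SHARED_IP, site)}")
        print(f"{label:6} audit: {audit_default_ssl_vhosts(parse_vhosts(conf), SERVER_HOSTNAME)}")
```

Running it prints that, before the fix, a client sending SNI primoblog.example lands on funpasta.test's vhost (its certificate and its content), and the audit flags 1.2.3.4:443 because its default vhost is a customer domain; after the fix the same client gets the srv1.hostingcompany.com vhost (a hostname mismatch warning, but nothing about another customer), while funpasta.test still gets its own. The audit function is the check to run over a generated httpd.conf whenever a customer installs a certificate, since cPanel regenerates the file and may reorder the blocks.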
There is a viable workaround, which is to generate a free self-signed certificate and install it on the shared IP. This is because users can only use the shared IP if it's not already in use by another SSL cert.
We are conferring with our documentation department to get this work around added into our documentation as well.
Hi
I don't think that works. I can see 2 users installed SSL certs on our shared IP address (server IP).
Don't you have to copy the HTTP default VirtualHost and put it in the Pre VirtualHost Include, enabling SSL on it?
It should definitely be done by default and we shouldn't have to do this…
Your workaround doesn't work. Multiple SSL certs can be installed on a shared IP. Please give us a solution soon.
I should add that this could possibly be optional in the cPanel Tweak settings - perhaps for those that work hard to keep their httpd.conf as short as possible.
Additionally it would be ideal not to have this applied to any site on a dedicated IP - or to make applying it to dedicated IPs optional as well.
Wow MikeDVB, what a great idea. We do get this question from clients quite often (usually in a panic about their site being 'hacked').
cPanel has a default vhost for http but not for https. The solution support gave us was to create a https virtualhost in the include editor.
It's not just an issue with the wrong website showing but also with the wrong ssl showing.
I find it quite difficult to believe that cPanel didn't think of this when implementing SNI support. I created a feature request for this some time ago but it didn't gain any traction; maybe this one will!
This is much needed because we currently have to manually edit httpd.conf to make cPanel/Apache work the way it really should work automatically.
I'm also aware of this issue, thanks for bringing it up Mike.
It's so stupid to allow SSL on a shared IP!
Users can install a self-signed SSL on the IP and cause problems such as https://domain.com redirecting to the site with SSL.
We ask, we require, to disable SSL on shared IPs with one click.
Hi,
the problem is SNI; we need the chance to disable SNI, or for "Is Primary Website on IP Address?" to work, because now (with CloudLinux) if a customer installs SSL with SNI, the rest of the sites over https go to the site of the last customer that installed SSL with SNI...
Just stumbled across this same problem today. Left me scratching my head as to what was "broken" with my config until I found this thread and it suddenly made sense.
This sounds like a great solution to a (somewhat) vexing issue. Hope to see it in a future release!
Hello! You may set your primary SSL VirtualHost either through WHM or via WHM API 1. The page in WHM where this is located is 'Manage SSL Hosts'. On that page there is a 'Make Primary' button that will make the selected domain name the primary VirtualHost for that IP & port combination in Apache.
There is also a WHM API 1 function to do the same thing via the API. Please see the following documentation for more information: http://documentation.cpanel.net/display/SDK/WHM+API+1+Functions+-+set_primary_servername
The functionality is also available in cPanel for users that are on a dedicated IP address if they have the Install SSL feature available to them. The options for setting the primary host is under SSL/TLS Manager >> Manage SSL sites.
Is that what you're looking for?
Thanks!
This really does need resolving.
Is there really not a way to resolve this completely with SNI, rather than the "always show the server cert" idea posted above?
Would making no domain "primary" for the IP and dealing with all SSL domains via SNI be a possible solution? I imagine the virtualhosts for the proxy cpanel., whm., etc. addresses would also then be relevant in some way?
Our own experience is that we can temporarily patch the problem by moving the server's shared SSL certificate to be read first in the httpd.conf file, however this frequently breaks when a client installs a new self-signed certificate and it goes to the top of the httpd.conf to be read first.
It would definitely be a temporary solution if we could prevent clients from installing SSL on the server's shared SSL certificate, but the real fix here is for the cPanel developers to implement a fix so the server's shared SSL certificate takes priority and it must always be read first in the httpd.conf file before any other certificates on the server's main IP address. This will solve it for clients who want to install an SNI certificate and for normal clients who probably never use SSL and simply want their HTTPS website to display neutral content (i.e. not another client's website!)
I was told cPanel had a development case 163469 open for this but I've received an update that it has been closed "as essentially the Shared SSL Certificate function should have reached obsolescence as SNI became implemented across more servers". This is frustrating that no progress is being made and clients are complaining!
This issue is very important and I don't understand why cPanel doesn't work to solve it... The only solution is to disable SSL in the feature list and enable it just if the customer buys a dedicated IP, but then they cannot use/see the shared SSL of the server.
In "Manage SSL Hosts" it doesn't make sense to set "Make primary domain" if customerA installs an SSL on the IP and all https://site-with-nossl show the SSL of customerA.
This is a very critical issue. I have a WHM setup with 26 websites and only one has SSL installed. I cannot access any of the 25 sites via https:// because it redirects to the one site that has SSL installed. Please fix the issue.
I think it would probably be best just to have an option in WHM to enable SSL on all hosts by default (aka if no SSL is installed they still access said site but with a security warning).
It can be a solution as well:
##########
I think it would probably be best just to have an option in WHM to enable SSL on all hosts by default (aka if no SSL is installed they still access said site but with a security warning).
##########
I got the same issue on my server. I didn't see this request, so I sent a ticket to cPanel thinking it was a bug.
Plesk uses a self-signed certificate and then shows the client's website with it. I always liked this since the clients could access their WordPress install through SSL even though they didn't have a certificate. Not really fully secure, but at least encrypted.
Coming to cPanel we had to deal with this quirk. I have included some code here which we put into "Pre VirtualHost Include".
We actually have some more settings somewhere else since we run nginx as reverse proxy, but the below should give a starting point on a regular system. We run cpanel/whm/webmail on a different IP address than the regular sites, so I don't know if some additional rewrite conditions need to check that it doesn't catch the correct domain for the forwards...or if you need a separate IP.
We forward all webmail.... requests for example to https://webmail.makbiz.ca on which we run our SSL certificate.
I hope this helps as a starting point until cPanel fixes this.
In the first part we just add the path to our own SSL certificate.
# Default SSL vhost for the shared IP. Because it comes first in the Pre
# VirtualHost Include, it is what Apache serves when the SNI name matches no
# customer vhost. Paths are cPanel's installed-certificate locations; the
# ### values are redacted in the post.
<VirtualHost ###.###.###.###:443>
    ServerName default.no.ssl
    ServerAdmin ###@####.###
    UseCanonicalName Off
    SSLEngine on
    SSLCertificateFile /var/cpanel/ssl/installed/certs/#####################.crt
    SSLCertificateKeyFile /var/cpanel/ssl/installed/keys/#####################.key
    SSLCACertificateFile /var/cpanel/ssl/installed/cabundles/#####################.cabundle
    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
</VirtualHost>
# Catch-all for the cpanel./whm./webmail. service subdomains on both IPs and
# both ports: redirect each to the hostname that carries the real certificate.
<VirtualHost ###.###.###.###:80 ###.###.###.###:80 ###.###.###.###:443 ###.###.###.###:443>
    ServerName randomsubname.#####.##
    ServerAlias cpanel.* whm.* webmail.*
    ServerAdmin ###@####.###
    RewriteEngine On
    RewriteCond %{HTTP_HOST} ^webmail\.
    RewriteRule (.*) https://webmail.####.### [R,L]
    RewriteCond %{HTTP_HOST} ^cpanel\.
    RewriteRule (.*) https://cpanel.####.### [R,L]
    RewriteCond %{HTTP_HOST} ^whm\.
    RewriteRule (.*) https://whm.####.### [R,L]
</VirtualHost>
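Once a default port-443 vhost like the one above is in place, the thing to verify is what the shared IP actually presents to a client for each site. The following is an added example (not the post author's code and not cPanel's) that does that from the outside with the openssl command-line tool, which it assumes is installed (1.1.1 or newer, for `x509 -ext`). The 'own' / 'default' / 'leak' labels are this example's own, and SAMPLE_X509_TEXT is a constructed stand-in for openssl's output so the classification can be exercised offline.

```python
"""Added example (not the post author's code, not cPanel's): probe which
certificate a shared IP presents for a given SNI name and classify it.
Assumes the openssl CLI (1.1.1+). Labels and sample text are this example's own.
"""
import re
import subprocess
import sys

CN_RE = re.compile(r"CN\s*=\s*([^,/\n]+)")      # "subject=... CN = name" or "/CN=name"
SAN_RE = re.compile(r"DNS:([^\s,]+)")            # DNS: entries of subjectAltName


def names_from_x509_text(text):
    """Collect CN and SAN DNS names from `openssl x509 -noout -subject -ext subjectAltName` output."""
    names = [m.group(1).strip().lower() for m in CN_RE.finditer(text)]
    names += [m.group(1).lower() for m in SAN_RE.finditer(text)]
    return list(dict.fromkeys(names))            # de-duplicate, keep order


def covers(host, cert_name):
    """True if cert_name (exact, or a single-label wildcard like *.example.test) is valid for host."""
    if cert_name.startswith("*."):
        return "." in host and host.split(".", 1)[1] == cert_name[2:]
    return host == cert_name


def verdict(site, server_hostname, cert_names):
    """'own': the site's own certificate. 'default': the server-hostname certificate
    (a browser warning, but nothing about other customers). 'leak': some other
    customer's certificate, i.e. the problem this thread is about."""
    if any(covers(site, n) for n in cert_names):
        return "own"
    if any(covers(server_hostname, n) for n in cert_names):
        return "default"
    return "leak"


def probe(ip, site, timeout=10):
    """Connect to ip:443 with SNI=site and return the names on the leaf certificate presented.
    No validation is attempted: the point is to see what is served, not whether it is trusted."""
    hello = subprocess.run(
        ["openssl", "s_client", "-connect", f"{ip}:443", "-servername", site],
        input=b"", capture_output=True, timeout=timeout, check=False)
    leaf = subprocess.run(
        ["openssl", "x509", "-noout", "-subject", "-ext", "subjectAltName"],
        input=hello.stdout, capture_output=True, timeout=timeout, check=False)
    return names_from_x509_text(leaf.stdout.decode(errors="replace"))


# Constructed sample of the x509 text for a certificate issued to funpasta.test.
SAMPLE_X509_TEXT = """subject=CN = funpasta.test
X509v3 Subject Alternative Name:
    DNS:funpasta.test, DNS:www.funpasta.test
"""

if __name__ == "__main__":
    if len(sys.argv) < 4:
        # Offline demonstration: what primoblog.example sees before the fix.
        names = names_from_x509_text(SAMPLE_X509_TEXT)
        print("primoblog.example", verdict("primoblog.example", "srv1.hostingcompany.com", names), names)
        sys.exit(f"usage: {sys.argv[0]} SHARED_IP SERVER_HOSTNAME SITE [SITE ...]")
    ip, server_hostname, *sites = sys.argv[1:]
    for site in sites:
        names = probe(ip, site)
        print(f"{site:40} {verdict(site, server_hostname, names):8} {', '.join(names)}")
```

Run it as `python3 probe.py 1.2.3.4 srv1.hostingcompany.com primoblog.example funpasta.test` (the post's example values) against every domain on the shared IP: any 'leak' line means the include is not being read first, which is exactly what happens when cPanel rebuilds httpd.conf after a customer installs a new certificate.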
This needs to be fixed. We had a lot of clients complaining about this issue, also resellers with a dedicated IP that host their clients on that IP address.
The temporary workaround that we came up with was to create a custom theme for the customers that are on the shared IP, so when they click on the SSL/TLS Manager in cPanel it takes them to a page that asks them to call us to get set up with a dedicated IP. This prevents accounts on the shared IP from installing SSLs.
We then tracked down all the accounts with SSLs on the shared IP and set them up on dedicated IPs. This left the server's SSL as the only one on the shared IP and redirected sites to our default page.
The only catch is to remember to change the theme when an account gets a dedicated IP for an SSL.
This is not intended to be a permanent fix, just a temporary one until cPanel can fix the SNI. I hope it helps others.
For those interested, we added this to the pre vhost include section in cPanel :
Just replace MAIN_IP and YOUR_COMPANY_MAIL by your details.
cPanel seems to be looking into doing something more complex than this instead of just fixing this bug though.
Hey folks! A fix for this specific problem isn't on our roadmap yet, but we are working on a plugin to satisfy this Let's Encrypt request. Once that plugin is public I'll be able to take a closer look at the ways it will or will not help, but I believe that it will act as an acceptable workaround for this request. I'll update everyone again once I have more information!
We now just create a default virtual host for port 443, based on the port 80 one cPanel already creates, and include it in the Apache include editor in WHM. It completely solves the problem of showing another site's website.
I still don't see why cPanel does this for port 80 by default but refuses to also do it by default for port 443.
Surely cPanel should simply move the block (shown below from v58) within the /var/cpanel/templates/apache2_4/main.default to somewhere in front of the rest of the vhosts.
This problem has been around for like forever and it's a no brainer to fix - come on cPanel!
Hey all! While the Let's Encrypt plugin isn't yet public, and this specific problem has not yet been addressed, v58 now has a public feature called AutoSSL that will help with this problem specifically. After AutoSSL is enabled, cPanel & WHM will automatically attempt to issue certificates for the domains on your server. You can read more about AutoSSL in our release notes, and Documentation site. Let me know if you have any questions!
Somehow I missed updating you all here, but this feature has been added as of version 62. From the release notes:
https://documentation.cpanel.net/display/ALD/62+Release+Notes
As always, feel free to let me know if you have questions!