Call for Comments
Currently, when a cPanel user acquires an SSL certificate, they can only install it for Apache. There is currently no way for a cPanel user to use their own certificate for other SSL-powered services like IMAP over SSL, webdisk etc.
The proposal is to allow cPanel users to install SSL certificates for their own domains for all services, including cpdavd (webdisk), cpsrvd (webmail, cPanel and WHM), IMAP, POP, SMTP etc. One can install a wildcard certificate to cover all services or install individual certificates for each service.
Original thread: http://forums.cpanel.net/f145/ssl-certificate-per-domain-all-services-case-55985-a-200492.html
Version 60 is now available in CURRENT, and includes this feature. Like Felipe said, proxy subdomains are not included in this iteration, but will be considered in a future release. You can see the details of this feature's release in the release notes here:
https://documentation.cpanel.net/display/ALD/60+Release+Notes
If you would like to vote for the support of proxy subdomains you can vote on that over here:
https://features.cpanel.net/topic/allow-to-make-certificate-for-subdomains-like-cpanel-example-com-and-mail-example-using-lets-encrypt
If you have any questions, feel free to follow your typical support path, or send me an email.
Yes,
Please make it so that if you install an SSL for a particular domain the services under that domain in cPanel will use the same SSL.
I'd like (or be happy with) the "in-between" position of being able to install a set of certs for each reseller, so that the end user sees the reseller's hostname for secure email, for example, instead of mine. At the moment I have a reseller who gets users to use unencrypted email just to mask the fact that the server runs under my domain name.
Just to add that there's a forum thread for this.
This also seems to have had a developer case number since December 2011.
The capability to use multiple SSL certificates at least for Dovecot/Courier and Exim should be pushed on top of cPanel's agenda.
Customers having purchased and installed their SSL cert often expect to equally secure their email comms with it. A customer attempting to use his mail.domain.ext as server in any email client will cause the display of a certificate verification error message, which in many cases results in a support complaint.
In the current conjuncture, after all the revelations of comms snooping by various authorities, the last thing we need are customers being turned off believing we don't care about their privacy. The situation is already bad enough with some major European governments now systematically dismissing bids from US businesses due to security worries. IMHO, cPanel should not take the risk to convey a negative impression due to a missing feature.
This would make a huge difference for some customers. It would make them able to use their domain name instead of the server hostname.
Agree!
Please include this great feature in the future updates.
This can already be done at the host level. Meaning you can apply an SSL cert for your hostname and then apply it for the following services on the server: FTP Server, Exim (SMTP) Server, Dovecot Mail Server, and cPanel/WHM/Webmail Service. Also, tweak the login settings so that it redirects them to the hostname and everything is secure. While the client can just use their cert for the application they are hosting.
But I agree I would like this option as well.
Having got truly fed up of the time this is taking to implement (I have been watching this request since its inception back in March 2011), I have started to modify my own scripts to do this.
Currently I am testing the attached script with dovecot, which is based on the original script attached to the forum post.
Pre-requisites:
Server with main shared IP, and server wide ssl certificate, eg
1.2.3.4 host.provider.com
Reseller account, with dedicated IP and SSL, for example
2.3.4.5 resellerdomain.com
This should be set as the reseller's main shared IP.
Currently the attached script does the following:
Reads /etc/ssldomains and /etc/userdomains to build a list of reseller domain name, username and ip.
Reads userdata from /var/cpanel/userdata/username/domain.name_SSL and extracts the key, crt, and cabundle paths.
Merges the key, crt and cabundle into a .pem file under /etc/ssl/certs/domain.name.pem
Clones the dovecot config template from /var/cpanel/templates/dovecot2.2/main.default to /var/cpanel/templates/dovecot2.2/main.local (and saves any existing main.local as main.local.1)
Adds ip specific SSL certificates to the main.local template.
Invokes /usr/local/cpanel/scripts/builddovecotconf
and restarts dovecot.
I have *only* tested this script on 11.40 with dovecot.
I have left in (and in some cases commented out) the original courier components of the script.
Todo:
Make sure this still works for courier
Add support for Exim, and Cpanel/whm/webmail services
Hopefully this can get cpanel in gear to make this fairly simple request a standard part of cpanel, to happen automatically when a user installs an SSL certificate on their dedicated ip's domain.
My resellers love it, as now their clients can access email services securely using SSL on resellerdomainname.com, rather than having to accept security warnings, or connect directly to server.hostingprovider.com.
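The steps listed in the post above, sketched as an added example; this is not the attached script or cPanel's code. The function names are hypothetical, the `name: value` layout of /etc/ssldomains and /etc/userdomains is an assumption, and using one combined PEM for both `ssl_cert` and `ssl_key` is an assumption about how the original script consumed it. It adds two checks the description does not mention: domain names are validated before they become file names, and the combined PEM is written owner-only because it contains the private key.

```python
import ipaddress
import os
import re
import tempfile

# Constructed sample input (assumed "name: value" layout, not real server data).
SSLDOMAINS = """\
resellerdomain.com: 2.3.4.5
../../tmp/evil: 2.3.4.5
broken.example: not-an-ip
"""
USERDOMAINS = """\
resellerdomain.com: reseller1
broken.example: someuser
"""

DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$"
)


def parse_map(text):
    """Parse 'name: value' lines into a dict, skipping blanks and comments."""
    result = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        name, value = line.split(":", 1)
        result[name.strip().lower()] = value.strip()
    return result


def reseller_entries(ssldomains_text, userdomains_text):
    """Return sorted (domain, user, ip) tuples for well-formed entries only."""
    users = parse_map(userdomains_text)
    entries = []
    for domain, ip in sorted(parse_map(ssldomains_text).items()):
        # The domain becomes part of a file name, so reject anything that is
        # not a plain hostname (no slashes, no "..").
        if not DOMAIN_RE.match(domain) or domain not in users:
            continue
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue
        entries.append((domain, users[domain], ip))
    return entries


def write_combined_pem(out_dir, domain, key_pem, crt_pem, cabundle_pem=""):
    """Merge key, crt and cabundle into <out_dir>/<domain>.pem with mode 0600."""
    if "PRIVATE KEY-----" not in key_pem:
        raise ValueError("key file does not contain a PEM private key")
    if "-----BEGIN CERTIFICATE-----" not in crt_pem:
        raise ValueError("crt file does not contain a PEM certificate")
    parts = [p.strip() for p in (key_pem, crt_pem, cabundle_pem) if p.strip()]
    dest = os.path.join(out_dir, domain + ".pem")
    # Directories such as /etc/ssl/certs are normally world-readable, so the
    # file is created owner-only and renamed into place; the key is never
    # exposed to other local users, even briefly.
    fd, tmp = tempfile.mkstemp(dir=out_dir, prefix=".pem-")
    with os.fdopen(fd, "w") as handle:
        handle.write("\n".join(parts) + "\n")
    os.chmod(tmp, 0o600)
    os.replace(tmp, dest)
    return dest


def dovecot_local_block(ip, pem_path):
    """Render a Dovecot 2.x per-IP override that points at the combined PEM."""
    return (
        f"local {ip} {{\n"
        f"  ssl_cert = <{pem_path}\n"
        f"  ssl_key = <{pem_path}\n"
        f"}}\n"
    )


def build_local_template(default_template, blocks):
    """Return the text for main.local: the default template plus the blocks."""
    return default_template.rstrip("\n") + "\n\n" + "\n".join(blocks)


if __name__ == "__main__":
    # Constructed placeholder PEM bodies; a real run would read the paths
    # listed in the account's userdata file instead.
    fake_key = "-----BEGIN PRIVATE KEY-----\nCONSTRUCTED\n-----END PRIVATE KEY-----"
    fake_crt = "-----BEGIN CERTIFICATE-----\nCONSTRUCTED\n-----END CERTIFICATE-----"
    with tempfile.TemporaryDirectory() as out_dir:
        blocks = []
        for domain, user, ip in reseller_entries(SSLDOMAINS, USERDOMAINS):
            pem = write_combined_pem(out_dir, domain, fake_key, fake_crt)
            blocks.append(dovecot_local_block(ip, pem))
        # The procedure in the post then runs builddovecotconf and restarts
        # dovecot; this sketch only prints the resulting template text.
        print(build_local_template("# constructed stand-in for main.default", blocks))
```
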
Any update on this feature? It was started back in 2012 and I'd love to see this feature added in. The ability to control the SSL certificate per dedicated IP (domain) would be amazing!
It would seem to be basic functionality to be able to easily connect a certificate to all features in a given domain/ip.
Apache/OpenSSL via SNI can support multiple SSL domains on a given IP. Please include this functionality for all cPanel/WHM/Webmail services on a given host. My customers expect to see THEIR domain name when they have purchased an SSL for their secured services and to not be redirected to the host server domain name for cPanel/WHM/Webmail.
I am a reseller of shared hosting, as it is not economically viable to pay for virtual server bandwidth and sell high speed shared hosting in Australia. My host refuses to add this feature as it would void their cPanel support contract.
There are two major issues: 1) it takes a long time to get each end user to correctly type a long complex host name; 2) every time my host moves my account to another server, I have to provide support for every end user to change their mail server address! The added time spent compensating for this missing feature makes me question the viability of this business. I want to make things easy for my clients and their users, but currently there is no viable way to do so.
Please add this feature asap, or failing that please vary the support contract to allow the installation of an App to provide this functionality and I will have the App written.
As tandyuk has demonstrated above, it's not that difficult. Developer Case 55985 was opened over 2 years ago, is there any chance we could get a progress update?
Now that dovecot 2.x supports multiple SSL and that cPanel supports dovecot 2.2 as of 11.40, could we at least have some form of includes for dovecot configuration to do this manually while waiting for an easier method to become available?
Resellers need to have either their domain or their customer's domain and not our hostname's URL for their customers.
This would be for dovecot, exim, ftp, webmail and cPanel services.
It would make a real difference for them to be able to have everything in their name so their customers would have to search harder to find who they are.
We need this for ourselves and for our reseller customers while it would make things easier for all customers as SSL certs with SNI can be quite cheap.
If domain doesn't have an SSL cert then revert to hostname SSL and redirect the /cpanel /webmail etc
Lack of this feature is a real pain for sites that have to be PCI Compliant. They fail with error "SSL Certificate with Wrong Hostname" for pop3 and imap, so special exemption has to be negotiated after each scan. Please implement it ASAP.
Would also really like an update on this feature. Being able to use my own SSL certificate for pop3 & imap would save so much hassle. Please implement this feature ASAP.
Because of the lack of this feature we just lived through 2 days of hell support for our client which has over 100 email accounts. He initially wanted to use his mail.hisdomain.com, in the end we had to use our server name. What a disaster!
*Bump* to get this feature in a future release!
I've only been running as a host for 12 months, and already I find it absolutely shocking that this feature hasn't been implemented.
All my clients should by default be able to use mail.theirdomain.tld - but unless they do it unencrypted they have to use mail.mydomain.tld.
It's very confusing for my clients, and in all honesty - really naff!
I vote for this feature to be bumped up the priorities too.
Having to explain the lack of this feature to clients is painful.
Please commit developer time to this ASAP. At least I now have a statement from Tristan J. Wallace that I will quote to clients, so we can at least side step some of the hostility. It still doesn't stop them asking to be moved to our Plesk servers and have them ask why we chose a cPanel solution in the first place.
YES!
This would be a great feature!
The lack of communication from cPanel regarding this issue is appalling. Thankfully, I don't have to put up with the lack of this feature any longer... I'm biting the bullet and setting up my own server without any cPanel whatsoever. Goodbye cPanel, RIP.
Will this ever be done ?
This is a serious pain for PCI compliance scanning. It's long over-due to be able to use multiple SSL certificates for email, ftp, etc.
You should add this feature... is really needed! Is there any workaround? ="(
I do agree with this feature request.
+1 from me...
cPanel Team Please at least work on implementing this request as quick as possible.
I do agree with this feature request.
I was looking into this to support this for one of my clients for PCI compliance and found out that exim and dovecot are capable of this (or at the very least SNI) so this should make it easier for cpanel to add this functionality.
This has been requested for a while now, it would be nice to see them finally release this functionality especially since they now support SNI in apache.
I'm really needing this feature as my business is too small to buy more IPs currently and I only have enough for one dedicated licence atm. If my business is going to grow with resellers then they need to offer them to display their own name for SSL. Please cPanel come up with a solution where we can add multiple SSL certs to FTP, Exim, Dovecot, cPanel, WHM, Webmail.
Why is cPanel so slow to add this feature... it's really needed, customers don't want to use another domain for secure SSL mail. If someone has done it with a script, this should be easier for cPanel developers!! ="(
Finally in progress.. Thank you cPanel.
Much needed. I hope it arrives soon.
We have updated cPanel & WHM to use the installed SSL Certificate for IMAP, POP, and SMTP. This is in 11.48 which is currently at release.
cpsrvd & webdisk are not in this update.
Great to see an official statement, @ Matt Dees, and one that's so positive. Do we have an ETA at all?
With the new changes in browsers that limit access on self-signed SSL pages, it is getting very hard for the user to use webmail... we need this as soon as possible!
We're looking for a way to migrate an old server onto a new one but keep the hostname working for customers who have email accounts set up with SSL and the previous hostname. It's just occurred to me that this will solve my problem as I will be able to create an account with the old hostname and install an SSL cert for this account in dovecot.
Yes this feature is required. Customers expect emails to work on SSL.
Please please please... this feature will save me, and I believe the rest of us too, a lot of problems.
Is there any ETA for this change? Even a pessimistic best case? At the moment we have an urgent need and no idea of when we might see this implemented.
Yes this feature is required!
This would be excellent...
+1,989,271 from me...
You should now have enough +1s to implement this solution!
I have a Server hosted with multiple Domain Names & hosted email Server (contains multiple Domain names).
Can I install one single (Domain Name) SSL Certificate on that Server?
Will it affect other Domain names?
Can I install an SSL Certificate for emails in a particular Domain Name?
Can I use a particular SSL Certificate for different services like HTTPS, POPs, SMTP etc.?
Please explain the details.
Thanks....
Could we get an ETA from one of the cPanel team?
We have updated cPanel & WHM to use the installed SSL Certificate for IMAP, POP, and SMTP. This is in 11.48 which is currently at release.
We have not yet worked on extending this to cpsrvd or webdav.
How can this be configured? I updated cPanel and this reseller SSL for services was not automatically configured.
Please provide documentation for this feature (or a pointer to it). I looked on my WHM, which is on the correct release, and didn't see how to do this.
I'm not 100% clear on what this means. Does this mean that it will use one SSL cert for all services (except Apache) on all domains/accounts? This does seem to be the case for me right now, but I'm hoping that each account will be able to set its own cert for mail services. If you're saying that that is now possible, what are the steps necessary to do it?
Thanks!
Dale
Just click on enable mail sni in the users ssl cert management page.
Just checking to see if you guys have already started working on extending this to cpsrvd and webdav.
Thanks in advance!
Hope to see support for cpsrvd (webmail, cPanel and WHM), IMAP, POP, SMTP
VERY SOON so our resellers can use this.
It's unclear to me what Matt Dees' response actually means. Does this mean that with cPanel version 11.48 we can have a VPS server with multiple sub-cPanels and allow users to send and receive mail via SSL using their own domain name instead of forcing them to use the primary server's name?
It should be the domain used for SSL, like with mail SNI, so it would be something like:
https://DOMAIN.TLD:2096
so when a user uses:
http://DOMAIN.TLD/webmail
They would be redirected to:
https://DOMAIN.TLD:2096
Which would use their certificate.
It would also be nice if it could also make use of their IP if they have a dedicated IP.
Years to develop this function?
Isn't the reseller functionality broken because of this? How can I resell something if it can't properly run services on its secure certificate?
This will be great function for resellers!
Here is a screen capture that shows where to enable the SNI feature if you want to use a sub-cpanel domain name for sending and receiving mail via SSL.
I'm hoping this will be enabled for cpsrvd soon! If I install a cert for a domain, URL like https://mydomain.com:2096 should work automatically...
It should be available for all the domains.
Default SSL certificate installed for server should be used by all domains' cPanel services.
This is long overdue. Without giving too much away, we have a client using Security Metrics (SM) as their PCI ASV and SM simply won't pass any cpanel domain because a request to https://customerdomain:2083 is served with the main hostname's SSL certificate - a mismatch that SM insist is creating a MiM vulnerability (which is irrelevant bullshit for several reasons - but I digress). It's simply not possible to redirect or do anything with such a request until SNI is supported for all cpsrvd services.
Incidentally, Security Metrics
Having the ability for cPanel/WHM/Webmail to support multiple SSL certificates (even just one per IP the old fashioned way) would be a big help for when we're migrating people to new servers (such as right now from CentOS 5 to 6). We get a lot of complaints because they bookmarked their cPanel login which contains the redirected hostname in it which is no longer valid.
Hey all - One of our developers is working on this as he can (it will likely be included in v60, but may take as long as v62), but it currently will not include FTP, MariaDB, or MySQL. For that reason I've created new requests for those three to be more clear when we start updating this one, which can be found here:
https://features.cpanel.net/topic/sni-support-for-mysql
https://features.cpanel.net/topic/sni-support-for-mariadb
https://features.cpanel.net/topic/sni-support-for-ftp
Thanks Benny for the update! :)
Why not just instruct people to ALWAYS go to theirdomain.com/cpanel or theirdomain.com/webmail ?
Sure, people don't listen, but just because they don't listen doesn't mean you move the world for them.
Or am I missing something? Why is it so difficult for users to remember /cpanel and /webmail and /whm ?
This request actually makes more sense for FTP, MySQL, MariaDB, and any other service that doesn't provide a redirect function. Apache and HTTP provide a redirect. So no matter what server you move the account to - theirdomain.com/cpanel will always redirect to the proper secure link.
That's my 2 cents on this.
Looking forward to expanding SNI to cover this.
Just weighing in on this in case it helps. We have hit a brick wall with security metrics because of this issue and need the feature to be ready as soon as possible please. We are looking at the expense of just moving each of these clients into their own VPS environment, which completely defeats the point of having cpanel. I am surprised to see only a few comments here. Is everyone just living with the non compliance at this point and just paying the fees associated?
+1 for hoping for this to include cpsrvd (& webdisk) as soon as possible. It's something that has been bugging me for a long time. It's great that my clients can now use their own domain for POP/IMAP/SMTP over SSL - have been really appreciating that - but, I still really wish I could give clients their own domain link to things like webmail (:2096) and cPanel (:2083) and have that SSL secured, without directing them to the server hostname or a page with nasty security warning on it.
Just came across this issue too moving my resellers back to my main server, would like to see an update on this progress? I just need it for 1 other domain.
Hey all - One of our developers is working on expanding our SNI support to include cpsrvd (cPanel, webmail). It will likely be included in v60, but may take as long as v62, and it's currently being tracked in another feature request. I do want to mention that the work currently being done will not include FTP, MariaDB, or MySQL. For that reason I've created new requests for those to be more clear when we start updating this one, which can be found here:
https://features.cpanel.net/topic/sni-support-for-mysql
https://features.cpanel.net/topic/sni-support-for-mariadb
https://features.cpanel.net/topic/sni-support-for-ftp
If you have any further questions, please do let me know!
Thanks! Since I only need this for one other domain, would creating a SAN SSL certificate solve the issue for me?
Hi everyone! The developer working on this has a functionality question:
If we use “x.y.tld” as our example domain, on any given cPanel & WHM server there are multiple services that might use an SSL certificate. For example, if 3 different SNI-enabled services will host content, is there any reason for those 3 services not to use the same certificate for that domain?
Put another way: what would be the disadvantages of having a single SSL repository that Exim, Dovecot, cPanel, webmail, and other SNI-capable services (eventually even Apache) would use for loading keys/certs?
We haven't come up with any use-cases that would make this behavior undesirable. Do you guys have any?
I can't see any disadvantages either. That's already how we configure the main cPanel cert but maybe other people might have some different use cases.
The one that springs to mind is clients who assume mail uses 'mail.domain.com' rather than 'domain.com'.
Unless all these certs are wildcard of course.
I haven't read through this all completely (a lot to read!) so forgive me if I'm commenting on something that's already been stated.
But what services are we talking about here? I'm just not sure how useful this is.
Are we talking about cPanel/WHM/Webmail? Why not just direct your clients to ALWAYS use http://example.tld/cpanel or http://example.tld/whm or http://example.tld/webmail and use the Tweak Settings feature to always redirect these links to the secure server link, i.e. http://example.tld/cpanel -> https://full.servername.tld:2083
I do see where this could possibly be beneficial for mail. But Exim and Dovecot are already set up to handle SNI. I would just expand the AutoSSL feature to automatically add a mail.example.tld CN to the certificate and install this certificate for use in Exim and Dovecot. This way users can use mail.example.tld or example.tld as their secure host name for mail.
What other services are really accessed via a secure link?
Is this feature really needed?
I agree with James, I have many clients who prefer "mail.domain.com" to "domain.com", same with FTP and other services.
Also I should point out a lot use mail.domain.com so that if they ever move to office365 for example, the migration is smoother - as long as mailbox names/passwords match, they don't need to update any settings in mail clients.
The more complicated you make it, the harder it is to use. I think you should go with the simple one. If you want mail.domain.com, then get a wildcard certificate. Period.
To clarify for everyone, we wouldn't be limiting the SSLs that could be installed/defined for an account. Currently if an SSL is installed for a domain x.domain.tld, it's configured for Apache, and then (assuming you enable MailSNI services for the domain) it's also installed (in a different location) for Dovecot and Exim.
In our example, our thought is that an SSL for x.domain.tld would be installed in one place on the system, and then all SNI-enabled services (which would include cpsrvd, in addition to Apache and mail, once we get this feature added) would be configured to use that single SSL certificate for any connections to x.domain.tld.
The question stated in a different way: is there ever a time where you might want to use one SSL for x.domain.tld in Apache, and a different SSL for x.domain.tld in exim?
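The selection behaviour discussed in the posts above (one shared certificate store for all SNI-capable services, falling back to the server hostname certificate), as an added example that is not part of any post in this thread and is not cPanel's code. The store layout, function names and sample domains are constructed assumptions; the model shows why a certificate for domain.tld does not cover mail.domain.tld, and why a wildcard does not cover the bare domain.

```python
# Added illustration (constructed model, not cPanel's code): how an SNI-aware
# service picks a certificate from one shared store, and what a scanner sees.

def name_matches(pattern, host):
    """RFC 6125-style match: '*' is honoured only as the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False  # '*.shop.example' covers neither 'shop.example' nor 'a.b.shop.example'
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]  # refuse overly broad '*.tld'
    return p == h

def cert_covers(cert, host):
    """True if any subjectAltName on the certificate is valid for host."""
    return any(name_matches(san, host) for san in cert["sans"])

def select_cert(store, default, sni):
    """Certificate presented for the requested SNI name (exact SAN before wildcard)."""
    if sni:
        for want_wildcard in (False, True):
            for cert in store:
                for san in cert["sans"]:
                    if san.startswith("*.") == want_wildcard and name_matches(san, sni):
                        return cert
    return default  # no SNI sent, or no certificate installed for that name

def audit(store, default, names, sni_aware=True):
    """Map each requested name to (certificate id, passes hostname validation)."""
    result = {}
    for name in names:
        cert = select_cert(store, default, name if sni_aware else None)
        result[name] = (cert["id"], cert_covers(cert, name))
    return result

# Constructed sample data: hypothetical domains and certificate ids.
DEFAULT = {"id": "server-hostname", "sans": ["host.provider.example"]}
STORE = [
    {"id": "customer-single", "sans": ["customer.example", "www.customer.example"]},
    {"id": "shop-wildcard", "sans": ["*.shop.example"]},
]
NAMES = ["customer.example", "mail.customer.example", "mail.shop.example", "shop.example"]

if __name__ == "__main__":
    for label, aware in (("service without SNI", False), ("service with SNI", True)):
        print(label)
        for name, (cert_id, ok) in audit(STORE, DEFAULT, NAMES, aware).items():
            print(f"  {name:24} -> {cert_id:16} {'ok' if ok else 'NAME MISMATCH'}")
```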
Some users have an EV cert for Apache and wish to use another or free ssl for cpanel services.
It would be great if AutoSSL could be used for these services?
Customers have asked for their own SSL on:
mail.domain.tld, cpanel.domain.tld and webmail.domain.tld.
These are the most important subdomains to get up and running on an SSL.
This is now officially in progress. We're hoping to see this land in version 60, still, but it's far too early to tell. I will update you here as soon as I know more!
This feature is now live in the EDGE tier, as of version 59.9999.86. (note: 59 is the development build version for 60). cpsrvd and cpdavd both now support SNI, and we'd love for you to take a look! cPanel, WHM, webmail, webdav and caldav all use domain-specific SSLs now.
Version 60 is now available in CURRENT, and includes this feature. Like Felipe said, proxy subdomains are not included in this iteration, but will be considered in a future release. You can see the details of this feature's release in the release notes here:
https://documentation.cpanel.net/display/ALD/60+Release+Notes
If you would like to vote for the support of proxy subdomains you can vote on that over here:
https://features.cpanel.net/topic/allow-to-make-certificate-for-subdomains-like-cpanel-example-com-and-mail-example-using-lets-encrypt
If you have any questions, feel free to follow your typical support path, or send me an email.
Replies have been locked on this page!