Author Topic: Want to install Wildcard SSL in CWP  (Read 10991 times)

0 Members and 1 Guest are viewing this topic.

Offline
***
Want to install Wildcard SSL in CWP
« on: March 04, 2018, 11:33:56 AM »
Hello,

I want to install wildcard SSL in CWP. Can anyone tell me how to do this or point me to any tutorial?


Offline
*
Re: Want to install Wildcard SSL in CWP
« Reply #1 on: March 15, 2018, 08:11:12 PM »
This is very hard. I whink they should take this easy to us. I will post the problems I have facing with this in another thread.

To install a Wildcard SSL, first, you generate a CSR. You need to use *.domain.com in CN. The file will be generated with "*." in name, this is your first problem, because it is not recognized by panel.
Login in SSH and rename file "*.domain.com.csr" to just "domain.com.csr". Do the same with key file.
These files are located in "/etc/pki/tls/certs" and "/etc/pki/tls/private".
After this, get your CSR and order your certificate.
After you receive your certificate, you must paste the certificate in file "domain.com.cert" inside "/etc/pki/tls/certs". I don't remember if this file is created empty. If not, create yourself using panel file manager.

When you go to install your cert for your domain, the panel suggest the "*.domain.com" as domain, you need use only "domain.com" as domain, otherwise, will not work. This is the second problem, because the panel use the domain name you specify as file name.

When you go to install the certificate for other subdomains of your domain, the panel use a diferent file for each subdomain, but this certificate is a Wildcard, there is no sense to use diferent filenames for this, just specify other domain and your are ok.
In this case, you will need to copy the content of certificate file to this new created subdomain file, and for the bundle file too.

The bundle file must contain the certificate for your domain (the one you bought) and below the root certificate from your certificate provider.

This is a bit confusing.

Offline
*
Re: Want to install Wildcard SSL in CWP
« Reply #2 on: April 30, 2018, 03:09:28 PM »
Hi Could you please breakdown the steps to install Wildcard SSL.

I am having issues doing the process, and I really do not know what content I should be copying where.
-Mohammed Wasayuddin Ahmed
- IASHINE CWPHOSTING

Offline
***
Re: Want to install Wildcard SSL in CWP
« Reply #3 on: April 30, 2018, 04:34:16 PM »
Unfortunately I was not able to install Wildcard SSL by any mean and CWP team was not helping regarding this.

So, I have to pay CWP team to install WC SSL.  :(

Offline
*
Re: Want to install Wildcard SSL in CWP
« Reply #4 on: November 27, 2018, 10:40:21 AM »
1 Log into your CWP admin area and locate 'Apache Settings' from the left-hand navigation menu

2 Select the 'SSL Certificates' option from 'Apache Settings' and switch to the 'Manual Install' tab

3 Now choose your domain name from the drop-down list provided.

4 Next, copy the certificate code you received by email from Comodo including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- tags, pasting it to the 'Certificate' box. The code can be found in the file with .crt extension or you can copy it directly from the email you received.

5 Paste your Private Key code into the corresponding box. It should look like a block of code with the header -----BEGIN PRIVATE KEY----- and footer -----END PRIVATE KEY----. Please make sure to use the same Private Key code that was generated with your CSR code.

Note: If your CSR/Private Key pairing was generated in CentOS Web Panel (CWP), the key will be automatically fetched by the system when you select your domain name. If for some reason it does not happen automatically, the key can also be found via this path: File Manager -> etc -> pki -> tls -> private.

6 Now copy and paste the chain of intermediate certificates (CA Bundle) into the 'Certificate Authority' box. Alternatively, you can select the 'Generate Intermediate Certificates' button.

7 Click the 'Validate Certificate' button to ensure the certificate matches the Private Key.

8 Click 'Save'.

Offline
***
Re: Want to install Wildcard SSL in CWP
« Reply #5 on: November 27, 2018, 03:10:21 PM »
Also, don't forget to add following line in NGINX config file located at "/etc/nginx/conf.d" if you are using NGINX too.

Code: [Select]
server_name yourdomain.com *.yourdomain.com;

Offline
*
Re: Want to install Wildcard SSL in CWP
« Reply #6 on: June 01, 2019, 12:52:03 AM »
There's an easier way.
Add the domain name to another web control panel. For eample directadmin.
Create the CSR code with wildcard.
Create the SSL certificate and add it manually to the CWP.

Offline
*
Re: Want to install Wildcard SSL in CWP
« Reply #7 on: June 08, 2019, 07:33:12 PM »
Lets Encrypt now offers wildcard SSL, can anyone tell you how to convert this to CWP so it works for all domains?

Offline
***
Re: Want to install Wildcard SSL in CWP
« Reply #8 on: July 10, 2019, 08:55:42 AM »
Lets Encrypt now offers wildcard SSL, can anyone tell you how to convert this to CWP so it works for all domains?

CWP currently does not support wildcard SSL for domains but they promised that it will be launched soon.

Offline
*
Re: Want to install Wildcard SSL in CWP
« Reply #9 on: October 02, 2019, 10:32:34 PM »
Any update on the implementation of this feature?

Having access to a 'Lets Encrypt wildcard SSL' would make a heap of difference w.r.t. virtual hosts mail servers.

+1 this feature request

Offline
***
Re: Want to install Wildcard SSL in CWP
« Reply #10 on: October 17, 2019, 04:31:09 PM »
Much needed feature but not implemented yet. :(

Offline
*
Re: Want to install Wildcard SSL in CWP
« Reply #11 on: April 24, 2020, 09:51:01 PM »
Any update on the implementation of this feature?

Having access to a 'Lets Encrypt wildcard SSL' would make a heap of difference w.r.t. virtual hosts mail servers.

+1 this feature request

That's why I'm looking for a Wildcard also. Would be great to have, so customer didn't get an error when setting up email accounts.

Offline
***
Re: Want to install Wildcard SSL in CWP
« Reply #12 on: April 25, 2020, 12:23:44 AM »
You can generate your own.  Here is how I did it: (Note my hostname is server3.schaffner.org).  Change schaffner.org to your domain.

Install haveged:  yum install haveged

Generate a tsig: 
cd /etc/named/
dnssec-keygen -a HMAC-SHA512 -b 512 -n acme

Create a new zone called acme.schaffner.org:
/etc/named.conf
Code: [Select]
zone "acme.schaffner.org" {
        type master;
        file "/var/named/acme.schaffner.org.db";
        allow-update {
                key "acme";
        };
};

/var/named/acme.schaffner.org.db
Code: [Select]
$ORIGIN .
$TTL 86400      ; 1 day
acme.schaffner.org      IN SOA  ns1.schaffner.org. rcschaff82.gmail.com. (
                                2020021035 ; serial
                                86400      ; refresh (1 day)
                                7200       ; retry (2 hours)
                                3600000    ; expire (5 weeks 6 days 16 hours)
                                86400      ; minimum (1 day)
                                )
$TTL 14400      ; 4 hours
                        NS      ns1.schaffner.org.  ;   THIS IS IMPORTANT.  DO NOT USE BOTH NAMESERVERS FOR LE
$ORIGIN acme.schaffner.org.
$TTL 60 ; 1 minute

Now the fun part.  You must add a cname for every domain that you want to have a wildcard certificate.  Add the following to those domains dns entries ((**NOTE: This also works for domains not hosted on your server, ex godaddy))
Code: [Select]
_acme-challenge 600     IN      CNAME   _acme-challenge.acme.schaffner.org.
_acme-challenge.* 600     IN      CNAME   _acme-challenge.acme.schaffner.org.

Now you are setup to generate wildcard certificates.  IN this example I added the above cnames to domain.com
Code: [Select]
NSUPDATE_SERVER=localhost NSUPDATE_KEY=/etc/named/acme.key ./.acme.sh/acme.sh --issue --test -d *.domain.com --challenge-alias acme.schaffner.org --dns dns_nsupdate --debug 2
Please not the challenge-alias.  This basically forwards the request for EVERY domain to acme.schaffner.org, and hence why domain.com has to have the CNAME.  I do this so that I only have the one dynamically updated zone.
Google Hangouts:  rcschaff82@gmail.com