Author Topic: How to install multiple SSL certificates on shared IP  (Read 41875 times)

How to install multiple SSL certificates on shared IP
« on: August 20, 2014, 01:56:28 PM »
Now you can have an unlimited number of SSL certificates on one shared IP address (no additional IPs are needed).

autoSSL Valid SSL Certificate (no exception needs to be added in your browser)
1. Go to SSL Manager and install this certificate for the user/domain/subdomain you need.

Install SSL Certificate (Self-Signed - exception needs to be added in your browser)
1. Use CWP SSL Generator (in the admin area under Security) to generate your SSL key and self-signed certificate.
2. Go to SSL Manager and install this certificate for the user and path you need.
Great, now you have installed a self-signed SSL certificate.

Install Browser Valid SSL Certificate (no exception needs to be added in your browser)
1. Use CWP SSL Generator (in the admin area under Security) to generate your SSL key and self-signed certificate.
2. You will get SSL output; you now need to buy an SSL certificate, providing the "BEGIN CERTIFICATE REQUEST" output to the SSL seller company.
3. Once you have received the new SSL certificate from a valid seller, you can install it by clicking on "Browse installed SSL Certificates" in CWP SSL Generator and editing the file "/etc/pki/tls/certs/DOMAIN.COM.cert".
4. Go to SSL Manager and install this certificate for the user and path you need.
Great, now you have installed a valid SSL certificate.

** Don't forget to download your SSL Certificate and KEY from the server to your local computer for backup!!!
** Don't forget to check if your Apache is Listening on the port 443!!!

Use the following site for SSL check
https://www.sslshopper.com/ssl-checker.html
« Last Edit: May 07, 2017, 08:19:22 PM by Administrator »

Re: How to install multiple SSL certificates on shared IP
« Reply #1 on: June 12, 2015, 12:36:50 PM »
Quote
** Don't forget to check if your Apache is Listening on the port 443!!!

How do I check that ??

using web service to check 443 seems to be blocked in my CWP installation !!

Re: How to install multiple SSL certificates on shared IP
« Reply #2 on: November 08, 2015, 11:43:11 AM »
Maybe you need a better tutorial …

in summary:
you need 5 files:
  • /etc/pki/tls/certs/yourdomain.tld.csr (generate with SSL generator)
  • /etc/pki/tls/private/yourdomain.tld.key (generate with SSL generator)
  • /etc/pki/tls/certs/yourdomain.tld.crt (by your SSL dealer, the web server certificate inside, you adapt)
  • /etc/pki/tls/certs/yourdomain.tld.bundle (by your SSL dealer, the CA intermediate inside, you adapt)
  • a symbolic link /etc/pki/tls/certs/yourdomain.tld.cert pointing to yourdomain.tld.crt
in CWPanel → apache settings → SSL Cert Manager → Install SSL Certificate:
choose yourdomain.tld.crt, the domain user, the domain (yourdomain.tld) and click install SSL. It's possible httpd doesn't restart; in this case reboot the server.

note: if your 5 files (.csr, .key, etc.) are named www.yourdomain.tld, you must change "serverAlias www.www.yourdomain.tld" to "serverAlias yourdomain.tld" in /usr/local/apache/conf.d/vhosts-ssl.conf after Install SSL

 
OK, for humans now, maybe you can follow this more detailed one:

1) First of all, buy the SSL certificate
To buy an SSL certificate, you need:
  • a public key (with all your information inside) named "yourdomain.tld.csr"
  • a private key named "yourdomain.tld.key"

To create them, go to your CWPanel → Apache settings → SSL cert Manager.
In SSL vHost Manager, go to SSL generator and fill in all the requested information (a piece of advice: in the domain field, put www.yourdomain.tld and not yourdomain.tld; without the "www" in the csr file, there is no certificate for "www.yourdomain.tld", oops).
CWPanel now generates two files: www.yourdomain.tld.csr and www.yourdomain.tld.key. (I explain as if you filled in www.yourdomain.tld in SSL generator.)

OK, now you can buy a certificate; in the certificate generation process, you need to give the .CSR (the key inside www.yourdomain.tld.csr) to your SSL dealer.

Well, now you receive two other files from your SSL dealer: a web server certificate and a CA intermediate certificate.

2) Next step: adapt files or config and setup
At this point you have the .csr and .key files inside your CWPanel, and the web certificate and CA certificate inside your e-mail box.

Now, it's time to make a choice: the clean way or the easy way.
The clean way consists of renaming all the certificate files correctly to make a standard SSL setup; the easy way consists of making a standard SSL setup and correcting the little mistakes inside vhosts-ssl.conf.

A) the clean way:
  • in your CWPanel → Apache settings → SSL cert Manager
  • follow the /etc/pki/tls/cert web-link to get File Manager in this directory
  • rename www.yourdomain.tld.csr to yourdomain.tld.csr
  • on your computer, create a file yourdomain.tld.crt and put the web certificate key inside
  • create another file yourdomain.tld.bundle and put the CA certificate key inside
  • upload these two files to your /etc/pki/tls/certs directory (with file manager or however you want)
  • with file manager go to /etc/pki/tls/private/ (enter it in the directory field, or follow the .. web-link and the private web-link)
  • rename www.yourdomain.tld.key to yourdomain.tld.key
  • at this point, you have five files: the .key, .csr, .crt and .bundle files and a wrong symbolic link www.yourdomain.tld.cert pointing to www.yourdomain.tld.crt (in /etc/pki/tls/certs); we must correct this point
  • in your CWPanel → Service SSH → Send shell command, send these two commands:
    • rm /etc/pki/tls/certs/www.yourdomain.tld.cert (of course you replace "yourdomain.tld")
    • ln -s /etc/pki/tls/certs/yourdomain.tld.crt /etc/pki/tls/certs/yourdomain.tld.cert (you replace "yourdomain.tld" two times; the command form is "ln -s target link")
  • now we have the 5 correct files (.key, .csr, .crt, .bundle and the .cert link) to make the standard SSL setup
  • OK, take a moment to ask yourself if it's a good time to reboot your server; if not, resume here when it is a good time; if yes, go back to CWPanel → Apache settings → SSL cert Manager
  • in Install SSL certificate, choose "yourdomain.tld.crt", the correct user for yourdomain.tld, fill the domain field with "yourdomain.tld" and finally click the "Install SSL" button. CWPanel works and doesn't restart httpd correctly (apache is down, bad news); all is correct, just reboot the server in CWPanel → CWP Setting → Reboot Server → Reboot Server now button.
  • When the server has restarted, in CWPanel → dashboard, check if httpd is running. If it works correctly, all is right; if it doesn't, there is a big problem (not solved in this tutorial): go back to CWPanel → Apache settings → SSL cert Manager, delete the SSL and reboot the server to come back to the original situation (without SSL).

B) the easy way
  • on your computer, create a file www.yourdomain.tld.crt and put the web certificate key inside
  • create another file www.yourdomain.tld.bundle and put the CA certificate key inside
  • upload these two files to your /etc/pki/tls/certs directory (with file manager or however you want)
  • at this point, you have five files: www.yourdomain.tld.key (in the /etc/pki/tls/private/ directory), the www.yourdomain.tld.csr, www.yourdomain.tld.crt and www.yourdomain.tld.bundle files, and a symbolic link www.yourdomain.tld.cert pointing to www.yourdomain.tld.crt.
  • OK, take a moment to ask yourself if it's a good time to reboot your server; if not, resume here when it is a good time; if yes, go back to CWPanel → Apache settings → SSL cert Manager
  • in Install SSL certificate, choose "www.yourdomain.tld.crt", the correct user for www.yourdomain.tld, fill the domain field with "www.yourdomain.tld" and finally click the "Install SSL" button. CWPanel works and doesn't restart httpd correctly (apache is down, bad news); all is correct.
  • In CWPanel → Apache settings → SSL cert Manager, click on the "/usr/local/apache/conf.d/vhosts-ssl.conf" web-link
  • look for "serverAlias www.www.yourdomain.tld", replace it with "serverAlias yourdomain.tld" (remove the www.www.) and click the "save change" button.
  • Now, just reboot the server in CWPanel → CWP Setting → Reboot Server → Reboot Server now button.
  • When the server has restarted, in CWPanel → dashboard, check if httpd is running. If it works correctly, all is right; if it doesn't, there is a big problem (not solved in this tutorial): go back to CWPanel → Apache settings → SSL cert Manager, delete the SSL and reboot the server to come back to the original situation (without SSL, sorry).

3) Some verifications and other tasks
Good, at this point you normally have https for www.yourdomain.tld and yourdomain.tld (check yourself in your web browser).

For a better check, in CWPanel → Apache settings → SSL cert Manager, click on Check SSL Certificate and test both ways: www.yourdomain.tld and yourdomain.tld.

If you have a problem with the chain, the .bundle file is not correct; if you have a problem with the certificate, the .crt file is the problem. It's possible the .csr file on your server is not the same one your SSL dealer has (if you restarted everything in the middle).

If it's all OK, you can do something else now:
like making a backup of the .csr, .key, .crt and .bundle files
or making a donation to CentOS Web Panel
(maybe I can suggest you give +10% of your project price: server+hostname+certificate; you know, free advice does not have the same price as a free beer; a copy of CentOSWebPanel is free, the server and the work to create and maintain this project are not)

note: sorry if there are some English mistakes, I'm French, English is really not my native language

Re: How to install multiple SSL certificates on shared IP
« Reply #3 on: November 08, 2015, 01:20:23 PM »


Thanks fafache! Can you maybe also, if you have the time, explain how to secure the CWP panel https://domainname.ext:2031 with a bought SSL certificate?

I am used to Parallels / Odin Plesk; with this panel, securing the control panel login can be done through the GUI. I know Plesk is license based and CWP is free. Would be great if it could be done through the GUI though.

Re: How to install multiple SSL certificates on shared IP
« Reply #4 on: April 21, 2016, 01:26:01 PM »
How can I add letsencrypt ssl for multi domains in the same ip?

Re: How to install multiple SSL certificates on shared IP
« Reply #5 on: June 16, 2016, 02:57:59 PM »
It would be nice if you would include somewhere in your post for us newbies how badly this can mess your s*** up if it doesn't work. Tried this and my whole server shut down. He says simply go in and delete the SSL certificate files and you're back to normal..... only if it was that simple. Took me hours but I finally managed to get my server back up with no SSL certificate installed, yay me!  >:( Something happened to my mail server and it still isn't working. It's been about 3 days and I still haven't got that figured out. No errors, I rebuilt the mail server, I've checked and tried everything, but still can't send or receive mail.

*******SO NEWBIES YOU'VE BEEN WARNED!!!! PROCEED WITH CAUTION!!!*******

Re: How to install multiple SSL certificates on shared IP
« Reply #6 on: July 26, 2016, 07:09:58 PM »
To enable SNI you have to do a little more work

1. Add to apache config
Code:
NameVirtualHost *:443
2. Change every ssl VirtualHost from
Code:
<VirtualHost IP Address:443>
to
Code:
<VirtualHost *:443>
3. Restart apache

This setup is tested with 1 certificate from a certificate authority and 1 Let's Encrypt. Both certificates work fine.
Files for ssl vhosts are located (in my case):
Code:
/usr/local/apache/conf.d/vhosts-ssl.conf
/usr/local/apache/conf.d/vhosts-ssl-letsencrypt.conf
« Last Edit: July 29, 2016, 10:52:16 AM by Neo2SHYAlien »

Re: How to install multiple SSL certificates on shared IP
« Reply #7 on: July 29, 2016, 10:31:57 AM »
How can I add letsencrypt ssl for multi domains in the same ip?

Edit /usr/local/apache/conf.d/vhosts-ssl-letsencrypt.conf, add this line
Quote
NameVirtualHost *:443
Listen 443

Please take note: NameVirtualHost *:443 must be above Listen 443.
If you don't add that line above the Listen, you will get this warning when you restart httpd
Quote
[warn] _default_ VirtualHost overlap on port 443, the first has precedence
and the SSL is valid for the first domain only.

And... if you want to install SSL for multiple domains, you should change to * instead of your actual IP.
For example :


# vhost_start your_domain.com
<VirtualHost *:443>
 ServerName your_domain.com
 ServerAdmin no-reply@your_domain.com

...
...
</VirtualHost>
# vhost_end your_domain.com

# another domain in same VPS, same shared ip
# vhost_start your_domain2.com
<VirtualHost *:443>
 ServerName your_domain2.com
 ServerAdmin no-reply@your_domain2.com
...
...
</VirtualHost>
# vhost_end your_domain2.com

You are good to go with Let's encrypt for multiple domains.


-------------------
Another thing to consider: if you try to add a certificate on a webpage protected with username and password, with .htaccess, you'll get an error like this. Let's Encrypt cannot read the file under .well-known, so you need to temporarily disable the .htaccess security by moving or renaming the file while doing the Let's Encrypt process.
-------------------
« Last Edit: July 29, 2016, 10:39:48 AM by locvfx »
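
Added example (not part of any post above and not CWP code): a shell check for the vhost problems this thread describes, namely an SSL vhost still bound to an IP instead of *:443, a doubled "www.www." ServerAlias, and a NameVirtualHost *:443 line that is missing or placed after Listen 443. The function names, finding labels and sample configuration are constructed for illustration.

```shell
#!/bin/sh
# Added example, not CWP code: lint an Apache SSL vhost file for the
# problems described in this thread. Finding labels are made up here.

lint_ssl_vhosts() {   # $1 = vhost file; reads stdin when omitted
    awk '
    function report(code, n, msg) { printf "%s:%d:%s\n", code, n, msg; bad++ }
    {
        line = $0
        gsub(/^[ \t]+|[ \t\r]+$/, "", line)        # trim both ends
        if (line == "" || line ~ /^#/) next        # skip blanks and comments
        n = split(line, f, /[ \t]+/)
        key = tolower(f[1])                        # directive names are case-insensitive
    }
    key == "namevirtualhost" && f[2] == "*:443" { nvh = NR }
    key == "listen" && f[2] ~ /(^|:)443$/ && !listen { listen = NR }
    key == "<virtualhost" {
        in443 = 0
        for (i = 2; i <= n; i++) {
            addr = f[i]; sub(/>$/, "", addr)
            if (addr !~ /:443$/) continue
            in443 = 1
            # SNI setup from the thread: every SSL vhost uses *:443
            if (addr != "*:443") report("IP-BOUND", NR, addr)
        }
        if (in443) vhosts++
    }
    key == "</virtualhost>" { in443 = 0 }
    in443 && key == "serveralias" {
        for (i = 2; i <= n; i++)
            if (tolower(f[i]) ~ /^www\.www\./) report("DOUBLE-WWW", NR, f[i])
    }
    END {
        if (vhosts > 1 && !nvh)
            report("NVH-MISSING", 0, "several SSL vhosts, no NameVirtualHost *:443")
        else if (nvh && listen && nvh > listen)
            report("NVH-AFTER-LISTEN", nvh, "Listen 443 is at line " listen)
        exit (bad > 0)
    }' "${1:--}"
}

# Constructed sample showing all three problems (names and IP are examples).
sample_conf() {
    cat <<'EOF'
Listen 443
NameVirtualHost *:443
<VirtualHost 203.0.113.10:443>
    ServerName www.example.test
    ServerAlias www.www.example.test
</VirtualHost>
<VirtualHost *:443>
    ServerName shop.example.test
</VirtualHost>
EOF
}

# Prints one finding per line as LABEL:line:detail; exit status 1 if any.
sample_conf | lint_ssl_vhosts || true
```

On a server, pass the file itself, for example lint_ssl_vhosts /usr/local/apache/conf.d/vhosts-ssl.conf. The NameVirtualHost findings matter on Apache 2.2 only; Apache 2.4 ignores that directive.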

Re: How to install multiple SSL certificates on shared IP
« Reply #8 on: December 24, 2017, 01:23:58 PM »
Thanks for good topic
« Last Edit: December 24, 2017, 01:27:30 PM by aktm69 »

Re: How to install multiple SSL certificates on shared IP
« Reply #9 on: April 15, 2018, 08:25:47 AM »
can't install generated ssl, have error:
Code:
Invalid certificate/key pair on server.
why?
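
Added example (not from any post in this thread and not CWP code): one way to test for a key/certificate mismatch, such as the error reported in Reply #9, using the openssl command line. It checks that the .key, .csr and .crt for a domain carry the same public key and that the .cert link resolves to the .crt, which also covers the .csr/.crt troubleshooting note in Reply #2. The directory defaults are the paths named in the thread; the function names, the sample domain and the throwaway files are constructed, and an unencrypted private key is assumed.

```shell
#!/bin/sh
# Added example, not CWP code. Assumes the openssl CLI and an unencrypted key.

# Print the public key (PEM) held in a private key, certificate or CSR.
pubkey_of() {   # $1 = key|crt|csr   $2 = file
    case "$1" in
        key) openssl pkey -in "$2" -pubout ;;
        crt) openssl x509 -in "$2" -noout -pubkey ;;
        csr) openssl req  -in "$2" -noout -pubkey ;;
        *)   return 2 ;;
    esac 2>/dev/null </dev/null
}

# Check one domain's file set. Returns 0 = consistent, 1 = mismatch, 2 = unreadable.
# $1 = domain, $2 = certs dir, $3 = private dir (defaults: paths from the thread)
check_cert_set() {
    d=$1; certs=${2:-/etc/pki/tls/certs}; priv=${3:-/etc/pki/tls/private}; rc=0
    k=$(pubkey_of key "$priv/$d.key")  || { echo "FAIL cannot read key $priv/$d.key"; return 2; }
    c=$(pubkey_of crt "$certs/$d.crt") || { echo "FAIL cannot read certificate $certs/$d.crt"; return 2; }
    if [ "$k" = "$c" ]; then echo "OK   .crt matches .key"
    else echo "FAIL .crt was issued for a different key"; rc=1; fi
    if [ -f "$certs/$d.csr" ]; then
        r=$(pubkey_of csr "$certs/$d.csr") || r=""
        if [ "$k" = "$r" ]; then echo "OK   .csr matches .key"
        else echo "FAIL .csr does not belong to this key"; rc=1; fi
    fi
    # cmp follows the symlink, so a dangling or stale .cert link fails here
    if cmp -s "$certs/$d.cert" "$certs/$d.crt" 2>/dev/null; then
        echo "OK   .cert resolves to the .crt"
    else echo "FAIL .cert is missing, dangling or not the .crt"; rc=1; fi
    return "$rc"
}

# Constructed sample: throwaway key, CSR, self-signed cert and .cert link.
make_sample_set() {   # $1 = domain, $2 = certs dir, $3 = private dir
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
        -keyout "$3/$1.key" -out "$2/$1.csr" 2>/dev/null &&
    openssl x509 -req -in "$2/$1.csr" -signkey "$3/$1.key" -days 1 \
        -out "$2/$1.crt" 2>/dev/null &&
    ln -s "$1.crt" "$2/$1.cert"
}

# Demo: a consistent set, then the same set after the key is regenerated.
demo() {
    t=$(mktemp -d) && mkdir "$t/certs" "$t/private" || return 2
    make_sample_set www.example.test "$t/certs" "$t/private" || return 2
    check_cert_set www.example.test "$t/certs" "$t/private"
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$t/private/www.example.test.key" 2>/dev/null
    check_cert_set www.example.test "$t/certs" "$t/private"
    rm -rf "$t"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

On the server, check_cert_set yourdomain.tld reads the default directories; comparing public keys rather than RSA moduli means the same check works for EC keys.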

Re: How to install multiple SSL certificates on shared IP
« Reply #10 on: May 12, 2018, 11:48:52 AM »
Dear reader,

Since two weeks I have a cloud server with a Dutch provider, Neostrada.
I have been with Neostrada as an affiliate marketer for 10 years and have several domains. For speed, and therefore a plus point to rank in Google, you really need a Cloud Server. Ok, I have one now. 10cpu / 20gb ram and enough ssd storage space.

I am a user, not a programmer. I have been working with Apple for 20 years and am used to working with a computer with software without having to solve all kinds of problems related to the functionality of the system. Before I switched to Apple, I always worked with Suse Linux. So I have an obsolete knowledge base to work with a linux system. Once again I am a clear user and want a system to work for me.

The first virtual server installation was done by Neostrada. CentOS server with cPanel and WHM installation. I pay 16 euros per month on top of the monthly costs of the cloud server. Everything works fine, I can install wordpress without any effort. And I can do what I like to do, make affiliate websites to earn money!

Website copied from a standard hosting domain, and put on the cloud server. Everything is fine, I only had to adjust the php.ini, the maximum size of an upload file. Standard seemingly 2m, I made 1024m. Furthermore, no problem.

Now I'm going to test the speed of my webpage. That was ultimately my reason to rent a cloud server. The most important test site for me is Google's speed insights. If I do not get 100% here, my website will not go online!
With a standard hosting I normally do not go beyond 86 - 91%. The problem is always the server response time. This is normally between .8 and 1.3 sec. If I want to reach 100%, I have to have a server response time that is faster than 200ms (0.2sec).
Ok everything on the cloud server is ready and the test shows that I am not faster than a standard hosting. (Standard hosting at Neostrada is 6 cpu / ssd for 96 euro per year excluding VAT). For the cloud server I pay 99.95 euros per month (10cpu / 20gB memory plus 27.95 for cPanel with ssl certificate).

Damn, the cloud server is nothing faster than standard hosting. But much more expensive. Performed several tests, and came to the conclusion that it is a safe installation. Always working, fully guaranteed, but really not fast. I decided to set up my cloud server myself. It can not be true that a cloud server of more than 100 euros per month is not faster than a standard hosting of 8 euros per month ?!

I have a choice of CentOS, debian, freeBSD and Ubuntu. First I have to have a replacement before Cpanel is not too expensive. Because at first the preinstalled cloud server with CentOS is too slow, I did not look at CWP7. After some searching on the net, I came to Virtualmin. 60 euros per year per IP address. cPanel Solo is 15 euros per month x 12 = 180 euros per year.

VirtualMin works great on my first test with a debian server. I use NgiNx as a replacement for Apache. Works fine with VirtualMin, but .... The ngiNx version for VirtualMin on Debian is 1.10.2 and I can not install a PageSpeed module. At least I've been trying it for three days and I'm not getting it working. Not a good combination for me. And my web performance does not exceed 91% with Speed Insights from Google.

On the cloud server of my provider the installation of FreeBSD and Ubuntu failed completely. Why? I do not know. I think it's up to the provider. I am now sufficiently worried, if my provider can not provide a good installation, I will not go far to find out why that is. I am afraid that I will only get more problems because apparently their support is not sufficient for these Linux packages.

Ok, back to CentOS 7.4. New cloud server created without virtual manager. Everything just old fashioned installed by hand. Yep everything works, NgiNx 1.13 with pagespeed, mysql, mariaDB, php and wordpress. Cloudcmd as browser file manager. Apple terminal as terminal manager. Yes, Speed insights 96%. All I have to do is compress my css and I will be 100%. great, very satisfied. Top.

But .... suddenly there is an update of CentOS which consists of 357 updates. Nothing works after the update. After a few hours of dabbling and heavy frustration, I find out that my /var directory has changed to /fs/var ???? No program could therefore still find the PID file. Nginx and some more programs manually adjusted and the PID files in a different directory. Yep everything works again, but still some problems. 5 hours later and 20 reboots the /fs/var directory is suddenly back to normal and just /var. I fall from my chair, tend to throw my computer against the wall. I want to kill my girlfriend and shoot the neighbor dead.

After hyperventilating for 1 hour, I put everything back as it was. Everything works properly again but the speed test does not go beyond 91% and I suddenly have no browser compression anymore !! That is really too much for me. I then decide to look for another virtual manager. This is how I end up here at the CentOS web panel. In the hope that they have designed a manager who installs ssl and nginx without any problems. Without having to trudge for hours to get it running. Do I ask too much? Is it special what I want? Just wordpress with NgiNx. Speed Insight at 100% with a server response time of less than 200ms. That does not seem too much, does it? For the time being I have been working for two weeks, without any satisfactory result.

I confess immediately that my basic knowledge is limited (at least that is what I learned from the past two weeks). But surely there will be a Virtual Manager who understands what a user wants and that also simply installs without any problems? Or should I hire an expert for 500 euros, to make an installation that just does it?

I hope that there is someone who reads this story and understands my frustration. Hopefully an expert, and then informed me that he is ordering my installation for a small amount.

Because CWP7pro also starts immediately with some frustration. I have created a new CentOS with the necessary updates and a clean CWP7 installation. 1 user created as proposed in the documentation of CWP7. Next I want to install my SSL certificate for my domain. That is already a frustration in itself.

I start with "How to install multiple SSL certificates on shared IP". What? multiple SSL on shared IP? I only have 1 certificate with key and bundle. I have searched in the documentation of CWP7 but nowhere can I find how I simply install 1 certificate for a website domain!

Then continue reading in "How to install multiple SSL certificates on shared IP".

1. Install Browser Valid SSL Certificate (no exception needs to be added in your browser). That seems to be what I need. Oh, I have to fill in a few things and then request a certificate. Pfff, I do not need that because I already have a certificate!

I then start at point 3.
3. Once you have received new SSL Certificate from valid seller you can download it by clicking on "Browse installed SSL Certificates" in CWP SSL Generator
and edit file "/etc/pki/tls/certs/DOMAIN.COM.cert"

I go to SSL Generator and look for "Browse installed SSL Certificates". Frustrating, it's not existing! Maybe they mean SSL Certificate Manager? Ok, I click on it. Yep, now I see an option "/etc/pki/tls/certs/DOMAIN.COM.cert". I click on it.
Yep the filemanager goes to /etc/pki/tls/certs/. Mmmm there I seem to find DOMAIN.COM.cert.

Unfortunately, the file DOMAIN.COM.cert is not there. There are only 2 files that end in .CERT And that are make-dummy-cert and renew-dummy-cert. Ok I stop here, because the documentation does not match the actual installation.

As I read further in the documentation, someone named fafache responded on November 08, 2015, with the title "Maybe you need a better tutorial ..." He explains clearly how it should be done! That the makers of CWP7 have not yet adapted their documentation after 2015 is incomprehensible. But it also tells me something about the product they are trying to promote.

I continue reading "A) the clean way:"
Ok, I go to SSL Generator and fill all the fields. Domain name with WWW.
Your-domain.com.KEY is generated.

Next step:
"OK, now you can buy a certificate, in the certificate generation process, you need to give the .CSR (key inside www.yourdomain.tld.csr) to your SSL Dealer."
I already had a certificate, so I skip this step.

Next step:
1. in your CWPanel → Apache settings → SSL cert Manager
2. follow the /etc/pki/tls/cert web-link for File Manager in this directory.
Then I suddenly have a file manager that completely makes my screen unreadable. That means that I end up on a blank screen. There is everything at the bottom of the screen. But because the screen is only half legible, I can not do anything with it. This is a part of the error message that appears at the bottom of the screen:
"fiets.nl.cert →
Fatal error: Uncaught Error: Call to undefined function ereg() in /usr/local/cwpsrv/htdocs/resources/admin/modules/file_manager.php:0
Stack trace:
#0 /usr/local/cwpsrv/htdocs/resources/admin/modules/file_manager.php(0): simplify_path('/etc/pki/tls/ce...')
#1 /usr/local/cwpsrv/htdocs/resources/admin/modules/file_manager.php(0): relative2absolute('/etc/pki/tls/ce...', '/etc/pki/tls/ce...')
#2 /usr/local/cwpsrv/htdocs/resources/admin/modules/file_manager.php(0): listing(Array)
#3 /usr/local/cwpsrv/htdocs/resources/admin/modules/file_manager.php(0): listing_page()
#4 /usr/local/cwpsrv/htdocs/admin/admin/index.php(0): unknown()
#5 {main} thrown in /usr/local/cwpsrv/htdocs/resources/admin/modules/file_manager.php on line 0"

Fantastic, but what do I have to do with it? Half legible. Ok, I decide to reboot, maybe that helps.

Reboot

Nope, no change. The file manager still has a distorted picture.

I go to the Advanced PHP File manager. Locate the directory /etc/pki/tls/certs/.
I find NO file www.yourdomain.tld.csr there.
But a file www.yourdomain.tld.cert
I rename the www.yourdomain.tld.cert for yourdomain.tld.cert. Why, it's a gamble. I do not know it either!

Hey, that's weird, I can not change this file!

This is the end of my trip with CWP7. I followed the documentation to the letter. Now I do not know what to do anymore. Meanwhile spent 5 hours on CWP7, to come to the conclusion that the package is simply not good and full of mistakes. The documentation does not match the program.