Control Web Panel
WebPanel => SSL => Topic started by: Jamshed Datori on March 04, 2018, 11:33:56 AM
-
Hello,
I want to install wildcard SSL in CWP. Can anyone tell me how to do this or point me to any tutorial?
-
This is very hard. I think they should make this easy for us. I will post the problems I have been facing with this in another thread.
To install a Wildcard SSL, first you generate a CSR. You need to use *.domain.com in the CN. The file will be generated with "*." in its name; this is your first problem, because it is not recognized by the panel.
Log in via SSH and rename the file "*.domain.com.csr" to just "domain.com.csr". Do the same with the key file.
These files are located in "/etc/pki/tls/certs" and "/etc/pki/tls/private".
After this, get your CSR and order your certificate.
After you receive your certificate, you must paste the certificate into the file "domain.com.cert" inside "/etc/pki/tls/certs". I don't remember if this file is created empty. If not, create it yourself using the panel file manager.
When you go to install your cert for your domain, the panel suggests "*.domain.com" as the domain; you need to use only "domain.com" as the domain, otherwise it will not work. This is the second problem, because the panel uses the domain name you specify as the file name.
When you go to install the certificate for other subdomains of your domain, the panel uses a different file for each subdomain, but this certificate is a Wildcard, so there is no sense in using different file names for this; just specify the other domain and you are OK.
In this case, you will need to copy the content of the certificate file to this newly created subdomain file, and for the bundle file too.
The bundle file must contain the certificate for your domain (the one you bought) and, below it, the root certificate from your certificate provider.
This is a bit confusing.
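The post above installs one wildcard certificate under several subdomain file names, and later posts list both the apex and the wildcard in the NGINX server_name and mention mail clients complaining about hostnames. What a wildcard actually covers is decided by the client's hostname-matching rules, not by the panel's file names. The following is an added example (not code from the thread or from CWP) that implements the RFC 6125 / RFC 2818 matching rules browsers and mail clients apply: the asterisk must be the whole leftmost label, it matches exactly one label, and it never matches the bare domain. All names and certificate name lists in it are constructed for illustration.

```python
"""Which hostnames does a wildcard certificate actually cover?

Added example, not from the CWP forum thread. Implements the
RFC 6125 / RFC 2818 wildcard matching rules used by TLS clients.
All hostnames and SAN lists below are constructed for illustration.
"""


def hostname_matches(cert_name: str, hostname: str) -> bool:
    """Return True if cert_name (a CN or SAN dNSName) covers hostname.

    Rules applied:
      * comparison is case-insensitive and ignores a trailing dot
      * a '*' is only valid as the entire leftmost label
      * '*' matches exactly one label, so '*.domain.com' does not
        cover 'domain.com' (too few labels) or 'a.b.domain.com' (too many)
      * '*.com' style names (fewer than three labels) are rejected
    """
    cert_name = cert_name.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in cert_name:
        return cert_name == hostname
    pattern = cert_name.split(".")
    labels = hostname.split(".")
    if pattern[0] != "*" or len(pattern) < 3:
        return False
    if any("*" in p for p in pattern[1:]):   # wildcard only in the first label
        return False
    if len(pattern) != len(labels):          # '*' matches exactly one label
        return False
    return pattern[1:] == labels[1:]


def covered_names(san_names, hostnames) -> dict:
    """Map each hostname to whether any name on the certificate covers it."""
    return {h: any(hostname_matches(n, h) for n in san_names) for h in hostnames}


if __name__ == "__main__":
    # Constructed certificate name lists: a bare wildcard, and the usual
    # issuance of apex + wildcard together in the SAN list.
    cases = {
        "*.domain.com only": ["*.domain.com"],
        "domain.com + *.domain.com": ["domain.com", "*.domain.com"],
    }
    hosts = ["domain.com", "www.domain.com", "mail.domain.com",
             "a.b.domain.com", "domainxcom.net"]
    for label, names in cases.items():
        print(label)
        for host, ok in covered_names(names, hosts).items():
            print(f"  {host:18} {'covered' if ok else 'NOT covered'}")
```

The practical consequence for the setup described in this thread: if the CSR only names *.domain.com, the bare domain.com vhost will still show a certificate error, so the apex name should be on the certificate as well (most CAs issue wildcard certificates with both names), and a second-level host such as a.b.domain.com needs its own certificate.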
-
Hi, could you please break down the steps to install Wildcard SSL.
I am having issues doing the process, and I really do not know what content I should be copying where.
-
Unfortunately I was not able to install Wildcard SSL by any means, and the CWP team was not helping regarding this.
So, I have to pay the CWP team to install WC SSL. :(
-
1. Log into your CWP admin area and locate 'Apache Settings' in the left-hand navigation menu.
2. Select the 'SSL Certificates' option from 'Apache Settings' and switch to the 'Manual Install' tab.
3. Now choose your domain name from the drop-down list provided.
4. Next, copy the certificate code you received by email from Comodo, including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- tags, and paste it into the 'Certificate' box. The code can be found in the file with the .crt extension, or you can copy it directly from the email you received.
5. Paste your Private Key code into the corresponding box. It should look like a block of code with the header -----BEGIN PRIVATE KEY----- and footer -----END PRIVATE KEY-----. Please make sure to use the same Private Key code that was generated with your CSR code.
Note: If your CSR/Private Key pair was generated in CentOS Web Panel (CWP), the key will be fetched automatically by the system when you select your domain name. If for some reason that does not happen, the key can also be found via this path: File Manager -> etc -> pki -> tls -> private.
6. Now copy and paste the chain of intermediate certificates (CA Bundle) into the 'Certificate Authority' box. Alternatively, you can select the 'Generate Intermediate Certificates' button.
7. Click the 'Validate Certificate' button to ensure the certificate matches the Private Key.
8. Click 'Save'.
-
Also, don't forget to add the following line to the NGINX config file located in "/etc/nginx/conf.d" if you are using NGINX too.
server_name yourdomain.com *.yourdomain.com;
-
There's an easier way.
Add the domain name to another web control panel, for example DirectAdmin.
Create the CSR code with wildcard.
Create the SSL certificate and add it manually to the CWP.
-
Let's Encrypt now offers wildcard SSL; can anyone tell me how to convert this to CWP so it works for all domains?
-
> Let's Encrypt now offers wildcard SSL; can anyone tell me how to convert this to CWP so it works for all domains?
CWP currently does not support wildcard SSL for domains but they promised that it will be launched soon.
-
Any update on the implementation of this feature?
Having access to a 'Let's Encrypt wildcard SSL' would make a heap of difference w.r.t. virtual hosts' mail servers.
+1 this feature request
-
Much needed feature but not implemented yet. :(
-
> Any update on the implementation of this feature?
> Having access to a 'Let's Encrypt wildcard SSL' would make a heap of difference w.r.t. virtual hosts' mail servers.
> +1 this feature request
That's why I'm looking for a wildcard also. It would be great to have, so customers don't get an error when setting up email accounts.
-
You can generate your own. Here is how I did it (note: my hostname is server3.schaffner.org; change schaffner.org to your domain).
Install haveged: yum install haveged
Generate a TSIG key (the nametype HOST and the key name "acme" are required arguments; "acme" is the key name referenced from named.conf below):
cd /etc/named/
dnssec-keygen -a HMAC-SHA512 -b 512 -n HOST acme
Create a new zone called acme.schaffner.org:
/etc/named.conf
zone "acme.schaffner.org" {
type master;
file "/var/named/acme.schaffner.org.db";
allow-update {
key "acme";
};
};
/var/named/acme.schaffner.org.db
$ORIGIN .
$TTL 86400 ; 1 day
acme.schaffner.org IN SOA ns1.schaffner.org. rcschaff82.gmail.com. (
2020021035 ; serial
86400 ; refresh (1 day)
7200 ; retry (2 hours)
3600000 ; expire (5 weeks 6 days 16 hours)
86400 ; minimum (1 day)
)
$TTL 14400 ; 4 hours
NS ns1.schaffner.org. ; THIS IS IMPORTANT. DO NOT USE BOTH NAMESERVERS FOR LE
$ORIGIN acme.schaffner.org.
$TTL 60 ; 1 minute
Now the fun part. You must add a CNAME for every domain for which you want a wildcard certificate. Add the following to those domains' DNS entries. (NOTE: this also works for domains not hosted on your server, e.g. at GoDaddy.)
_acme-challenge 600 IN CNAME _acme-challenge.acme.schaffner.org.
_acme-challenge.* 600 IN CNAME _acme-challenge.acme.schaffner.org.
Now you are set up to generate wildcard certificates. In this example I added the above CNAMEs to domain.com.
NSUPDATE_SERVER=localhost NSUPDATE_KEY=/etc/named/acme.key ./.acme.sh/acme.sh --issue --test -d '*.domain.com' --challenge-alias acme.schaffner.org --dns dns_nsupdate --debug 2
Please note the --challenge-alias. This basically forwards the request for EVERY domain to acme.schaffner.org, which is why domain.com has to have the CNAME. I do this so that I only have the one dynamically updated zone.
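To make the CNAME-alias mechanism in the post above concrete, here is an added example (not code from the thread, from acme.sh or from BIND) that models the three parties involved in an ACME DNS-01 validation with an in-memory zone table: the client writes the challenge TXT record into the one dynamically updated zone (what nsupdate does in the post), the CA queries _acme-challenge.<domain>, and a resolver follows the CNAME to the alias zone. The TXT value is computed as RFC 8555 specifies (base64url of SHA-256 over token.thumbprint), and a wildcard identifier is validated at its base name as RFC 8555 requires. The zone names acme.schaffner.org and domain.com are taken from the post; the zone table, token, thumbprint and the other.example domain are constructed for this example.

```python
"""How the CNAME-alias trick satisfies an ACME DNS-01 check.

Added example, not code from the thread, acme.sh or BIND. The zone
table, token and account thumbprint below are constructed data.
"""
import base64
import hashlib

MAX_CNAME_HOPS = 8   # resolvers cap CNAME chains; a loop must not hang validation


def dns01_expected_value(token: str, account_thumbprint: str) -> str:
    """RFC 8555 section 8.4: base64url(SHA-256(token '.' JWK thumbprint)), no padding."""
    key_authorization = f"{token}.{account_thumbprint}".encode()
    digest = hashlib.sha256(key_authorization).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def challenge_name(identifier: str) -> str:
    """RFC 8555: '*.domain.com' and 'domain.com' are both validated at
    _acme-challenge.domain.com (the '*.' is dropped before prepending)."""
    base = identifier[2:] if identifier.startswith("*.") else identifier
    return f"_acme-challenge.{base}".lower().rstrip(".")


def resolve_txt(zones: dict, name: str) -> list:
    """Look up TXT records, following CNAMEs as a real resolver would."""
    name = name.lower().rstrip(".")
    for _ in range(MAX_CNAME_HOPS):
        rrset = zones.get(name, {})
        if "CNAME" in rrset:
            name = rrset["CNAME"].lower().rstrip(".")
            continue
        return list(rrset.get("TXT", []))
    raise RuntimeError(f"CNAME chain too long or looping at {name}")


def publish_challenge(zones: dict, alias_zone: str, value: str) -> None:
    """The client's nsupdate step: add the TXT record in the dynamic alias zone."""
    owner = f"_acme-challenge.{alias_zone}".lower().rstrip(".")
    zones.setdefault(owner, {}).setdefault("TXT", []).append(value)


def ca_validates(zones: dict, identifier: str, token: str, thumbprint: str) -> bool:
    """The CA's side: is the expected value present at _acme-challenge.<base>?"""
    expected = dns01_expected_value(token, thumbprint)
    return expected in resolve_txt(zones, challenge_name(identifier))


def build_zones() -> dict:
    """Constructed zone data mirroring the post's setup for domain.com."""
    return {
        # domain.com's zone: the CNAME the post says every domain needs
        "_acme-challenge.domain.com": {"CNAME": "_acme-challenge.acme.schaffner.org."},
        # a constructed domain that forgot the CNAME: the alias zone can never answer for it
        "_acme-challenge.other.example": {},
    }


if __name__ == "__main__":
    zones = build_zones()
    token, thumbprint = "constructed-token-123", "constructed-thumbprint-abc"
    publish_challenge(zones, "acme.schaffner.org", dns01_expected_value(token, thumbprint))
    for ident in ("*.domain.com", "domain.com", "*.other.example"):
        ok = ca_validates(zones, ident, token, thumbprint)
        print(f"{ident:18} checked at {challenge_name(ident):40} {'valid' if ok else 'NOT valid'}")
```

Two things worth keeping in mind when running the real setup: the alias zone answers for every domain that points its _acme-challenge name at it, so the TSIG key that can update that zone should be readable only by the account running acme.sh; and because the CA follows CNAMEs itself, the _acme-challenge CNAME in each customer zone is the only per-domain record needed, which is what makes the single dynamically updated zone sufficient.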