OK folks, I did a little hunting and got down a procedure that some of you may want to do. This lets you put an SSL cert on the main IP of your site (box hostname) and chain it. It allows all your users to log in to their cpanels, etc. without getting that annoying (and scary to some users) Windows Security Alert warning that you get with the self-signed certificate...


1) Get yourself a certificate
In WHM click Main - SSL/TLS - Generate a SSL Certificate & Signing Request
Go buy your Certificate (GeoTrust RapidSSL is fine and affordable)
In WHM click Main - SSL/TLS - Install a SSL Certificate and Setup the Domain
(save a copy of the key, certificate, and cabundle for use in the following step)

2) Now SSH into your server and edit the following
a) back up and edit cpanel data
cd /var/cpanel/ssl/cpanel

cp mycpanel.pem ./mycpanel.pem.old
cp cpanel.pem ./cpanel.pem.old
cp mycpanel.cabundle ./mycpanel.cabundle.old

pico -w mycpanel.pem (delete contents and replace with your key, cert, and cabundle)
pico -w cpanel.pem (delete contents and replace with your key, cert, and cabundle)
pico -w mycpanel.cabundle (delete contents and replace with cabundle)

service cpanel restart


b) back up and edit the pop/imap files
cd /usr/lib/courier-imap/etc

cp pop3d-ssl ./pop3d-ssl.old
cp imapd-ssl ./imapd-ssl.old

pico -w pop3d-ssl
Change:
TLS_CERTFILE=/usr/lib/courier-imap/share/pop3d.pem

To:
TLS_CERTFILE=/usr/local/cpanel/etc/cpanel.pem
TLS_TRUSTCERTS=/usr/local/cpanel/etc/mycpanel.cabundle

pico -w imapd-ssl
Change:
TLS_CERTFILE=/usr/lib/courier-imap/share/pop3d.pem

To:
TLS_CERTFILE=/usr/local/cpanel/etc/cpanel.pem
TLS_TRUSTCERTS=/usr/local/cpanel/etc/mycpanel.cabundle

service courier-imap restart


c) back up and edit the ftp files
cd /var/cpanel/ssl/ftp

cp pure-ftpd.pem ./pure-ftpd.pem.old

pico -w pure-ftpd.pem (delete contents and replace with your key, cert, and cabundle)

service pure-ftpd restart


d) back up and edit the exim files
cd /etc

cp exim.crt ./exim.crt.old
cp exim.key ./exim.key.old

pico -w exim.crt (delete contents and replace with your cert, and cabundle)
pico -w exim.key (delete contents and replace with your key)

service exim restart


3) Configure WHM
In WHM click Main - Server Configuration - Tweak Settings
Scroll to the Redirection group and set the following

Always redirect users to the ssl/tls ports when visiting /cpanel, /webmail, etc = YES (checked)
When visiting /cpanel or /whm or /webmail WITHOUT SSL, you can choose to redirect to = Hostname
When visiting /cpanel or /whm or /webmail with SSL, you can choose to redirect to = SSL Certificate Name

Click Save



DONE!


DB
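
A pre-flight check for the combined files pasted together in step 2, as an added example that is not part of the original post or of cPanel's tooling: it confirms the key matches the certificate, the certificate is unexpired, the cabundle starts with the issuing CA, and the key-bearing file is not world-readable. The function name, the messages and the world-readable rule are this example's assumptions; it needs the `openssl` command-line tool.

```shell
#!/bin/sh
# Added example, not cPanel tooling: check a combined PEM (key + cert +
# cabundle, in that order) before installing it and restarting a service.
# Usage: sh check_pem.sh combined.pem cabundle-file

check_pem_bundle() {
    pem=$1
    bundle=$2

    # The private key must parse without a passphrase (services restart unattended).
    key_pub=$(openssl pkey -in "$pem" -passin pass: -pubout 2>/dev/null) ||
        { echo "FAIL: no usable private key in $pem"; return 1; }

    # The first certificate in the file is the one the service presents.
    crt_pub=$(openssl x509 -in "$pem" -noout -pubkey 2>/dev/null) ||
        { echo "FAIL: no certificate in $pem"; return 1; }

    # Key and certificate must be a pair, or the TLS handshake fails.
    [ "$key_pub" = "$crt_pub" ] ||
        { echo "FAIL: private key does not match certificate"; return 1; }

    # Reject a certificate that has already expired.
    openssl x509 -in "$pem" -noout -checkend 0 >/dev/null 2>&1 ||
        { echo "FAIL: certificate has expired"; return 1; }

    # The cabundle should start with the CA that issued the certificate.
    issuer=$(openssl x509 -in "$pem" -noout -issuer_hash 2>/dev/null)
    ca=$(openssl x509 -in "$bundle" -noout -subject_hash 2>/dev/null) ||
        { echo "FAIL: no certificate in $bundle"; return 1; }
    [ "$issuer" = "$ca" ] ||
        { echo "FAIL: cabundle does not start with the issuing CA"; return 1; }

    # The file holds the private key: refuse world-readable permissions.
    [ -z "$(find "$pem" -perm -004)" ] ||
        { echo "FAIL: $pem is world-readable"; return 1; }

    echo "OK: $pem"
}

if [ "$#" -gt 0 ]; then
    check_pem_bundle "$@"
fi
```

Run it against each file you build before the matching `service ... restart`; a non-zero exit means the old `.old` copy should stay in place.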