
SSL certificate per domain on cpanel, webmail, dav, caldav, and whm services (SNI).

Nathan Lierbo shared this idea 6 years ago
Completed

Call for Comments


Currently, when a cPanel user acquires an SSL certificate, they can only install it for Apache. There is currently no way for a cPanel user to use their own certificate for other SSL-powered services like IMAP over SSL, WebDisk etc.


The proposal is to allow cPanel users to install SSL certificates for their own domains for all services, including cpdavd (webdisk), cpsrvd (webmail, cPanel and WHM), IMAP, POP, SMTP etc. One can install a wildcard certificate to cover all services or install individual certificates for each service.


Original thread: http://forums.cpanel.net/f145/ssl-certificate-per-domain-all-services-case-55985-a-200492.html

Best Answer

Version 60 is now available in CURRENT, and includes this feature. Like Felipe said, proxy subdomains are not included in this iteration, but will be considered in a future release. You can see the details of this feature's release in the release notes here:

https://documentation.cpanel.net/display/ALD/60+Release+Notes

If you would like to vote for the support of proxy subdomains you can vote on that over here:

https://features.cpanel.net/topic/allow-to-make-certificate-for-subdomains-like-cpanel-example-com-and-mail-example-using-lets-encrypt

If you have any questions, feel free to follow your typical support path, or send me an email.

Comments (116)

1

Yes,

Please make it so that if you install an SSL for a particular domain, the services under that domain in cPanel will use the same SSL.

8

I'd like (or be happy with) the "in-between" position of being able to install a set of certs for each reseller, so that the end user sees the reseller's hostname for secure email, for example, instead of mine. At the moment I have a reseller who gets users to use unencrypted email just to mask the fact that the server runs under my domain name.

1

Just to add that there's a forum thread for this.


This also seems to have had a developer case number since December 2011.

6

The capability to use multiple SSL certificates at least for Dovecot/Courier and Exim should be pushed to the top of cPanel's agenda.


Customers having purchased and installed their SSL cert often expect to equally secure their email comms with it. A customer attempting to use his mail.domain.ext as server in any email client will cause the display of a certificate verification error message, which in many cases results in a support complaint.


In the current conjuncture, after all the revelations of comms snooping by various authorities, the last thing we need are customers being turned off believing we don't care about their privacy. The situation is already bad enough with some major European governments now systematically dismissing bids from US businesses due to security worries. IMHO, cPanel should not take the risk to convey a negative impression due to a missing feature.

1

This would make a huge difference for some customers. It would make them able to use their domain name instead of the server hostname.

1

Agree!

Please include this great feature in the future updates.

1

This can already be done at the host level. Meaning you can apply an SSL cert for your hostname and then apply it for the following services on the server: FTP Server, Exim (SMTP) Server, Dovecot Mail Server, and cPanel/WHM/Webmail Service. Also, tweak the login settings so that it redirects them to the hostname and everything is secure. While the client can just use their cert for the application they are hosting.


But I agree I would like this option as well.

4

Having got truly fed up with the time this is taking to implement (I have been watching this request since its inception back in March 2011), I have started to modify my own scripts to do this.


Currently I am testing the attached script with dovecot, which is based on the original script attached to the forum post.


Pre-requisites:

Server with main shared IP, and server wide ssl certificate, eg

1.2.3.4 host.provider.com

Reseller account, with dedicated IP and SSL, for example

2.3.4.5 resellerdomain.com

This should be set as the reseller's main shared IP.


Currently the attached script does the following:


Reads /etc/ssldomains and /etc/userdomains to build a list of reseller domain name, username and IP.


Reads userdata from /var/cpanel/userdata/username/domain.name_SSL and extracts the key, crt, and cabundle paths.


Merges the key, crt and cabundle into a .pem file under /etc/ssl/certs/domain.name.pem


Clones the dovecot config template from /var/cpanel/templates/dovecot2.2/main.default to /var/cpanel/templates/dovecot2.2/main.local (and saves any existing main.local as main.local.1)


Adds IP-specific SSL certificates to the main.local template.


Invokes /usr/local/cpanel/scripts/builddovecotconf

and restarts dovecot.


I have *only* tested this script on 11.40 with dovecot.

I have left in (and in some cases commented out) the original courier components of the script.


Todo:

Make sure this still works for courier

Add support for Exim, and Cpanel/whm/webmail services


Hopefully this can get cPanel in gear to make this fairly simple request a standard part of cPanel, to happen automatically when a user installs an SSL certificate on their dedicated IP's domain.


My resellers love it, as now their clients can access email services securely using SSL on resellerdomainname.com, rather than having to accept security warnings, or connect directly to server.hostingprovider.com.
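The steps tandyuk lists above, worked through as an added example in Python. This is not tandyuk's attached script (which is not on this page) and not cPanel code. It assumes that /etc/userdomains lines read `domain: user`, that the per-domain `<domain>_SSL` userdata file is a flat `key: value` file carrying `ip`, `sslcertificatefile`, `sslcertificatekeyfile` and `sslcacertificatefile`, and that Dovecot 2.2 accepts per-IP `local <ip> { ssl_cert ... }` blocks; it reads the IP from the userdata file instead of /etc/ssldomains. The `demo()` function builds a constructed sample tree in a temporary directory so the whole pass runs without a cPanel server; the real build and restart step is gated behind `rebuild=True`. The paths /var/cpanel/templates/dovecot2.2 and /etc/ssl/certs from the post are passed in as arguments rather than hard-coded.

```python
"""Per-IP Dovecot SSL setup from cPanel account data (added example; assumed formats marked)."""
import os
import shutil
import subprocess
import tempfile

def _read(path):
    if not path or not os.path.isfile(path):
        return ""
    with open(path) as fh:
        return fh.read()

def _write(path, text, mode=None):
    with open(path, "w") as fh:
        fh.write(text)
    if mode is not None:
        os.chmod(path, mode)

def parse_userdomains(text):
    """'domain: user' per line -> {domain: user}; the '*' catch-all line is skipped (assumed format)."""
    out = {}
    for line in text.splitlines():
        domain, sep, user = line.strip().partition(":")
        if sep and domain.strip() not in ("", "*"):
            out[domain.strip()] = user.strip()
    return out

def parse_userdata(text):
    """Flat 'key: value' file -> dict (assumed format of the <domain>_SSL userdata file)."""
    data = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            data[key.strip()] = value.strip()
    return data

def merge_pem(cert, cabundle, key):
    """Leaf certificate, then chain, then key: one file Dovecot can read for ssl_cert and ssl_key."""
    return "\n".join(p.strip() for p in (cert, cabundle, key) if p.strip()) + "\n"

def dovecot_local_block(ip, pem_path):
    """Dovecot 2.2 per-IP override: without SNI, each certificate needs its own dedicated IP."""
    return "local %s {\n  ssl_cert = <%s\n  ssl_key = <%s\n}\n" % (ip, pem_path, pem_path)

def collect_ssl_hosts(userdomains_text, userdata_root):
    """Yield (domain, ip, cert, cabundle, key) for every domain with a complete _SSL userdata file."""
    for domain, user in sorted(parse_userdomains(userdomains_text).items()):
        ud = parse_userdata(_read(os.path.join(userdata_root, user, domain + "_SSL")))
        ip, crt, key, ca = (ud.get(k) for k in
                            ("ip", "sslcertificatefile", "sslcertificatekeyfile", "sslcacertificatefile"))
        if not (ip and crt and key):
            continue  # no dedicated IP or incomplete material: skip rather than guess
        yield domain, ip, _read(crt), _read(ca), _read(key)

def write_pems(hosts, pem_dir):
    """Write <pem_dir>/<domain>.pem with mode 0600, since the file carries the private key."""
    written = []
    for domain, ip, cert, ca, key in hosts:
        pem_path = os.path.join(pem_dir, domain + ".pem")
        _write(pem_path, merge_pem(cert, ca, key), 0o600)
        written.append((domain, ip, pem_path))
    return written

def render_main_local(template_dir, blocks):
    """Clone main.default to main.local (an old main.local becomes main.local.1) and append blocks."""
    default, local = (os.path.join(template_dir, n) for n in ("main.default", "main.local"))
    if os.path.exists(local):
        shutil.move(local, local + ".1")
    shutil.copyfile(default, local)
    with open(local, "a") as fh:
        fh.write("\n# per-IP SSL certificates, generated\n" + "".join(blocks))
    return _read(local)

def apply_dovecot_ssl(userdomains_text, userdata_root, pem_dir, template_dir, rebuild=False):
    """Whole pass; rebuild=True also runs the cPanel build and restart scripts, as the post does."""
    written = write_pems(collect_ssl_hosts(userdomains_text, userdata_root), pem_dir)
    cfg = render_main_local(template_dir, [dovecot_local_block(ip, p) for _, ip, p in written])
    if rebuild:
        subprocess.check_call(["/usr/local/cpanel/scripts/builddovecotconf"])
        subprocess.check_call(["/usr/local/cpanel/scripts/restartsrv_dovecot"])
    return cfg, written

def demo():
    """Constructed sample tree: one reseller on dedicated IP 2.3.4.5, one domain without a cert."""
    root = tempfile.mkdtemp()
    userdata, tpl, pems = (os.path.join(root, d) for d in ("userdata/reseller", "templates", "certs"))
    for d in (userdata, tpl, pems):
        os.makedirs(d)
    paths = {ext: os.path.join(root, "resellerdomain.com." + ext) for ext in ("crt", "cabundle", "key")}
    for ext, body in (("crt", "AAA"), ("cabundle", "CCC"), ("key", "KKK")):
        _write(paths[ext], "-----BEGIN FAKE-----\n%s\n-----END FAKE-----\n" % body)
    _write(os.path.join(userdata, "resellerdomain.com_SSL"), "ip: 2.3.4.5\nsslcertificatefile: %(crt)s\n"
           "sslcertificatekeyfile: %(key)s\nsslcacertificatefile: %(cabundle)s\n" % paths)
    _write(os.path.join(tpl, "main.default"), "ssl = required\n")
    userdomains = "*: nobody\nresellerdomain.com: reseller\nplain.example: other\n"
    return apply_dovecot_ssl(userdomains, os.path.join(root, "userdata"), pems, tpl)
```

Two points worth keeping in mind if you adapt this for a live server: the merged .pem contains the private key, so it must not be world-readable even though it lives under /etc/ssl/certs, and the `local <ip>` form only works when every certificate has its own dedicated IP, which is exactly the limitation the SNI support discussed later in this thread removes.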

1

Any update on this feature? It was started back in 2012 and I'd love to see this feature added in. The ability to control the SSL certificate per dedicated IP (domain) would be amazing!

3

It would seem to be basic functionality to be able to easily connect a certificate to all features in a given domain/ip.

2

Apache/OpenSSL via SNI can support multiple SSL domains on a given IP. Please include this functionality for all cPanel/WHM/Webmail services on a given host. My customers expect to see THEIR domain name when they have purchased an SSL for their secured services and to not be redirected to the host server domain name for cPanel/WHM/Webmail.

3

I am a reseller of shared hosting, as it is not economically viable to pay for virtual server bandwidth and sell high speed shared hosting in Australia. My host refuses to add this feature as it would void their cPanel support contract.


There are two major issues: 1) it takes a long time to get each end user to correctly type a long complex host name; 2) every time my host moves my account to another server, I have to provide support for every end user to change their mail server address! The added time spent compensating for this missing feature makes me question the viability of this business. I want to make things easy for my clients and their users, but currently there is no viable way to do so.


Please add this feature asap, or failing that please vary the support contract to allow the installation of an App to provide this functionality and I will have the App written.


As tandyuk has demonstrated above, it's not that difficult. Developer Case 55985 was opened over 2 years ago, is there any chance we could get a progress update?

2

Now that Dovecot 2.x supports multiple SSL certificates and cPanel supports Dovecot 2.2 as of 11.40, could we at least have some form of includes for the Dovecot configuration to do this manually while waiting for an easier method to become available?


Resellers need to have either their domain or their customer's domain, and not our hostname's URL, for their customers.


This would be for Dovecot, Exim, FTP, webmail and cPanel services.


It would make a real difference for them to be able to have everything in their name so their customers would have to search harder to find who they are.


We need this for ourselves and for our reseller customers while it would make things easier for all customers as SSL certs with SNI can be quite cheap.

1

If domain doesn't have an SSL cert then revert to hostname SSL and redirect the /cpanel /webmail etc

2

Lack of this feature is a real pain for sites that have to be PCI Compliant. They fail with error "SSL Certificate with Wrong Hostname" for pop3 and imap, so special exemption has to be negotiated after each scan. Please implement it ASAP.

1

Would also really like an update on this feature. Being able to use my own SSL certificate for pop3 & imap would save so much hassle. Please implement this feature ASAP.

1

Because of the lack of this feature we just lived through 2 days of hell support for our client which has over 100 emails accounts. He initially wanted to use his mail.hisdomain.com, in the end we had to use our server name. What a disaster!


*Bump* to get this feature in a future release!

2

I've only been running as a host for 12 months, and already I find it absolutely shocking that this feature hasn't been implemented.


All my clients should by default be able to use mail.theirdomain.tld - but unless they do it unencrypted they have to use mail.mydomain.tld.


It's very confusing for my clients, and in all honesty - really naff!


I vote for this feature to be bumped up the priorities too.

1

Having to explain the lack of this feature to clients is painful.


Please commit developer time to this ASAP. At least I now have a statement from Tristan J. Wallace that I will quote to clients, so we can at least side-step some of the hostility. It still doesn't stop them asking to be moved to our Plesk servers and asking why we chose a cPanel solution in the first place.

1

What statement from Tristan?

1

YES!

This would be a great feature!

1

The lack of communication from cPanel regarding this issue is appalling. Thankfully, I don't have to put up with the lack of this feature any longer... I'm biting the bullet and setting up my own server without any cPanel whatsoever. Goodbye cPanel, RIP.

1

Will this ever be done ?

1

This is a serious pain for PCI compliance scanning. It's long over-due to be able to use multiple SSL certificates for email, ftp, etc.

1

You should add this feature... it's really needed! Is there any workaround? ="(

1

tandyuk wrote:

Having got truly fed up with the time this is taking to implement (I have been watching this request since its inception back in March 2011), I have started to modify my own scripts to do this.


Currently I am testing the attached script with dovecot, which is based on the original script attached to the forum post.


Pre-requisites:

Server with main shared IP, and server wide ssl certificate, eg

1.2.3.4 host.provider.com

Reseller account, with dedicated IP and SSL, for example

2.3.4.5 resellerdomain.com

This should be set as the reseller's main shared IP.


Currently the attached script does the following:


Reads /etc/ssldomains and /etc/userdomains to build a list of reseller domain name, username and IP.


Reads userdata from /var/cpanel/userdata/username/domain.name_SSL and extracts the key, crt, and cabundle paths.


Merges the key, crt and cabundle into a .pem file under /etc/ssl/certs/domain.name.pem


Clones the dovecot config template from /var/cpanel/templates/dovecot2.2/main.default to /var/cpanel/templates/dovecot2.2/main.local (and saves any existing main.local as main.local.1)


Adds IP-specific SSL certificates to the main.local template.


Invokes /usr/local/cpanel/scripts/builddovecotconf

and restarts dovecot.


I have *only* tested this script on 11.40 with dovecot.

I have left in (and in some cases commented out) the original courier components of the script.


Todo:

Make sure this still works for courier

Add support for Exim, and Cpanel/whm/webmail services


Hopefully this can get cPanel in gear to make this fairly simple request a standard part of cPanel, to happen automatically when a user installs an SSL certificate on their dedicated IP's domain.


My resellers love it, as now their clients can access email services securely using SSL on resellerdomainname.com, rather than having to accept security warnings, or connect directly to server.hostingprovider.com.

Thank you all for the explanation, it really helped me

2

I do agree with this feature request.


+1 from me...


cPanel Team Please at least work on implementing this request as quick as possible.

1

I do agree with this feature request.

2

I was looking into this to support this for one of my clients for PCI compliance and found out that exim and dovecot are capable of this (or at the very least SNI) so this should make it easier for cpanel to add this functionality.


This has been requested for a while now, it would be nice to see them finally release this functionality especially since they now support SNI in apache.

1

I'm really needing this feature as my business is too small to buy more IPs currently and I only have enough for one dedicated licence atm. If my business is going to grow with resellers then they need to offer them the ability to display their own name for SSL. Please cPanel, come up with a solution where we can add multiple SSL certs to FTP, Exim, Dovecot, cPanel, WHM, Webmail.

1

Why is cPanel so slow to add this feature... it's really needed, customers don't want to use another domain for secure SSL mail. If someone has done it with a script, this should be easier for cPanel developers!! ="(

1

Finally in progress.. Thank you cPanel.

1

Much needed. I hope it arrives soon.

1

We have updated cPanel & WHM to use the installed SSL Certificate for IMAP, POP, and SMTP. This is in 11.48 which is currently at release.


cpsrvd & webdisk are not in this update.

1

Great to see an official statement, @ Matt Dees, and one that's so positive. Do we have an ETA at all?

1

with the new changes in browsers that limits access on selfsigned ssl pages, it is getting very hard for the user to use webmail... we need this as soon as possible!

1

We're looking for a way to migrate an old server onto a new one but keep the hostname working for customers who have email accounts set up with SSL and the previous hostname. It's just occurred to me that this will solve my problem, as I will be able to create an account with the old hostname and install an SSL cert for this account in Dovecot.

1

Yes this feature is required. Customers expect emails to work on SSL.

2

Please please please... this feature will save me, and I believe the rest of us too, a lot of problems.

2

Is there any ETA for this change? Even a pessimistic best case? At the moment we have an urgent need and no idea of when we might see this implemented.

1

Yes this feature is required!

1

This would be excellent...


+1,989,271 from me...


You should now have enough +1s to implement this solution!

2

I have a server hosted with multiple domain names & a hosted email server (containing multiple domain names).


Can I install one single (domain name) SSL certificate on that server?


Will it affect other domain names?


Can I install an SSL certificate for emails in a particular domain name?


Can I use a particular SSL certificate for different services like HTTPS, POPS, SMTP etc...?


Please explain the details.


Thanks....

1

Could we get an ETA from one of the cPanel team?

1

We have updated cPanel & WHM to use the installed SSL Certificate for IMAP, POP, and SMTP. This is in 11.48 which is currently at release.


We have not yet worked on extending this to cpsrvd or webdav.

2

So, any ETA for extending it cpsrvd?

1

Travis, can you please explain what your reply means?


Specifically...if I am using cPanel 11.48 or newer can I have a sub-cPanel account that is using their own domain name to send and receive mail over SSL instead of being forced to use the server's name?


If so, can you please tell me where I can find instructions that explain how to configure this?


Thanks.

1

@Lazio, you can do this via Mail SNI; we have documentation on how to accomplish this at https://documentation.cpanel.net/display/ALD/Manage+SSL+Hosts#ManageSSLHosts-SNIforMailServices - This allows you to use mail.yourdomain.com to send and receive mail.


Do note that this is for mail clients that utilize SMTP/POP/IMAP, this will not work directly for webmail links (which are within cpsrvd)

1

Thanks for your reply Terrance.

I just got it working. SNI was already enabled but when I tried to get this working in the past I kept getting errors in my mail client. I might have been entering the wrong prefix for the mail server (e.g., server.mydomain.com instead of mail.mydomain.com).

I also read that Outlook for Mac does not support SNI...which I was using up until a few weeks ago before switching to Apple Mail.

I ended up using the Auto Configuration Scripts...which automatically did all the email client setup for me.

One odd thing that I noticed...the auto config script did not use any prefix at all for the inbound and outbound server name when using SSL.


1

@Lazio It will not prefix, but it will use your local domain's actual hostname rather than the server's hostname. The reason it doesn't prefix with mail. is because it does not know (or care) if you have a wildcard certificate or just a normal DV certificate. It specifies the domain only for SSL connections for that purpose.
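The prefix question answered above comes down to which DNS names the certificate actually carries, and it is the same check behind the PCI "SSL Certificate with Wrong Hostname" failures for POP3 and IMAP mentioned earlier in the thread. What follows is an added example, not cPanel code: a name matcher following the RFC 6125 rules that Python's own ssl module applies (a wildcard stands for exactly one left-most label, so `*.example.tld` covers `mail.example.tld` but not `example.tld` itself or `a.b.example.tld`), plus a live check that connects to a mail port with SNI set and lets the default context verify the name, which is what a mail client or an ASV scanner does. `MAIL_PREFIXES`, `coverage_report`, `safe_mail_hostname` and `live_check` are names chosen for this example, and the SAN lists in the usage block are constructed.

```python
"""Which mail hostnames does a certificate cover? Added example, not cPanel code."""
import imaplib
import smtplib
import ssl

MAIL_PREFIXES = ("", "mail.", "imap.", "pop.", "smtp.")  # hosts people type into mail clients

def dns_name_matches(pattern, hostname):
    """RFC 6125 style match of one SAN dNSName pattern against a hostname."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    head, _, tail = pattern.partition(".")
    if head != "*" or not tail:  # reject m*.x, *.* and a bare '*'
        return False
    label, _, rest = hostname.partition(".")
    return bool(label) and rest == tail  # the '*' stands for exactly one label

def covers(san_dns_names, hostname):
    return any(dns_name_matches(p, hostname) for p in san_dns_names)

def coverage_report(san_dns_names, domain):
    """Each usual mail hostname for `domain` mapped to whether the certificate verifies for it."""
    return {p + domain: covers(san_dns_names, p + domain) for p in MAIL_PREFIXES}

def safe_mail_hostname(san_dns_names, domain):
    """First hostname a client can use without a name-mismatch error, or None."""
    return next((h for h, ok in coverage_report(san_dns_names, domain).items() if ok), None)

def live_check(host, port=993, starttls=False):
    """Connect as a mail client or scanner does: SNI set to `host`, chain and name verified by
    the default context. Returns ('ok', dNSNames) or ('mismatch', reason). Needs network access."""
    ctx = ssl.create_default_context()
    try:
        if port == 465:
            conn = smtplib.SMTP_SSL(host, port, context=ctx, timeout=10)
        elif starttls and port == 587:
            conn = smtplib.SMTP(host, port, timeout=10)
            conn.starttls(context=ctx)
        elif starttls:  # IMAP on 143
            conn = imaplib.IMAP4(host, port)
            conn.starttls(ssl_context=ctx)
        else:  # IMAPS on 993
            conn = imaplib.IMAP4_SSL(host, port, ssl_context=ctx)
        san = conn.sock.getpeercert().get("subjectAltName", ())
        conn.sock.close()
        return "ok", tuple(v for k, v in san if k == "DNS")
    except ssl.SSLCertVerificationError as exc:
        return "mismatch", str(exc)

if __name__ == "__main__":
    # Constructed SAN lists: a plain DV certificate versus a wildcard.
    dv = ["example.tld", "www.example.tld"]
    print(coverage_report(dv, "example.tld"))                    # only example.tld is True
    print(safe_mail_hostname(dv, "example.tld"))                 # example.tld
    print(safe_mail_hostname(["*.example.tld"], "example.tld"))  # mail.example.tld
```

The matcher explains both behaviours described in this thread: an auto-configured client that uses the bare domain works with a plain DV certificate, while a hand-typed `mail.domain.tld` fails unless the certificate lists that name or is a wildcard, and a wildcard alone does not cover the bare domain.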

1

How can this be configured? I updated cpanel and this reseller SSL for services was not automatically configured.


1

Please provide documentation for this feature (or a pointer to it). I looked on my WHM, which is on the correct release, and didn't see how to do this.

1

Travis Ellis wrote:

We have updated cPanel & WHM to use the installed SSL Certificate for IMAP,POP, and SMTP. This is in 11.48 which is currently at release.


We have not yet worked on extending this to cpsrvd or webdav.

Hi Travis,


I'm not 100% clear on what this means. Does this mean that it will use one SSL cert for all services (except Apache) on all domains/accounts? This does seem to be case for me right now, but I'm hoping that each account will be able to set its own cert for mail services. If you're saying that that is now possible, what are the steps necessary to do it?


Thanks!


Dale

1

Just click on enable mail sni in the users ssl cert management page.

1

Just checking to see if you guys have already started working on extending this to cpsrvd and webdav.


Thanks in advance!

2

Hope to see support for cpsrvd (webmail, cPanel and WHM), IMAP, POP, SMTP


VERY SOON so our resellers can use this.

1

It's unclear to me what Matt Dees response actually means. Does this mean that with cPanel version 11.48 that we can have a VPS server with multiple sub-cPanels and allow users to send and receive mail via SSL using their own domain name instead of forcing them to use the primary server's name?

1

Any update on this feature?

1

In 11.50.2 (build 2) it's still not working, just tested it with my hosting.

3

It should be the domain used for ssl like with mail sni so it would be something like :


https://DOMAIN.TLD:2096


so when a user uses :


http://DOMAIN.TLD/webmail


They would be redirected to :


https://DOMAIN.TLD:2096


Which would use their certificate.


It would also be nice if it could also make use of their IP if they have a dedicated IP.

1

Years to develop this function?

2

Isn't the reseller functionality broken because of this? How can I resell something if it can't properly run services on its secure certificate?

1

This will be great function for resellers!

1

Here is a screen capture that shows where to enable the SNI feature if you want to use a sub-cPanel domain name for sending and receiving mail via SSL.



2

I'm hoping this will be enabled for cpsrvd soon! If I install a cert for a domain, URL like https://mydomain.com:2096 should work automatically...

1

It should be available for all the domains .


default SSL certificate installed for server should be used by all domains cPanel services.

1

This is long overdue. Without giving too much away, we have a client using Security Metrics (SM) as their PCI ASV and SM simply won't pass any cpanel domain because a request to https://customerdomain:2083 is served with the main hostname's SSL certificate - a mismatch that SM insist is creating a MiM vulnerability (which is irrelevant bullshit for several reasons - but I digress). It's simply not possible to redirect or do anything with such a request until SNI is supported for all cpsrvd services.


Incidentally, Security Metrics

1

Yikes, what a strange move by Security Metrics. If this is going to be a new PCI requirement, then it would indeed be prudent for cPanel to accelerate the implementation of SNI for all services.


In the meantime, have you tried submitting a dispute to SM saying that all credit card information is only processed via HTTPS over port 443 to see if they’ll accept that for now?

1

I've just had a client fail a PCI-DSS scan (also Security Metrics) for taking credit card payments in their shop because their firewall allowed dial-in SSL VPN on port 443, which had a self-signed cert on it.


I think Security Metrics just make it up as they go along.

1

It's a very irritating move by Security Metrics - I'll grant you that. Their argument is total BS. They are saying that the issue poses a threat - but... if a cPanel user can be convinced to submit their cPanel login details to a cPanel server on port 2083 after getting a certificate mismatch, then they are just as likely to enter credentials into any bogus website sporting their production domain name. It took several emails to even gain authorisation to speak to them on behalf of my customer - and even then the person I spoke to was very cagey about staffing levels, and the whereabouts of his/her supervisor. I won't be recommending our hosting customers to them as an ASV.

1

Having the ability for cPanel/WHM/Webmail support multiple SSL certificates (even just one per IP the old fashioned way) would be a big help for when we're migrating people to new servers (such as right now from CentOS 5 to 6). We get a lot of complaints because they bookmarked their cPanel login which contains the redirected hostname in it which is no longer valid.

2

Hey all - One of our developers is working on this as he can (it will likely be included in v60, but may take as long as v62), but it currently will not include FTP, MariaDB, or MySQL. For that reason I've created new requests for those three to be more clear when we start updating this one, which can be found here:


https://features.cpanel.net/topic/sni-support-for-mysql

https://features.cpanel.net/topic/sni-support-for-mariadb

https://features.cpanel.net/topic/sni-support-for-ftp

1

Thanks Benny for the update! :)

1

No problem!

1

Why not just instruct people to ALWAYS go to theirdomain.com/cpanel or theirdomain.com/webmail ?


Sure, people don't listen, but just because they don't listen doesn't mean you move the world for them.


Or am I missing something? Why is it so difficult for users to remember /cpanel and /webmail and /whm ?


This request actually makes more sense for FTP, MySQL, MariaDB, and any other service that doesn't provide a redirect function. Apache and HTTP provides a redirect. So no matter what server you move the account to - theirdomain.com/cpanel will always redirect to the proper secure link.


That's my 2 cents on this.

2

When port 2083 or 2096 aren't accessible it's important that users can access cPanel from standard ports using, for example, cpanel.theirdomain.tld; also, resellers don't necessarily want their customers' domain to redirect to the server hostname containing the host's domain.

1

100% agree with Monarobase


  1. Users find it difficult to remember the port numbers.
  2. Whenever I move a domain from one server to another, it becomes quite a hassle to get the users to update their saved settings for the new server name.

It would be much better if they could just go to https://cpanel.theirdomain.tld

1

I never really liked cPanel's rendition of proxy subdomains. It's a good idea, but perhaps not the best way to implement it.


What I did on our servers was to set up one proxy subdomain for each service, based on the server's hostname, i.e.:


cpanel.servername.tld

webmail.servername.tld

whm.servername.tld


Then I set up a certificate (wildcard in this case, but this was before Let's Encrypt and other free certificate authorities) for each of these subdomains.


Then I added an alias /proxy-cpanel, /proxy-webmail, /proxy-whm to redirect to the corresponding SSL proxy subdomain, i.e.:


http://example.tld/proxy-cpanel -> https://cpanel.servername.tld


This way I can ensure secure connection access to cPanel, webmail, and WHM through regular HTTPS ports and it's universal for everyone on the server.


This minimizes the need for extra certificates. The more certificates you have to install the more complicated all of this gets. I prefer to keep it simple.

1

Looking forward to expanding sni to cover this.

1

Just weighing in on this in case it helps. We have hit a brick wall with security metrics because of this issue and need the feature to be ready as soon as possible please. We are looking at the expense of just moving each of these clients into their own VPS environment, which completely defeats the point of having cpanel. I am surprised to see only a few comments here. Is everyone just living with the non compliance at this point and just paying the fees associated?

2

+1 for hoping for this to include cpsrvd (& webdisk) as soon as possible. It's something that has been bugging me for a long time. It's great that my clients can now use their own domain for POP/IMAP/SMTP over SSL - have been really appreciating that - but, I still really wish I could give clients their own domain link to things like webmail (:2096) and cPanel (:2083) and have that SSL secured, without directing them to the server hostname or a page with nasty security warning on it.

1

Just came across this issue too moving my resellers back to my main server; would like to see an update on this progress? I just need it for 1 other domain.

3

Hey all - One of our developers is working on expanding our SNI support to include cpsrvd (cPanel, webmail). It will likely be included in v60, but may take as long as v62, and it's currently being tracked in another feature request. I do want to mention that the work currently being done will not include FTP, MariaDB, or MySQL. For that reason I've created new requests for those to be more clear when we start updating this one, which can be found here:

https://features.cpanel.net/topic/sni-support-for-mysql

https://features.cpanel.net/topic/sni-support-for-mariadb

https://features.cpanel.net/topic/sni-support-for-ftp

If you have any further questions, please do let me know!

1

thanks! since i only need this for one other domain, would creating a SAN ssl certificate solve the issue for me?

1

It depends strongly on what you're trying to solve specifically. I'm going to email you, since I'd like to keep this thread limited as much as possible to updates from us at this point.

1

Hi everyone! The developer working on this has a functionality question:

If we use “x.y.tld” as our example domain, on any given cPanel & WHM server there are multiple services that might use an SSL certificate. For example, if 3 different SNI-enabled services will host content, is there any reason for those 3 services not to use the same certificate for that domain?

Put another way: what would be the disadvantages of having a single SSL repository that Exim, Dovecot, cPanel, webmail, and other SNI-capable services (eventually even Apache) would use for loading keys/certs?

We haven't come up with any use-cases that would make this behavior undesirable. Do you guys have any?

2

If you’re talking about accessing cPanel via x.y.tld:2083, then it would seem fine to use the same certificate, and the same with other services such as Exim, Dovecot, MariaDB, etc.


However, don’t forget about the proxy subdomains use-case (i.e. cpanel.x.y.tld, webmail.x.y.tld, whm.x.y.tld, etc. via port 443), where those additional certificates will need to be generated as well.

1

Since wildcard certs cost a lot more than buying 2 or even 3 simple certs, I'd like to be able to use one cert for mail.domain.tld, another cert for webmail.domain.tld and another for (www.)domain.tld.


Also currently I have resellers using certs on mail.resellerone.tld and mail.resellertwo.tld for their clients' mail setups. I'd really want to be able to use webmail.resellerone.tld and webmail.resellertwo.tld as well.

1

I can't see any disadvantages either. That's already how we configure the main cPanel cert but maybe other people might have some different use cases.

1

The one that springs to mind is clients who assume mail uses 'mail.domain.com' rather than 'domain.com'.

Unless all these certs are wildcard of course.

1

I agree. I believe that the default setup instructs users to configure mail.x.tld. Also ftp.x.tld.

1

Not to mention 'pop.domain.com', 'imap.domain.com', and 'smtp.domain.com', which we auto-add for our users.


As such, it would be best if an interface could be presented in WHM that allows for additional canonical domains (and their auto-generated SSL certificates) to be associated with each SNI-capable service including Exim, Dovecot, cPanel, Webmail, etc.

1

I believe these should be by default from cpanel, imap. smtp. ..

1

Also I should point out a lot use mail.domain.com so that if they ever move to office365 for example, the migration is smoother - as long as mailbox names/passwords match, they dont need to update any settings in mail clients.


1

I haven't read through this all completely (a lot to read!) so forgive me if I'm commenting on something that's already been stated.


But what services are we talking about here? I'm just not sure how useful this is.


Are we talking about cPanel/WHM/Webmail? Why not just direct your clients to ALWAYS use http://example.tld/cpanel or http://example.tld/whm or http://example.tld/webmail and use the Tweak Settings feature to always redirect these links to the secure server link, i.e. http://example.tld/cpanel -> https://full.servername.tld:2083


I do see where this could possibly be beneficial for mail. But Exim and Dovecot are already set up to handle SNI. I would just expand the AutoSSL feature to automatically add a mail.example.tld CN to the certificate and install this certificate for use in Exim and Dovecot. This way users can use mail.example.tld or example.tld as their secure host name for mail.


What other services are really accessed via a secure link?


Is this feature really needed?

photo
1

Losing webmail is not important to my users but not being able to change their own passwords when they forget theirs (a very common problem) would be a major inconvenience.

photo
1

I agree with James, I have many clients who prefer "mail.domain.com" to "domain.com", same with FTP and other services.

photo
1

The more complicated you make it, the harder it is to use. I think you should go with the simple one. If you want mail.domain.com, then get a wildcard certificate. Period.

photo
1

Having to get clients to buy wildcards would be a killer for me. Wildcards are substantially more expensive than buying 2 or 3 basic certs and I need to be able to mandate SSL and include the certs for free within my packages.

photo
2

To clarify for everyone, we wouldn't be limiting the SSLs that could be installed/defined for an account. Currently if an SSL is installed for a domain x.domain.tld, it's configured for Apache, and then (assuming you enable MailSNI services for the domain) it's also installed (in a different location) for Dovecot and Exim.


In our example, our thought is that an SSL for x.domain.tld would be installed in one place on the system, and then all SNI-enabled services (which would include cpsrvd, in addition to Apache and mail, once we get this feature added) would be configured to use that single SSL certificate for any connections to x.domain.tld.


The question stated in a different way: is there ever a time where you might want to use one SSL for x.domain.tld in Apache, and a different SSL for x.domain.tld in exim?

photo
2

Thanks for the clarification. Personally, I can't imagine a scenario where we would have a need to use two different certs. As long as the cert does the job for all those services it will be a huge step forward.

photo
2

Not that I can think of, no. It should be fine to use the same SSL for x.domain.tld for different SNI-enabled services.

But, it must not be assumed that if x.domain.tld is used for a non-Apache service, that it is also already in use (or needed) by Apache. That’s why an interface allowing the server administrator to specify custom canonical domains for each SNI-enabled service is important.

For example, if we could assign the following:

Dovecot:
    mail.domain.com
    imap.domain.com
    pop.domain.com

Exim:
    mail.domain.com
    smtp.domain.com

Unless the cPanel user specifically adds these as actual subdomains in their cPanel, they shouldn’t be configured for Apache by default.

The above statement might sound obvious, but it’s safer to be clear, since currently Apache happens to be the "go-to service" that has its certs duplicated for Dovecot and Exim.

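The comments above boil down to one question an administrator has to answer after the feature ships: does the single certificate installed for x.domain.tld actually cover every hostname that clients type into their mail and cPanel settings (mail., imap., pop., smtp., cpanel., webmail.), or only the Apache names? The following script is an added example, not cPanel's code or any commenter's: it matches a certificate's DNS SAN list against an assumed per-service hostname layout (the layout, the port table and the example domain are my assumptions, not something the thread specifies) and can optionally connect to a live server with a given SNI name to read the SAN list the service really presents.

```python
"""Check which client-facing hostnames a TLS certificate covers, per service.

Added example for this thread; not cPanel code. The service/hostname layout
below is an assumption of what users in the thread expect to configure.
"""
import socket
import ssl
from typing import Dict, Iterable, List

# Ports that speak TLS directly (no STARTTLS): IMAPS, POP3S, SMTPS and the
# well-known cPanel (2083), WHM (2087) and Webmail (2096) SSL ports.
DIRECT_TLS_PORTS = {"https": 443, "imaps": 993, "pop3s": 995, "smtps": 465,
                    "cpanel": 2083, "whm": 2087, "webmail": 2096}


def name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match: exact name, or '*' as the whole leftmost label.

    A wildcard covers exactly one label, so '*.example.com' covers
    'mail.example.com' but neither 'example.com' nor 'a.b.example.com'.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    labels = hostname.split(".")
    # require at least three labels so a wildcard never spans a public suffix
    return len(labels) >= 3 and ".".join(labels[1:]) == pattern[2:]


def covered_by(sans: Iterable[str], hostname: str) -> bool:
    """True if any SAN entry in the certificate matches the hostname."""
    return any(name_matches(san, hostname) for san in sans)


def expected_names(domain: str) -> Dict[str, List[str]]:
    """Hostnames clients are commonly told to use, per service (assumed layout)."""
    return {
        "https":   [domain, "www." + domain],
        "imaps":   ["mail." + domain, "imap." + domain],
        "pop3s":   ["mail." + domain, "pop." + domain],
        "smtps":   ["mail." + domain, "smtp." + domain],
        "cpanel":  ["cpanel." + domain],
        "webmail": ["webmail." + domain],
    }


def coverage_report(sans: Iterable[str],
                    expected: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """For each service, list the expected hostnames the certificate does NOT cover."""
    sans = list(sans)
    return {svc: [h for h in hosts if not covered_by(sans, h)]
            for svc, hosts in expected.items()}


def live_sans(host: str, port: int, sni: str, timeout: float = 5.0) -> List[str]:
    """Connect with the given SNI name and return the DNS SANs of the cert presented.

    The chain is still verified against the system trust store; only the
    hostname check is disabled so that a mismatched certificate is reported
    rather than rejected before we can see its names.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=sni) as tls:
            cert = tls.getpeercert()
    return [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]


if __name__ == "__main__":
    # Offline demonstration on constructed SAN lists (assumed example domain).
    plain_cert = ["example.com", "www.example.com", "mail.example.com"]
    wildcard_cert = ["example.com", "*.example.com"]
    for label, sans in (("per-name cert", plain_cert), ("wildcard cert", wildcard_cert)):
        report = coverage_report(sans, expected_names("example.com"))
        gaps = {svc: hosts for svc, hosts in report.items() if hosts}
        print(f"{label}: uncovered = {gaps or 'none'}")
    # Live check (assumed host); uncomment to probe a real server:
    # for svc, port in DIRECT_TLS_PORTS.items():
    #     print(svc, port, live_sans("server.example.com", port, "mail.example.com"))
```

Running the offline part shows the point several commenters made: a certificate issued only for the Apache names leaves imap., pop., smtp., cpanel. and webmail. uncovered, while a wildcard covers all of them; the live probe, pointed at a server with the per-service SNI names, tells you which of those names each service will actually answer for.
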
photo
2

@benny Can you please tell us when an update that addresses this issue will be released? At the very least, can you please tell us if this new feature is even in alpha testing yet?

photo
3

Unfortunately I can't yet tell you when it will be released. We are discussing internally, and hope to have SNI support added to cpsrvd for cPanel & WHM version 60, but we won't know for sure until later in the development cycle.

photo
1

I'm maybe not quite reading it right, but for a domain myclient.co.uk, would I be able to have a cert for webmail.myclient.co.uk used for webmail and another cert for mail.myclient.co.uk used for Exim/Dovecot? Or would I be forced to use one cert, and pick one hostname for all these services?

photo
1

Some users have an EV cert for Apache and wish to use another or free SSL for cPanel services.

It would be great if AutoSSL could be used for these services?


Customers have asked for their own SSL on:

mail.domain.tld, cpanel.domain.tld and webmail.domain.tld.

These are the most important subdomains to get up and running on an SSL.

photo
2

This is now officially in progress. We're hoping to see this land in version 60, still, but it's far too early to tell. I will update you here as soon as I know more!

photo
2

Great news, thanks for keeping us informed.

photo
1

This feature is now live in the EDGE tier, as of version 59.9999.86. (note: 59 is the development build version for 60). cpsrvd and cpdavd both now support SNI, and we'd love for you to take a look! cPanel, WHM, webmail, webdav and caldav all use domain-specific SSLs now.

photo
1

Many thanks for the update. Are proxy subdomains supported?

photo
1

Proxy subdomains are a tough nut to crack because this will require re-engineering the virtual hosts in httpd.conf. Currently all of the proxy subdomains are in one vhost, but since Apache ties SSL certificates to vhosts rather than domains (grr …), extending SNI coverage to proxy subdomains is much trickier than we’d like. It may be more feasible with some of the newer tricks in Apache … of course, the need to support old Apache versions (2.2.12 will be the minimum in 11.60) will be a handicap for anything that would rely on things that are new to 2.4.

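To make the constraint in the comment above concrete: Apache selects a certificate per virtual host, using the SNI name only to pick which vhost answers, so every name that shares one vhost is served the same certificate. The fragment below is an added illustration, not cPanel's generated httpd.conf and not a recommendation for editing it by hand; the domains, paths and certificate file names are placeholders. The first vhost shows the "one vhost for all proxy subdomains" shape the commenter describes, where cpanel.example-a.tld and cpanel.example-b.tld necessarily present the same certificate; the second pair shows what per-domain coverage would require, a separate vhost (and certificate) for each domain's proxy subdomains.

```apache
# Shape A: all proxy subdomains for every account in ONE vhost.
# Whatever SNI name the client sends, Apache answers with this single cert,
# so it must list every cpanel./webmail. name as a SAN or use a wildcard.
<VirtualHost *:443>
    ServerName   proxy-subdomains.server.example.tld
    ServerAlias  cpanel.example-a.tld webmail.example-a.tld
    ServerAlias  cpanel.example-b.tld webmail.example-b.tld
    SSLEngine    on
    SSLCertificateFile    /path/to/shared-cert.pem      # placeholder
    SSLCertificateKeyFile /path/to/shared-key.pem       # placeholder
    # reverse proxy to cpsrvd (port numbers are cPanel's usual cPanel/Webmail ports)
    RewriteEngine on
    RewriteCond %{HTTP_HOST} ^cpanel\.   [NC]
    RewriteRule ^/(.*)$ http://127.0.0.1:2082/$1 [P]
    RewriteCond %{HTTP_HOST} ^webmail\.  [NC]
    RewriteRule ^/(.*)$ http://127.0.0.1:2095/$1 [P]
</VirtualHost>

# Shape B: one vhost per account, each with that account's own certificate.
# Apache picks the vhost from the SNI name, so each domain gets its own cert,
# at the cost of one extra vhost (and rewrite block) per account.
<VirtualHost *:443>
    ServerName   cpanel.example-a.tld
    ServerAlias  webmail.example-a.tld
    SSLEngine    on
    SSLCertificateFile    /path/to/example-a-cert.pem   # placeholder
    SSLCertificateKeyFile /path/to/example-a-key.pem    # placeholder
    RewriteEngine on
    RewriteCond %{HTTP_HOST} ^cpanel\.   [NC]
    RewriteRule ^/(.*)$ http://127.0.0.1:2082/$1 [P]
    RewriteCond %{HTTP_HOST} ^webmail\.  [NC]
    RewriteRule ^/(.*)$ http://127.0.0.1:2095/$1 [P]
</VirtualHost>

<VirtualHost *:443>
    ServerName   cpanel.example-b.tld
    ServerAlias  webmail.example-b.tld
    SSLEngine    on
    SSLCertificateFile    /path/to/example-b-cert.pem   # placeholder
    SSLCertificateKeyFile /path/to/example-b-key.pem    # placeholder
    RewriteEngine on
    RewriteCond %{HTTP_HOST} ^cpanel\.   [NC]
    RewriteRule ^/(.*)$ http://127.0.0.1:2082/$1 [P]
    RewriteCond %{HTTP_HOST} ^webmail\.  [NC]
    RewriteRule ^/(.*)$ http://127.0.0.1:2095/$1 [P]
</VirtualHost>
```

Shape B is exactly the re-engineering the comment refers to: the certificate-to-vhost binding means per-domain proxy-subdomain certificates cannot be added by changing a certificate path, only by splitting the vhost, which is why it was deferred rather than shipped with the cpsrvd/cpdavd SNI work.
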
photo
1

I would like to see it working with the customer's cert or certs on webmail, ftp, IMAP, SMTP, as that is one of the most asked questions we get right now after enabling AutoSSL, and they get their cert.


As far as /cpanel or /whm go, it would be nice to choose a cert, most likely the reseller's or account owner's.

photo
1

Version 60 is now available in CURRENT, and includes this feature. Like Felipe said, proxy subdomains are not included in this iteration, but will be considered in a future release. You can see the details of this feature's release in the release notes here:

https://documentation.cpanel.net/display/ALD/60+Release+Notes

If you would like to vote for the support of proxy subdomains you can vote on that over here:

https://features.cpanel.net/topic/allow-to-make-certificate-for-subdomains-like-cpanel-example-com-and-mail-example-using-lets-encrypt

If you have any questions, feel free to follow your typical support path, or send me an email.
