Thread: CNAME & SSL

  1. #1
    CNAME

  2. #2
    The solution that we have done for some sites is as follows:
    1. Set up a wildcard DNS entry so that anything.example.com is resolved to your server.
    2. Use a wildcard SSL cert from RapidSSL, obtainable from servertastic for about $200.
    Your clients can then use something like theirdomain.example.com as the link target, and your server will behave properly without popping SSL warnings.
    By using a wildcard DNS entry, you have exactly zero maintenance to worry about.

  3. #3
    Maybe I'm not understanding you correctly, but don't wildcard SSL certificates still only function for one domain name? Which means it would only work for them.ourdomain.com, not theirdomain.com.
    We would like them to be able to secure their own domain, not a subdomain of ours that is already secured.
    I'm pretty sure there isn't a wildcard SSL certificate that works for all root-level domains... but if there is, I'd like to know about it.
    It seems that I will have to install an SSL certificate (unless there are other options) for additional root domains. I just don't want to have to do it myself through cPanel... I'd rather they do it themselves through our PHP-powered website.

  4. #4
    If you want them to do it themselves you might need to develop a plugin for cPanel so they can create it by interacting with that plugin through your PHP powered site. Not 100% sure if this is possible, so you might want to research it.

  5. #5
    You would not be able to accomplish this through URL forwarding/CNAME, as CNAMEs cannot be in the https format, i.e. www.clientdomain.com cannot show up as https://www.clientdomain.com unless that site has a dedicated IP and an SSL cert issued to that specific domain. One way around this would be to set up a wildcard cert with a white-labelled name, like *.securesite.com, so when a user of your client's site is taken from www.clientdomain.com to https://clientdomain.securesite.com it looks more official. Either you or your client would just change all links to secure pages to use that format. Conversely, all links away from the secure pages would go back to http://www.clientdomain.com, which is being forwarded to yourcompanywebsite.com/clientname/index.html. If your clients wanted an SSL cert for their actual domain, it is pretty easy for them to install from a cPanel account themselves, or you could charge a fee. You can also set up a shared SSL certificate in the format of https://sharedssldomain.com/~username, but in that case they would have to have an account on your server and not just be using URL forwarding or URL framing.

  6. #6
    Quote (originally posted by LukeSc):
        So my question is: what options do I have available to me?
    The one suggested by plumsauce is most common and probably best. Otherwise they will need their own certificate in order to use their own domain name.
    Quote:
        Is there some kind of "wildcard" certificate that does any domain (not just one)?
    No - that would defeat the object of SSL certificates.
    Quote:
        Is there any way I can allow them to install their own certificate through our site for their domain?
    This really depends on the control panel. DirectAdmin allows users to set up their own certificates. I thought cPanel didn't, but it does now seem to have this in the SSL/TLS Manager section. However the user will also need a dedicated IP address which you'll need to assign, unless you automatically give one to each user on sign-up.
    Edit: One other consideration here - setting up a certificate requires some technical expertise. If your average user doesn't have it then asking them to do it themselves might actually give you more work (answering support requests) than just doing it for them...
    Quote:
        Any way to have PHP handle all the SSL stuff instead of apache?
    I may be wrong but I'm pretty sure the answer to that one is also... No.
    Good luck!
    __________________
    Chris <ClonePanel>
    "Not everything that can be counted counts, and not everything that counts can be counted" - Albert Einstein
    Last edited by foobic : 12-13-2008 at 09:15 PM.
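
    The wildcard question raised in posts #3 and #6, as an added example that is not part of any post in this thread: a simplified Python version of the name check a TLS client performs, showing which hostnames a `*.example.com` certificate covers. The certificate names and hostnames are constructed from the placeholders used in the thread, and the two-fixed-label rule is a simplification of what real clients do.

```python
def name_matches(pattern, hostname):
    """True if a certificate name (exact or wildcard) covers hostname.

    Simplified form of the check TLS clients apply: '*' is honoured only as
    the whole left-most label and stands for exactly one label. Real clients
    also consult the Public Suffix List; this sketch just requires two fixed
    labels after the '*'.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if "" in h or len(p) != len(h):
        return False
    if p[0] == "*":
        # Reject "*.com"-style names and any '*' outside the first label.
        if len(p) < 3 or any("*" in label for label in p[1:]):
            return False
        return p[1:] == h[1:]
    if "*" in pattern:
        return False  # partial wildcards such as "w*.example.com" not accepted
    return p == h


def check_hosts(cert_names, hostnames):
    """Map each hostname to the certificate name that covers it, or None."""
    return {
        host: next((n for n in cert_names if name_matches(n, host)), None)
        for host in hostnames
    }


# Constructed sample: names assumed to be on the wildcard certificate from
# post #2, and the kinds of hostname discussed in the thread.
CERT_NAMES = ["*.example.com", "example.com"]
HOSTS = ["theirdomain.example.com", "example.com", "theirdomain.com",
         "www.theirdomain.example.com"]

if __name__ == "__main__":
    for host, name in check_hosts(CERT_NAMES, HOSTS).items():
        print(f"{host:32} -> {name or 'NO MATCH (browser warning)'}")
```

    Only the single-label subdomain and the bare domain are covered; the client's own root domain and a two-level subdomain both fail the check.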

  7. #7
    AFAIK you can only have one SSL cert per hostname/IP. So what you need to do is have a dedicated IP for each SSL site; you'd probably want to charge extra for SSL.
    I've never worked with wildcard ones though. Even with self-signed, you can't have more than one cert per IP, though I suppose that would not be an issue if you get a wildcard one.

  8. #8
    Isn't the requirement for having a dedicated IP only a cPanel requirement? I thought through other control panels like Plesk you could have multiple SSL certs per IP and the requirement is only unique root host names. I do believe you can have multiple certs per IP for more than one root host name on cPanel, you just have to do it manually.
    It does seem having cPanel for this site on the server is causing somewhat of a problem though. I might be better off managing all the stuff I need myself. Either that, or creating a cPanel plugin.
    When I asked about PHP handling SSL... It is possible to direct HTTP traffic through port 443 if you set up the virtual host to do that... It just isn't SSL secured, and would be HTTP. So if you tried https in the browser, it wouldn't be getting the proper request... But I'm wondering, if it's possible to do that, why not have PHP send/receive the proper SSL requests? There are a number of OpenSSL functions available to PHP. I know that with GZIP I've implemented a solution without using Apache's gzip solution, so that it works on any web server... I'm wondering if something similar is possible?

  9. #9
    The limitation to one IP address doesn't come from cPanel, it's the nature of SSL. The server's identity needs to be established during the connection phase, before the server knows which domain the client is requesting. So having multiple domains on name-based virtual hosting with SSL simply can't work (at least not without certificate warnings about mismatched domains). http://en.wikipedia.org/wiki/Transport_Layer_Security
    It looks like developments in SSL/TLS will make IP address sharing possible in future but it's not something you're going to be able to do in PHP, or even by hacking Apache.
    One other thought FWIW: you could use the same IP address but a different port for each client...
    __________________
    Chris <ClonePanel>
    "Not everything that can be counted counts, and not everything that counts can be counted" - Albert Einstein

  10. #10
    I'm pretty sure that you can, if you set an A record on the domain rather than the CNAME. I believe apache sees domain2.com as domain1.com when domain2.com is CNAME'd to domain1.com. The SSL certificate is specified in the virtual host. If you use an A record instead, the virtual host for domain1.com will not match against domain2.com. So it may not be a limitation in cPanel, but rather how Apache works.
    If I were able to bypass Apache's SSL engine and allow PHP to handle SSL communications, I could load the appropriate SSL certificate through OpenSSL functions in PHP. Trouble is apache may filter out certain request headers. Would take some investigating to see if I could get that to work. Was wondering if anyone else had done anything similar.
