  1. #1

    Question WHM / CPanel security certificate issue?

    Hi,

    Just wanted your feedback on something puzzling I've encountered.

    Is it usual for reseller webhosts to have an "invalid security certificate" warning come up when logging into WHM or CPanel?

    I'm a webdesigner, and offer webhosting to my clients through a reseller account. Over the years I've worked with a number of different hosts.

    A few days ago, I signed up for a brand new reseller account, with a host who I found recommended here. (None of my clients' sites are there yet, just a couple of my own.)

    However, I've just run into a troubling feature. When logging into WHM or CPanel, I get an "invalid security certificate" warning. My host tells me that this is no big deal, it's "because the security certificate is self-signed, not by verisign."

    However, it's annoying having to click past the warning page every time, to see the big red warning in my browser's address bar.

    More importantly, I'm concerned that this will create a very poor impression to my clients when they're signing into their CPanels.

    I don't want them to have to click past the warning page every time, and I don't want to have to explain to every one of my clients that it's really OK, and hope that they believe me. I am all about instilling confidence in my clients, and giving them the least amount of worry possible.

    Is this situation typical? I've had reseller accounts before where this hasn't been an issue. But my host says they've been in business for a long while and I am the first one of their clients who's ever objected to the security certificate issue.

    Are there reseller hosts out there where this isn't an issue?

    Thanks!
    all best,
    Denise

  2. #2
    Join Date
    Mar 2007
    Location
    Washington State
    Posts
    1,083
    If you have a valid certificate installed on the server, you can use that. In WHM, it's called Manage Service SSL Certificates. Then you can force SSL in Tweak Settings.

    Hope that helps?
    FazeWire Web Services.
    || We have provided great prices and better support since 2006. Located in Seattle, WA!
    || -----------------
    || Shared Hosting - VPS - Dedicated Servers - Colocation - Software Licenses

  3. #3
    Join Date
    May 2006
    Location
    EU & USA
    Posts
    3,684
    This will also be the case if the customer connects to cPanel / WHM on their own domain ; as cPanel/WHM currently only accepts 1 SSL for the cpanel/whm cpsrvd service, which is the one for the hostname of the server.

    And a customer does not always want to connect to the servers hostname.

    While it is nice if a host provides a SSL for their hostname (it might ease your customers) it has not much more added value as that; and if they then connect to cpanel by using their domain name; they will see the certificate error again

  4. #4
    Hi FazeWire,

    Thanks. I don't really understand. The support guy at the hosting company I signed up with says there is indeed a valid security certificate, and the warning is just "because the security certificate is self-signed, not by verisign."

    He says he could buy a security certificate to install just for that server, but impressed upon me that this is the first time anyone has ever complained about the security certificate warning.

    It seems to me that it's really asking a lot to have my design clients - most of whom have zero knowledge about webhosting and who are alarmed when they encounter such things - have to deal with that security certificate warning every time they log into CPanel.

    I'm just wondering if this situation is typical with most reseller webhosts? Am I very likely to run into this situation elsewhere?

    Thanks!
    all best,
    Denise

  5. #5
    Quote Originally Posted by 040Hosting View Post
    This will also be the case if the customer connects to cPanel / WHM on their own domain ; as cPanel/WHM currently only accepts 1 SSL for the cpanel/whm cpsrvd service, which is the one for the hostname of the server.

    And a customer does not always want to connect to the servers hostname.

    While it is nice if a host provides a SSL for their hostname (it might ease your customers) it has not much more added value as that; and if they then connect to cpanel by using their domain name; they will see the certificate error again
    Thanks for your reply.

    I'm not sure what you mean by "host provides a SSL for their hostname" - is that something I need to do (am I the 'host' and 'hostname'?) or does the company I'm buying the reseller account from do this?

    If it's me, does this mean my clients could log into their own Cpanel accounts from an address associated with my domain name?

    If I get what you're saying, it's that there's never going to be a way for my clients to log onto CPanel with their own domain name such as http://www.clientssite.com/cpanel without getting a warning? That is so odd, as I've had reseller accounts before where this was indeed possible. I guess things change, though.

    I am just trying to create the most seamless and non-worrisome experience possible for my webdesign clients with regard to their hosting accounts.

    Thanks again.
    Denise

  6. #6
    Join Date
    May 2006
    Location
    EU & USA
    Posts
    3,684
    Quote Originally Posted by 3rdfloorview View Post
    Hi FazeWire,

    Thanks. I don't really understand. The support guy at the hosting company I signed up with says there is indeed a valid security certificate, and the warning is just "because the security certificate is self-signed, not by verisign."
    It is a self signed certificate which still does the job of encrypting the data between the customer and the server (really all a SSL does); but due to abuse browsers now warn a LOT about self signed certificates; if you however read the warning well (i admit not something customers tend to do) it even tells you this.

    So yes; it is most likely secure.
    And yes, it can confuse customers.
    and yes, you may run into the same at other hosts.

    And as i said above, if you make a customer connect to their own domain to cpanel; you will still have the issue of this self signed certificate.
    cPanel Servers in Europe: Strasbourg (FR), Haarlem & Amsterdam (NL) & Kent (UK), USA (Los Angeles, St.Louis), Asia (Singapore) | Follow us at Twitter: @040hosting
    Shared | Reseller | (managed) Dedicated Hosting | Domain Registrar | SSL Registrar | Cloudlinux Partner| 040Hosting (Registered company #17093425 KVK Eindhoven, The Netherlands)

  7. #7
    Join Date
    May 2006
    Location
    EU & USA
    Posts
    3,684
    Quote Originally Posted by 3rdfloorview View Post

    If I get what you're saying, it's that there's never going to be a way for my clients to log onto CPanel with their own domain name such as http://www.clientssite.com/cpanel without getting a warning? That is so odd, as I've had reseller accounts before where this was indeed possible. I guess things change, though.
    From the Cpanel forum; from cPanel support staff:
    ( http://forums.cpanel.net/f4/dedicate...il-127949.html )

    Webmail, cPanel and WHM are served by cpsrvd, not Apache. As a result, any SSL certificates you set for Apache do not also automatically work for cpsrvd as it's a completely different server service. Only one SSL certificate can be set for cpsrvd at this time.
    So it would be real odd if you were able to do this before. Unless you simply accepted this certificate (you will not be warned anymore after accepting; and older browsers did not put very large warnings on the screen).

    What i meant about the host is your webhost which can set an SSL for the servername i.e. server1.yourservercompany.tld

  8. #8
    Quote Originally Posted by 040Hosting View Post
    So it would be real odd if you were able to do this before. Unless you simply accepted this certificate (you will not be warned anymore after accepting; and older browsers did not put very large warnings on the screen).
    One of the current hosting companies I buy reseller accounts from (I have two) allows this. Actually, when I first signed up, I ran into the same issue, but after I inquired, my host made some adjustment on the server which allowed it. I, or my clients, can sign into CPanel using the domain name and there is never a security certificate warning.

    Quote Originally Posted by 040Hosting View Post
    And as i said above, if you make a customer connect to their own domain to cpanel; you will still have the issue of this self signed certificate.
    I'm not sure what you mean by "make" them do it? I don't know of any other way to have them sign in to CPanel. Just http://www.clientsdomain.com/cpanel or http://www.clientsdomain.com:2082 - is there some other way to do it?

    best,
    Denise

  9. #9
    Join Date
    May 2006
    Location
    EU & USA
    Posts
    3,684
    Quote Originally Posted by 3rdfloorview View Post
    One of the current hosting companies I buy reseller accounts from (I have two) allows this. Actually, when I first signed up, I ran into the same issue, but after I inquired, my host made some adjustment on the server which allowed it. I, or my clients, can sign into CPanel using the domain name and there is never a security certificate warning.
    AFAIK if they use your domain name and not the server's domain name they must have adjusted cPanel code, which likely means it is not supported anymore; the above remark is not mine but from a cPanel employee. There may be ways to also add the certificate to the cpanel/whm service, but as far as cPanel says this is not supported.

    What IS possible is that the host redirects you automatically to the server's domain: when a client goes to http://www.clientsdomain.tld/cpanel it may redirect the user to https://servername.webhostname.tld:2083

    If it is port 2082 as in your example it will not be SSL but just plain http.

  10. #10
    Join Date
    Aug 2006
    Location
    Ashburn VA, San Diego CA
    Posts
    4,571
    Just disable the 'force ssl' option. Then they won't be redirected to the SSL port which generates the warning. By the way, all you have to do in firefox and IE is import the certificate by clicking a few buttons when the warning pops up, then it won't bother you anymore.
    Fast Serv Networks, LLC | AS29889 | Fully Managed Cloud, Streaming, Dedicated Servers, Colo by-the-U
    Since 2003 - Ashburn VA + San Diego CA Datacenters

  11. #11
    Hi Randy,

    Thanks for your advice. I know about making an exception in IE & Firefox, but I don't particularly want to make all my design clients do that - or for them to get a warning in the first place. Most of them would be quite alarmed to see such a thing.

    How does one disable the 'force ssl' option - where would I do that? (I don't have access to the server, just to my reseller account WHM and my resold accounts under it.)

    all best,
    Denise

  12. #12
    Join Date
    Feb 2005
    Location
    Australia
    Posts
    5,842
    It's a server-wide setting - only your host can change it. And the reason they set it that way in the first place, ironically enough, would be for security. It's much safer to have clients logging in using SSL (even on a self-signed cert) than sending passwords in plain.

    IMO the best option is for the host to install a trusted cert on the server hostname and for all resellers to give their clients a login url on that same hostname. Some resellers don't like this because it reveals that they're reselling but really it doesn't make much difference - the hostname is already visible to the client in many other places.
    Chris

    "Some problems are so complex that you have to be highly intelligent and well informed just to be undecided about them." - Laurence J. Peter
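
Added example (not written by any poster in this thread, and not cPanel code): a small Python check that predicts what a client will see for a given login URL, based on the points made above: port 2082 is plain HTTP, port 2083 is SSL, and the panel service presents a single certificate for the server hostname. The function names and finding labels are hypothetical; the hostnames are the placeholder names used in the thread.

```python
from urllib.parse import urlsplit

PLAIN_PORTS = {2082}  # cPanel over plain HTTP, per the thread


def name_matches(host, pattern):
    """True if host is covered by a certificate name.

    A leading '*.' covers exactly one left-most label, as browsers do.
    """
    host = host.lower().rstrip(".")
    pattern = pattern.lower().rstrip(".")
    if not pattern.startswith("*."):
        return host == pattern
    head, _, rest = host.partition(".")
    return bool(head) and rest == pattern[2:]


def assess_login_url(url, cert_names, ca_trusted):
    """Return the findings a browser user would hit for this login URL.

    cert_names: names on the one certificate the panel service presents.
    ca_trusted: False for a self-signed certificate, True for a CA-issued one.
    """
    parts = urlsplit(url)
    host = parts.hostname or ""
    if parts.scheme != "https":
        if parts.port in PLAIN_PORTS:
            return ["plaintext-login"]     # password crosses the wire unencrypted
        return ["depends-on-redirect"]     # e.g. /cpanel; the host decides the target
    findings = []
    if not ca_trusted:
        findings.append("untrusted-issuer")  # the self-signed warning
    if not any(name_matches(host, n) for n in cert_names):
        findings.append("name-mismatch")     # client domain vs server hostname
    return findings or ["ok"]


if __name__ == "__main__":
    # Constructed sample data, using the thread's placeholder hostnames.
    names = ["server1.yourservercompany.tld"]
    for url in ("http://www.clientsdomain.com:2082",
                "https://www.clientsdomain.com:2083",
                "https://server1.yourservercompany.tld:2083"):
        print(url, assess_login_url(url, names, ca_trusted=True))
```

Only the last URL comes back clean, and only when the certificate is CA-issued, which matches the recommendation above to hand clients a login URL on the server hostname.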
