

WHM / CPanel security certificate issue?




Posted by 3rdfloorview, 08-30-2009, 02:57 PM
Hi, Just wanted your feedback on something puzzling I've encountered. Is it usual for reseller webhosts to have an "invalid security certificate" warning come up when logging into WHM or CPanel? I'm a webdesigner, and offer webhosting to my clients through a reseller account. Over the years I've worked with a number of different hosts. A few days ago, I signed up for a brand new reseller account, with a host who I found recommended here. (None of my clients' sites are there yet, just a couple of my own.) However, I've just run into a troubling feature. When logging into WHM or CPanel, I get an "invalid security certificate" warning. My host tells me that this is no big deal, it's "because the security certificate is self-signed, not by verisign." However, it's annoying having to click past the warning page every time, to see the big red warning in my browser's address bar. More importantly, I'm concerned that this will create a very poor impression to my clients when they're signing into their CPanels. I don't want them to have to click past the warning page every time, and I don't want to have to explain to every one of my clients that it's really OK, and hope that they believe me. I am all about instilling confidence in my clients, and giving them the least amount of worry possible. Is this situation typical? I've had reseller accounts before where this hasn't been an issue. But my host says they've been in business for a long while and I am the first one of their clients who's ever objected to the security certificate issue. Are there reseller hosts out there where this isn't an issue? Thanks! all best, Denise

Posted by FazeWire, 08-30-2009, 03:00 PM
If you have a valid certificate installed on the server, you can use that. In WHM, it's called Manage Service SSL Certificates. Then you can force SSL in Tweak Settings. Hope that helps?

Posted by 040Hosting, 08-30-2009, 03:14 PM
This will also be the case if the customer connects to cPanel / WHM on their own domain; as cPanel/WHM currently only accepts 1 SSL for the cpanel/whm cpsrvd service, which is the one for the hostname of the server. And a customer does not always want to connect to the server's hostname. While it is nice if a host provides a SSL for their hostname (it might ease your customers) it has not much more added value than that; and if they then connect to cpanel by using their domain name, they will see the certificate error again.

Posted by 3rdfloorview, 08-30-2009, 03:16 PM
Hi FazeWire, Thanks. I don't really understand. The support guy at the hosting company I signed up with says there is indeed a valid security certificate, and the warning is just "because the security certificate is self-signed, not by verisign." He says he could buy a security certificate to install just for that server, but impressed upon me that this is the first time anyone has ever complained about the security certificate warning. It seems to me that it's really asking a lot to have my design clients - most of whom have zero knowledge about webhosting and who are alarmed when they encounter such things - have to deal with that security certificate warning every time they log into CPanel. I'm just wondering if this situation is typical with most reseller webhosts? Am I very likely to run into this situation elsewhere? Thanks! all best, Denise

Posted by 3rdfloorview, 08-30-2009, 03:22 PM
Thanks for your reply. I'm not sure what you mean by "host provides a SSL for their hostname" - is that something I need to do (am I the 'host' and 'hostname'?) or does the company I'm buying the reseller account from do this? If it's me, does this mean my clients could log into their own Cpanel accounts from an address associated with my domain name? If I get what you're saying, it's that there's never going to be a way for my clients to log onto CPanel with their own domain name such as http://www.clientssite.com/cpanel without getting a warning? That is so odd, as I've had reseller accounts before where this was indeed possible. I guess things change, though. I am just trying to create the most seamless and non-worrisome experience possible for my webdesign clients with regard to their hosting accounts. Thanks again. Denise

Posted by 040Hosting, 08-30-2009, 03:22 PM
It is a self-signed certificate which still does the job of encrypting the data between the customer and the server (really all a SSL does); but due to abuse browsers now warn a LOT about self-signed certificates; if you however read the warning well (I admit not something customers tend to do) it even tells you this. So yes; it is most likely secure. And yes, it can confuse customers. And yes, you may run into the same at other hosts. And as I said above, if you make a customer connect to their own domain to cpanel, you will still have the issue of this self-signed certificate.

Posted by 040Hosting, 08-30-2009, 03:28 PM
From the Cpanel forum; from cPanel support staff: ( http://forums.cpanel.net/f4/dedicate...il-127949.html ) So it would be real odd if you were able to do this before. Unless you simply accepted this certificate (you will not be warned anymore after accepting; and older browsers did not put very large warnings on the screen). What I meant about the host is your webhost, which can set an SSL for the servername, i.e. server1.yourservercompany.tld

Posted by 3rdfloorview, 08-30-2009, 03:51 PM
One of the current hosting companies I buy reseller accounts from (I have two) allows this. Actually, when I first signed up, I ran into the same issue, but after I inquired, my host made some adjustment on the server which allowed it. I, or my clients, can sign into CPanel using the domain name and there is never a security certificate warning. I'm not sure what you mean by "make" them do it? I don't know of any other way to have them sign in to CPanel. Just http://www.clientsdomain.com/cpanel or http://www.clientsdomain.com:2082 - is there some other way to do it? best, Denise

Posted by 040Hosting, 08-30-2009, 04:09 PM
AFAIK if they use your domain name and not the server's domain name they must have adjusted cPanel code, which likely means it is not supported anymore; the above remark is not mine but from a cPanel employee. There may be ways to add the certificate also to the cpanel/whm service, but as far as cPanel says this is not supported. What IS possible is that the host redirects you automatically to the server's domain: when a client goes to http://www.clientsdomain.tld/cpanel it may redirect the user to https://servername.webhostname.tld:2083. If it is port 2082 as in your example it will not be SSL but just plain http.

Posted by FastServ, 08-30-2009, 05:24 PM
Just disable the 'force ssl' option. Then they won't be redirected to the SSL port which generates the warning. By the way, all you have to do in firefox and IE is import the certificate by clicking a few buttons when the warning pops up, then it won't bother you anymore.

Posted by 3rdfloorview, 08-30-2009, 06:04 PM
Hi Randy, Thanks for your advice. I know about making an exception in IE & Firefox, but I don't particularly want to make all my design clients do that - or for them to get a warning in the first place. Most of them would be quite alarmed to see such a thing. How does one disable the 'force ssl' option - where would I do that? (I don't have access to the server, just to my reseller account WHM and my resold accounts under it.) all best, Denise

Posted by foobic, 08-30-2009, 10:23 PM
It's a server-wide setting - only your host can change it. And the reason they set it that way in the first place, ironically enough, would be for security. It's much safer to have clients logging in using SSL (even on a self-signed cert) than sending passwords in plain. IMO the best option is for the host to install a trusted cert on the server hostname and for all resellers to give their clients a login url on that same hostname. Some resellers don't like this because it reveals that they're reselling but really it doesn't make much difference - the hostname is already visible to the client in many other places.
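
The two separate causes of the warning discussed in this thread (a self-signed certificate, and a certificate issued for the server hostname being presented on a client's own domain), as an added example that is not part of any post. The certificate dictionaries use the shape returned by Python's `ssl.SSLSocket.getpeercert()`; every certificate, the CA name and the helper names are constructed for illustration, and the issuer-equals-subject test is a heuristic that does not verify the trust chain.

```python
# Added example: why a browser warns on a cPanel/WHM login URL.
# Cert dicts use the shape returned by ssl.SSLSocket.getpeercert();
# all certificates below are constructed samples, not real ones.

def dns_names(cert):
    """DNS names the certificate is valid for (SAN first, CN as fallback)."""
    sans = [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v.lower() for rdn in cert.get("subject", ()) for k, v in rdn
            if k == "commonName"]

def name_matches(pattern, host):
    """Exact match, or a '*.' wildcard covering exactly one left-most label."""
    if pattern.startswith("*."):
        head, _, rest = host.partition(".")
        return bool(head) and rest == pattern[2:]
    return pattern == host

def warning_reasons(cert, requested_host):
    """Return the reasons a browser would warn for this cert and URL host."""
    reasons = []
    # Heuristic: issuer equal to subject means self-signed (no CA vouches for it).
    if cert.get("issuer") == cert.get("subject"):
        reasons.append("self-signed")
    host = requested_host.lower().rstrip(".")
    if not any(name_matches(n, host) for n in dns_names(cert)):
        reasons.append("name-mismatch")
    return reasons

def make_cert(cn, issuer_cn):
    """Build a minimal constructed cert dict for the given subject and issuer."""
    name = lambda v: ((("commonName", v),),)
    return {"subject": name(cn), "issuer": name(issuer_cn),
            "subjectAltName": (("DNS", cn),)}

SERVER = "server1.yourservercompany.tld"            # hostname used in the thread
SELF_SIGNED = make_cert(SERVER, SERVER)              # constructed
CA_SIGNED = make_cert(SERVER, "Example Trusted CA")  # constructed, hypothetical CA

if __name__ == "__main__":
    for label, cert, host in [
        ("self-signed, server hostname", SELF_SIGNED, SERVER),
        ("CA-signed, client's domain", CA_SIGNED, "www.clientsdomain.com"),
        ("CA-signed, server hostname", CA_SIGNED, SERVER),
    ]:
        print(f"{label:32} -> {warning_reasons(cert, host) or 'no warning'}")
```

Only the last case, a CA-issued certificate reached through the server hostname it was issued for, produces no warning.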


