SSL FAQ and Troubleshooting

What is SSL/TLS?

SSL provides several functions that help secure your server.

SSL/TLS (Secure Sockets Layer/Transport Layer Security) encrypts information that a visitor’s web browser transmits to a web server. Use these protocols to protect against electronic eavesdropping. You should protect all of the sensitive data (for example, credit card numbers and login information) that you transmit over the Internet with SSL/TLS.

Both of these protocols initiate a “handshake,” during which your server and the user’s computer agree on specific conditions. These conditions include a set of public and private keys that the two computers use to encrypt and decrypt messages that they send during the secure session.

You can set up SSL/TLS for your server in WHM’s SSL/TLS interface (Home >> SSL/TLS). The SSL/TLS interface allows you to configure how SSL/TLS certificates will run on your server.

What is an SSL certificate?

An SSL certificate is an electronic document that uses the .crt file extension. This document binds a public key to an identity that consists of an email address, a company, and a location. This electronic document is a key piece in an authentication process.

SSL certificates provide public information about the security of a domain, server, or service. There are two parts to a secure certificate. Both parts are important to protect sensitive data.

  • Encryption – encodes data so that no one who intercepts the transmission can understand it.
  • Identification verification – ensures that you connect to the correct server.

What is a Certificate Authority (CA) bundle?

A Certificate Authority (CA) bundle is a file that contains the following details about the SSL certificate:

  • Who issued it.
  • Any certificates of the authority that issued it.
  • The “chain of trust” for the issuer.

    Note:

    A certificate authority can vouch for other certificate authorities, which results in a “chain of trust.” In order for a certificate authority to be able to sell certificates, another certificate authority must vouch for them.

  • Certificate revocation lists (CRLs)


Web browsers have a built-in list of trusted certificate authorities, and they use the list to determine whether to trust an authority.

What are limitations of SSL/TLS?

SSL certificates match domain names literally. For example, www.example.com and example.com are two different domains in relation to SSL.

What is SNI support?

SNI (Server Name Indication) support allows you to host multiple SSL certificates for different domains on the same IP address. At the start of the “handshake” process, SNI indicates the hostname to which the client will connect. Users who are on shared servers that support SNI can install their own certificates without a dedicated IP address.

In order to experience the full benefit of SNI, your server must run an operating system that supports this functionality, such as CentOS 6.

What is a multi-domain or UC/SAN SSL certificate?

Multi-domain certificates are SSL certificates that allow you to secure multiple, potentially unrelated domains with a single certificate. This includes UCC/SAN certificates and wildcard certificates. Unified Communications/Subject Alternative Name (UC/SAN) certificates are SSL certificates that allow you to specify a list of hostnames that the same certificate protects.

Note:

You must reissue these certificates each time that you add a new hostname.

What is a wildcard SSL certificate?

A wildcard certificate allows you to install the same certificate on any number of subdomains if they share an IP address. You can apply a wildcard certificate to services in WHM’s Manage Service SSL Certificates interface (Home >> Service Configuration >> Manage Service SSL Certificates).

  • For example, if you have a wildcard certificate for *.example.com, you can use it to securely connect to mail.example.com and www.example.com, but not to example.com.
  • The root user may install a wildcard certificate on a collection of subdomains that are associated with a single root domain on multiple IP addresses. If multiple IP addresses are used, a user on the server must not own the root domain.

What is the difference between a wildcard and a webserver certificate?

Webserver certificates only allow you to secure a single domain. Wildcard certificates allow you to secure a domain and an unlimited number of subdomains. For example, if you wish to secure store.example.com and blog.example.com, you can use a single wildcard certificate to do so. However, each subdomain will require its own dedicated IP address.
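The three points above (the CA bundle and its chain of trust, literal domain matching, and the way a wildcard covers mail.example.com but not example.com) can all be checked locally with openssl. The following script is an added example and is not part of the cPanel/WHM documentation or of WHM itself: it builds a throw-away chain (a private test CA that signs a *.example.com certificate), then runs the same two checks a browser performs, chain validation against a bundle and hostname matching. The names Example Test CA, *.example.com and mail.example.com are constructed for the demo, and the script assumes openssl 1.1.1 or newer is on PATH.

```shell
#!/bin/sh
# Added example (not from the cPanel/WHM documentation). It builds a throw-away
# chain of trust (a private test CA that signs a wildcard certificate) and then
# runs the checks a browser performs: does the leaf chain to a trusted CA
# bundle, and does a name on it match the host being visited? Every name here
# (Example Test CA, *.example.com, mail.example.com) is constructed for the
# demo. Assumes openssl 1.1.1 or newer is on PATH.

set -e

# make_demo_chain DIR -> writes DIR/ca.pem (the "CA bundle"), DIR/leaf.pem and
# DIR/leaf.key, with the leaf issued for *.example.com
make_demo_chain() {
    dir=$1
    mkdir -p "$dir"
    # Minimal request config so the root carries basicConstraints CA:TRUE.
    cat > "$dir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example Test CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$dir/ca.cnf" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
    # Wildcard leaf: a CSR, then a certificate signed by the test CA. The SAN
    # is supplied at signing time because "openssl x509 -req" ignores CSR
    # extensions unless told otherwise.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=*.example.com" \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
    printf 'subjectAltName = DNS:*.example.com\n' > "$dir/leaf.ext"
    openssl x509 -req -days 1 -in "$dir/leaf.csr" -CA "$dir/ca.pem" \
        -CAkey "$dir/ca.key" -CAcreateserial -extfile "$dir/leaf.ext" \
        -out "$dir/leaf.pem" 2>/dev/null
}

# chains_to CERT [CABUNDLE] -> 0 if CERT's issuer chain ends in a trusted root.
# Without CABUNDLE only the system trust store is consulted, which is what a
# visitor's browser sees when the bundle was not installed with the cert.
chains_to() {
    if [ -n "$2" ]; then
        openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
    else
        openssl verify "$1" >/dev/null 2>&1
    fi
}

# verify_for_host CERT CABUNDLE HOST -> 0 only if CERT chains to CABUNDLE AND
# one of its names matches HOST (a wildcard covers exactly one label).
verify_for_host() {
    openssl verify -CAfile "$2" -verify_hostname "$3" "$1" >/dev/null 2>&1
}

# cert_dns_names CERT -> prints the DNS names in CERT's subjectAltName, one per line
cert_dns_names() {
    openssl x509 -noout -ext subjectAltName -in "$1" 2>/dev/null \
        | tr ',' '\n' | sed -n 's/^ *DNS:\(.*\)$/\1/p'
}

workdir=$(mktemp -d)
make_demo_chain "$workdir"
echo "names on leaf.pem: $(cert_dns_names "$workdir/leaf.pem")"
if chains_to "$workdir/leaf.pem"; then
    echo "system trust store: trusted"
else
    echo "system trust store: untrusted (CA bundle not installed)"
fi
for host in mail.example.com www.example.com example.com; do
    if verify_for_host "$workdir/leaf.pem" "$workdir/ca.pem" "$host"; then
        echo "$host: accepted"
    else
        echo "$host: rejected (name mismatch)"
    fi
done
rm -rf "$workdir"
```

Running it prints that the leaf is untrusted until the bundle is supplied, and that mail.example.com and www.example.com are accepted while example.com is rejected, which is exactly the behaviour described for wildcard certificates above. The same verify_for_host call, pointed at a real certificate and its CA bundle, is a quick way to confirm a certificate before pasting it into WHM.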

What is a shared SSL certificate? How do I install one?

A Shared SSL Certificate is an SSL certificate that is installed on the server’s hostname. If the server administrator enables mod_userdir, all of the users on that server can use a Shared SSL Certificate to access their sites securely via their user directories. For example, https://hostname.example.com/~username

After you install the certificate, set the certificate as shared in the Manage SSL Hosts interface (Home >> SSL/TLS >> Manage SSL Hosts).

For more information, read our Apache mod_userdir Tweak documentation.

Self-signed SSL certificates

What is a self-signed SSL certificate?

A self-signed SSL certificate is an SSL certificate that does not verify the identity of the server. You can create your own self-signed SSL certificate in WHM’s Generate an SSL Certificate and Signing Request interface (Home >> SSL/TLS >> Generate an SSL Certificate and Signing Request).

Note:

  • A self-signed certificate will have a label of “self-signed,” which is the equivalent of a person vouching for their own identity.
  • If you choose to use a self-signed SSL certificate, you can secure a connection to the site, but you will not be able to verify the identity of the site. As a result, browsers will warn users about the authenticity of the server that they want to reach.

What is the difference between a self-signed certificate and a purchased SSL certificate?

Based on the needs of your website, you may decide to either create a self-signed certificate or purchase an SSL certificate. Because a purchased SSL certificate verifies the identity of the server, it is more secure.

  • If your site only handles minimally sensitive data, it may be appropriate to create your own self-signed certificate.
  • If your site handles extremely sensitive data (such as credit card information), you should purchase an SSL certificate to create a more trustworthy connection for your customers.

What do I do with the initial self-signed certificate?

Trustwave will contact the purchaser after the order goes through. The certificate is not automatically generated as soon as you purchase it. They will send the Trustwave-signed certificate to the email address that you entered in the order process.

For more information, read our Purchase and Install an SSL Certificate documentation.

How to troubleshoot SSL installation

The following sections describe some common certificate installation issues and how to fix them:

My certificate will not install—I receive a message about a certificate/key mismatch.

If you receive the modulus mismatch or key file does not match the certificate error messages, then the private key that you entered did not generate the certificate that you wish to install. The correct private key may be in a different file.

WHM may automatically complete the Private Key text box when you attempt to install a certificate. To properly install the certificate, paste the private key that you generated in the Private Key text box in WHM’s Install an SSL Certificate on the Domain interface (Home >> SSL/TLS >> Install an SSL Certificate on a Domain).
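The mismatch error above comes down to one comparison: the public key embedded in the certificate must equal the public half of the private key. The following script is an added example, not code from the cPanel/WHM documentation or from WHM: it performs that comparison (equivalent to comparing RSA moduli, but it also works for EC keys), and it scans a directory for the key file that actually belongs to a certificate, which is the usual fix when "the correct private key may be in a different file". It assumes openssl is on PATH; the demo certificate and keys it generates are throw-away material.

```shell
#!/bin/sh
# Added example, not from the cPanel/WHM documentation: the check behind the
# "modulus mismatch" / "key file does not match the certificate" error.
# It compares the public key embedded in a certificate with the public half
# of a private key (same result as comparing RSA moduli, but also valid for
# EC keys), and finds the key in a directory that belongs to a certificate.
# Assumes openssl on PATH; every file it creates is throw-away demo material.

set -e

# cert_key_match CERT KEY -> 0 if KEY is the private key for CERT, 1 otherwise
cert_key_match() {
    cert_pub=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null) || return 1
    key_pub=$(openssl pkey -pubout -in "$2" 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# find_matching_key CERT DIR -> prints the first file in DIR whose private
# key matches CERT; returns 1 if none does (non-key files are skipped)
find_matching_key() {
    for f in "$2"/*; do
        [ -f "$f" ] || continue
        if cert_key_match "$1" "$f"; then
            printf '%s\n' "$f"
            return 0
        fi
    done
    return 1
}

# make_demo_files DIR -> cert.pem with its key.pem, plus an unrelated other.key
# (constructed demo material; demo.example.com is not a real host)
make_demo_files() {
    mkdir -p "$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=demo.example.com" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1/other.key" 2>/dev/null
}

workdir=$(mktemp -d)
make_demo_files "$workdir"
if cert_key_match "$workdir/cert.pem" "$workdir/other.key"; then
    echo "other.key matches cert.pem"
else
    echo "other.key does not match cert.pem (this is the WHM mismatch case)"
fi
echo "key that belongs to cert.pem: $(find_matching_key "$workdir/cert.pem" "$workdir")"
rm -rf "$workdir"
```

Point find_matching_key at the certificate you are installing and the directory where your keys live (for example the directory holding the CSR you generated), and paste the file it reports into the Private Key text box instead of whatever WHM auto-completed.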

My certificate will not install—I receive a message about a dedicated IP.

SSL only works with one certificate per IP address. Each cPanel account is on a single IP address, which means that you can only have one certificate per account. If you experience problems with a subdomain, assign a dedicated IP address to it. When you complete this process, you can install a certificate as you would for any other cPanel account.

My certificate installed, but my visitors receive warnings about a self-signed certificate.

The following behaviors are acceptable for self-signed certificates:

  • Typically, browsers will not trust self-signed certificates, even though, in terms of security, they are acceptable.
  • Because browsers do not trust these certificates, they will show your visitors a warning message.
  • If you do not want visitors to encounter this warning, purchase an SSL certificate from an SSL provider.
    • If you choose to do this, you do not have to remove the installed self-signed certificate. Instead, purchase the certificate and install it in addition to the existing certificate in WHM’s Install an SSL Certificate on the Domain interface (Home >> SSL/TLS >> Install an SSL Certificate on a Domain).

My certificate installed, but my visitors see a warning about a domain mismatch.

It is likely that you have a self-signed certificate or a signed certificate that does not match the domain name.

  • This warning notifies visitors that the name on the certificate does not match the name of the domain that they tried to reach.
  • This should not be a security issue when you log in to a site’s cPanel interface.
  • Before they proceed, visitors can check to make sure that the SSL certificate pertains to the domain of the correct host.
  • Visitors who are concerned about security should contact the host to make sure it is safe to proceed.

To identify your hosting provider, enter your domain name at WhoIsHostingThis.com.

My certificate installed, but visitors who try to securely access other sites on the shared IP address can only see the site with an installed SSL certificate, not my default domain.

If you have multiple sites that share an IP address but only one domain with an installed SSL certificate, you may have this problem. Apache cannot serve unsecured websites through a secure protocol.

For example, you may have the following setup:

  IP address   Domain         SSL status
  1.2.3.4      example.com    Insecure
  1.2.3.4      domain.com     Secure
  9.8.7.6      example2.com   Insecure
  9.8.7.6      domain2.com    Insecure

If this setup is similar to your shared IP address’ domain structure, expect the following behavior:

Warning:

If you enter https:// before a domain name, the browser will use the HTTPS protocol, which is secure. If you enter http:// before a domain name, the browser will use HTTP, which is not secure.

  Protocol   IP address or domain   Apache will serve:
  https://   1.2.3.4                domain.com
  http://    1.2.3.4                default page redirect or example.com
  https://   9.8.7.6                error message (see note 1)
  http://    9.8.7.6                domain2.com
  https://   example.com            domain.com (see note 2)
  http://    example.com            example.com
  https://   domain.com             domain.com
  http://    domain.com             domain.com

Note 1:

Because Apache cannot serve an unsecured website with a secure protocol, and there are no secure sites on the 9.8.7.6 shared IP address, Apache will serve an error message.

Note 2:

Because Apache cannot serve an unsecured site with a secure protocol, Apache will default to the secure website on the shared IP address (domain.com).

To resolve this, add a Pre Virtual Host Include in WHM:
  1. Select the Pre Virtual Host Include option.
  2. Select the Apache version from the menu. We recommend that you select All Versions.
  3. Enter the following text in the available text box:

    <VirtualHost IPADDRESS:443>
        ServerName HOSTNAME
        DocumentRoot /usr/local/apache/htdocs
        ServerAdmin EMAIL
        <IfModule mod_suphp.c>
            suPHP_UserGroup nobody nobody
        </IfModule>
        SSLEngine on
        SSLCertificateFile SSLCERTIFICATEFILE
        SSLCertificateKeyFile SSLCERTIFICATEKEYFILE
    </VirtualHost>

  4. Click Proceed.
  5. Click Update.

Note:

In this example:

  • IPADDRESS represents your server’s IP address.
  • HOSTNAME represents your server’s hostname.
  • EMAIL represents your contact email address.
  • SSLCERTIFICATEFILE represents the full file path to your SSL certificate.
  • SSLCERTIFICATEKEYFILE represents the full file path to your SSL certificate’s key.

After you save the Include file in httpd.conf, visitors will gain access to unsecured sites even if they use a secure protocol.


When I log in with https, I get a certificate mismatch warning. Is it okay to ignore this and log in?

Your web host likely uses a self-signed certificate, or a signed certificate that does not match your domain name. This warning exists to notify you that the name on the certificate does not match the name of the domain that you wish to visit.

Check to make sure that the SSL certificate is from a domain that belongs to your web host before you proceed. If you are concerned about security, contact your web hosting provider to confirm that you can safely proceed.

What do I do if my system fails and I do not have my Trustwave authentication data in WHM?

If you have suffered a serious drive failure, you may lose this data.

If you can access the old drive, your authentication data will be in the /root/.trustwavereqs file.
