Overview

This document outlines some common SSL-related issues and how you can troubleshoot and resolve them. For more information about SSL, read our Guide to SSL documentation.

Warning:

As of cPanel & WHM version 68, we only support Transport Layer Security (TLS) protocol version 1.2:

  • We will only support applications that use TLSv1.2.
  • We strongly recommend that you enable TLSv1.2 on your server.

Installation issues

The following sections describe some common certificate installation issues and how to fix them:

Certificate/key mismatch

If you receive the "modulus mismatch" or "key file does not match the certificate" error message, the private key that you entered is not the key that generated the certificate that you wish to install. The correct private key may exist in a different file.

WHM may automatically complete the Private Key text box when you attempt to install a certificate. To properly install the certificate, paste the private key in the Private Key text box in WHM's Install an SSL Certificate on a Domain interface (WHM >> Home >> SSL/TLS >> Install an SSL Certificate on a Domain).
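
One way to confirm which private key belongs to a certificate before you paste it into WHM, shown as an added example that is not part of the original cPanel documentation: it compares the public key inside the certificate with the public key derived from each candidate key. The function names, file names and throwaway certificate are constructed for the demonstration, and the script assumes the openssl command-line tool is installed.

```bash
#!/usr/bin/env bash
# Added example (not cPanel code). Assumes the openssl CLI is installed;
# all file names are constructed for the demo.

# Public key embedded in a certificate, as PEM.
cert_pubkey() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }

# Public key derived from a private key, as PEM.
key_pubkey() { openssl pkey -in "$1" -pubout 2>/dev/null; }

# 0 = key generated the certificate, 1 = mismatch, 2 = unreadable input.
cert_matches_key() {
  local c k
  c=$(cert_pubkey "$1") || return 2
  k=$(key_pubkey "$2") || return 2
  [ -n "$c" ] && [ -n "$k" ] || return 2
  [ "$c" = "$k" ]
}

# Print the first *.key file in directory $2 that matches certificate $1.
find_key_for_cert() {
  local f
  for f in "$2"/*.key; do
    [ -f "$f" ] || continue
    if cert_matches_key "$1" "$f"; then printf '%s\n' "$f"; return 0; fi
  done
  return 1
}

# Constructed sample data: one self-signed certificate and two keys,
# only one of which belongs to the certificate.
make_demo_files() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1/right.key" \
    -subj "/CN=example.com" -days 1 -out "$1/site.crt" 2>/dev/null
  openssl genrsa -out "$1/wrong.key" 2048 2>/dev/null
}

demo_dir=$(mktemp -d)
make_demo_files "$demo_dir"
for key in "$demo_dir"/*.key; do
  if cert_matches_key "$demo_dir/site.crt" "$key"; then verdict=match; else verdict=MISMATCH; fi
  echo "$(basename "$key"): $verdict"
done
echo "use: $(find_key_for_cert "$demo_dir/site.crt" "$demo_dir")"
rm -rf "$demo_dir"
```

Comparing the full public key works for RSA and elliptic-curve keys alike, and the separate return code 2 keeps an unreadable file from being reported as a plain mismatch.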

Dedicated IP addresses

Without Server Name Indication (SNI) enabled, SSL only allows one certificate per IP address. Because each cPanel account uses a single IP address, you can only assign one certificate per account. If you experience problems with a subdomain, assign a dedicated IP address to it, or enable SNI on the server.

Warnings

The following sections describe some common post-installation warnings and how to fix them:

Your web host likely uses a self-signed certificate, or a signed certificate that does not match your domain name. This warning exists to notify you that the name on the certificate does not match the name of the domain that you wish to visit.

Ensure that the SSL certificate matches a domain that belongs to your web host before you proceed, and contact your hosting provider with any additional security concerns.

Domain mismatch warnings

If your visitors see a warning about a domain mismatch, your SSL certificate likely does not match your domain name.

Domain mismatches are unlikely to be a security issue when you log in to your cPanel account. You can contact your hosting provider for any additional security concerns.

Self-signed certificates

Most browsers do not trust self-signed certificates because the certificate only encrypts data and does not verify identity. Because of this, most browsers will display a warning about the self-signed certificate to your visitors.

If you do not want visitors to encounter this warning, purchase an SSL certificate from an SSL provider. However, when you purchase an SSL certificate, do not remove the installed self-signed certificate. Instead, purchase and install the additional certificate in WHM's Install an SSL Certificate on a Domain interface (WHM >> Home >> SSL/TLS >> Install an SSL Certificate on a Domain).
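
The domain mismatch and self-signed warnings described above can be told apart from the command line. The following added example (not part of the original cPanel documentation) reports whether a certificate covers a host name and whether it is self-signed; the function names, host names and demo CA are constructed assumptions, and the openssl command-line tool is assumed to be installed.

```bash
#!/usr/bin/env bash
# Added example (not cPanel code). Assumes the openssl CLI; every name,
# key and certificate below is constructed throwaway demo data.

# 0 when the certificate's names cover host name $2, 1 otherwise.
cert_covers_host() {
  openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null |
    grep -q 'does match certificate'
}

# 0 when subject and issuer are identical, which is how a self-signed
# certificate appears; 1 when another party issued it.
cert_is_self_issued() {
  local s i
  s=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253) || return 2
  i=$(openssl x509 -in "$1" -noout -issuer -nameopt RFC2253) || return 2
  [ "${s#subject=}" = "${i#issuer=}" ]
}

# Print the warning(s) a visitor to host $2 should expect from certificate $1.
diagnose_cert() {
  local out=""
  cert_covers_host "$1" "$2" || out="domain-mismatch"
  if cert_is_self_issued "$1"; then out="${out:+$out }self-signed"; fi
  printf '%s\n' "${out:-ok}"
}

# Build one request for example.com and sign it twice: with its own key
# (self-signed) and with a demo CA (stands in for an SSL provider).
make_demo_certs() {
  printf 'subjectAltName=DNS:example.com,DNS:www.example.com\n' > "$1/san.ext"
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1/site.key" \
    -subj "/CN=example.com" -out "$1/site.csr" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1/ca.key" \
    -subj "/CN=Demo CA" -days 1 -out "$1/ca.crt" 2>/dev/null
  openssl x509 -req -in "$1/site.csr" -signkey "$1/site.key" -days 1 \
    -extfile "$1/san.ext" -out "$1/self.crt" 2>/dev/null
  openssl x509 -req -in "$1/site.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -days 1 -extfile "$1/san.ext" -out "$1/signed.crt" 2>/dev/null
}

demo=$(mktemp -d)
make_demo_certs "$demo"
for host in example.com mail.example.com; do
  echo "self.crt   for $host: $(diagnose_cert "$demo/self.crt" "$host")"
  echo "signed.crt for $host: $(diagnose_cert "$demo/signed.crt" "$host")"
done
rm -rf "$demo"
```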

Other issues

The following sections describe other common SSL-related issues and how to fix them:

Visitors cannot access other sites on a shared certificate

If multiple sites share an IP address but only one has an installed SSL certificate, visitors to other domains on the server may experience problems. Apache cannot serve unsecured websites through a secure protocol.

Warning:

If you enter https:// before a domain name, the browser uses the secure HTTPS protocol. If you enter http:// before a domain name, the browser uses the unsecured HTTP protocol.

For example, your server could use the following setup:

| IP address | Domain | SSL status |
|---|---|---|
| 1.2.3.4 | example.com | Insecure |
| 1.2.3.4 | domain.com | Secure |
| 9.8.7.6 | example2.com | Insecure |
| 9.8.7.6 | domain2.com | Insecure |

If this configuration resembles your shared IP address’ domain structure, expect the following behavior:

| Protocol | IP address or domain | Apache will serve: |
|---|---|---|
| https:// | 1.2.3.4 | domain.com |
| http:// | 1.2.3.4 | The default page redirect or example.com. |
| https:// | 9.8.7.6 | An error message. Note: Because Apache cannot serve an unsecured website with a secure protocol and no secure sites exist on the shared IP address, Apache serves an error message. |
| http:// | 9.8.7.6 | domain2.com |
| https:// | example.com | domain.com. Note: Because Apache cannot serve an unsecured site with a secure protocol, Apache defaults to the secure website on the shared IP address. |
| http:// | example.com | example.com |
| https:// | domain.com | domain.com |
| http:// | domain.com | domain.com |

  1. Navigate to WHM's Install an SSL Certificate on a Domain interface (WHM >> Home >> SSL/TLS >> Install an SSL Certificate on a Domain).
  2. Click Browse Certificates.
  3. In the Browse Account menu, select root.
  4. In the Certificate list, select the option for the server's hostname certificate.
  5. Click Use Certificate.
  6. In the IP Address (non-user domains only) menu, select the server's shared IP address.
  7. Click Install.
  8. Navigate to WHM's Manage SSL Hosts interface (WHM >> Home >> SSL/TLS >> Manage SSL Hosts).
  9. In the Installed SSL Hosts table, click Make Primary in the appropriate row for the server's hostname.

  1. Navigate to WHM's Include Editor interface (WHM >> Home >> Service Configuration >> Apache Configuration >> Include Editor).
  2. Select the Apache version from the menu. We recommend that you select All Versions.

  3. Enter the following text in the available text box:

    <VirtualHost IPADDRESS:443>
      # Replace the upper-case placeholders with the values described in the note below.
      ServerName HOSTNAME
      DocumentRoot /usr/local/apache/htdocs
      ServerAdmin EMAIL
      <IfModule mod_suphp.c>
        suPHP_UserGroup nobody nobody
      </IfModule>
      SSLEngine on
      SSLCertificateFile SSLCERTIFICATEFILE
      SSLCertificateKeyFile SSLCERTIFICATEKEYFILE
    </VirtualHost>

  4. Click Proceed.

  5. Click Update.

Note:

This example uses the following values:

  • IPADDRESS represents your server's IP address.
  • HOSTNAME represents your server's hostname.
  • EMAIL represents your contact email address.
  • SSLCERTIFICATEFILE represents the full file path to your SSL certificate.
  • SSLCERTIFICATEKEYFILE represents the full file path to your SSL certificate's key.


System failures

If you have suffered a serious drive failure and you do not use Trustwave authentication, you may lose some or all of your SSL data.

If you are able to access the old drive, the system stores your authentication data in the /root/.trustwavereqs file.
