I have a *nix VPS using WHM/Cpanel. I have a self signed certificare but Firefox, Chrome and IE dont accept it and anytime I go to a secure page it shows the warning. On my own PC I have stored a permanent exception but now a client is moaning.

Is the only option to buy a 3rd party cert?

"Making a homemade CA or self-signed certificate will cause the client web browser to prompt with a message whether to trust the certificate signing authority (yourself) permanently (store it in the browser), temporarily for that session, or to reject it. The message "web site certified by an unknown authority... accept?" may be a business liability for general public usage, although it's simple enough for the client to accept the certificate permanently."

3rd Party is the only way to go if you want to eliminate that annoying popup.

Will it still do it with no cert?

I have a similar problem at work, but in our case the certificate is not getting down from the web app server, that I don't have control over. I've called the provider who mailed me the certificate. Now I install it manually for every user and the problem is solved. Lots of work though, but less than arguing and convincing whoever to fix it.

I'm pretty sure if you remove the whole certificate you won't have the message any more. Just like with my solution, you won't have the security either though.

If it's just a straight site with no E-Commerce requirements, you don't need a certificate. If they're trading, it's an absolute necessity. You won't get the message because your browser is not detecting a request for a secure communication i.e. because you have an SSL certificate installed it will always ask.

yes but with no cert as opposed to self signed cert still give warnings?

No certificate = no warning because you're not requesting an encrypted communication.

I guess the idea is that you don't conduct encrypted communications with a crook of some sort. You'd think just encrypting it would be enough, until you realise you have no idea what's on the other end! :yikes:

Actually, the idea is to ensure that sensitive data is not transmitted between the server and the client in a format (unencrypted) that can easily be packet-sniffed, thus exposing your clients to identity theft. You really only need SSL for situations where something is sold - people expect encrypted communications in such instances. If your client is just running a run-of-the-mill site without selling anything, or capturing sensitive client data, he has no need for SSL.

scary, its normally because it was generated with Easy RSA and the hostname of the box is different to the FQDN of the webhost they are accessing it on. So lets assume your TLD is www.poopie.com but you run multiple vhosts with their own domains on, the cert would need to be generated for each of the domains on the vhost. So the cert is signed for poopie.com but their cpanel is hosted on cpanel.mywebsitehaspicsofmycat.com .... see the problem?

Or you could tell them to stop being crybabies and install the certs.

What are you using the VPS for? Is it just HTTP traffic and what does the site do?

I sell webhosting packages

Arbie, feel like explaining this in more detail?

I sell webhosting packages

Arbie, feel like explaining this in more detail?

See:
http://en.wikipedia.org/wiki/Transport_Layer_Security

Web browsers (sort of) have certain root certificates installed, from Verisign etc. So, the browser will complain about any certificate which is not signed by one of those root certs. You can install the self signed cert on the PC's like Gero did, which if done as a CA Cert, will then mean the PC consider that cert signed as well. That is obviously not an option on the general internet. For normal websites the only option is to use properly signed certificates from a recognized CA, that has the domain name of your website hosting the certificate in the certificate.

I think, what RB is saying is that you either need to remove your domain certificate, as all the sub-domains will be subject to the same conditions, or get each of your clients to install an SSL certificate (self-generated, or 3rd party). If, on the other hand, your SSL wasn't self-generated your hosted domains would not fall under the same constraints, as it would be a 3rd party approval that would factor in your domain only, not the hosted domains. To remove these constraints from your hosted domains you would need a 3rd party SSL, thus alleviating any browser irritations from your client's clients. Mmm, this is confusing.

I could be wrong. How close am I, RB?

Im completely confukulated now.

Im completely confukulated now.

Is your client selling stuff, or not? If the answer is yes, get him to pay for a 3rd party SSL (which is a yearly fee - and ridiculously cheap to boot) & your problems will be solved. If not, pay for a 3rd party SSL for yourself & he won't be subjected to your cheapskate ways. :p Once again, I am not 100% sure - I hope RB clarifies this, soon.

What Im confused about is whether the server needs a 3rd party cert or each domain. The basic structure is something like this.

server IP addy 123.45.67.89 and hostname is host.server.com
numerous domains sharing the same IP
customer hosts hisdomain.co.za and logs into his Cpanel like so: http://hisdomain.co.za/cpanel and gets cert warning.

Tell him to permanently accept the exclusion - problem solved.

Sounds like you're using name-based virtual hosting. You can't use name-based virtual hosting and SSL. Well - you can, but only with ONE domain name, due to the way SSL handshaking works, IIRC.
If you want to have more than one SSL cert on a machine, you'll have to have multiple IPs, and each SSL vhost would have to be on a different IP.

For example, for this machine, the way I do it, is to have 'secure.domain.com' and each vhost that requires an SSL site has an aliased sub-dir, so one site would be 'secure.domain.com/site1', 'secure.domain.com/site2', etc.

Oh - and a self-signed cert is just as "secure" as a "bought" SSL cert. The only difference between the two is that the "bought" cert already has its root CA cert in the browser certificate store (which costs mucho dollaz to get there), therefore no warnings are generated.

Instead of self-signing, I just use certs from http://www.cacert.org/. You can import their root CA cert into your browser, and voila. No more warnings.

Self certification is a horrible thing that often needs to be renewed once a year anyway - it's OK for internal stuff, like an exchange server or internal web site because the 'root' of the certificate would be trusted (inside your domain or network), but even then can cause issues in a company (Speaking from experience).

When you're out in the wide world, a random visitor to the website will not automatically trust a certificate that comes from 'mycoolwebsite.co.za' - it must have originated from commonly trusted 3rd party (CA or Certificate Authority), like Verisign.
Essentially the certificate says that Verisign (or another CA) has made sure that you are who you say you are..

The short answer is that IF you need certificates for the website because there is some sort of data that must be encrypted, then it is necessary to purchase one for each domain that must be certified.

As Flatty says, if you don't have any sensitive info to protect in transit then drop the encryption..


Oh, and what TG said.. ;)

And there ye have it - much needed clarification for all :D

Meh do it on the non-SSL port, its only for cpanel access and im sure no one is lurking around trying to get their login details?

hexplain please

The Certs cost about R17k for 24 months. They work per domain. a bit more if you going to sub-domain. It's usually cheaper to run your sites without a cert and use 3rd party for payments etc. I really wouldn't worry about the control/maintenance panel. Just the financials.

I think you can get them a lot cheaper than that, Sintaxerr.

hexplain please

Its a paranoia function as such.
Its like webmail that is run on https, there is no point unless you are so worried about someone getting access to your mail.
All that SSL does is to encrypt the information you send i.e username/pass etc and it also verifies that the site you are entering your details into is the correct site.
You dont have people sitting sniffing on your connections or spoofing the login just hoping to pick up someones details. So let them go in via the non secured portal to access their cpanel if they have to.
Why do they need to get into the cpanel so often anyway?

I dont know but to get to the Cpanel they just type http://www.theirdomain.co.za/cpanel so Im not sure why its using SSL there.
Other places it happens is when they are in their CPanel and click onto their stats likse AWStats etc which then opens up using https

Well because cpanel actually runs on a port, so its eg flowpooptrix.com:2082 which gets remapped in the DNS server to point to cpanel.flowpooptrix.com.
So you either have to update that DNS or tell them to install the certs. But why are they going into the panel that often anyway?

Well because cpanel actually runs on a port, so its eg flowpooptrix.com:2082 which gets remapped in the DNS server to point to cpanel.flowpooptrix.com.
So you either have to update that DNS or tell them to install the certs. But why are they going into the panel that often anyway?

Because it's there?

I go into my CPanel a lot when I'm importing prices, product details, etc, into MySQL databases. There's lots of reasons you could be in your CPanel.