This document gives step-by-step instructions on how to secure
your CP Apache server with a regular (not wildcard) SSL certificate.
You can secure your control panel with a wildcard certificate
if you install it on the same domain name. For example, if your CP
domain name is cp.example.com, you can secure it by installing a wildcard
certificate on example.com.
We recommend that you configure your system to be accessible both by
HTTP and HTTPS, because SiteStudio doesn't fully support the HTTPS protocol.
To secure your CP with regular SSL:
- Create or choose a directory to store SSL-related files. E.g.:
#mkdir cert
Make this directory available only for root:
#chmod 700 cert
Go to this directory:
#cd cert
- Generate an SSL private key with the OpenSSL utility:
#openssl genrsa -des3 -out server.key 1024
When prompted for a PEM pass phrase, enter any combination of 4 characters, e.g. 1234.
A unique private key will be generated into the server.key file.
For more, read the mod_ssl documentation.
- Copy this file to a secure location. You will need it later.
- Make the newly generated file readable only by root:
#chmod 600 server.key
- To view the content of the private key file, use the command:
#openssl rsa -noout -text -in server.key
- Remove pass phrase from the private key:
#openssl rsa -in server.key -out server.key.unsecure
- Now you don't need the private key with the pass phrase any more.
Overwrite it with the private key without the pass phrase:
#cp server.key.unsecure server.key
- Generate an SSL certificate signing request based on the private key:
#openssl req -new -key server.key -out server.csr
You will have to answer many questions related to your company.
Your answers are required to be included in the certificate.
Note: Common name is the URL at which you want your control panel
to be available, e.g. cp.yourdomain.com (not yourdomain.com).
- Check the content of the certificate request file:
#openssl req -noout -text -in server.csr
If you find a mistake in the data you have submitted, you can regenerate
the request.
- Make sure to back up your SSL files:
# mkdir backup
# chmod 700 backup
# cp ./*.* backup/
- Send the generated CSR file to a trusted Certificate Authority
for signing. They will send you back the certificate. Save it as
server.crt.
- To view the content of the certificate, run:
# openssl x509 -noout -text -in server.crt
- Save the private key and the certificate:
# cp -f ./server.key /hsphere/local/home/cpanel/apache/etc/ssl.key/
# cp -f ./server.crt /hsphere/local/home/cpanel/apache/etc/ssl.crt/
- Important: Make sure to back up the ssl.key and ssl.crt files to
a safe location. You may need them in the future.
- If your certificate was signed by a non-trusted certificate authority,
run the following command:
# cp -f ./ca-bundle.crt /hsphere/local/home/cpanel/apache/etc/ssl.crt/
- If your certificate was signed by a non-trusted certificate authority,
open the file httpd.conf:
# vi /hsphere/local/home/cpanel/apache/etc/httpd.conf
and find the following lines:
<VirtualHost _default_:8443>
DocumentRoot "/hsphere/local/home/cpanel/shiva/shiva-templates"
ServerName cp.domain.com
ServerAdmin root@domain.com
ErrorLog /hsphere/local/home/cpanel/apache/logs/error_log
TransferLog /hsphere/local/home/cpanel/apache/logs/access_log
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXP56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile /hsphere/local/home/cpanel/apache/etc/ssl.crt/server.crt
SSLCertificateKeyFile /hsphere/local/home/cpanel/apache/etc/ssl.key/server.key
At the end of this block add the following line:
SSLCACertificateFile /hsphere/local/home/cpanel/apache/etc/ssl.crt/ca-bundle.crt
Note: If you are installing a Comodo certificate, skip adding the above line.
Instead, download the bundle file from this page, save it as
/hsphere/local/home/cpanel/apache/etc/ssl.crt/ca.crt and add the following line to
httpd.conf (as in the previous step):
SSLCertificateChainFile /hsphere/local/home/cpanel/apache/etc/ssl.crt/ca.crt
- Open the file hsphere.properties:
# vi /hsphere/local/home/cpanel/shiva/psoft_config/hsphere.properties
and change lines:
CP_PORT = 8080
CP_PROTOCOL=http://
to:
CP_PORT = 8443
CP_PROTOCOL=https://
- Restart H-Sphere.
- Check the log file:
# vi /hsphere/local/home/cpanel/apache/logs/ssl_engine_log
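A mismatched key and certificate, or a certificate issued for the wrong host name, only shows up in ssl_engine_log after the restart. The following script is an added example, not part of the original instructions, that runs the same checks in the cert directory before the files are copied. The function names and the 2048-bit floor are assumptions added here; the key-size check covers RSA keys only.

```shell
#!/bin/sh
# Added example: checks to run in the cert directory before the files are
# copied into ssl.key/ and ssl.crt/. Function names are hypothetical.

# Print the RSA key size in bits, e.g. 2048 (empty if the key is unreadable).
key_bits() {
    openssl rsa -noout -text -in "$1" 2>/dev/null |
        sed -n 's/.*Private-Key: (\([0-9][0-9]*\) bit.*/\1/p' | head -n 1
}

# Succeed only if the certificate carries the public half of the private key.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Succeed only if the key file is mode 600 (rw-------), as set with chmod 600.
key_is_private() {
    [ "$(ls -l "$1" | cut -c1-10)" = "-rw-------" ]
}

# Succeed only if the certificate is valid for the CP host name.
cert_covers_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null |
        grep -q 'does match certificate'
}

# Print one line per failed check and return the number of failures.
preinstall_check() {
    key=$1; crt=$2; host=$3; fails=0
    bits=$(key_bits "$key")
    # Assumption: 2048 bits as the minimum RSA size a CA will sign today.
    [ "${bits:-0}" -ge 2048 ] ||
        { echo "FAIL: RSA key is ${bits:-unreadable} bits"; fails=$((fails + 1)); }
    key_is_private "$key" ||
        { echo "FAIL: $key is not mode 600"; fails=$((fails + 1)); }
    key_matches_cert "$key" "$crt" ||
        { echo "FAIL: $crt was not issued for $key"; fails=$((fails + 1)); }
    cert_covers_host "$crt" "$host" ||
        { echo "FAIL: $crt is not valid for $host"; fails=$((fails + 1)); }
    return "$fails"
}

# Usage: sh precheck.sh server.key server.crt cp.yourdomain.com
if [ "$#" -eq 3 ]; then preinstall_check "$1" "$2" "$3"; fi
```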
Disabling HTTP Access
We don't recommend disabling HTTP access, because it is required by SiteStudio.
Still, if you have chosen to disable HTTP, do the following:
- Open the file ~cpanel/apache/etc/httpd.conf
- If you would like to exclude http access and use only secure connections,
comment out the line "Listen 8080" in the block IfDefine SSL.
- Restart H-Sphere.
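The edits to hsphere.properties and httpd.conf described above have to agree with each other: if CP_PORT points at a port whose Listen line has been commented out, or is paired with the wrong CP_PROTOCOL, the control panel becomes unreachable after the restart. The following script is an added example, not part of the original instructions, that checks both files for this. The function names are hypothetical, and the only valid port/protocol pairs it accepts are the two shown on this page.

```shell
#!/bin/sh
# Added example: consistency check between hsphere.properties and httpd.conf.
# Function names are hypothetical; both file paths are passed in by the caller.

# Print the value of a "KEY = value" property, ignoring commented-out lines.
prop() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
        tail -n 1 | tr -d '[:space:]'
}

# Succeed if httpd.conf has an uncommented "Listen <port>" line.
listens_on() {
    grep -Eq "^[[:space:]]*Listen[[:space:]]+([^[:space:]]+:)?$2[[:space:]]*\$" "$1"
}

# Print the argument of a directive inside <VirtualHost _default_:8443>.
vhost_directive() {
    awk -v d="$2" '
        /^[ \t]*<VirtualHost[ \t]+_default_:8443>/ { in_vh = 1; next }
        /^[ \t]*<\/VirtualHost>/                  { in_vh = 0 }
        in_vh && $1 == d                          { print $2 }' "$1"
}

# Print one line per inconsistency and return the number found.
check_cp_config() {
    props=$1; conf=$2; bad=0
    port=$(prop "$props" CP_PORT); proto=$(prop "$props" CP_PROTOCOL)
    case "$port/$proto" in
        8443/https://|8080/http://) ;;   # the two pairs shown on this page
        *) echo "MISMATCH: CP_PORT=$port with CP_PROTOCOL=$proto"; bad=$((bad + 1)) ;;
    esac
    listens_on "$conf" "$port" ||
        { echo "NOT LISTENING: no active Listen $port"; bad=$((bad + 1)); }
    if [ "$proto" = "https://" ]; then
        for d in SSLCertificateFile SSLCertificateKeyFile; do
            [ -n "$(vhost_directive "$conf" "$d")" ] ||
                { echo "MISSING: $d in the 8443 VirtualHost"; bad=$((bad + 1)); }
        done
    fi
    return "$bad"
}

# Usage: sh cpcheck.sh <hsphere.properties> <httpd.conf>
if [ "$#" -eq 2 ]; then check_cp_config "$1" "$2"; fi
```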
Switching Between IP and Domain Name
You can't have your control panel available both by domain name and IP address.
You can have only one. To switch between IP and domain name control panel access:
- Open the /hsphere/local/home/cpanel/shiva/psoft_config/hsphere.properties file.
- Set the value of CP_HOST to your new CP URL/IP. Make sure not to change the value of the
PATH_SITE_STUDIO property.
- Save and exit the file.
- Restart H-Sphere.