
Troubleshoot SSL-related Issues


Last modified: January 27, 2020

Overview

This document outlines some common SSL-related issues and how you can troubleshoot and resolve them. For more information about SSL, read our Guide to SSL documentation.

Warning:

We support Transport Layer Security (TLS) protocol version 1.2 and TLS version 1.3.

  • We strongly recommend that you enable TLSv1.2 on your server. Some clients don’t support TLSv1.3, which requires OpenSSL 1.1.1 or higher.
  • We only support TLSv1.3 on systems that run cPanel & WHM version 86 or higher.

Installation issues

The following sections describe some common certificate installation issues and how to fix them:

Certificate and key mismatch

If you receive the "modulus mismatch" or "key file does not match the certificate" error message, the private key that you entered is not the key that was used to generate the certificate that you wish to install. The correct private key may exist in a different file.

WHM may automatically complete the Private Key text box when you attempt to install a certificate. To properly install the certificate, paste the private key in the Private Key text box in WHM’s Install an SSL Certificate on a Domain interface (WHM >> Home >> SSL/TLS >> Install an SSL Certificate on a Domain).
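The following added example (not part of the original cPanel documentation) shows one way to find which of several key files belongs to a certificate before you paste it into WHM. It assumes the openssl command-line tool is installed; the file names are hypothetical and the keys and certificate are constructed on the fly. It compares public keys rather than the RSA modulus, so it also works for EC keys.

```sh
#!/bin/sh
# Added example: find which private key file belongs to a certificate.

# SHA-256 of the public key embedded in a PEM certificate.
cert_pubkey_hash() {
  pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  printf '%s\n' "$pub" | openssl dgst -sha256 | awk '{print $NF}'
}

# SHA-256 of the public key derived from a PEM private key.
# "-passin pass:" stops openssl from prompting when a key is encrypted;
# such a key is treated as unreadable and skipped.
key_pubkey_hash() {
  pub=$(openssl pkey -in "$1" -pubout -passin pass: 2>/dev/null) || return 1
  printf '%s\n' "$pub" | openssl dgst -sha256 | awk '{print $NF}'
}

# Print the first candidate key file that matches the certificate.
# Returns 0 on a match, 1 if nothing matches, 2 if the certificate is unreadable.
find_matching_key() {
  cert=$1; shift
  want=$(cert_pubkey_hash "$cert") || { echo "cannot read certificate: $cert" >&2; return 2; }
  for key in "$@"; do
    have=$(key_pubkey_hash "$key") || continue   # not a usable private key
    if [ "$have" = "$want" ]; then printf '%s\n' "$key"; return 0; fi
  done
  return 1
}

# Constructed sample data: two throwaway keys and a certificate made from
# the second one (hypothetical file names, removed again on exit).
dir=$(mktemp -d) && trap 'rm -rf "$dir"' EXIT
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$dir/old.key" 2>/dev/null
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$dir/new.key" 2>/dev/null
openssl req -new -x509 -key "$dir/new.key" -subj "/CN=domain.com" -days 1 \
  -out "$dir/domain.crt" 2>/dev/null

match=$(find_matching_key "$dir/domain.crt" "$dir/old.key" "$dir/new.key")
echo "certificate was generated from: ${match:-no candidate key}"
```

On a real server, pass the certificate that you want to install and every candidate key file to find_matching_key, then paste the contents of the file it prints into the Private Key text box.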

Dedicated IP addresses

Without Server Name Indication (SNI) enabled, SSL only allows one certificate per IP address. Because each cPanel account uses a single IP address, you can only assign one certificate per account. If you experience problems with a subdomain, assign a dedicated IP address to it, or enable SNI on the server.

Warnings

The following sections describe some common post-installation warnings and how to fix them:

Certificate mismatch warnings

Your web host likely uses a self-signed certificate, or a signed certificate that does not match your domain name. This warning exists to notify you that the name on the certificate does not match the name of the domain that you wish to visit.

Ensure that the SSL certificate matches a domain that belongs to your web host before you proceed, and contact your hosting provider with any additional security concerns.

Domain mismatch warnings

If your visitors see a warning about a domain mismatch, your SSL certificate likely does not match your domain name.

Domain mismatches are unlikely to be a security issue when you log in to your cPanel account. You can contact your hosting provider for any additional security concerns.

Self-signed certificates

Most browsers do not trust self-signed certificates because a self-signed certificate only allows the connection to be encrypted and does not verify the server's identity. Because of this, most browsers will display a warning about the self-signed certificate to your visitors.

If you do not want visitors to encounter this warning, purchase an SSL certificate from an SSL provider. However, when you purchase an SSL certificate, do not remove the installed self-signed certificate. Instead, purchase and install the additional certificate in WHM’s Install an SSL Certificate on a Domain interface (WHM >> Home >> SSL/TLS >> Install an SSL Certificate on a Domain).
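The following added example (not part of the original cPanel documentation) reproduces the two checks behind the warnings in this section: whether the certificate's names cover the domain that a visitor typed, and whether the certificate is self-signed. It assumes the openssl command-line tool (version 1.1.1 or higher, for -addext); the file names are hypothetical, the certificate is constructed on the fly, and the trust chain and expiry date are not checked.

```sh
#!/bin/sh
# Added example: check a certificate against a domain name and its issuer.

# Succeeds if HOST ($2) is one of the names the certificate ($1) is valid for.
cert_matches_host() {
  openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null |
    grep -q 'does match certificate'
}

# Succeeds if the certificate names itself as its own issuer.
cert_is_self_signed() {
  subj=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253) || return 2
  issr=$(openssl x509 -in "$1" -noout -issuer -nameopt RFC2253) || return 2
  [ "${subj#subject=}" = "${issr#issuer=}" ]
}

# Print two findings for CERT ($1) as presented to a visitor of HOST ($2):
# name-ok or name-mismatch, then self-signed or issued-by-other.
diagnose() {
  if cert_matches_host "$1" "$2"; then name=name-ok; else name=name-mismatch; fi
  if cert_is_self_signed "$1"; then kind=self-signed; else kind=issued-by-other; fi
  printf '%s %s\n' "$name" "$kind"
}

# Constructed sample data: a throwaway self-signed certificate for domain.com
# (hypothetical file names, removed again on exit).
dir=$(mktemp -d) && trap 'rm -rf "$dir"' EXIT
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/domain.key" \
  -subj "/CN=domain.com" \
  -addext "subjectAltName=DNS:domain.com,DNS:www.domain.com" \
  -days 1 -out "$dir/domain.crt" 2>/dev/null

diagnose "$dir/domain.crt" domain.com    # visitor typed https://domain.com
diagnose "$dir/domain.crt" example.com   # another domain on the same IP address
```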

Other issues

The following sections describe other common SSL-related issues and how to fix them:

Visitors cannot access other sites on a shared certificate

If multiple sites share an IP address but only one has an installed SSL certificate, visitors to other domains on the server may experience problems. Apache cannot serve unsecured websites through a secure protocol.

Warning:
If you enter https:// before a domain name, the browser uses the secure HTTPS protocol. If you enter http:// before a domain name, the browser uses the unsecured HTTP protocol.

For example, your server could use the following setup:

| IP address | Domain | SSL status |
|---|---|---|
| 1.2.3.4 | example.com | Insecure |
| 1.2.3.4 | domain.com | Secure |
| 9.8.7.6 | example2.com | Insecure |
| 9.8.7.6 | domain2.com | Insecure |

If this configuration resembles your shared IP address’ domain structure, expect the following behavior:

| Protocol | IP address or domain | Apache will serve: |
|---|---|---|
| https:// | 1.2.3.4 | domain.com |
| http:// | 1.2.3.4 | The default page redirect or example.com. |
| https:// | 9.8.7.6 | An error message. Note: Because Apache cannot serve an unsecured website with a secure protocol and no secure sites exist on the shared IP address, Apache serves an error message. |
| http:// | 9.8.7.6 | domain2.com |
| https:// | example.com | domain.com. Note: Because Apache cannot serve an unsecured site with a secure protocol, Apache defaults to the secure website on the shared IP address. |
| http:// | example.com | example.com |
| https:// | domain.com | domain.com |
| http:// | domain.com | domain.com |

To allow visitors to visit an unsecured domain regardless of which type of protocol they enter, perform the following steps:

Basic users

  1. Navigate to WHM’s Install an SSL Certificate on a Domain interface (WHM >> Home >> SSL/TLS >> Install an SSL Certificate on a Domain).
  2. Click Browse Certificates.
  3. In the Browse Account menu, select root.
  4. In the Certificate list, select the option for the server’s hostname certificate.
  5. Click Use Certificate.
  6. In the IP Address (non-user domains only) menu, select the server’s shared IP address.
  7. Click Install.
  8. Navigate to WHM’s Manage SSL Hosts interface (WHM >> Home >> SSL/TLS >> Manage SSL Hosts).
  9. In the Installed SSL Hosts table, click Make Primary in the appropriate row for the server’s hostname.

Advanced users

  1. Navigate to WHM’s Include Editor interface (WHM >> Home >> Service Configuration >> Apache Configuration >> Include Editor).
  2. Select the Pre Virtual Host Include option.
  3. Select the Apache version from the menu. We recommend that you select All Versions.
  4. Enter the following text in the available text box:
    <VirtualHost IPADDRESS:443>
      ServerName HOSTNAME
      DocumentRoot /usr/local/apache/htdocs
      ServerAdmin EMAIL
      <IfModule mod_suphp.c>
        suPHP_UserGroup nobody nobody
      </IfModule>
      SSLEngine on
      SSLCertificateFile SSLCERTIFICATEFILE
      SSLCertificateKeyFile SSLCERTIFICATEKEYFILE
    </VirtualHost>
    Note:

    This example uses the following values:

    • IPADDRESS represents your server’s IP address.
    • HOSTNAME represents your server’s hostname.
    • EMAIL represents your contact email address.
    • SSLCERTIFICATEFILE represents the full file path to your SSL certificate.
    • SSLCERTIFICATEKEYFILE represents the full file path to your SSL certificate’s key.
  5. Click Proceed.
  6. Click Update.

System failures

If you have suffered a serious drive failure and you do not use Trustwave authentication, you may lose some or all of your SSL data.

If you are able to access the old drive, the system stores your authentication data in the /root/.trustwavereqs file.
