SSL Cert for Dedicated Server - Config Options

Vibe

Hello!

I have been searching the forum for quite some time to find a "conceptual" answer to my particular situation regarding an SSL Certificate for my dedicated server. I originally posted in the How-to section, but I believe I should have posted here - I apologize for any inconvenience.

I am the sole Reseller on my dedicated server so I have full control. I would like to set up a shared SSL cert for all domains that I will be hosting, as well as for SSL connections to my own domain and DirectAdmin logins.

I have read the EXCELLENT tutorial by jlasman regarding Shared SSL certs (see here) *and* the tutorial for using DA templates to point both HTTPS & HTTP connections to each hosted website's public_html directory (see here) which is much easier for osCommerce installations.

My server is configured as follows:

server.mydomain.com - IP #1 (issued by data center)
secure.mydomain.com - IP #1 (created by ADMIN in DA at the USER level)
www.mydomain.com - IP #2 (created by RESELLER in DA at the USER level)
"userdomain.com" domains to be hosted - IP #3 (shared IP)

***Questions***

(1.) By pointing both HTTPS & HTTP connections to the public_html directory of each website being hosted, *and* by following jlasman's shared SSL tutorial, will SSL connections for each domain on the server point to the respective public_html directory for all sites being hosted (e.g. secure.mydomain.com/userdomain.com will take you to userdomain.com's public_html directory)?

(2.) As per jlasman's tutorial would the login for DirectAdmin be secure.mydomain.com:2222?

Thank you tremendously for any assistance!
 
I make no guarantees that I'm understanding you correctly and I only guarantee cert installs I do, to work properly.

That said...

https://secure.example.com/userdomain.com

will always point to the pages in the secure.example.com userdomain.com directory; in other words:

/home/secure/domains/secure.example.com/public_html/userdomain.com/

You'll have to create an ftp login to that directory in order for the user to be able to upload content.

The login will work at:

https://secure.example.com:2222/

Jeff
 
Ahhhh...Thank you so much Jeff! It's somewhat humorous in that my original post took me about 30 minutes to write. With each sentence I too questioned whether I knew what I was asking - but you have made it quite clear, thank you!

What I was hoping to do was to have "www.mydomain.com" (http) and "secure.mydomain.com" (https) both reside in the same public_html directory for the user of "mydomain.com."

Then, I thought if I configured everything correctly, secure.mydomain.com would be the domain for shared SSL for each client domain being hosted (e.g. "secure.mydomain.com/clientdomain.com").

I was also hoping that it would be possible to have ALL files for "secure.mydomain.com/clientdomain.com" AND "clientdomain.com" reside in each respective client's public_html directory (e.g. point "secure.mydomain.com/clientdomain.com" to the client's public_html folder). This would make it easier to update the site if the client were to handle things on their own.

I had the opportunity to develop an osCommerce site for a client that was hosting with Bizland. The way Bizland configures their shared SSL cert is that ALL client files reside in their own public_html directory (as mentioned above). To establish the https connection you simply use a link similar to "secure.bizland.com/clientX". This was great because it eliminated the need to duplicate image directories.

For example, if my client were to administer their osCommerce shop over an https connection with 2 separate directories (public_html & private_html), IE would give a popup about elements of the page not being "secure." To prevent this I would basically have to copy the entire shop catalog over to both directories, which is fine for me. But trying to explain that to a client that is lacking in FTP skills is definitely a "no go."

Is it safe to assume that it is not possible with DA to have both "www.mydomain.com" & "secure.mydomain.com" reside in the same public_html directory?

Thank you for taking the time to clarify everything for me - it is greatly appreciated!

Michael
 
I just thought of something that may solve my problem - I hope :-).

If I have mydomain.com set up with a dedicated IP, and then add a CNAME record in the DNS admin, both will point to the same IP. Is it possible to have an SSL cert issued for the CNAME record vs. the domain name setup for the user account?

(ok, maybe I am "stretching" the limits here :-).

Michael
 
First things first:

Vibe said:
> If I have mydomain.com set up with a dedicated IP, and then add a CNAME record in the DNS admin, both will point to the same IP. Is it possible to have an SSL cert issued for the CNAME record vs. the domain name setup for the user account?

Yes, no, maybe :) .
The limitation is specific: you can only have one secure cert per IP#. And it makes no difference at all whether you use an A record or a CNAME record to get there.

Now let's move on:

Vibe said:
> Ahhhh...Thank you so much Jeff! It's somewhat humorous in that my original post took me about 30 minutes to write. With each sentence I too questioned whether I knew what I was asking - but you have made it quite clear, thank you!

You're welcome; to understand why I try so hard you have to realize that we're in the cert business :) ... see my post [Product Announcement] Shared Server Cert here.

> What I was hoping to do was to have "www.mydomain.com" (http) and "secure.mydomain.com" (https) both reside in the same public_html directory for the user of "mydomain.com."

You can do that. You create only one of the sites, presumably secure.example.com, since you'll want to be able to use the DA system to create the CSR for it. Then you create a site alias and check the "create as alias" box.

> Then, I thought if I configured everything correctly, secure.mydomain.com would be the domain for shared SSL for each client domain being hosted (e.g. "secure.mydomain.com/clientdomain.com").

So far so good.

> I was also hoping that it would be possible to have ALL files for "secure.mydomain.com/clientdomain.com" AND "clientdomain.com" reside in each respective client's public_html directory (e.g. point "secure.mydomain.com/clientdomain.com" to the client's public_html folder). This would make it easier to update the site if the client were to handle things on their own.

I'm not taking time to figure out the details but you could probably do it with links. Instead of creating a clientdomain.com directory you'd create a link named clientdomain.com linking to /home/clientusername/domains/clientdomain.com/public_html.

The problem would be in file and directory ownership, and that would have to be tested.

> I had the opportunity to develop an osCommerce site for a client that was hosting with Bizland. The way Bizland configures their shared SSL cert is that ALL client files reside in their own public_html directory (as mentioned above). To establish the https connection you simply use a link similar to "secure.bizland.com/clientX". This was great because it eliminated the need to duplicate image directories.

It sounds as if you could do the same thing, but again, you could have trouble with CGIs running with the proper ownership. I'm not sure.

Jeff
 
Thank you Jeff for taking the time to write such a thorough explanation! I apologize for such a late reply - my wife and I went on vacation and didn't have access to the Internet (yes, very rough indeed).

It totally slipped my mind to make the site alias after configuring the secure.exampledomain.com! I think this might work. I was approaching it strictly from the http point of view vs. creating an alias here.

I just upgraded my server with a new installation of DirectAdmin so I am going to try some of the ideas that you mention. I will see what success I have overall and if it is a go I will post the results.

I didn't even realize that you were in the Cert business! I am going to speak with my partner about our Cert for the new server (for DA logins). Is the pricing from your post that you mentioned current?

Thank you again for all of the excellent information and guidance!

Michael
 
Vibe said:
> Thank you Jeff for taking the time to write such a thorough explanation!

You're very welcome.

> I apologize for such a late reply - my wife and I went on vacation and didn't have access to the Internet (yes, very rough indeed).

Actually that's pretty cool. I wish I could take time for a vacation without the Internet :) . The closest I come is an office in a corner of my godkids' house in Idaho, so I can at least visit them.

> It totally slipped my mind to make the site alias after configuring the secure.exampledomain.com! I think this might work. I was approaching it strictly from the http point of view vs. creating an alias here.

I haven't reread your post or my reply, but don't forget the name mismatch problem for anyone who accesses a cert through any other name but the cert's "common name" (domain name written into the cert).

> I didn't even realize that you were in the Cert business! I am going to speak with my partner about our Cert for the new server (for DA logins). Is the pricing from your post that you mentioned current?

Only until the end of the month. Because of time differences let's say through August 30th.

> Thank you again for all of the excellent information and guidance!

You're very welcome.

Jeff
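
The name mismatch mentioned in the reply above depends only on the host part of the URL, which is why the shared path under secure.example.com validates while an alias name does not. The following is an added example, not part of the original thread: a simplified matcher whose function names, sample URLs and single-name certificate are constructed for illustration.

```python
# Added example, not from the thread: simplified hostname-vs-certificate check.
from urllib.parse import urlsplit


def name_matches(cert_name: str, host: str) -> bool:
    """Compare one certificate name against a hostname, label by label."""
    cert_labels = cert_name.lower().rstrip(".").split(".")
    host_labels = host.lower().rstrip(".").split(".")
    if len(cert_labels) != len(host_labels):
        return False
    # A wildcard is honoured only as the entire leftmost label, and only
    # when at least two labels follow it ("*.com" is refused).
    if cert_labels[0] == "*":
        if len(cert_labels) < 3:
            return False
        return cert_labels[1:] == host_labels[1:]
    return cert_labels == host_labels


def check_url(url: str, cert_names: list[str]) -> bool:
    """True when the host part of url is covered by one of cert_names."""
    host = urlsplit(url).hostname or ""
    return any(name_matches(n, host) for n in cert_names)


# Constructed sample: a certificate carrying one name, as in the thread.
CERT_NAMES = ["secure.example.com"]

# Constructed sample URLs: shared-SSL path, DA login port, alias, client domain.
SAMPLE_URLS = [
    "https://secure.example.com/userdomain.com/",
    "https://secure.example.com:2222/",
    "https://www.example.com/",
    "https://userdomain.com/",
]


def report(urls=SAMPLE_URLS, names=CERT_NAMES):
    """Map each URL to whether its host is covered by the certificate names."""
    return {u: check_url(u, names) for u in urls}


if __name__ == "__main__":
    for url, ok in report().items():
        print(f"{'match   ' if ok else 'MISMATCH'}  {url}")
```

The path and port never enter the comparison, so the site alias sharing the same public_html still fails the check under its own name.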
 