Support for Wildcard SSL Certificates and more...

  • There are 2 places which can benefit from enhanced processing of wildcard SSL certs. (having just spent an hour on this due to a cert renewal ... it's something I know could be improved...)


    During the install, Certificates are asked for twice. IF a wildcard cert is presented in the services dialogues, then the panel question could be preceded with a 'reuse services wildcard cert?' question and save the time re-entering something that is already known.


    In the Panel itself, give the ability to enter a wildcard cert for the domain, and when adding SSL for any sub-domains, allow the selection of the wildcard - or the existing functionality. Updating the single instance should (obviously) update all the subdomains that are using it. The time savings and convenience of setting up/maintaining single entries would be a considerable improvement.


    A tool to "spray" a new cert out to existing i-mscp installed servers would also be a huge benefit to those with multiple servers.


    While not many users are apt to purchase wildcard certs, I know people with multiple servers, and those with multiple subdomains, would find it very useful.


    (no rush for me though - I'm good for another year :) )

  • @Scott Brown


    During the install, Certificates are asked for twice. IF a wildcard cert is presented in the services dialogues, then the panel question could be preceded with a 'reuse services wildcard cert?' question and save the time re-entering something that is already known.

    I'll see if that can be implemented in version 1.5.3

    In the Panel itself, give the ability to enter a wildcard cert for the domain, and when adding SSL for any sub-domains, allow the selection of the wildcard - or the existing functionality. Updating the single instance should (obviously) update all the subdomains that are using it. The time savings and convenience of setting up/maintaining single entries would be a considerable improvement.

    You can normally already provide a wildcard SSL certificate. Regarding ability to share an SSL certificate, we need to review our database schema first. Also, I'm waiting for Let's Encrypt wildcard SSL certificate support.

    A tool to "spray" a new cert out to existing i-mscp installed servers would also be a huge benefit to those with multiple servers.

    Could you clarify a bit?


  • Quote

    You can normally already provide a wildcard SSL certificate. Regarding ability to share an SSL certificate, we need to review our database schema first. Also, I'm waiting for Let's Encrypt wildcard SSL certificate support.

    Yes - and I already do add the wildcard certs - multiple times. That's why I've made the suggestion :)


    Wow - I didn't realize Let's Encrypt did an about face on it. Last I read they were dead against it... (I did some work on the Windows SolidCP panel for LetsEncrypt support last year... I've been down that road). Interesting that they decided on DNS validation... they didn't like that idea as that wasn't validating the host the cert was being installed on. Times change I guess.


    Regarding the db - yes, I didn't think this was going to be the easier part. I'm sure it won't be a simple drop in... maybe store the Wilds off in a separate table, and allow them to be copied into the existing dialogue through a button? I dunno.. just a very simplistic approach.


    Would need some way to manage the wildcard certs too. This is getting more complicated.


    Ok, while we're complicating things - how about having the panel watch the expiry of certs too, and warn/email customers when their cert is about to expire (configurable by the reseller)? I mean, if we're getting complicated, why not go all the way :) lol...


    I'll stop dreaming now - this is your project/product, I'm just a happy user.


    Quote

    Could you clarify a bit?

    Just a simple tool to take a wildcard cert and install it across a set of servers in a single action - rather than having to log into each and perform the SSL reconfigure task on each individually.


    Obviously it would have to validate that it was indeed being given a cert with a CN=*.domain.tld (is it valid in the subj alt names? - I've only ever seen it in the CN...), and some way to know what other machines to install to (I'm thinking only services and panel only, and only if they already use a matching cert, unless an override flag is given with the request (example use case - to update individual certs on various machines to a single wildcard)).


    Doesn't sound so simple after all. But useful/time saving for sure. Some of your large clients could save a lot of time with something like this.


    I remember back in the ispcp days there was a soap layer exposed - if that still exists that might be leveraged with the proper security (I can't remember if ispcp did a lot of security type validation on its soap calls). Definitely wouldn't want some nefarious entity to be able to start overwriting your systems. I guess this sort of presumes the clients would be pre-registered with the master so that a proper security context could be created between them.


    Yes, definitely not on the simple side.


    I'm not sure how "multi" the panel is of recent releases so I don't know how much/any of this is already in place, but this would aid in the central management of i-mscp farms.


    Let me know if this helps paint the picture better.
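
The matching check described in the post above, as an added example that is not part of the thread or of i-MSCP's code: a wildcard name (normally carried as a subjectAltName DNS entry, which is what current clients match against) covers exactly one label to the left, so it covers neither the bare domain nor deeper subdomains. The inventory layout, `rollout_targets` and the `override` flag are assumptions made up for illustration.

```python
def name_covers(pattern: str, host: str) -> bool:
    """True if a certificate DNS name covers host.

    '*' is honoured only as the entire left-most label and matches
    exactly one label, so '*.example.test' covers 'www.example.test'
    but not 'example.test' or 'a.b.example.test'.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h or "*" in host:
        return False
    if p[0] == "*":
        # Conservative choice in this example: refuse '*.tld'.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h  # partial wildcards such as 'w*.x.y' are treated as literals


def cert_covers(cert_names, host):
    return any(name_covers(n, host) for n in cert_names)


def rollout_targets(new_names, inventory, override=False):
    """Servers that may receive the new certificate.

    A server qualifies only if the new cert covers its service hostname.
    Without override it must also already carry a cert with the same
    names; override allows replacing individual certs with the wildcard.
    """
    targets = []
    for server, info in inventory.items():
        if not cert_covers(new_names, info["host"]):
            continue  # installing here would break hostname validation
        same_cert = set(info["cert_names"]) == set(new_names)
        if same_cert or override:
            targets.append(server)
    return sorted(targets)


# Constructed sample inventory (hypothetical servers and hostnames).
INVENTORY = {
    "srv1": {"host": "panel.example.test", "cert_names": ["*.example.test"]},
    "srv2": {"host": "mail.example.test", "cert_names": ["mail.example.test"]},
    "srv3": {"host": "example.test", "cert_names": ["example.test"]},
    "srv4": {"host": "a.b.example.test", "cert_names": ["a.b.example.test"]},
}

if __name__ == "__main__":
    print(rollout_targets(["*.example.test"], INVENTORY))
    print(rollout_targets(["*.example.test"], INVENTORY, override=True))
```
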

  • My idea is to create a new module for SSL certificates management. The module would provide an SSL certificates store where customers would add their SSL certificates. Once done, the customers would assign the SSL certificates to one or many of their sites through a select box. Doing this would simplify SSL certificates management. Note that this is only a summary of my idea. Things would be a bit more complex.


    Regarding notification for SSL certificates being expired, this shouldn't be too hard to implement. We should store the expiry date when the SSL certificates are added, and run a daily cron task that takes care of notifications.

    I was one of the main ispCP developers and I can assure you that there was no SOAP layer available. However, what you're asking will be possible when the multi-server layer is implemented, where we will have one or many servers managed through a single control panel instance.

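
A sketch of the daily expiry check described in the post above, as an added example that is not i-MSCP code: it works from a stored expiry date and warns once per threshold crossed rather than every day. The record layout, the `last_warned` field and the default thresholds are assumptions standing in for a reseller-configurable setting.

```python
from datetime import date

EXPIRED = -1  # pseudo-threshold used once the certificate has expired


def due_notifications(certs, today, warn_days=(30, 14, 7, 1)):
    """Return [(name, days_left, threshold)] for warnings due today.

    certs: list of dicts with 'name', 'not_after' (date stored when the
    certificate was added) and 'last_warned' (threshold already notified,
    or None). The records are updated in place so that a later run does
    not repeat a warning, and a missed cron run still catches up because
    the comparison is '<=' rather than '=='.
    """
    due = []
    for cert in certs:
        days_left = (cert["not_after"] - today).days
        if days_left < 0:
            level = EXPIRED
        else:
            reached = [t for t in warn_days if days_left <= t]
            if not reached:
                continue  # still outside the widest warning window
            level = min(reached)
        last = cert.get("last_warned")
        if last is None or level < last:
            cert["last_warned"] = level
            due.append((cert["name"], days_left, level))
    return due


if __name__ == "__main__":
    # Constructed sample records (hypothetical store contents).
    store = [
        {"name": "*.example.test", "not_after": date(2024, 1, 20), "last_warned": None},
        {"name": "shop.example.test", "not_after": date(2024, 2, 20), "last_warned": None},
        {"name": "old.example.test", "not_after": date(2024, 1, 5), "last_warned": None},
    ]
    for day in (date(2024, 1, 10), date(2024, 1, 11), date(2024, 1, 13)):
        print(day, due_notifications(store, day))
```
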

  • I do like the idea for SSL management... that will definitely take the pain out of managing certs.


    And yes you're right - when I looked back, I was using NuSoap from my ispcp box to query a Windows server running WSP :blush: I can't find what code I was using to pull stats from the other ispcp box. Might have just been a dump of a data set.... too long ago to keep straight.


    Looking forward to new SSL Management functionality in a future release :D