Security certificate warning

[TraceyS]

Hi,

So I'm super-brand-new to the reseller game (about five minutes old), and wondering if there's a better solution to the 'red screen of terror' security warning other than telling clients to ignore it.

Realise there's been some posts on this topic previously, but they're all pretty old.

Is there anything I can do/purchase at my end to get around it?

If so, how? In small, easy steps please.

And can someone please explain to me - again, small easy steps - why it happens? It's just that I've never seen it happen anywhere else other than HN, so there must be some way to avoid it.

Cheers!

[RobbieLePommie]

Still no, unfortunately.

Why it happens: Plesk (the control panel) won't let you set up more than one certificate for accessing the control panel. The solution is to have a single domain name (aka the control-access names you may remember) but these needs need certificates and certificates are tracable back to the company. So anyone with 5 seconds of checking would see the servers run by "HostNexus" and not "FoxFire" and this marks you out clearly as a reseller and not a major player.

As it stands, it takes about 1 minute of checking, and most people won't go that far.

So it helps keep your services as your services. And until Plesk can handle multiple certificates, not much can be done.

************

And nice to "see" you again. Been a while.

[TraceyS]

Thanks for the response, Robbie. Shame it happens though, as I'm only really taking on hosting for clients who aren't savvy. Hate to see their faces if they ever need to access the control panel!

Also: delayed reaction. Guess who forgot to subscribe to this thread?
Also: nice to be remembered. Nice to see you too!

[TraceyS]

I'd like to put together some documentation that I can supply to clients who request/require control panel access, and the first step would be to tell them to expect this screen.

Would someone be able to put something together (in layman's terms) that can explain what the warning is and why they don't need to worry about it... but also advise that this isn't necessarily the case for all websites they visit? Would hate to make someone complacent because I'd said to ignore this warning, but I'm not entirely sure of the most basic way to explain it.

Much appreciated!

[RobbieLePommie]

I'll give the low down - you might need to make it more layman if not enough as it's quite wordy.

When sending encrypted information to a bank, you want to know that you are sending information to the bank, and not so a third party site made to look like your bank. For this reason, the bank will register with an approved "signing authority" and the signing authority will give a certificate. This certificate can belong to only one domain on one server on on IP address. Before you send encypted infomation, your browser will ask for the certificate and then check that the certificate is "valid", is also known by an approved signing authority and also belongs to the web address, IP address and server as expected. If anything does not match, your browser goes into "over-the-top-ape-shit-mode" (TM) as if you are being attached by a head-on nuclear onslaught.

In order to send encrypted information you MUST have one of these certificates. The certificate does not need to be valid and information is still encrypted - the warning simply means that the IP address or the domain name does not match, or that the certificate "expired" (they last for only one year). This is where Plesk sits - you can only have one certificate per server address, and as there are many domain names used to access Plesk on hte one shared server, only one could have a certificate.

So when you get the warning, information is still encrypted and "secure".

If you are communicating with your bank, then you have every right to get worried. But for low-security items such as talking to your own server, take appropriate prudence and that's all that is needed.

[Dede]

Hi Rob, interesting discussion.
However, it only brings another question to mind.
Say I have 3 websites on the same server, and I would like to purchase a SSL certificate for one of them, so that some parts of the site (ie.: the login part), or the whole site is secure (https://), I would not get the red screen right?
You are only talking about accessing plesk correct?
I'm like TraceyS, and also need small easy steps.
Thanks.

[RobbieLePommie]

You would be fine - you just need to purchase additional IP addresses.

On each server are hundreds of "virtual hosts"; one of those virtual hosts is Plesk, one is your domain, the other is your other domain, the other is Tracey's domain, and so on. You can have one certificate per "virtual host" (so long as they have dedicated IP addresses).

There are things you can do with regular servers to have different virtual hosts using the same source files, so this way you can have what appears to be the same website on different addresses and thus using different certificates, but Plesk is not set up like that.

[Dede]

I think I understand Rob.
Is Cpanel different, or does it not have anything to do with that?

Just to paraphrase, and to see if I get it:
If I wanted to have a certificate on my site, I would need a different IP. Does that mean dedicated server? Or is there a way to have a dedicated IP on a shared hosting setup.
In your last paragraph; are you talking about a dynamic website setup where the login database along with the certificate are on a dedicated IP, while the rest of the site remains where it is located right now: on the shared host?

[RobbieLePommie]

I don't know if you can get individual certificates for cPanel istelf, but the requirements for the individual websites are still the same (i.e. you need one certificate per IP address per virtual host, although there are ways you can make the virtual hosts access the same files/run the same website).

No - you may not need a "different" IP, just that you can only get one secure site on an IP; you can have multiple sites on one IP on a shared server, but only one of them can be properly secured with a certificate; the others will be normal/unsecure (for want of a better word).

My last paragraph means you have TWO virtual hosts set up, e.g. IANA — Example domains and www.example.org; both on different IP addresses and both have different certificates. But they would both pull files from "/var/www/vhosts/example.com/" on the server and therefore be exactly the same site, just under a different URL.

[Dede]

Thanks Rob.
I believe I got it.