Client Area Security Warning

[Media Corp.]

Hello,

 

We have a new install of v3.4.0 and it is almost ready to go. While testing the system, I found the following and wonder how to fix it.

 

Details:

 

Logged in as existing Client (test client).

Clicked on "My Hosting Packages" in the Client Area.

Clicked on button "VIEW DETAILS"

Clicked on button "LOGIN TO cPANEL"

 

This is where I get a SECURITY CERTIFICATE warning.

 

I believe this is because our website (the one WHMCS is installed on) is on a shared server (we do have a dedicated IP and an active SSL Certificate), however the warning is coming from the shared server. This must be because the client is moving away from our secure server and logging into their cPanel which is on the shared server.

 

How do I fix this?

 

Thanks in advance,

Derek

[ghpk]

you can't fix it until your shared server has a valid SSL certificate installed.

[Media Corp.]

you can't fix it until your shared server has a valid SSL certificate installed.

 

I was afraid that was the answer.

 

We are a Hostgator reseller and I *thought they had a shared SSL installed on the shared server we are on.

 

Should I talk to Hostgator about this?

 

Thanks ghpk!

[webresellers]

Even with a sharred ssl cert, you will still get these messages since your domain and their domain wont match the certificate. The real/best solution is to get your own SSL cert.

[Media Corp.]

Even with a sharred ssl cert, you will still get these messages since your domain and their domain wont match the certificate. The real/best solution is to get your own SSL cert.

 

We do have our own SSL cert and dedicated IP, which WHMCS is installed on. Our clients are on a Hostgator shared server (the one we are also on).

 

We are not able to get an SSL cert for Hostgator's server are we?

 

Thanks for the help.

[webresellers]

correct, you will need a VPS or Dedicated server to work around this.

or in your WHMCS server setup, remove the check for SECURE CONNECTION at the bottom. (if its checked, and I am guessing it is....)

[Media Corp.]

correct, you will need a VPS or Dedicated server to work around this.

or in your WHMCS server setup, remove the check for SECURE CONNECTION at the bottom. (if its checked, and I am guessing it is....)

 

Thanks for the help. That will have to be the way we do it.

 

If I remove the SECURE CONNECTION as you've suggested, does this mean all orders etc via our order form will be non-secure connections? What about credit card processing etc...?

 

I'm new to WHMCS! Thanks again.

[webresellers]

That check box is only securing the connection to the server for the control panel access, nothing else. Has nothing to do with ordering or being on/in your whmcs secured.

[Media Corp.]

Perfect!

 

Thanks so much for the help. I really appreciate it!

 

-Derek

[trine]

First of all most hosts will install your own cert if you have a static IP. Secondly, you can even use shared ssl hosting without a domain warning as long as the domain matches the ssl cert. You needn't have a ded or vps for a ssl cert, just a host willing to do it. SSL is important. Without it, all of your info at signup, payment and provisioning is pretty clear plain text if it gets intercepted.

 

Just my 2 cents

[webresellers]

Hostgator and most providers are only offering a sharred SSL with the hostname of the server you are on, thus, when you connect to cpanel using the IP address (as WHMCS uses by default) then you WILL get a SSL cert error becuase you are accessing the IP address for the ssl connection, and the ssl cert has the hostname of the server associtated with it.

ie, in whmcs you enter 127.0.0.1 as the server ip, but the providers ssl cert reads: server.provider.com, thus they dont match, and you get the ssl warning.

You might be able to enter your domain name in the whmcs server field that asks for the server IP. (not sure if this will work, since I haven't tested, but in theory it should work)

[Media Corp.]

Hostgator and most providers are only offering a sharred SSL with the hostname of the server you are on, thus, when you connect to cpanel using the IP address (as WHMCS uses by default) then you WILL get a SSL cert error becuase you are accessing the IP address for the ssl connection, and the ssl cert has the hostname of the server associtated with it.

 

This is exactly what we're experiencing. When a client tries to login to their cPanel via their Client Area on our corporate website, the warning (correctly) informs our client that the security certificate of our website (the client area) and the security certificate of the server where their shared hosting is, don't match. This makes sense.

 

I don't think there is any other way to make this work (aside from VPS or Dedicated). They only way, as webresellers suggested, is to disable the Secure Connection for the server configuration in WHMCS.

 

We agree, Trine, that SSL is important. We have a dedicated IP and an SSL installed and WHMCS is running within the cert. The only issue we're experiencing is when a client tries to connect to their cPanel from within our Client Area.

 

With 'Secure Connection' for cPanel DISABLED within our WHMCS system, does this mean client signups/orders/payments are NON-Secure? When I test the system as a client I am still seeing the HTTPS and the locked icon.

 

Your suggestions are very helpful. Thanks again.

[Jordan]

With 'Secure Connection' for cPanel DISABLED within our WHMCS system, does this mean client signups/orders/payments are NON-Secure? When I test the system as a client I am still seeing the HTTPS and the locked icon.

 

I don't get why most of you are saying that by disabling secure connection for CPANEL, means that you're working with a non-secure version of WHMCS.

 

WRONG.WRONG.

 

If you have https setup in your WHMCS configuration. Then you have SSL through the proper pages.

 

If you look at your server configurations under "manage server" you'll see the checkmark for "Tick to use SSL Mode for Connections." So, if you have it checked, then you're connecting via https (secure) WHEN A USER LOGS INTO CPANEL/WHM VIA clientarea.php?action=productdetails, and if you do NOT have it checked, you're connecting via http (insecure) WHEN A USER LOGS INTO CPANEL/WHM VIA clientarea.php?action=productdetails.

 

So here's an example:

Secure connection on: https://192.168.1.1/cpanel

Secure connection off: http://192.168.1.1/cpanel

[Media Corp.]

I don't get why most of you are saying that by disabling secure connection for CPANEL, means that you're working with a non-secure version of WHMCS.

 

Hi Jordan...I believe Trine was the only one who suggested that signup/payment etc would be insecure. webresellers informed me otherwise (as you've confirmed). I just wanted to double-check with the 'pros' and you're answers have confirmed what I thought.

 

WHMCS is fully secured.

Connection to cPanel from client area is not (in my case).

 

Thanks again everyone. I'd be lost without you all as a resource.

 

-Derek

[Jordan]

Shh let me over exaggerate! ;o]

 

@ webresellers - perhaps we can request this feature from matt, to use the hostname of a server, and not it's IP address? And it would be the same style as the cPanel SSL tickbox.

[Media Corp.]

LOL

 

Sounds good to me!

[ddh]

Yes, an option to select the IP or hostname for cPanel logins would be great.

 

We need the login to cPanel using the server hostname and not the IP address, as the SSL is installed against the host name and when accessing via the IP, it generates the security warning message.

[JasonO]

Is it not possible to change this in the templates?