Featured Video: Setup an SSL Site with Managed WordPress

There was once a time on the Internet when there were many valid reasons to avoid using an SSL all the time. For example, using an SSL sometimes meant your website wasn’t indexed as thoroughly. Or maybe certain types of caching were broken.

It’s 2017 now, though, and those days are long since past. Almost every reason not to use an SSL on your site has been changed or fixed. In this Knowledge Base article we feature a video provided by Chris Lema to show how quickly you can set up an SSL on Managed WordPress.

Optimizing Your Website in Cloud Sites

To ensure that your site performs at its best, there are a few things you can do to optimize it when using Liquid Web Cloud Sites technology. This article will take you through the top five best practices to optimize your website.

Will my site be marked unsafe in Chrome 56+?

Lately there’s been a lot of speculation about Google’s upcoming changes to how sites without an SSL are going to be treated. As January draws to a close, we have seen an increase in customers concerned about how this will affect their sites, both in terms of people being able to see them and how it might affect their search ranking.

This article aims to clear up some of the confusion and to demystify the changes. If you are unfamiliar with how SSL/TLS or HTTPS works, please take a look at our article on the subject.

If you aren’t interested in how these changes came about feel free to skip down to: How These Changes Affect Your Site

How does an SSL work?

Every single day, hundreds of terabytes of data are transferred across the internet. In fact, based on Intel’s 2012 report, nearly 640K Gb of data is transferred every single minute. That’s more than 204 million emails, 47,000 app downloads, 1.3 million YouTube videos watched and 6 million Facebook views.

We’re talking about a seriously massive amount of data here. So how do we know if that data is being transferred securely? Enter the SSL/TLS protocols.

Enabling Let’s Encrypt for AutoSSL on WHM based Servers

The recent release of cPanel & WHM version 58 added an AutoSSL feature. This tool can be used to automatically provide Domain Validated SSLs for domains on your WHM & cPanel servers.

Initially this feature was released with support for only cPanel (powered by Comodo) SSL certificates, with plans to support more providers as things progressed. cPanel & WHM servers running version 58.0.17 and above can now also use Let’s Encrypt as an SSL provider. More information on Let’s Encrypt can be found here.

How To Verify That Your Server Meets PayPal SSL Requirements

As part of an industry-wide effort to adopt strict security standards, PayPal is upgrading the SSL certificates it uses to secure its sites and API endpoints. By June 17, 2016, SSL certificates will need to be signed using the SHA-256 algorithm and VeriSign’s 2048-bit G5 Root Certificate.

At that time, PayPal’s service will discontinue the use of SSL connections that rely on the VeriSign G2 Root Certificate.

You can easily determine whether your server supports this new standard by logging into your server via SSH and running a single command:

openssl s_client -connect api-3t.sandbox.paypal.com:443 -showcerts | egrep -wi "G5|return"

If your server complies with the requirements, you will see a result similar to the following:

i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
Verify return code: 0 (ok)

In that output, you will want to note the presence of two specific items:

  • A Certification Authority containing “G5”. Note that you may see several CA lines in your output; as long as G5 is included, your server is compliant.
  • A Verify return code of “0 (ok)”.

If both are present, your server is compliant and no further action needs to be taken.

If neither is present, then your server will need to have the G5 certificate bundle installed. All Managed customers may feel free to contact Heroic Support® to have it installed.

NOTE: CentOS 5 (and earlier) is not capable of supporting the new standard. If your server runs CentOS 5 (or earlier), it will need to be upgraded. A member of Heroic Support® will be able to assist.
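
The two checks above can be scripted so that a partial result (G5 in the chain but a non-zero verify code, or the reverse) is reported rather than overlooked. This is an added example, not part of the original article; the function name `paypal_chain_status` and both sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: apply the article's two criteria to s_client output.
# paypal_chain_status and both samples are constructed for illustration.

# Read `openssl s_client -showcerts` output on stdin and print one of:
# compliant | missing-g5 | verify-failed | missing-both
paypal_chain_status() {
    out=$(cat)
    g5=no
    verify=no
    # Issuer lines of the presented chain start with "i:"; match G5 as a word.
    if printf '%s\n' "$out" | grep -E '^ *i:' | grep -qw 'G5'; then
        g5=yes
    fi
    # Only return code 0 passes; any other code means the chain did not verify.
    if printf '%s\n' "$out" | grep -q 'Verify return code: 0 (ok)'; then
        verify=yes
    fi
    case "$g5/$verify" in
        yes/yes) echo compliant ;;
        no/yes)  echo missing-g5 ;;
        yes/no)  echo verify-failed ;;
        *)       echo missing-both ;;
    esac
}

# Constructed sample outputs (not captured from a live connection).
SAMPLE_G5=' i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
    Verify return code: 0 (ok)'
SAMPLE_G2=' i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority - G2
    Verify return code: 20 (unable to get local issuer certificate)'

printf '%s\n' "$SAMPLE_G5" | paypal_chain_status   # compliant
printf '%s\n' "$SAMPLE_G2" | paypal_chain_status   # missing-both

# Live use, with the host from the article:
#   openssl s_client -connect api-3t.sandbox.paypal.com:443 -showcerts \
#       </dev/null 2>/dev/null | paypal_chain_status
```

`verify-failed` is the case the egrep one-liner makes easy to miss: the G5 issuer line comes from the chain the server sends, so it can appear even when the local CA bundle cannot verify that chain.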

 

How To Order or Renew an SSL Certificate in Manage

Pre-Flight Check

  • This article assumes that you wish to order an SSL certificate through your Manage customer dashboard, or renew a certificate which you previously ordered through Manage.
  • For new certificates (non-renewals), you will first need to obtain a Certificate Signing Request (CSR). If you prefer, you can easily generate a CSR through cPanel or Plesk.

Ordering an SSL Certificate in Manage

Log into your Manage dashboard at https://manage.liquidweb.com and click on the Create button at the top left, then select SSL Certificate from the list of options.

How To Generate and Renew Let’s Encrypt SSL Certificates in Plesk 12.5

Let’s Encrypt is a free, automated, and open certificate authority from the Internet Security Research Group (ISRG). It enables anyone to install a free trusted SSL certificate on their website and benefit from the enhanced security an encrypted connection provides. Unlike a self-signed SSL certificate, which also is free and secure (but not verified), a Let’s Encrypt certificate is recognized as fully verified and will display the padlock icon in the address bar of modern browsers.

Beginning with version 12.5, Plesk provides access to both a plugin which interfaces with the Let’s Encrypt CLI client and an extension for use within Plesk. Please note that Plesk’s support for Let’s Encrypt applies to some Linux distributions as well as Windows, and while these instructions may also apply to a Linux server running CentOS 6 or higher, additional configuration beyond the scope of this article may be necessary.

How to Generate a CSR and Install an SSL in Plesk

Pre-Flight Check

  • This article is specifically intended for generating a Certificate Signing Request and installing a standard SSL certificate on a Windows server running Plesk.
  • We’ll walk through ordering the SSL via Liquid Web’s Manage interface, but you can use the CSR you generate in Plesk to purchase an SSL from the vendor of your choice.
  • If your Windows server is running Plesk 12.5 or higher, you can check out our tutorial on Using Let’s Encrypt SSL Certificates with Plesk 12.5.

Step #1: Generate a Certificate Signing Request in Plesk

  1. Log into Plesk.
  2. Select Domains from the main menu and click on the domain name to access its settings page.
  3. Click on SSL Certificates to bring up the SSL certificate page:

  4. Now click the blue Add SSL Certificate button:

  5. Fill out the request form and then press the Request button:

    While the fields are self-explanatory, pay special attention to these three required fields:

    • Certificate name: This is how the certificate will be displayed in Plesk. To make it easier to identify later, you’ll likely want to use the domain name.
    • Domain name: If you want your SSL certificate to cover the domain with and without the “www”, you must enter the “www” version here.
      • A certificate for www.yourdomainname.com will cover both yourdomainname.com and www.yourdomainname.com.
      • A certificate for yourdomainname.com will only apply to yourdomainname.com.
    • Email: Plesk will email the CSR and details to this address, although we will walk through retrieving the CSR directly from Plesk in the next step.
  6. Upon submitting the form, you’ll be redirected to the domain’s SSL Certificates page. Click on the certificate name (“Sample” in this example) to return to the certificates page, where you’ll be able to copy the CSR:

  7. On the SSL Certificates page for the domain, scroll down to the section labeled CSR, and copy all the text contained in that field:

    Important: Leave this window up, as you will return to it once you have ordered and obtained the certificate. You will paste the certificate into the Upload the certificate as text field just above the CSR section on this same page.

Step #2: Order the SSL Certificate in Manage

  1. In a new browser window or tab, log into your Liquid Web Manage dashboard.
  2. Click on the Create button near the top left of the page and select SSL Certificate:

  3. On the Order an SSL Certificate page, paste the CSR you copied from Plesk into the Certificate Signing Request (CSR) field.

    The CSR Details section will populate with the information you entered in Plesk.

    • Review the CSR details. If you need to correct any errors, go back to Step One and re-generate the CSR.
    • Select the length of time for which you’d like the certificate to be valid.
    • Select a Verification Method. Typically you will want to leave this set to “Automatic”.
    • Click the Purchase SSL Certificate button to order the certificate and have it charged to your card on file.

Step #3: Verify and Obtain your SSL Certificate

  1. Your SSL certificate is accessible from your Manage dashboard.
    • Click on Overview in the left menu of your Manage dashboard.
    • Click on SSL Certificates under the Services section.
    • Click the [ + ] button next to the domain name to expand the window.
    • Click the Dashboard button to access the SSL dashboard.
  2. If automatic verification was successful, you will see a green button next to Verified in the Status column. If automatic verification failed, follow the instructions for verifying the SSL via DNS record, HTML meta tag, or email at Installing an SSL Certificate.
  3. Once the certificate status is displayed as Verified, click the link labeled X509 Certificate to pop up a window containing the certificate. You will need to copy the contents of the certificate in that popup before returning to your Plesk browser window or tab.
    Important: Leave this window up, as you may need to return to it to copy and paste the Intermediate Bundle from this screen into the CA Certificate field in Plesk.

Step #4: Install the SSL Certificate in Plesk

  1. Now return to the Plesk browser window or tab you left open in Step #1, and paste the certificate into the Upload the certificate as text field just above the CSR.

    If the CA certificate does not fill in automatically, you will need to copy the Intermediate Bundle from the Manage browser window or tab you left open in Step #3 into the CA certificate field.

  2. Now click the Upload Certificate button to add the certificate.

Step #5: Configure the Domain to Use SSL

Now that the SSL certificate is uploaded, all that remains is to enable SSL support for the domain.

  1. In the Plesk menu, click on Websites & Domains.
  2. Click on the domain name.
  3. Click on Hosting Settings.
  4. Scroll down to the Security section, select the certificate to use and check the box next to SSL support.

Is Your cPanel Server Protected Against CVE-2016-0800 (DROWN)?

Overview

A new flaw has been found in the Secure Sockets Layer version 2.0 (SSLv2) protocol. An attacker could theoretically exploit this vulnerability to bypass RSA encryption, even when connecting via a newer protocol version, if the server also supports the older SSLv2 standard.

Impact

As a result of several similar but unrelated vulnerabilities, including POODLE, most server administrators already have removed support for SSLv2 and other weak ciphers. For instance, cPanel removed SSLv2 support on core services by default beginning with version 11.44 in 2014.

Servers running older, End-of-Life operating systems may still support SSLv2.

Test: Does Your Server Support SSLv2?

To test whether your web server supports SSLv2, you can run this command from a terminal on Linux or Mac OS X, substituting your domain name for the example below:

openssl s_client -connect www.yourdomainname.com:443 -ssl2

If the server is not vulnerable, the output of that command should include “ssl handshake failure”, as seen in the example below. Note that your output will be different, but as long as you see ssl handshake failure somewhere in the output, you’re protected:

[root@host]# openssl s_client -connect www.yourdomainname.com:443 -ssl2
CONNECTED(00000003)
95090:error:1407F0E5:SSL routines:SSL2_WRITE:ssl handshake failure:/BuildRoot/Library/Caches/com.apple.xbs/Sources/OpenSSL098/OpenSSL098-59/src/ssl/s2_pkt.c:427:

You can test SSLv2 support on other services by substituting the secure HTTP port (443 in the command above) with the appropriate port for the service you’re testing. Note that these are the default ports; if you’ve changed the port a service runs on, you’ll want to use that value:

  • WHM: 2087
  • cPanel: 2083
  • Secure SMTP (Exim): 465
  • Secure IMAP: 993
  • Secure POP3: 995
  • Secure Webmail: 2096
  • Secure WebDisk: 2078

If you’re using a different operating system or are otherwise unable to check the server directly, you also may visit a test site such as drownattack.com and enter your site’s URL into the test field.

If your server fails any of the tests listed above and you’re not able to update cPanel to the latest version, feel free to contact Heroic Support® for assistance.
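
The interpretation rule above, applied to each of the listed ports and extended to two cases the article does not show: a local `openssl` built without SSLv2 (its error says nothing about the server) and a connection that never reaches the handshake. This is an added example, not from the original article; the function names and sample strings are constructed, and the exact wording of the "unknown option" message is an assumption that varies by OpenSSL build.

```shell
#!/bin/sh
# Added example: interpret `openssl s_client ... -ssl2` output per service.
# Function names and the sample strings are constructed for illustration.

# Read one probe's stdout+stderr on stdin; print enabled|disabled|inconclusive.
classify_sslv2_probe() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -qi 'unknown option'; then
        # Local openssl was built without SSLv2, so nothing was tested.
        echo inconclusive
    elif printf '%s\n' "$out" | grep -qi 'ssl handshake failure'; then
        echo disabled
    elif printf '%s\n' "$out" | grep -Eq 'Protocol *: *SSLv2' &&
         printf '%s\n' "$out" | grep -Eq '^ *Cipher *: *[A-Z]'; then
        # A named cipher (not 0000) means an SSLv2 session was negotiated.
        echo enabled
    else
        # Refused, reset, timed out, DNS failure: the probe proves nothing.
        echo inconclusive
    fi
}

# Probe the article's default ports on a host you administer.
probe_host() {
    for entry in https:443 whm:2087 cpanel:2083 smtps:465 imaps:993 \
                 pop3s:995 webmail:2096 webdisk:2078; do
        port=${entry##*:}
        result=$(openssl s_client -connect "$1:$port" -ssl2 </dev/null 2>&1 |
                 classify_sslv2_probe)
        printf '%-8s %5s  %s\n' "${entry%%:*}" "$port" "$result"
    done
}

# Constructed samples; the first abridges the failure output shown above.
SAMPLE_DISABLED='CONNECTED(00000003)
95090:error:1407F0E5:SSL routines:SSL2_WRITE:ssl handshake failure:s2_pkt.c:427:'
SAMPLE_NO_CLIENT='s_client: unknown option -ssl2'
SAMPLE_ENABLED='CONNECTED(00000003)
SSL-Session:
    Protocol  : SSLv2
    Cipher    : DES-CBC3-MD5'

# Run against a real host only when one is given: sh check_sslv2.sh HOST
if [ $# -gt 0 ]; then probe_host "$1"; fi
```

Treat `inconclusive` as "not yet tested", and repeat the probe from a machine whose `openssl` still accepts `-ssl2`.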