Auto SSL creates certificates with wrong CN and SANs

Aidan Brookes (Member, joined Sep 4, 2018, United Kingdom; cPanel Access Level: Reseller Owner)
Hi,

We have a cPanel account with the main domain example.com. This domain has a wildcard certificate to cover *.example.com.

Now I wish to add example2.com and example3.com etc via the cPanel API. They need to be on the same account so that all domains point to the same document root. They will all need their own SSL certificates and I'm trying to use AutoSSL with Let's Encrypt for this.

Using the cPanel API I added example2.com as an addon domain to this account. This created it as a subdomain of example.com, e.g. example2com.example.com.

The addon domain is created correctly and points to the correct document root. However, the AutoSSL causes a problem because it assigns the wildcard certificate. This means that when you visit example2.com the SSL certificate is for *.example.com. Of course, this means it is invalid and shows warning errors in browsers.

To get around this I have attempted to add the addon domains in a container subdomain (as subdomains of a subdomain don't get covered by the wildcard), e.g. example2com.container.example.com. This prevented the wildcard problem; however, the certificates that AutoSSL created are almost always broken, with an incorrect CN and random SANs from other domains in the container subdomain.

Does anyone have any ideas for workarounds for either of these problems?

Regards,
Aidan Brookes

cPanelLauren (Forums Analyst II, Staff member, joined Nov 14, 2017, Houston; cPanel Access Level: DataCenter Provider)
Hi @Aidan Brookes

Rather than create these as addon domains, which will pose a problem with the wildcard and all domains residing on the same VirtualHost, is it not possible to create these separately but redirect them?

For the issue with the incorrect CN/SANs, can you describe that further? Possibly provide an example (just replace your domain names with example, domain, test, etc.).

Thanks!

Aidan Brookes (Member, United Kingdom; cPanel Access Level: Reseller Owner)
Hi,

"and all domains residing on the same VirtualHost" confuses me, as the documentation on "How Your Server Handles Domains and Virtual Hosts" says that addon domains create their own virtual host?

When you said "create separately and redirect them", did you mean create a separate account for each domain and have the URL redirect to the one with the document root we want to use? Each domain needs to load a different website that is dynamically created from the same document root.

Is it possible to modify the vhost file to add domains so they all use the same document root but each domain has its own SSL certificate from AutoSSL? If so, it would have to be done automatically, such as on a cron.

example.co.uk is the main domain for the account.

In this account, I added 2 addon domains as a subdomain of a subdomain of example.co.uk to prevent both getting the wildcard certificate of example.co.uk.

example1.co.uk was added as an addon domain (example1couk.example1couk.example.co.uk)
example2.co.uk was added as an addon domain (example2couk.example2couk.example.co.uk)

Here is example2.co.uk's SSL certificate that has incorrect CN and SANs:

Common name: whm.example1.co.uk
SANs: example2couk.example2couk.example.co.uk, example1.co.uk, example1couk.example1couk.example.co.uk, webdisk.example1.co.uk, whm.example1.co.uk, www.example2couk.example2couk.example.co.uk, www.example1couk.example1couk.example.co.uk
Valid from September 6, 2018 to December 5, 2018
Serial Number: **************************
Signature Algorithm: sha256WithRSAEncryption
Issuer: Let's Encrypt Authority X3

Any ideas why example1.co.uk is showing in example2.co.uk's SSL certificate when they should be on separate virtual hosts?

(This is what I see when I use https://www.sslshopper.com/ssl-checker.htm and search example2.co.uk)
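The check the post above describes (does the served certificate's CN/SANs actually cover the requested hostname?) can be reproduced locally. This is an added example, not code from the thread or from cPanel; the sample CN and SANs are constructed from the certificate quoted above, and fetch_cert_names is an assumed helper name. It also shows why a subdomain of a subdomain is not covered by *.example.com: a wildcard matches exactly one DNS label.

```python
"""Check whether a TLS certificate's CN/SANs actually cover a hostname."""
from __future__ import annotations
import socket
import ssl

# Constructed from the certificate details quoted in the post above.
SAMPLE_CN = "whm.example1.co.uk"
SAMPLE_SANS = [
    "example2couk.example2couk.example.co.uk", "example1.co.uk",
    "example1couk.example1couk.example.co.uk", "webdisk.example1.co.uk",
    "whm.example1.co.uk", "www.example2couk.example2couk.example.co.uk",
    "www.example1couk.example1couk.example.co.uk",
]


def name_matches(pattern: str, host: str) -> bool:
    """RFC 6125 style match: a leading '*.' matches exactly one DNS label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels, h_labels = pattern.split("."), host.split(".")
    # '*.example.com' covers 'a.example.com' but not 'a.b.example.com'
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def cert_covers_host(host: str, cn: str, sans: list[str]) -> bool:
    """Browsers match against SANs when present; CN is only a legacy fallback."""
    names = sans if sans else [cn]
    return any(name_matches(n, host) for n in names)


def fetch_cert_names(host: str, port: int = 443) -> tuple[str, list[str]]:
    """Connect with SNI, validate the chain, and return (CN, SANs) of the leaf."""
    ctx = ssl.create_default_context()
    # Hostname checking off on purpose: a trusted-but-misnamed certificate (the
    # situation in this thread) should be returned for inspection, not raise.
    # verify_mode stays CERT_REQUIRED so that getpeercert() is populated.
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    cn = next((v for rdn in cert.get("subject", ()) for k, v in rdn
               if k == "commonName"), "")
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return cn, sans
```

For a live check, call `fetch_cert_names("example2.co.uk")` and pass the result to `cert_covers_host`; for the certificate quoted above it returns False, which is exactly the browser warning the poster saw.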

cPanelLauren (Forums Analyst II, Staff member, Houston; cPanel Access Level: DataCenter Provider)
Hi @Aidan Brookes

You're correct, it's aliases, not addon domains, that share the VirtualHost, because addons are subdomains of the primary domain. I misspoke.

While I can replicate this behavior with the Let's Encrypt provider (which is a third-party provider), I cannot do so with Comodo. Can you confirm that with the cPanel provider this issue does not occur?

Thanks!

Aidan Brookes (Member, United Kingdom; cPanel Access Level: Reseller Owner)
Hi,

I spoke to my provider and we changed AutoSSL to use Comodo and not Let's Encrypt. I then removed all domains as addon domains and re-added them. Comodo then installed working SSL certificates with correct CN and SANs for all domains.

Switching to Comodo has fixed my problem. Thanks for your help!