Auto SSL subject domain name primary domain

[horizon2021]

With the Let's Encrypt auto SSL plugin, is there a way to have it use the account's primary domain as the subject for the ssl cert always?

Sometimes I'm finding that an account's ssl cert has a www.subdomain.domain.com as the ssl cert Subject and the domain.com or *.domain.com is one of the alt names.

I'd like for the cert to have the primary account domain.com as the main Subject for the SSL certificate, and subdomains under Subject Alternate Names.

 

[cPRex]

Hey hey! Unfortunately no - this is one area we don't really get a vote on. Let's Encrypt says this is "cosmetic" and they don't guarantee which domain will be the primary. We include this in the yellow box on our page here:

The Let's Encrypt Plugin | cPanel & WHM Documentation

This plugin allows the AutoSSL feature to issue certificates from the Let's Encrypt™ provider.

docs.cpanel.net

 

[Jhosman]

Hey hey! Unfortunately no - this is one area we don't really get a vote on. Let's Encrypt says this is "cosmetic" and they don't guarantee which domain will be the primary. We include this in the yellow box on our page here:

The Let's Encrypt Plugin | cPanel & WHM Documentation

This plugin allows the AutoSSL feature to issue certificates from the Let's Encrypt™ provider.

docs.cpanel.net

I have the same problem with SSL vía cPanel AutoSSL

 

[cPRex]

@Jhosman - Sectigo also doesn't guarantee any type of order to the domains on a certificate.

 

[horizon2021]

I guess the only way to work around this would be to have an option to request a cert for the primary account domain.com (only) and then a second cert for everything else.

 

[cPRex]

Sure, but then we run into this issue, which isn't something we plan to implement at this point:

True Multi Domain Support (Multiple Certificates & IPs per Acct)

The goal of the paradigm of True Multi-Domain Support is to eliminate the concept of a "main domain" along with the concept of "addon domains." Instead, th

features.cpanel.net

That isn't going to happen until there are major structures to how cPanel account domain ownership works.

 

[horizon2021]

I guess for now, for any important accounts where it matters to me, the best workaround for me is to continue to buy an ssl cert for the primary domain and then let cpanel install free certs for any subdomains.

That way when visiting the main domain it will always show the cert for the main domain, and it will still save money over not having autossl.

Another thing to do would be to eliminate any subdomains now that would look bad if one day the main site presents that as the ssl cert subject for the main domain.

 

[cPRex]

Just for my own curiosity, can you let me know where you are seeing this cause an issue? As long as the domain you're visiting is in the SAN list, end-users in the browser shouldn't have a different experience.

 

[horizon2021]

It doesn't cause a site to stop working - it just "looks slightly amiss" if someone views the ssl cert and it says an unexpected site.

It looks like a primary way that subdomains are "revealed" or presented as the main site's ssl cert in "unfortunate random happenings" now is that cpanel creates www.subdomain.domain.com and this gets its own cert, so eliminating these www.subdomain entries may help. (have to look into how to do that as cpanel appears to create them automatically).

The actual subdomain.domain.com is covered by *.domain.com but if you have internal-test.domain.com cpanel auto creates www.internal-test.domain.com which then gets its own cert now which might be presented for domain.com. I think it looks like "something is amiss" if I look at a site and under the ssl cert or site identity it presents the cert subject name as www.internal-test.domain.com for example.

Another example is a site that uses subdomains or add-on domains for a sub-set of the site that appeals to a different group than the primary audience. It's not a secret, but it looks odd to me. For example if you have a site about high end leather shoes, let's say highfashionshoes.com, and a subdomain is for christmas slippers that goes to one particular small subcategory presented only during the holidays, I think it looks slightly tacky if the ssl cert for the main site suddenly shows www.christmas-slippers.highfashionshoes.com or christmas-slippers.com as the main site's identity under the ssl cert. It just looks less than premium or slightly tacky/off if that happens.

Granted only nerdy people probably look at the cert. But I will say that there was one web services company that I hesitated to signup with because I did look and their main site showed the ssl cert of a blog site they also ran rather than their main site. Gave me a moment of pause.