Auto SSL subject domain name primary domain

horizon2021

Active Member
Jan 31, 2021
41
3
8
USA
cPanel Access Level
Root Administrator
With the Let's Encrypt auto SSL plugin, is there a way to have it use the account's primary domain as the subject for the ssl cert always?

Sometimes I'm finding that an account's ssl cert has a www.subdomain.domain.com as the ssl cert Subject and the domain.com or *.domain.com is one of the alt names.

I'd like for the cert to have the primary account domain.com as the main Subject for the SSL certificate, and subdomains under Subject Alternate Names.
 
Last edited by a moderator:

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
11,030
1,739
363
cPanel Access Level
Root Administrator
Hey hey! Unfortunately no - this is one area we don't really get a vote on. Let's Encrypt says this is "cosmetic" and they don't guarantee which domain will be the primary. We include this in the yellow box on our page here:

 

Jhosman

Member
Jan 23, 2016
5
0
51
Bogotá, Colombia
cPanel Access Level
Root Administrator
Hey hey! Unfortunately no - this is one area we don't really get a vote on. Let's Encrypt says this is "cosmetic" and they don't guarantee which domain will be the primary. We include this in the yellow box on our page here:


I have the same problem with SSL vía cPanel AutoSSL
 

horizon2021

Active Member
Jan 31, 2021
41
3
8
USA
cPanel Access Level
Root Administrator
I guess the only way to work around this would be to have an option to request a cert for the primary account domain.com (only) and then a second cert for everything else.
 

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
11,030
1,739
363
cPanel Access Level
Root Administrator
Sure, but then we run into this issue, which isn't something we plan to implement at this point:


That isn't going to happen until there are major structures to how cPanel account domain ownership works.
 

horizon2021

Active Member
Jan 31, 2021
41
3
8
USA
cPanel Access Level
Root Administrator
I guess for now, for any important accounts where it matters to me, the best workaround for me is to continue to buy an ssl cert for the primary domain and then let cpanel install free certs for any subdomains.

That way when visiting the main domain it will always show the cert for the main domain, and it will still save money over not having autossl.

Another thing to do would be to eliminate any subdomains now that would look bad if one day the main site presents that as the ssl cert subject for the main domain.
 

horizon2021

Active Member
Jan 31, 2021
41
3
8
USA
cPanel Access Level
Root Administrator
It doesn't cause a site to stop working - it just "looks slightly amiss" if someone views the ssl cert and it says an unexpected site.

It looks like a primary way that subdomains are "revealed" or presented as the main site's ssl cert in "unfortunate random happenings" now is that cpanel creates www.subdomain.domain.com and this gets its own cert, so eliminating these www.subdomain entries may help. (have to look into how to do that as cpanel appears to create them automatically).

The actual subdomain.domain.com is covered by *.domain.com but if you have internal-test.domain.com cpanel auto creates www.internal-test.domain.com which then gets its own cert now which might be presented for domain.com. I think it looks like "something is amiss" if I look at a site and under the ssl cert or site identity it presents the cert subject name as www.internal-test.domain.com for example.

Another example is a site that uses subdomains or add-on domains for a sub-set of the site that appeals to a different group than the primary audience. It's not a secret, but it looks odd to me. For example if you have a site about high end leather shoes, let's say highfashionshoes.com, and a subdomain is for christmas slippers that goes to one particular small subcategory presented only during the holidays, I think it looks slightly tacky if the ssl cert for the main site suddenly shows www.christmas-slippers.highfashionshoes.com or christmas-slippers.com as the main site's identity under the ssl cert. It just looks less than premium or slightly tacky/off if that happens.

Granted only nerdy people probably look at the cert. But I will say that there was one web services company that I hesitated to signup with because I did look and their main site showed the ssl cert of a blog site they also ran rather than their main site. Gave me a moment of pause.
 
Last edited: