AutoSSL after parking domain

Discussion in 'Security' started by swbrains, Jun 21, 2018.

  1. swbrains

    swbrains Well-Known Member

    Hi,

    I have a question about what to expect from AutoSSL in a certain case: An account uses only a subdomain such as someuser.example.com and already has a wildcard SSL cert for *.example.com on that account. Then I park a domain "newdomain.com" on that same site.

    Can I initiate an AutoSSL "check" on that account and expect AutoSSL to issue the cert for "newdomain.com" even though there's a valid wildcard/subdomain SSL cert already on the account, or do I need to uninstall the wildcard SSL cert from that account first? Are both certs allowed on that one account?

    What is the best way in this scenario to ensure that an SSL cert is issued by AutoSSL for the newly-parked domain?

    Thanks!
     
  2. 24x7server

    24x7server Well-Known Member

    Hi,

    No, you cannot. AutoSSL generates SSL based on user and then looks for subdomain and addon inside it and then installs the SSL. If you initiate AutoSSL you will lose the wildcard SSL.

    The other way round could be that you save the current wildcard SSL, generate AutoSSL and then copy those SSL and then reinstall the wildcard SSL.
     
  3. swbrains

    swbrains Well-Known Member

    In my case, I don't care about keeping the wildcard/subdomain SSL cert on the account. Once I park a regular domain on the account, I just need an SSL cert for the newly-parked domain to be active.
     
  4. sparek-3

    sparek-3 Well-Known Member

    I really think cPanel would be better off by revamping the way they do parked domains (domain aliases).

    I think domain aliases should be constructed like addon domains are - with their own VirtualHost. This allows the separation of certificates to be more uniform.

    Instead of a VirtualHost that has 75 ServerAliases listed - which means the certificate SAN has to include all 75 of these ServerAliases - have 75 separate VirtualHosts. This way, if the user adds another domain alias, the entire 75 SAN certificate doesn't have to be reissued with the 76th ServerAlias. A separate single SAN certificate would be issued for this new domain alias.

    This is how addon domains work. In fact, you can do this with an addon domain. And, to me, it just makes things a bit cleaner.

    cPanel should change the way domain aliases are created. Create a random subdomain off of the main domain. Set the DocumentRoot to the same as the main domain. Then create a domain alias under that subdomain. Now you have a domain alias (parked domain) pointing to the same directory as the main domain, and it has its own VirtualHost, so certificates for it can be managed independently.
     
  5. cPanelMichael

    cPanelMichael Technical Support Community Manager
    Staff Member

    Hello @swbrains,

    You should uninstall the wildcard SSL certificate first because an alias is included under the same virtual host as the parent domain name it's associated with (as noted in the previous post). We do have a feature request to support wildcard SSL certificates as part of the AutoSSL feature at:

    Let's Encrypt Wildcard Certificates

    In the meantime, AutoSSL will already issue free SSL certificates for each individual subdomain, addon domain, and alias that's added to the account.

    Thank you.
     
  6. swbrains

    swbrains Well-Known Member

  7. swbrains

    swbrains Well-Known Member

    With regard to sparek-3's response, I think I need some clarification. Is the reissuing of a single certificate with all the parked domains referring only to multiple parked domains on *one* user account or for all parked domains on the entire server? I host many user accounts on my server and each appears to have their own distinct SSL certificate even though they each have a unique parked domain on their accounts. That is, when AutoSSL renews one of their certificates, the other accounts still have an older certificate for their domain so they seem to be distinct. Or maybe I'm confused about how the expiration dates work on the certificates and different exp dates don't indicate individual certs? Thanks for any clarification you can provide.
     
  8. cPanelMichael

    cPanelMichael Technical Support Community Manager
    Staff Member

    Hello @swbrains,

    It would refer to the aliases (parked domains) added underneath a single domain name on the cPanel account and not all aliases (parked domains) on the server.

    When adding a new alias (parked domain) on top of an existing domain name on a cPanel account, the AutoSSL feature will automatically detect the new alias during the next scheduled AutoSSL check. It then attempts to renew the existing certificate for the parent domain name associated with the alias so that it includes the new alias and its corresponding subdomains (e.g. mail.newalias.tld).

    Thank you.
     
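The coverage problem discussed in this thread, as an added example that is not part of any post and is not cPanel's code: one virtual host serves one certificate, so every ServerName and ServerAlias on it must match a SAN entry, and a `*.example.com` wildcard does not match a parked `newdomain.com`. The vhost contents, domain names and function names below are constructed for illustration; the matching follows the usual RFC 6125 wildcard rule.

```python
# Added example: simplified model, all names constructed for illustration.

def san_matches(pattern: str, host: str) -> bool:
    """True if a certificate SAN entry covers host.

    A wildcard is honoured only as the entire leftmost label and
    stands for exactly one label (RFC 6125 style matching).
    """
    p = pattern.lower().rstrip(".")
    h = host.lower().rstrip(".")
    if not p.startswith("*."):
        return p == h
    suffix = p[1:]                      # "*.example.com" -> ".example.com"
    if not h.endswith(suffix):
        return False
    left = h[: -len(suffix)]            # label(s) the wildcard would absorb
    return bool(left) and "." not in left


def uncovered(vhost_names, cert_sans):
    """Names served by the vhost that the installed certificate does not cover."""
    return [n for n in vhost_names
            if not any(san_matches(s, n) for s in cert_sans)]


def plan_reissue(vhost_names, cert_sans):
    """SAN list a replacement certificate needs, or None if nothing is missing.

    Because the alias shares the parent's vhost, the replacement must list
    every name on that vhost, not just the newly added one.
    """
    if not uncovered(vhost_names, cert_sans):
        return None
    return sorted(set(vhost_names))


# Constructed vhost: the subdomain from the question plus the parked domain
# and its mail. subdomain (the kind of name mentioned in the reply above).
VHOST = ["someuser.example.com", "newdomain.com", "mail.newdomain.com"]
WILDCARD_CERT = ["*.example.com"]

if __name__ == "__main__":
    print("not covered by wildcard:", uncovered(VHOST, WILDCARD_CERT))
    print("SANs needed on reissue: ", plan_reissue(VHOST, WILDCARD_CERT))
```
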
  9. swbrains

    swbrains Well-Known Member

    cPanelMichael likes this.