AutoSSL Disable for Mail Servers Problem

[Michael Babbitt]

We opted out of AutoSSL when it was introduced to our cPanel update. This was months ago. Then on Wednesday, Jan 17 I got an SSL mismatch error when trying to check email early in the AM. I logged into WHM (after being greeted by another SSL security mismatch alert from my browser) and found that my wildcard certificates were removed and replaced by cPanel's own self-signed certificates. Mind you, this occured on not one but both of our servers so it's not isolated.

After verifying that the AutoSSL settings were "Disabled", I reinstalled the wildcard certificates for Exim and Dovcot. That fixed the issue until this morning when I was rudely presented with the same problem all over again.

Then tonight, cPanel again replaced my wildcard SSL with it's own for Dovcot, Exim, and FTP services. Forcebly turning "off" AutoSSL for all accounts does not fix the problem. I'm out of options and I can't keep doing this every day. I'm livid.

Sincerely,

MB

 

[cPanelMichael]

Hello Michael,

We offer the following option under the "Domains" tab in "WHM >> Tweak Settings":

Replace SSL certificates that do not match the local hostname

Per it's description:

When you enable this option, the checkallsslcerts script will replace any SSL certificates that do not match the hostname of the server with a cPanel-signed certificate. This includes wildcard certificates.

You can disable this option to ensure your wildcard certificates are not automatically replaced. Out of curiosity, is there a particular reason you prefer to not use the AutoSSL feature that we could possibly assist you with?

Thank you.

 

[Michael Babbitt]

Except that option isn't enabled. This is specifically happening to our Exim, Dovcot, and FTP services, as I mentioned previously. Here's what's happening (I found this out because we had to escellate this issue to cPanel support):

If the certificate is 20 days from expiring, cPanel will replace that certificate with one of its own. Nevermind that some of us are well aware that we have 20 days and will take care of it when we're ready. That's why the hand holding from cPanel is unwelcome. When an admin is perfectly comfortable with having total control over this, it's not cool for cPanel to essentially say "no, you obviously don't know what you're doing so we're here to save you from yourself". I would think as an EMERGENCY feature, AutoSSL could be engaged but I still believe that if an Admin PURPOSELY disables this service, they did so for a reason. Make sense?

We don't need AutoSSL. We have our cert renewal process perfectly under control, thank you. AutoSSL is for mom and pop shops with little server admin experience. Please consider giving Admins back control over their certs.

 

[cPanelMichael]

Hello Michael,

Thank you for the update. Would you mind sharing the ticket number so I can take a closer look at the specific root cause of the issue you reported?

Thank you.