Please whitelist cPanel in your adblocker so that you’re able to see our version release promotions, thanks!

The Community Forums

Interact with an entire community of cPanel & WHM users!

AutoSSL Disable for Mail Servers Problem

Discussion in 'Security' started by Michael Babbitt, Jan 18, 2018.

Tags:
  1. Michael Babbitt

    Joined:
    Apr 13, 2015
    Messages:
    8
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Westlake Village, CA
    cPanel Access Level:
    Root Administrator
    We opted out of AutoSSL when it was introduced to our cPanel update. This was months ago. Then on Wednesday, Jan 17 I got an SSL mismatch error when trying to check email early in the AM. I logged into WHM (after being greeted by another SSL security mismatch alert from my browser) and found that my wildcard certificates were removed and replaced by cPanel's own self-signed certificates. Mind you, this occured on not one but both of our servers so it's not isolated.

    After verifying that the AutoSSL settings were "Disabled", I reinstalled the wildcard certificates for Exim and Dovcot. That fixed the issue until this morning when I was rudely presented with the same problem all over again.

    Then tonight, cPanel again replaced my wildcard SSL with it's own for Dovcot, Exim, and FTP services. Forcebly turning "off" AutoSSL for all accounts does not fix the problem. I'm out of options and I can't keep doing this every day. I'm livid.

    Sincerely,

    MB
     
    #1 Michael Babbitt, Jan 18, 2018
    Last edited: Jan 19, 2018
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    43,711
    Likes Received:
    1,794
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello Michael,

    We offer the following option under the "Domains" tab in "WHM >> Tweak Settings":

    Replace SSL certificates that do not match the local hostname

    Per it's description:

    When you enable this option, the checkallsslcerts script will replace any SSL certificates that do not match the hostname of the server with a cPanel-signed certificate. This includes wildcard certificates.

    You can disable this option to ensure your wildcard certificates are not automatically replaced. Out of curiosity, is there a particular reason you prefer to not use the AutoSSL feature that we could possibly assist you with?

    Thank you.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  3. Michael Babbitt

    Joined:
    Apr 13, 2015
    Messages:
    8
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Westlake Village, CA
    cPanel Access Level:
    Root Administrator
    Except that option isn't enabled. This is specifically happening to our Exim, Dovcot, and FTP services, as I mentioned previously. Here's what's happening (I found this out because we had to escellate this issue to cPanel support):

    If the certificate is 20 days from expiring, cPanel will replace that certificate with one of its own. Nevermind that some of us are well aware that we have 20 days and will take care of it when we're ready. That's why the hand holding from cPanel is unwelcome. When an admin is perfectly comfortable with having total control over this, it's not cool for cPanel to essentially say "no, you obviously don't know what you're doing so we're here to save you from yourself". I would think as an EMERGENCY feature, AutoSSL could be engaged but I still believe that if an Admin PURPOSELY disables this service, they did so for a reason. Make sense?

    We don't need AutoSSL. We have our cert renewal process perfectly under control, thank you. AutoSSL is for mom and pop shops with little server admin experience. Please consider giving Admins back control over their certs.
     
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    43,711
    Likes Received:
    1,794
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello Michael,

    Thank you for the update. Would you mind sharing the ticket number so I can take a closer look at the specific root cause of the issue you reported?

    Thank you.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
Loading...

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice