AutoSSL for aliases

Discussion in 'Security' started by blade304, Jul 3, 2017.

  1. blade304

    blade304 Member

    Joined:
    Jul 3, 2017
    Messages:
    6
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    PL
    cPanel Access Level:
    Root Administrator
    Hello,

    I recently discovered the cPanel-signed certificates (through Comodo) generated with the AutoSSL (great work guys!). Works well for an account's main domain. However, it would be great to have it also for aliases.

    1. Added an alias domain, but then https://alias.dom is not trusted because the certificate is for main.dom. Is it possible to configure it somehow with alias domains?

    2. Added alias2.dom as an addon domain with the Document Root being the same as for main.dom. Certificate for https://alias2.dom is invalid. But then I found out that when I created the addon domain, a self-signed certificate was created as well, and perhaps that was causing the issue. I deleted the self-signed one (in cPanel) and now it works well (although it was tricky, I had to clear the cache in Chrome). So, question no. 2: how to disable the creation of self-signed certificates? Quick research... Seems it isn't possible now (?) and will be as of WHM 66, which should be out any day. Am I correct here? Any update on WHM 66 as Release?

    3. I actually sell domain names and I would ideally need to have hundreds or thousands of certificates, one for each domain I guess. Would there be any issues with that? Is there a limit of the cPanel-signed certificates I can create in a cPanel account?

    Thanks!
     
  2. 24x7server

    24x7server Well-Known Member

    Joined:
    Apr 17, 2013
    Messages:
    1,399
    Likes Received:
    52
    Trophy Points:
    28
    Location:
    India
    cPanel Access Level:
    Root Administrator
    Hi,

    AutoSSL analyses the domain, verifies the addon domain and subdomains in it, and then issues it for a certificate; when the certificate is ready, AutoSSL installs it. However, if for any reason AutoSSL fails to verify in the initial stage, then the certificate issue process stops. You have to review the AutoSSL logs in the WHM >> AutoSSL section to see whether the verification for the cPanel user is going well or not.
     
  3. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    37,064
    Likes Received:
    1,287
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello @blade304,

    Certificates for aliases (parked domains) issued through the AutoSSL feature should be trusted by your web browser. What's the specific message you see in your web browser when accessing the aliased domain name via SSL?

    The self-signed certificate is only installed when no valid AutoSSL certificate is available. Rather than disabling the self-signed certificate generation, you should check the "Logs" tab in "WHM >> Manage AutoSSL" to see why the domain name is not issued an AutoSSL certificate.

    You can find the domain and rate limits on the following document:

    Manage AutoSSL - Documentation - cPanel Documentation

    Let us know if you have any additional questions.

    Thanks!
     
  4. blade304

    Hi @cPanelMichael,

    Thanks for the reply.

    1. Standard warning message. As I said, the certificate at https://alias.dom is not trusted because it is issued to main.dom and alias.dom is nowhere to be found in the certificate. The only FQDNs included in the certificate are main.dom and its subdomains (www, cpanel, webdisk...). All I did was add alias.dom as an alias. It doesn't work this way; am I required to do something more for aliases?

    2. But alias2.dom (addon domain) was issued an AutoSSL certificate. I said "a self-signed certificate was created as well". And that was the certificate the browser got at https://alias2.dom. But I figured out (thanks @24x7server for the explanation) that it was due to the AutoSSL certificate not being ready yet.

    Anyway, is there a way to disable self-signed certificates? Would that be a good idea or not?

    3. So, if in one cPanel account I had 10000 domains as addon domains, I would have 10000 virtual hosts and 10000 certificates, and there wouldn't be any issues with that. Please confirm.
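
The check described in the post above (is every alias and addon name actually listed in the certificate being served?) can be scripted. The following is an added example, not part of the original thread and not cPanel code: the sample certificate is constructed from the names the poster lists, and `probe()` is a hypothetical helper that keeps chain validation on, so a self-signed placeholder is reported as untrusted and a valid certificate for the wrong name as a mismatch.

```python
import socket
import ssl

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns,
# mirroring the names the poster reports for main.dom.
SAMPLE_CERT = {"subjectAltName": (("DNS", "main.dom"), ("DNS", "www.main.dom"),
                                  ("DNS", "cpanel.main.dom"), ("DNS", "webdisk.main.dom"))}

def name_matches(host, pattern):
    """Exact match, or a '*.' wildcard covering exactly one left-most label."""
    host, pattern = host.lower().rstrip("."), pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        head, _, rest = host.partition(".")
        return bool(head) and rest == pattern[2:]
    return host == pattern

def covered(host, cert):
    """True if any DNS subjectAltName entry in the certificate covers host."""
    return any(name_matches(host, value)
               for kind, value in cert.get("subjectAltName", ()) if kind == "DNS")

def uncovered(hosts, cert):
    """Names from hosts that the certificate does not list."""
    return [h for h in hosts if not covered(h, cert)]

def probe(host, port=443, timeout=5.0):
    """Live check: 'ok', 'name-mismatch', 'untrusted: ...' or 'unreachable: ...'."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # chain is still validated; the name check is covered()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:  # e.g. a self-signed placeholder
        return f"untrusted: {exc.verify_message}"
    except OSError as exc:
        return f"unreachable: {exc}"
    return "ok" if covered(host, cert) else "name-mismatch"

if __name__ == "__main__":
    print(uncovered(["main.dom", "www.main.dom", "alias.dom", "alias2.dom"], SAMPLE_CERT))
```

Running `probe()` over the full domain list after each AutoSSL run shows which names still serve the placeholder or another site's certificate.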
     
  5. cPanelMichael

    You'd need to review the "Logs" tab in "WHM >> Manage AutoSSL" to see why AutoSSL failed to validate the aliased domain name.

    Disabling the automatic generation of self-signed certificates is not recommended. There's a thread on this topic at:

    Problem with automatically generated self-signed SSL certificates

    That's correct.

    Thank you.
     
  6. blade304

    Thanks @cPanelMichael. Adding hundreds of addon domains by hand would be painful. Can I somehow add addon domains from a list (so that the certificates are created as well)?
     
  7. cPanelMichael

    There's no specific feature in cPanel to add multiple addon domain names from a list, but you could develop a custom script that makes use of the following cPanel API 2 function:

    cPanel API 2 Functions - AddonDomain::addaddondomain - Software Development Kit - cPanel Documentation

    Thank you.
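
A sketch of the kind of script suggested in the reply above, as an added example that is not from the thread or from cPanel. It assumes the `cpapi2` command-line wrapper is run as root on the server, passes the `dir`, `newdomain` and `subdomain` parameters of `AddonDomain::addaddondomain`, and uses a hypothetical account name, a constructed domain list, and a backing-subdomain label derived from the domain (an assumption). Each line of the list is validated as a hostname before it reaches the API, and the default is a dry run.

```python
import re
import subprocess

# Dot-separated LDH labels only; rejects spaces, '=', '/', and leading hyphens.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+"
    r"[a-z][a-z0-9-]{0,61}[a-z0-9]$")

# Constructed sample list (one domain per line), including lines that must be rejected.
SAMPLE_LIST = "alias2.dom\nAddon.DOM.\n# comment\nbad domain.dom\nalias2.dom\n-leading.dom\n"

def parse_domain_list(text):
    """Return (valid, rejected); blank lines, # comments and duplicates are skipped."""
    valid, rejected, seen = [], [], set()
    for raw in text.splitlines():
        name = raw.strip().lower().rstrip(".")
        if not name or name.startswith("#"):
            continue
        if not HOSTNAME_RE.match(name):
            rejected.append(raw.strip())
        elif name not in seen:
            seen.add(name)
            valid.append(name)
    return valid, rejected

def build_command(user, domain, docroot="public_html"):
    """argv for one AddonDomain::addaddondomain call through the cpapi2 CLI."""
    label = domain.replace(".", "-")  # assumption: unique label for the backing subdomain
    return ["cpapi2", f"--user={user}", "AddonDomain", "addaddondomain",
            f"dir={docroot}", f"newdomain={domain}", f"subdomain={label}"]

def add_all(user, text, dry_run=True):
    """Build (and, unless dry_run, execute) one call per valid domain."""
    valid, rejected = parse_domain_list(text)
    results = {}
    for domain in valid:
        argv = build_command(user, domain)
        if dry_run:
            results[domain] = " ".join(argv)
        else:
            # argv list, no shell: list contents are never interpreted as shell syntax
            results[domain] = subprocess.run(argv, capture_output=True, text=True).stdout
    return results, rejected

if __name__ == "__main__":
    planned, skipped = add_all("exampleuser", SAMPLE_LIST)  # hypothetical account name
    print("\n".join(planned.values()))
    print("rejected:", skipped)
```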
     
  8. blade304

    Hi @cPanelMichael,

    I indeed wrote the script and added 500+ addon domains so far. Seemed like there was an issue with:

    Code:
    PM WARN The domain “addon.dom” failed domain control validation: The system queried for a temporary file at “http://addon.dom/554678EB12C041[...].txt”, but the web server responded with the following error: 404 (Not Found). A DNS or web server misconfiguration may exist.
    
    Indeed, my code may have had the server respond with the 404, but cPanel fixed it on its own after a while.

    So, now I have 500+ certificates in this one cPanel account. Everything works well, except 6 domains are stuck in "AutoSSL Pending Queue". Logs say "The system will attempt to renew SSL certificates for the following websites:" (and then list the 6 domains), but nothing happens. It's been a few hours, and I know that sometimes it may take longer, but something feels not right, considering the fact that the other 500+ were approved quickly. I don't see a way to restart the process for these 6 domains. I tried to search the forum for this stuck issue and I'm not the only one having it, so maybe it would be a good idea to write some fix for that. This issue may be especially problematic during certificate renewals, as it may cause the websites to not be displayed due to the bad certificate warning.
     
    #8 blade304, Jul 6, 2017
    Last edited by a moderator: Jul 6, 2017
  9. cPanelMichael

    Hello,

    Could you review the "Logs" tab in "WHM >> Manage AutoSSL" and let us know if you notice any specific error messages for the affected domain names?

    Thank you.
     
  10. blade304

    Michael,

    I already gave you everything the logs say in my previous message. No errors.
     
  11. cPanelMichael

    Feel free to open a support ticket if the pending certificates do not issue within the next several hours so we can take a closer look to see why the validation is failing.

    Thank you.
     
  12. blade304

    So, together with Michael we came to the conclusion that the issue is there due to Comodo's bug of treating domains like samurai.cloud as containing a branded name. "icloud", believe it or not. No official confirmation from Comodo yet, but that's nearly 100% sure. Anyway, Comodo is very slow in handling my ticket, and when I created an account at their helpdesk, they emailed me my password. With their slogan that they "create trust".

    I'm thinking about switching to Let's Encrypt. If I install and set LE as default at WHM, will it replace the Comodo certificates instantly on its own? If not, how can I trigger such a process?
     
  13. cPanelMichael

    Hello,

    It would for new certificates, but existing certificates would not be replaced until they expire. You'd have to manually remove them via "WHM >> Manage SSL Hosts".

    Thank you.
     