AutoSSL in V. 58

[jhawkins003]

We have just begun testing v.58 and I would like to verify with the community a quick detail regarding AutoSSL functionality. After activating the Cpanel AutoSSL provider, the system appears to have fetched free certificates for the handful of domains hosted on that machine. So... is this basically a "Cpanel version" of the free certificate service LetsEncrypt has?

I knew Cpanel offered free certificates for the hostname, but the capability to generate free certs for all account domains is new to me - so I just want to make sure I understand what I am seeing.

UPDATE: This post should be in security - I have no clue why its in CloudLinux... mods please feel free to move as appropriate!

 

[cPanelMichael]

Hello,

cPanel (powered by Comodo) is the AutoSSL provider that's shipped with cPanel 58. The free offering is limited to DV certificates (This link from Comodo explains how a DV certificate works). The "AutoSSL" feature allows you to let users automatically purchase and install SSL certificates from your chosen provider. The following document offers some more information on how this works:

Market Provider Manager - Documentation - cPanel Documentation

Support for "Let's Encrypt" is planned for the future as part of a separate plugin. The cPanel 58 release notes go into detail about this feature:

58 Release Notes - Documentation - cPanel Documentation

The following blog posts offer some more details about the new SSL offerings:

The cPanel Market Provider, and free hostname SSLs | cPanel Blog

Let us know if you have any questions.

Thanks!

 

[trs]

So I ran AutoSSL for all users and it installed certs for all domains and subdomains (AWESOME!)

Now the question is, how is it different from lets encrypt?

 

[cPanelMichael]

So I ran AutoSSL for all users and it installed certs for all domains and subdomains (AWESOME!)

Now the question is, how is it different from lets encrypt?

Hello,

The ability to issue free DV certificates from Comodo was a project started before support for "Let's Encrypt" was planned. You can monitor the progress on the planned "Let's Encrypt" plugin at:

Provide Support for Let's Encrypt Automated Certificate Management/SSL

The free cPanel (powered by Comodo) and the free "Let's Encrypt" certificates both utilize domain validation (DV).

Thank you.

 

[trs]

Is AutoSSL available for subdomains?

 

[cPanelMichael]

Is AutoSSL available for subdomains?

Yes, with the exception of proxy subdomains or wildcard domains. The following document includes additional information about this feature you may find helpful:

Manage AutoSSL - Documentation - cPanel Documentation

Thanks!

 

[sparek-3]

Doesn't this effectively cannibalize Comodo's PositiveSSL offering (and Geotrust's RapidSSL offering)?

With everyone wanting to go to HTTPS it makes sense to have DV certificates for free. They never really proved anything anyway. Of course, self-signed certificates could almost serve this purpose, until the browser braintrust decided to start putting up that ugly "this certificate isn't signed" message.

 

[cPanelMichael]

Doesn't this effectively cannibalize Comodo's PositiveSSL offering (and Geotrust's RapidSSL offering)?

With everyone wanting to go to HTTPS it makes sense to have DV certificates for free. They never really proved anything anyway. Of course, self-signed certificates could almost serve this purpose, until the browser braintrust decided to start putting up that ugly "this certificate isn't signed" message.

It's difficult to predict how the widespread availability of free DV certificates could affect those specific product offerings. For anyone interested, the comments section of the following feature request includes additional discussion from cPanel users about how free DV certificates might affect the SSL certificate industry as a whole :

Provide Support for Let's Encrypt Automated Certificate Management/SSL

Thank you.

 

[jhawkins003]

So a quick question for anyone watching this thread who may have upgraded to v.58. How has your experience been with AutoSSL?

We have experienced a mountain of issues with AutoSSL across both servers we have upgraded. cPanel is being very helpful in our support tickets, but I'm curious to see what other people have experienced so far. Is AutoSSL running smooth as silk for you?

 

[Infopro]

How has your experience been with AutoSSL?

Quite well on this end. I did have a couple domains now dead that were still in the system I had to clean up. For example one was an Parked domain (Alias) that no longer exists. Each night the system checks, finds it and spits out this message in the "All Users" log in Logs area:

3:51:07 AM Checking websites for “cPusernme” …
3:51:07 AM The website, example.com, owned by “cPusernme” has a valid SSL certificate, but additional SSL coverage may be possible for the domains “example.info” and “www.example.info”. Attempting replacement …
3:51:07 AM WARN The domain “example.info” has failed domain control validation (“example.info” does not resolve to any IPv4 addresses on the internet.). at bin/autossl_check.pl line 361.
3:51:07 AM WARN The domain “www.example.info” has failed domain control validation (“www.example.info” does not resolve to any IPv4 addresses on the internet.). at bin/autossl_check.pl line 361.
3:51:07 AM The system has completed the AutoSSL check for “cPusernme”.

I have 2 sub domain issues and one Addon domain issue:

3:51:08 AM Checking websites for “cPusernme” …
3:51:09 AM The website, site.example.net, owned by “cPusernme” has a valid SSL certificate, but additional SSL coverage may be possible for the domains “www.site.example.net”. Attempting replacement …
3:51:09 AM WARN The domain “www.site.example.net” has failed domain control validation (“www.site.example.net” does not resolve to any IPv4 addresses on the internet.). at bin/autossl_check.pl line 361.
3:51:09 AM The website, blog.example.net, owned by “cPusernme” has a valid SSL certificate, but additional SSL coverage may be possible for the domains “www.blog.example.net”. Attempting replacement …
3:51:09 AM WARN The domain “www.blog.example.net” has failed domain control validation (“www.blog.example.net” does not resolve to any IPv4 addresses on the internet.). at bin/autossl_check.pl line 361.
3:51:09 AM The website, cms.example.net, owned by “cPusernme” has a valid SSL certificate, but additional SSL coverage may be possible for the domains “www.cms.example.net”. Attempting replacement …
3:51:09 AM WARN The domain “www.cms.example.net” has failed domain control validation (“www.cms.example.net” does not resolve to any IPv4 addresses on the internet.). at bin/autossl_check.pl line 361.
3:51:09 AM The system has completed the AutoSSL check for “cPusernme”.

And 2 sub domains that longer exists, but the redirect for them did.

Overall I found the process to be quite easy. I only did a few at a time, as the magic doesn't happen right away of course, it takes a few minutes to retrieve and setup the cert(s) for each. I also manually added rules to several of the site's htaccess' to force www as well.

Images on a sites homepage linked to from somewhere else, will get you a "Connection is not secure" message.

I recommend this new feature.

If https makes google happy and your users can't afford their own SSL proper, this is a pretty darn good stand in.

 

[jhawkins003]

Quite well on this end.

Great to hear, and thanks for sharing details! I do agree this is an amazing feature, and we believe most of the issues we are seeing are specific to our install. This happily confirms.

We had an Apache template that originally messed with AutoSSL, and ever since the feature has yet to really work properly. Some certificates never pull down - others pull but never install, the logs chronically get stuck in 'in processing' and don't reflect the actual status of the installs, and we have one server that throws an AutoSSL CRON alert every 5 minutes because the scripts are attempting to act on a queued account that no longer exists.

Just a few growing pains, but as I said - cPanel support is fantastic, so we'll certainly be up and running soon.

 

[Infopro]

Those guys in cPanel Technical Support can fix anything.


GL!