AutoSSL mail subdomain

Discussion in 'Security' started by JeffPaetkau, Nov 10, 2016.

  1. JeffPaetkau

    JeffPaetkau Member

    Joined:
    May 5, 2014
    Messages:
    13
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    Hi,

    Some time back I set up AutoSSL for all the domains on several of our servers. However, I just reviewed the log files and on one (not the others) of the servers I am getting messages like this for each of the domains:

    Code:
     7:55:09 PM The website “example.com”, owned by “example”, has a valid SSL certificate, but additional SSL coverage may be possible for the domain “mail.example.com”. The system will attempt to replace this certificate with one that includes this additional domain.
    7:55:09 PM WARN The domain “mail.example.com” failed domain control validation: “mail.example.com” does not resolve to any IPv4 addresses on the internet. at bin/autossl_check.pl line 512.
    I have been unable to find much on this error or how to tell EasyApache not to attempt to add the mail.example.com domain name to the certificate. This server does not handle mail for any of the domains it hosts.
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    38,659
    Likes Received:
    1,428
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello,

    Could you verify if you have made any modifications to the mail subdomain on that account? For instance, do you have a custom DNS entry for the "mail" entry in that domain name's DNS zone that points to a remote IP address, or is the subdomain added as a separate parked/addon domain name?

    Thank you.
     
  3. verdon

    verdon Well-Known Member

    Joined:
    Nov 1, 2003
    Messages:
    847
    Likes Received:
    3
    Trophy Points:
    168
    Location:
    Northern Ontario, Canada
    cPanel Access Level:
    Root Administrator
    I have this happening on some accounts too. I have modified the zone files on these accounts so that mail.account.com points to their own private mail servers. This is usually when they have an exchange server in-house. In some cases there are other sub-domains that point to off-server IP addresses for internal use. It would be nice if there was some way to tell AutoSSL to not bother with specific sub-domains on an account-by-account basis. The only option I can see now is to just ignore these errors.
     
  4. JeffPaetkau

    JeffPaetkau Member

    No, this server only handles web hosting. We have separate dedicated DNS and email servers. DNS is completely disabled and all DNS zones are cleared. Every domain on the server gets this error/warning but none of them have the mail.* subdomain as a parked or add-on domain.

    Also, I have two servers and only one of them is exhibiting this issue. The one that has the issue did not when I first set it up. I expect it was some change with the last upgrade that is causing it.
     
  5. JeffPaetkau

    JeffPaetkau Member

    Hi,

    It seems the issue is that cPanel is automatically creating mail.* subdomains in the Apache configuration as a ServerAlias. However, there is nowhere in the interface to modify or remove this subdomain. If I manually edit the /var/cpanel/userdata/domain file, the issue resolves.

    I can modify the userdata files to remove the mail subdomain from existing records. However, is there a setting somewhere in WHM where I can prevent it creating the record for new domains?

    Jeff
     
  6. chrisatomix

    chrisatomix Registered

    Joined:
    Nov 15, 2016
    Messages:
    1
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Adelaide, Australia
    cPanel Access Level:
    Root Administrator
    This has been causing all kinds of grief for us; our htaccess files have been getting mangled because of the AutoSSL rewrite rules being added, which was caused by the mail.* subdomains. I found this discussion while trying to troubleshoot.

    It looks like this feature is called "Proxy Subdomains". If you visit "Tweak Settings" in the WHM admin you can disable "Proxy subdomain creation". Of course this only affects new accounts.

    To disable existing accounts you need to SSH into the server and run:
    /scripts/proxydomains remove --user=cpaneluser
    (Where cpaneluser is the cPanel username of the account in question).
    It will spit out an output to show that the subdomains are removed. This will also remove webdisk.*, cpcalendars.*, cpcontacts.*, webmail.* as well as mail.*

    I'm in the process of doing this manually for around 200 accounts.

    EDIT: Nope, I was wrong. This deletes everything except mail.*. I'll have to remove them manually. There goes my day.
     
  7. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello,

    Internal case CPANEL-9738 is open to ensure the AutoSSL feature accounts for customer-created “mail.” subdomains. This is seen in instances where the user deletes the default "mail" entry in the DNS zone, and then adds "mail" as a traditional subdomain through cPanel. I'll update this thread once the case is published.

    Regarding the other instances where the "mail" entries have been modified or removed, could anyone experiencing those issues open a bug report using the Submit A Bug Report URL? This will allow us to review the system, verify the custom configuration in-place, and then open an internal case to determine how to best address the issue. Please post the ticket number that's assigned to you on this thread once the report is opened.

    We also have a feature request open to exclude certain subdomains from the AutoSSL feature at:

    AutoSSL: Prevent specific domains from being issued free SSL certificates

    I encourage anyone interested in this feature to vote and add feedback.

    Thank you.
     
  8. JeffPaetkau

    JeffPaetkau Member

    So my other servers are experiencing the AutoSSL mail subdomain errors now as well. Checking the logs, the errors started right after the system updated from v58 to v60. This is for sure a regression in v60 and not a difference in settings between servers.

    I see that the other servers also have mail subdomains in their userdata files. I don't know if those were there before and it is AutoSSL that has updated its behaviour or if cPanel added the subdomains when it upgraded, triggering pre-existing AutoSSL behaviour.

    The description for 'Proxy subdomain creation' does not seem to include the mail subdomain but I haven't tested yet.
     
  9. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    This is new behavior that's by design in cPanel version 60 and documented at:

    60 Release Notes - Documentation - cPanel Documentation

    I encourage you to submit a support ticket or bug report via the URL in my last response so we can track down any conditions where it's resulting in unforeseen issues.

    Thank you.
     
  10. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

  11. Metro2

    Metro2 Well-Known Member

    Joined:
    May 24, 2006
    Messages:
    394
    Likes Received:
    17
    Trophy Points:
    168
    Location:
    USA
    cPanel Access Level:
    Root Administrator
    I've recently been going through a nightmare issue along these lines, and I have AutoSSL *disabled*.

    Just recently after my servers (Release Tier updates, CloudLinux 6.7) updated to 11.60, I reset / renewed the SSL certificates that I purchased for my hostnames and WHM Services, and found myself plagued with the following issues:

    - Suddenly for no reason, cPanel started automatically creating actual Addon Domains and Aliases in my users' cPanel accounts. Yes, as in visible Addon Domains / Aliases displaying in their cPanel for each Addon / Alias that the user had. So if a user has Addon Domain "example.com" then suddenly the Addon Domain "mail.example.com" appears in their cPanel > Addon Domains area. In many cases this maxed out the user's allowed number of Addon Domains and Aliases allowed on their particular hosting package. cPanel Support (ticket 8024525) says that I'm the only case / only servers they've ever seen this happen on.

    - For all the years I've been using cPanel on my servers (over a decade) we have always instructed users to configure their email client's POP/SMTP servers in the "mail.example.com" format and that has worked fine up until now. Previous to cPanel 11.60 if users got an "Invalid Certificate" or any kind of certificate warning in their mail client software, they could just click "Details / Show Certificate" and then choose the "Always Trust" option, click save, and get on with their lives. But now since 11.60 many users are unable to get rid of the certificate warning popup in their mail clients, and users with modern mobile devices such as Google Pixel phones can't even add their POP email accounts to their devices! It tells them that "The security certificate for this email address isn't safe enough"! (Strangely though, it DOES let them create accounts without issue if they use "example.com" format instead of "mail.example.com" format as their POP/SMTP servers).

    So even though I have AutoSSL disabled and even though I'm not using self-signed certs on my hostnames and WHM Services, this new Mail SNI situation has been wreaking havoc on my life.

    I'm currently involved in a long ticket with cPanel support over this - ticket # 8024525 - and I'm trying to understand / comply with what cPanel Support techs are telling me in there. The two techs that have been working my ticket have been EXTREMELY HELPFUL and they're doing a great job and trying to get me through this problem, but as can often happen in written tickets without voice communication I believe there's still a little miscommunication / misunderstanding going on in the ticket.

    And while I certainly don't blame cPanel technicians for my unfamiliarity with Mail SNI and 11.60's "new behaviors", I'm very frustrated that right on the heels of the deluge of support calls over the Thanksgiving / Black Friday / Cyber Monday hump, I've had to deal with this lovely surprise landing in my lap.

    I've been at the point with this where I was considering spending the $65 on a cPanel Phone Support instance, but between the fact that finances are extremely tight and the fact that one of the cPanel techs assisting me in my ticket #8024525 stated that "Phone support can be quite helpful if there's a lot of information that needs to be exchanged between us, however with this particular situation, I don't believe it will expedite the resolution". But yet, I'm feeling like a few key talking points in the ticket aren't getting across / are getting misunderstood.

    Again - I'm not complaining about the cPanel Support techs assisting me - they've been great and I appreciate the help they're providing very much, but I feel like the issues are a bit convoluted in the ticket and I'm still feeling very unsure of what best to do next.

    One of the techs has suggested that I should make use of the AutoSSL and Enable the AutoSSL feature, stating that it will provide "free 90 day certificates for any domain on the server" and that it will "resolve email client issues to a state better than before, no need to bypass certificate warnings", which almost sounds nice but then what happens after 90 days? Am I stepping into an arena in which my cPanel users are then encouraged to purchase SSL certificates from some other authority or from one of cPanel's vendors? That would not be good, since I've gone to great lengths to provide SSL Certificate installation instructions to my customers along with a link to my preferred SSL vendor affiliate link so that I can reliably help them purchase and install SSL certificates on their e-commerce sites that they host with me.

    Sorry to present here "whining" about the situation but this has all caused a lot of confusion and sidetracked me from getting other important work done. I missed Thanksgiving dinner with my family as I spent the day fielding support calls from users who could not get rid of the Certificate Warning in their mail clients. Which leads me to an aside - why does it seem like new cPanel stuff like this that requires extra hand-holding for users and hosts alike always has to roll-out at Holiday time? Don't we all have enough stress already?
    </rant>
     
  12. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    15,773
    Likes Received:
    313
    Trophy Points:
    433
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    Subdomains are not being created, at least not here on my end. New Aliases are being created though, for each domain. I see them as well and they've maxed out Aliases limits on several of my smaller Packages.
     
  13. Metro2

    Metro2 Well-Known Member

    Thanks for posting. Now cPanel can see that I'm not the only one.

    But yeah, in my case it created an Addon "mail.example.com" Domain for every Addon Domain, and an Alias "mail.example.com" for every Alias parked domain, all of which were visible right in the cPanel taking up the user's Addon Domain and Alias slots.

    Fortunately the cPanel techs who have been assisting on my ticket have been AWESOME. One of the techs ran some scripts that removed all of the bogus "mail." Addon Domains, and the other tech is really helping me out big time in regard to AutoSSL now.

    I'm stumped on one last issue in all of it in my case - I'm not sure if this has to do with how I installed my purchased SSL certs for my hostnames and my WHM Services or what, but still users get "Certificate not valid" and "The security certificate for this email address isn't safe" in email clients when trying to use the "mail.example.com" format for POP/SMTP servers.

    Based on what the tech who is helping in my ticket right now says, enabling AutoSSL on all accounts should have resolved the mail certificate warning, so all I can think of is maybe when I installed the purchased Comodo Positive SSL's for my hostnames and WHM Services, and there was a "Mail SNI" option in one of the steps, I should have either left it checked or unchecked that option. I'm thinking it must be something I overlooked, but the thing is - I installed my hostname and WHM Services SSL's the same exact way I've been doing it on all servers for many years. But with 11.60 the whole thing just kinda blew up on me.

    I'll post back here if I think I've got anything of value to add. Right now all I can say is I'm thankful for the cPanel Support techs big time! Don't know how I'd dig out of this one without them!
     
  14. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    I reviewed your entire ticket and couldn't agree more. Those guys are the best. :)

    Please keep us updated on how it goes.
     
  15. Metro2

    Metro2 Well-Known Member

    OK...

    Based on the last response I received on the ticket, I think what I'm hearing is this:

    1. Deleting my pre-existing purchased certs that I installed for my server hostnames and WHM Services and letting AutoSSL or cPanel replace them will NOT help users with the "mail.example.com" cert warning issue. There is no point in uninstalling the purchased certs from the server hostnames and WHM Services because it will not help anything at all.

    2. cPanel 11.60 has broken the "mail.example.com" POP/SMTP format ability for cPanel USER mail clients who have their own pre-existing purchased SSL certs installed on their domain, so after decades of users being trained to use "mail.example.com" format in their mail clients, we have to tell them it doesn't work anymore for those who prefer to purchase a better cert for their domains. So if a user wants to keep their expensive SSL cert installed on their domain, they have to stop using "mail.example.com" format in their mail client POP/SMTP server settings and start using just the "example.com" in their mail client POP/SMTP server settings.

    I could be wrong - as I mentioned in an earlier post there does seem to be some miscommunication repeating itself in the ticket - but that's what I got from the last response from cPanel, and I won't know for sure until tomorrow because it was the end of that technician's shift.

    But if that's the case, even though it's not a big deal to people like us who can simply accept the fact that the normal way to do things is now apparently "broken" and all we need to do is change the way we've always done things, when it comes to end-users this will just be one more strike against us hosts and yet another excuse for certain types of very frustrated customers to approach us with the "See? It's not our fault that we're always sending tickets, it's because you guys keep changing things and expect us normal people to know how to do all this server setting stuff in our phones" and then huff off angry on us. And honestly, when I look at it from an end-user perspective, who could blame them? Since practically the beginning of time we've been telling them use "mail.example.com" for your Incoming/Outgoing server config in your mail client, and now we're going to tell them "but if you installed an expensive SSL cert on your domain then you shouldn't do that anymore because it doesn't work with new cPanel".

    I really hope I've misunderstood the tech's response because, to put it plainly, that sucks.
     
    Infopro likes this.
  16. JeffPaetkau

    JeffPaetkau Member

    It sounds like you have a different issue that is caused by the same core issue which is the fact that cPanel is suddenly creating these mail subdomains.
     
  17. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    This relates to a bug where "mail.domain.tld" subdomains were added automatically during the update to cPanel version 60 and converted into parked, addon, and subdomains. Internal case CPANEL-9337 implements a change that will detect which domains were incorrectly upgraded, and then reset the userdata and cpuser data files for the affected users. Once this case is implemented, it should address the additional two issues reported in your last post. Also, feel free to open a new support ticket, or reply to the existing one, and we can manually patch your server before the fix is published.

    The cPanel-signed AutoSSL certificates automatically renew (the price is still free) before the certificate expires, so as long as the domain name still exists and resolves to the server, it should not require any manual intervention. You can find more information about the automatic renewal dates at:

    Manage AutoSSL - Documentation - cPanel Documentation

    Thank you.
     
  18. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

  19. JeffPaetkau

    JeffPaetkau Member

    This appears to have fixed some (perhaps 20%) of the domains. The majority are still attempting to request a cert for the non-existent mail subdomain.
     
  20. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello,

    The request will still occur, and the logs will note that domain validation fails for the mail subdomain; however, AutoSSL should still proceed to issue the certificate without the mail subdomain. Are you experiencing different behavior, and if so, what's the specific error message you are receiving?

    Thank you.
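
An added example, not part of the thread and not cPanel's code: a triage script for the AutoSSL log format quoted in the first post. It separates DCV failures on the automatically created service subdomains (mail.* and the proxy subdomains named in the thread), which the last reply says do not block issuance, from failures on other names. The `shop.test` entries, the verdict names and the rule that a non-resolving service subdomain is expected on a web-only server are assumptions.

```python
import re
from collections import defaultdict
from typing import NamedTuple, Optional

# Constructed sample in the format of the log excerpt quoted in the thread
# (the example.com lines mirror the thread; the shop.test lines are made up).
SAMPLE_LOG = """\
7:55:09 PM The website “example.com”, owned by “example”, has a valid SSL certificate, but additional SSL coverage may be possible for the domain “mail.example.com”. The system will attempt to replace this certificate with one that includes this additional domain.
7:55:09 PM WARN The domain “mail.example.com” failed domain control validation: “mail.example.com” does not resolve to any IPv4 addresses on the internet. at bin/autossl_check.pl line 512.
7:55:10 PM The website “shop.test”, owned by “shopuser”, has a valid SSL certificate, but additional SSL coverage may be possible for the domain “www.shop.test”. The system will attempt to replace this certificate with one that includes this additional domain.
7:55:10 PM WARN The domain “www.shop.test” failed domain control validation: “www.shop.test” does not resolve to any IPv4 addresses on the internet. at bin/autossl_check.pl line 512.
"""

# Labels the thread names as automatically created service subdomains.
SERVICE_LABELS = {"mail", "webmail", "webdisk", "cpcalendars", "cpcontacts"}

SITE_RE = re.compile(r"The website “(?P<site>[^”]+)”, owned by “(?P<owner>[^”]+)”")
DCV_RE = re.compile(
    r"WARN The domain “(?P<domain>[^”]+)” failed domain control validation: "
    r"(?P<reason>.*?)(?: at \S+ line \d+\.)?$"  # drop the Perl file/line trailer
)

class Finding(NamedTuple):
    owner: Optional[str]
    site: Optional[str]
    domain: str
    reason: str
    verdict: str  # "expected-service-subdomain" or "needs-review"

def classify(domain: str, site: Optional[str], reason: str) -> str:
    """Assumed rule: a non-resolving service subdomain of the website being
    checked is expected when mail is hosted elsewhere; anything else is not."""
    label = domain.split(".", 1)[0].lower()
    is_child = site is not None and domain.lower().endswith("." + site.lower())
    if label in SERVICE_LABELS and is_child and "does not resolve" in reason:
        return "expected-service-subdomain"
    return "needs-review"

def triage(log_text: str) -> list:
    """Pair each DCV warning with the most recent 'The website ...' line
    (assumes warnings follow the website they belong to, as in the excerpt)."""
    findings, site, owner = [], None, None
    for line in log_text.splitlines():
        m = SITE_RE.search(line)
        if m:
            site, owner = m["site"], m["owner"]
            continue
        m = DCV_RE.search(line)
        if m:
            reason = m["reason"].strip()
            findings.append(Finding(owner, site, m["domain"], reason,
                                    classify(m["domain"], site, reason)))
    return findings

def by_owner(findings, verdict: str) -> dict:
    """Group the failing names with the given verdict by cPanel account."""
    out = defaultdict(list)
    for f in findings:
        if f.verdict == verdict:
            out[f.owner].append(f.domain)
    return dict(out)

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.verdict:27} {str(f.owner):10} {f.domain}")
```

Names listed under `needs-review` are the ones where the issued certificate will be missing a hostname that visitors may actually use.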
     