SOLVED AutoSSL only for subdomain?

Discussion in 'Security' started by Malachi, Feb 12, 2018.

  1. Malachi

    Malachi Registered

    Not sure if this is possible, and if it is how.. but here's the deal:
    I have a domain (www) that has a regular SSL certificate (not a free one). That ssl certificate is just for the www and non-www part of the domain. So far so good.

    However.... I have a subdomain (let's call it "blog") that therefore has no certificate. I want to use the Autossl feature for this. The blog has been set up as a subdomain of the domain, so it does not have its own "account" within WHM.
    Is it possible to use the Let's Encrypt/Comodo free certificate for this through the Autossl feature? And if so, how?
     
  2. Malachi

    Malachi Registered

    I found the answer in another thread: Paid SSL on Domain, Free AutoSSL on Subdomains?

    Thanks for your response... the link I just gave has the answer. Note however, that the "security" block can be found in the individual account... in case you have a reseller account with a bunch of accounts in it.
    Second note: Besides this.. if you have a regular SSL certificate installed, simply turn on the AutoSSL for that domain anyway, but make sure you have the checkbox unchecked that says "Allow AutoSSL to replace invalid or expiring non-AutoSSL certificates." (This option will allow AutoSSL to replace certificates that the AutoSSL system did not issue. When you enable this option, AutoSSL will install certificates that replace users’ CA-issued certificates if they are invalid or expire within 3 days.)
    Therefore, any installed certificates will stay where they are and AutoSSL will not replace those. AutoSSL will take care of subdomains that need a certificate though...
     
  3. cPanelMichael

    cPanelMichael Technical Support Community Manager Staff Member

    Hello,

    I'm glad to see you found the solution. Thank you for sharing the outcome.
     
  4. samgreco

    samgreco Member

    Strange. Just did this and AutoSSL does not seem to want to overwrite the cert. I get "The installed certificate does not cover this domain. The certificate will not renew via AutoSSL because it was not issued via AutoSSL"

    And of course, this is one of the domains that we actually use the webserver's email. And the mail. and webmail. are 2 of the subdomains that AutoSSL won't renew.

    Any thoughts?
     
    John Napoletano likes this.
  5. cPanelMichael

    cPanelMichael Technical Support Community Manager Staff Member

    Hello @samgreco,

    Can you provide some more information about the specific scenario you are facing so we can attempt to reproduce it on a test environment? Please include information about how the additional domain names are configured (e.g. subdomains, aliases), and verify which domain names you are excluding.

    Thank you.
     
  6. wintech2003

    wintech2003 Active Member PartnerNOC

    I checked out both threads but unfortunately they didn't help in my case (which I believe is the same as yours here though).

    Here's my SSL/TLS Status page:
    [​IMG]

    As you see, I have an OV certificate for domain.com / www.domain.com and what I would like is to have AutoSSL generate an SSL for mail.domain.com.
    There are no checkboxes next to the domains, in order to include/exclude domains from AutoSSL, and when I run AutoSSL this is the log output in WHM:

    Code:
     11:40:48 AM AutoSSL’s configured provider is “cPanel (powered by Comodo)”.
     This AutoSSL provider does not poll for certificate availability immediately after a certificate request submission. Instead, it submits certificate requests then periodically polls the cPanel Store for each requested certificate and installs it after a successful retrieval. The system will record all requests, retrievals, and installations for the current AutoSSL run in this log.
     Checking websites for “xxxxxxxx” …
     11:40:48 AM Analyzing “xxxxxxxx.com” …
     11:40:48 AM TLS Status: Incomplete
     Certificate expiry: 9/14/19, 12:00 AM UTC (360.64 days from now)
     Issuer: commonName=COMODO RSA Organization Validation Secure Server CA, organizationName=COMODO CA Limited, localityName=Salford, stateOrProvinceName=Greater Manchester, countryName=GB
     Impediment: CERTIFICATE_IS_EXTERNALLY_SIGNED: The certificate is neither self-signed nor from AutoSSL.
     11:40:48 AM The system has completed the AutoSSL check for “xxxxxxxx”.
    Any ideas?
     
    John Napoletano likes this.
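
An added example, not part of the original thread and not cPanel's own code: a small parser for AutoSSL log output in the shape quoted in the post above, listing the websites where a run stopped on a given impediment code such as `CERTIFICATE_IS_EXTERNALLY_SIGNED`. The sample log is constructed from the lines shown in that post, with `example.com` as a placeholder for the redacted domain; the function names are hypothetical.

```python
import re

# Constructed sample in the shape of the WHM log quoted in the thread;
# "example.com" is a placeholder for the redacted domain.
SAMPLE_LOG = """\
11:40:48 AM Analyzing “example.com” …
11:40:48 AM TLS Status: Incomplete
Certificate expiry: 9/14/19, 12:00 AM UTC (360.64 days from now)
Issuer: commonName=COMODO RSA Organization Validation Secure Server CA, organizationName=COMODO CA Limited
Impediment: CERTIFICATE_IS_EXTERNALLY_SIGNED: The certificate is neither self-signed nor from AutoSSL.
11:40:48 AM The system has completed the AutoSSL check for “example”.
"""

TIMESTAMP = re.compile(r"^\s*\d{1,2}:\d{2}:\d{2} [AP]M\s+")
ANALYZING = re.compile(r"^Analyzing [“\"](?P<site>[^”\"]+)[”\"]")
FIELD = re.compile(r"^(?P<key>TLS Status|Certificate expiry|Issuer): (?P<val>.*)$")
IMPEDIMENT = re.compile(r"^Impediment: (?P<code>[A-Z0-9_]+): (?P<msg>.*)$")

def parse_autossl_log(text):
    """Return {website: {"fields": {...}, "impediments": [(code, msg), ...]}}."""
    sites, current = {}, None
    for raw in text.splitlines():
        line = TIMESTAMP.sub("", raw).strip()  # timestamps are optional per line
        m = ANALYZING.match(line)
        if m:
            current = sites.setdefault(m["site"], {"fields": {}, "impediments": []})
            continue
        if current is None:
            continue  # preamble before the first "Analyzing" line
        if line.startswith("The system has completed"):
            current = None  # end of this user's check
            continue
        m = FIELD.match(line)
        if m:
            current["fields"][m["key"]] = m["val"]
            continue
        m = IMPEDIMENT.match(line)
        if m:
            current["impediments"].append((m["code"], m["msg"]))
    return sites

def blocked_by(sites, code):
    """Websites whose AutoSSL check reported the given impediment code."""
    return sorted(s for s, d in sites.items()
                  if any(c == code for c, _ in d["impediments"]))

if __name__ == "__main__":
    print(blocked_by(parse_autossl_log(SAMPLE_LOG), "CERTIFICATE_IS_EXTERNALLY_SIGNED"))
```
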
  7. cPanelMichael

    cPanelMichael Technical Support Community Manager Staff Member

  8. John Napoletano

    John Napoletano Member

    I created that thread! And I can't update it due to its age.

    This doesn't seem to work on the auto created aliases, the ones created at account setup. For created sub domains maybe it works. Can you confirm this?

    WHM Home > SSL/TLS > Manage SSL Hosts

    GoDaddy.com Inc (paid)
    domain.tld
    www.domain.tld

    cPanel Inc (free)
    cpanel.domain.tld (A)
    mail.domain.tld (CNAME)

    I don't think you can do that above.

    Failing that...

    1) Should mail clients target POP simply with 'domain.tld' without the mail sub?

    2) Should users log in to the cpanel accounts using https domain.tld:2083 or domain.tld/cpanel instead of cpanel.domain.tld?

    Both ideas seem to work fine. Maybe it's not a problem after all, just a misunderstanding of the way the default url structure is to be used.

    Anyone with insight please comment on this.
     
  9. cPanelMichael

    cPanelMichael Technical Support Community Manager Staff Member

    Hi John,

    There's a separate workaround noted on the following thread:

    Install SSL, but not for mail subdomain

    Can you confirm if that helps for the default aliases (e.g. mail)?

    Thank you.
     