AutoSSL setup process redirects new website to another domain name on server?

tvcnet

Hi cPanel,

On our servers, when a new account is set up for SSL, the client's website redirects to another website set on server unexpectedly. This causes our clients a lot of confusion, especially when we are first setting up an account for auto SSL (and their website is showing another client's website sharing the same server).


Is there no way for us to set the account the server redirects to during the Auto SSL setup process?


I'm hoping there might be a way for us to set up an account on server that client may see during the verification, instead of what appears to be the first account in the vhosts file.


Your thoughts?
 

24x7server

> Is there no way for us to set the account the server redirects to during the Auto SSL setup process?

The AutoSSL works in a way that it first validates it by creating a link and getting proper output from that link. If for any reason the account redirects, then there are chances of this validation failing. Can you check the AutoSSL logs to see if the validation for those domains was proper and that the SSL was issued and installed properly?
 

cPanelMichael

Hi Jim,

Accessing a new domain name over SSL should not result in the website loading the SSL contents of another domain name. That should only occur if you were accessing the website via its IP address, or if you've turned off the following option under the "Security" tab in "WHM >> Tweak Settings":

Generate a self signed SSL certificate if a CA signed certificate is not available when setting up new domains

Per its description:

When you create a new domain, cPanel will apply the best available certificate (CA signed); otherwise cPanel will apply a self-signed SSL certificate and request a new certificate via AutoSSL if it is enabled. Warning: If you disable this option, and a CA signed certificate is not available, when a user attempts to visit the newly created domain over https, the user will see the first SSL certificate installed on that IP address. Warning: If you enable this option and do not have a CA signed certificate or AutoSSL enabled, Google search results may point to the SSL version of the site with a self-signed certificate, which will generate warnings in the users’ browser. To avoid both of these concerns, we strongly recommend that you enable AutoSSL.

Have you turned this option off on this system?

Thank you.
 

dclaw

Hi,

There are 2 issues here.

1. When there is no SSL installed on a domain, accessing a domain configured on the server at port 443 will present the SSL certificate of another SSL configured domain. This is how it has always been. Is there a solution?

For example:

domain.com has an ssl certificate

domain2.com has no ssl certificate

visiting https://domain2.com will show an SSL warning because it is loading domain.com's ssl certificate

2. This is happening even when 'Generate a self signed SSL certificate if a CA signed certificate is not available when setting up new domains' is enabled, as for some reason this doesn't always generate a certificate. Additionally, having a self-signed certificate installed always breaks automatic AutoSSL runs, as it will not replace self-signed certificates.
 

cPanelMichael

> 1. When there is no SSL installed on a domain, accessing a domain configured on the server at port 443 will present the SSL certificate of another SSL configured domain. This is how it has always been. Is there a solution?
>
> For example:
>
> domain.com has an ssl certificate
>
> domain2.com has no ssl certificate
>
> visiting https://domain2.com will show an SSL warning because it is loading domain.com's ssl certificate

It's normal to see that behavior when installing SSL certificates on shared IP addresses due to the way SNI works. We document methods to address this on our SSL FAQ document:

My certificate installed, but visitors who try to securely access other sites on the shared IP address can only see the site with an installed SSL certificate, not my default domain.

> 2. This is happening even when 'Generate a self signed SSL certificate if a CA signed certificate is not available when setting up new domains' is enabled, as for some reason this doesn't always generate a certificate. Additionally, having a self-signed certificate installed always breaks automatic AutoSSL runs, as it will not replace self-signed certificates.

AutoSSL can replace self-signed certificates automatically if you enable the following feature under the "Options" tab in "WHM >> Manage AutoSSL":

Allow AutoSSL to replace invalid or expiring non-AutoSSL certificates.

Per its description:

This option will allow AutoSSL to replace certificates that the AutoSSL system did not issue. When you enable this option, AutoSSL will install certificates that replace users’ CA-issued certificates if they are invalid or expire within 3 days.

Unless you fully understand this option, do not select it, because the system could unexpectedly replace an expiring or invalid EV or OV certificate with a DV certificate.

As far as the automatic self-signed SSL certificate setup, is the system attempting to generate an AutoSSL certificate for the new domain name upon account creation, and does that initial attempt to do so fail? Or, do you have AutoSSL disabled for new accounts?

Thank you.
 

Mark Bailey

We have the same problem. We just issued a new AutoSSL certificate for a site. AutoSSL reported the certificate being set up properly. But when anyone goes to the https version of that site, they are redirected to another domain (which happens to begin with A and is probably the first domain on the server alphabetically). Very confusing and frustrating for end users and the client.
 

cPanelMichael

> We have the same problem. We just issued a new AutoSSL certificate for a site. AutoSSL reported the certificate being set up properly. But when anyone goes to the https version of that site, they are redirected to another domain (which happens to begin with A and is probably the first domain on the server alphabetically). Very confusing and frustrating for end users and the client.

Hi Mark,

This should not happen unless the following feature is disabled under the Security tab in WHM >> Tweak Settings:

Generate a self signed SSL certificate if a CA signed certificate is not available when setting up new domains.

When that feature is disabled, it's possible a period of time will exist where no SSL certificate is installed for the domain name. Since it can sometimes take a few hours for the AutoSSL validation process to occur, that would leave the domain name with no certificate for a few hours and thus you'd notice the reported behavior.

Can you provide more details about how you are verifying the AutoSSL certificate was installed for the domain name?

Thank you.
 

nlaruelle

> This should not happen unless the following feature is disabled under the Security tab in WHM >> Tweak Settings : Generate a self signed SSL certificate if a CA signed certificate is not available when setting up new domains.

I second that; it still happens today in July 2021 when this tweak ("Generate a self signed SSL") is "On" if:

1. The user was using the temporary URL https:// 123.45.67.89/~example/ as a staging to develop his website.
2. The user finally links his domain name by changing his Nameservers.
3. The Auto-SSL certificate is automatically generated for the new URL https:// example.com.
4. And then after the proper SSL Certificate is generated, the user tries to access the previous temporary URL https:// 123.45.67.89/~example/ again; for instance, to check something / Search & Replace the main URL in his WordPress website database (…and so on)

=> then he is redirected to the first website with an SSL Certificate (the first account username by alphabetical order I guess?)

At some hosting companies, someone building a website for Kids can be redirected to a website with "Adult Contents", or an eCommerce shop selling some things for smoking, or Drugs, or any confidential website using robots=noindex,nofollow… I don't know.

You understand the confidentiality problem about this issue? And it can be a drama for the hosting provider reputation.

A universal fix would be appreciated for this.

On the first page of Google, I count half a dozen people complaining about that here in this forum since 2014. No need to paste the URLs here, just search "cpanel no ssl certificat redirect to" on Google.
 


cPRex

@nlaruelle - I'm not completely sure I am understanding the situation you've explained. If the user is visiting the site with an IP, no SSL is going to be able to secure that as you'll always receive a security warning when using https on an IP address, since they are only linked to domain names.

This will happen even if the SSL is properly set up for the hostname, or if the SSL is self-signed.
 

nlaruelle

> @nlaruelle If the user is visiting the site with an IP, no SSL is going to be able to secure that as you'll always receive a security warning…

Thanks cPRex! And Yes! But the people are able to click "Advanced" > "Proceed to example.com (unsafe)." Which is pretty common when you are working/migrating on a website.

(see attachment below please)

Then, they all are redirected to another website than their own one, by using https:// 123.45.67.89/~example/ (confidentiality problem, see above)

For my part, we have less than 300 cPanel customers for now (small hosting provider), and this issue/question happens for us around 1 time for each quarter.
I am surprised questions still happen about that.

It would be good if, in this case, this traffic would be redirected to anything else than a random customer in the same server.
It's a serious confidentiality issue I guess. I will not send a feature request as my previous one is still under moderation for +1 month. And this concern has been discussed since 2014 here.

Thanks again.
 


cPRex

Thanks for the clarification. You'll want to do the following to set up the default SSL vhost on the machine:


Once you do that it will no longer go to a seemingly random domain on the system.
 

nlaruelle

Thanks for the tips.

Unfortunately, we use a dozen Failover IPs on each server. So, it means that for each IP Failover, we have to create a fictive cPanel account with a primary domain like "no-ssl-certificate-127-0-0-1.com" to take control of the redirection. It's not a real solution, it's more like a patch :-/
 

cPJustinD

Hello. I can certainly understand your concern. We've published an article that covers why the unsecured domains show the contents of other domains when forced over HTTPS here:

Why does HTTPS show the website of a different domain?

Alternatively, you can redirect the domain to another location temporarily, and bypass the redirects for AutoSSL using the process outlined below:

How do I prevent AutoSSL from following redirects in Apache includes?

Once the SSL is installed, you could then remove the redirect and includes referenced above.

You can also submit a feature request for this if you would like by using the "Submit a Feature Request" in my signature below.

I hope that this helps. If you have any other questions or concerns, please let us know!
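
The fallthrough behaviour discussed in this thread, modelled as an added example (not code from any poster or from cPanel): a simplified version of Apache's name-based selection, where an HTTPS request whose SNI name matches no SSL virtual host on that IP, or that carries no SNI because the URL used a bare IP address, is answered by the first SSL virtual host defined for the IP. The `SslVhost` type, the function names, the addresses and the domains are constructed for illustration; a real audit would build the list from the server's Apache configuration.

```python
"""Simplified model of how Apache picks an HTTPS virtual host on a shared IP."""
from dataclasses import dataclass


@dataclass(frozen=True)
class SslVhost:
    ip: str
    names: tuple  # ServerName first, then ServerAlias entries, lower-case


def name_matches(pattern, host):
    """Exact match, or a ServerAlias-style '*.example.com' wildcard."""
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return pattern == host


def select_vhost(vhosts, ip, sni):
    """Return (vhost, fell_through); vhosts is in configuration-file order.

    sni is None when the client connects by bare IP address, because
    clients do not send SNI for IP literals.
    """
    on_ip = [v for v in vhosts if v.ip == ip]
    if not on_ip:
        return None, False  # nothing listens for HTTPS on this IP
    if sni:
        for v in on_ip:
            if any(name_matches(n, sni.lower()) for n in v.names):
                return v, False
    return on_ip[0], True  # default: first SSL vhost defined for this IP


def audit(vhosts, hosted):
    """hosted maps domain -> IP. Report each domain whose HTTPS traffic is
    answered by some other site's vhost, and which site that is."""
    findings = {}
    for domain, ip in hosted.items():
        vhost, fell_through = select_vhost(vhosts, ip, domain)
        if fell_through:
            findings[domain] = vhost.names[0]
    return findings


# Constructed sample: two SSL vhosts on one shared IP, one account with none.
VHOSTS = [
    SslVhost("203.0.113.10", ("domain.com", "www.domain.com")),
    SslVhost("203.0.113.10", ("shop.example", "*.shop.example")),
]
HOSTED = {"domain.com": "203.0.113.10", "domain2.com": "203.0.113.10",
          "cdn.shop.example": "203.0.113.10"}

if __name__ == "__main__":
    print(audit(VHOSTS, HOSTED))                       # domain2.com falls through
    print(select_vhost(VHOSTS, "203.0.113.10", None))  # bare-IP request
```

Placing a placeholder vhost first in the list for an IP, as described above for failover IPs, changes the reported target from a customer site to the placeholder.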
 