AutoSSL setup process redirects new website to another domain name on server?

[tvcnet]

Hi cPanel,

On our servers, when a new account is set up for SSL, the client's website redirects to another website set on server unexpectedly. This causes our clients a lot of confusion, especially when we are first setting up an account for auto SSL (and their webstie is showing another client's website sharing the same server).


Is there no way for us to set the account the server redirects too during the Auto SSL setup process?


I'm hoping there might be a way for us to set up an account on server that client may see during the verification, instead of what appears to be the first account in the vhosts file.


Your thoughts?

 

[24x7server]

Is there no way for us to set the account the server redirects too during the Auto SSL setup process?

The AutoSSL works in a way that it first validates it by creating a link and getting proper output from that link. If for any reason the account redirects, then there are chances of this validation failing. Can you check the AutoSSL logs to see if the validation for those domains were proper and that the SSL were issued and installed properly.

 

[tvcnet]

Thank you.

But your response has no relation to my question.

Please re-read the question.

 

[cPanelMichael]

Hi Jim,

Accessing a new domain name over SSL should not result in the website loading the SSL contents of another domain name. That should only occur if you were accessing the website via it's IP address, or if you've turned off the following option under the "Security" tab in "WHM >> Tweak Settings":

Generate a self signed SSL certificate if a CA signed certificate is not available when setting up new domains

Per it's description:

When you create a new domain, cPanel will apply the best available certificate (CA signed); otherwise cPanel will apply a self-signed SSL certificate and request a new certificate via AutoSSL if it is enabled. Warning: If you disable this option, and a CA signed certificate is not available, when a user attempts to visit the newly created domain over https, the user will see the first SSL certificate installed on that IP address. Warning: If you enable this option and do not have a CA signed certificate or AutoSSL enabled, Google search results may point to the SSL version of the site with a self-signed certificate, which will generate warnings in the users’ browser. To avoid both of these concerns, we strongly recommend that you enable AutoSSL.

Have you turned this option off on this system?

Thank you.

 

[dclaw]

Hi,

There's 2 issues here.

1. When there is no SSL installed on a domain, accessing a domain configured on the server at port 443 will present the SSL certificate of another SSL configured domain. This is how it has always been. Is there a solution?

For example:

domain.com has an ssl certificate

domain2.com has no ssl certificate

visiting https://domain2.com will show an SSL warning because it is loading domain.com's ssl certificate

2. This is happening even when 'Generate a self signed SSL certificate if a CA signed certificate is not available when setting up new domains' is enabled, as for some reason this doesn't always generated a certificate. Additionally, having a self-signed certificate installed always breaks automatic AutoSSL runs, as it will not replace self-signed certificates.

 

[cPanelMichael]

1. When there is no SSL installed on a domain, accessing a domain configured on the server at port 443 will present the SSL certificate of another SSL configured domain. This is how it has always been. Is there a solution?

For example:

domain.com has an ssl certificate

domain2.com has no ssl certificate

visiting https://domain2.com will show an SSL warning because it is loading domain.com's ssl certificate

It's normal to see that behavior when installing SSL certificates on shared IP addresses due to the way SNI works. We document methods to address this on our SSL FAQ document:

My certificate installed, but visitors who try to securely access other sites on the shared IP address can only see the site with an installed SSL certificate, not my default domain.

2. This is happening even when 'Generate a self signed SSL certificate if a CA signed certificate is not available when setting up new domains' is enabled, as for some reason this doesn't always generated a certificate. Additionally, having a self-signed certificate installed always breaks automatic AutoSSL runs, as it will not replace self-signed certificates.

AutoSSL can replace self-signed certificates automatically if you enable the following feature under the "Options" tab in "WHM >> Manage AutoSSL":

Allow AutoSSL to replace invalid or expiring non-AutoSSL certificates.

Per it's description:

This option will allow AutoSSL to replace certificates that the AutoSSL system did not issue. When you enable this option, AutoSSL will install certificates that replace users’ CA-issued certificates if they are invalid or expire within 3 days.

Unless you fully understand this option, do not select it, because the system could unexpectedly replace an expiring or invalid EV or OV certificate with a DV certificate.

As far as the automatic self-signed SSL certificate setup, is the system attempting to generate an AutoSSL certificate for the new domain name upon account creation, and does that initial attempt to do so fail? Or, do you have AutoSSL disabled for new accounts?

Thank you.

 

[Mark Bailey]

We have the same problem. We just issued a new AutoSSL certificate for a site. AutoSSL reported the certificate being set up properly. But when anyone goes to the https version of that site, they are redirected to another domain (which happens to begin with A and is probably the first domain on the server alphabetically. Very confusing and frustrating for end users and the client.

 

[cPanelMichael]

We have the same problem. We just issued a new AutoSSL certificate for a site. AutoSSL reported the certificate being set up properly. But when anyone goes to the https version of that site, they are redirected to another domain (which happens to begin with A and is probably the first domain on the server alphabetically. Very confusing and frustrating for end users and the client.

Hi Mark,

This should not happen unless the following feature is disabled under the Security tab in WHM >> Tweak Settings:

Generate a self signed SSL certificate if a CA signed certificate is not available when setting up new domains.

When that feature is disabled, it's possible a period of time will exist where no SSL certificate is installed for the domain name. Since it can sometimes take a few hours for the AutoSSL validation process to occur, that would leave the domain name with no certificate for a few hours and thus you'd notice the reported behavior.

Can you provide more details about how you are verifying the AutoSSL certificate was installed for the domain name?

Thank you.

 

[nlaruelle]

> This should not happen unless the following feature is disabled under the Security tab in WHM >> Tweak Settings : Generate a self signed SSL certificate if a CA signed certificate is not available when setting up new domains.

I second that, it stil happens today in july 2021 when this tweak "Generate a self signed SSL") is "On" if :

1. The user was using the temporary URL https:// 123.45.67.89/~example/ as a staging to develop his website.
2. The user finally link his domain name by changing his Nameservers.
3. The Auto-SSL certificate is automatically generated for the new URL https:// example.com.
4. And then after the proper SSL Certificate is generated, the user try to access again to the previous temporary URL https:// 123.45.67.89/~example/ ; For instance, to check something / Search & Replace the main URL in his WordPress website database (…and so on)

=> then he his redirect to the first website with a SSL Certificate (the first account username by alphabetical order I guess ?)

At some hosting compagnies, someone building website for Kids can be redirect to a website with "Adult Contents", or an eCommerce shop selling some things for smoking, or Drugs, or any confidential website using robots=noindex,nofollow… I don't know.

You understand the confidentiality problem about this issue ? And it can be a drama for the hosting provider reputation.

An universal fix would be appreciate for this.

On the first page of Google, I count half a dozen people complain about that here in this forum since 2014. No need to paste the URLs here, just search "cpanel no ssl certificat redirect to" on Google.

 

[cPRex]

@nlaruelle - I'm not completely sure I am understanding the situation you've explained. If the user is vising the site with an IP, no SSL is going to be able to secure that as you'll always receive a security warning when using https on an IP address, since they are only linked to domain names.

This will happen even if the SSL is properly setup for the hostname, or is the SSL is self-signed.

 

[nlaruelle]

@nlaruelle If the user is vising the site with an IP, no SSL is going to be able to secure that as you'll always receive a security warning…

Thanks cPRex! And Yes! But the people are able to click "Advanced" > "Proceed to example.com (unsafe)." Which is pretty common when you are working/migrating on a website.

(see attachment below please)

Then, they all are redirected to another website that their own one, by using https:// 123.45.67.89/~example/ (confidentiality problem, see above)

For my part, we have less than 300 cPanel customers for now (small hosting provider), and this issue/question happen for us around 1 time for each quarter.
I am surprised, questions till happen about that.

It would be good if, in this case, this traffic would be redirect to anything else that a random customer in the same server.
It's a serious confidentially issue I guess. I will not send a feature request as my previous one is still under moderation for +1 month. And this concern is discussed since 2014 here.

Thanks again.

 

[cPRex]

Thanks for the clarification. You'll want to do the following to setup the default SSL vhost on the machine:

How to set the default HTTPS VirtualHost

Introduction If a domain without a matching HTTPS VirtualHost is requested, Apache serves the first entry in the configuration, as described here. This modification may also need to be performed fo...

support.cpanel.net

Once you do that it will no longer go to a seemingly random domain on the system.

 

[nlaruelle]

Thanks for the tips.

Unfortunately, we use a dozen of Failover IPs on each servers. So, it means that for each IP Failover, we have to create a fictive cPanel account with a primary domain like "no-ssl-certificate-127-0-0-1.com" to take control of the redirection. It's not a real solution, it's more like a patch :-/

 

[cPJustinD]

Hello. I can certainly understand your concern. We've published an article that covers why the unsecured domains show the contents of other domains when forced over HTTPS here:

Why does HTTPS show the website of a different domain?

Alternatively, you can redirect the domain to another location temporarily, and bypass the redirects for AutoSSL using the process outlined below:

How do I prevent AutoSSL from following redirects in Apache includes?

Once the SSL is installed, you could then remove the redirect and includes referenced above.

You can also submit a feature request for this if you would like by using the "Submit a Feature Request" in my signature below.

I hope that this helps If you have any other questions or concerns, please let us know!