AutoSSL setup process redirects new website to another domain name on server?

[tvcnet]

Hi cPanel,

On our servers, when a new account is set up for SSL, the client's website redirects to another website set on server unexpectedly. This causes our clients a lot of confusion, especially when we are first setting up an account for auto SSL (and their webstie is showing another client's website sharing the same server).


Is there no way for us to set the account the server redirects too during the Auto SSL setup process?


I'm hoping there might be a way for us to set up an account on server that client may see during the verification, instead of what appears to be the first account in the vhosts file.


Your thoughts?

 

[24x7server]

Is there no way for us to set the account the server redirects too during the Auto SSL setup process?

The AutoSSL works in a way that it first validates it by creating a link and getting proper output from that link. If for any reason the account redirects, then there are chances of this validation failing. Can you check the AutoSSL logs to see if the validation for those domains were proper and that the SSL were issued and installed properly.

 

[tvcnet]

Thank you.

But your response has no relation to my question.

Please re-read the question.

 

[cPanelMichael]

Hi Jim,

Accessing a new domain name over SSL should not result in the website loading the SSL contents of another domain name. That should only occur if you were accessing the website via it's IP address, or if you've turned off the following option under the "Security" tab in "WHM >> Tweak Settings":

Generate a self signed SSL certificate if a CA signed certificate is not available when setting up new domains

Per it's description:

When you create a new domain, cPanel will apply the best available certificate (CA signed); otherwise cPanel will apply a self-signed SSL certificate and request a new certificate via AutoSSL if it is enabled. Warning: If you disable this option, and a CA signed certificate is not available, when a user attempts to visit the newly created domain over https, the user will see the first SSL certificate installed on that IP address. Warning: If you enable this option and do not have a CA signed certificate or AutoSSL enabled, Google search results may point to the SSL version of the site with a self-signed certificate, which will generate warnings in the users’ browser. To avoid both of these concerns, we strongly recommend that you enable AutoSSL.

Have you turned this option off on this system?

Thank you.

 

[dclaw]

Hi,

There's 2 issues here.

1. When there is no SSL installed on a domain, accessing a domain configured on the server at port 443 will present the SSL certificate of another SSL configured domain. This is how it has always been. Is there a solution?

For example:

domain.com has an ssl certificate

domain2.com has no ssl certificate

visiting https://domain2.com will show an SSL warning because it is loading domain.com's ssl certificate

2. This is happening even when 'Generate a self signed SSL certificate if a CA signed certificate is not available when setting up new domains' is enabled, as for some reason this doesn't always generated a certificate. Additionally, having a self-signed certificate installed always breaks automatic AutoSSL runs, as it will not replace self-signed certificates.

 

[cPanelMichael]

1. When there is no SSL installed on a domain, accessing a domain configured on the server at port 443 will present the SSL certificate of another SSL configured domain. This is how it has always been. Is there a solution?

For example:

domain.com has an ssl certificate

domain2.com has no ssl certificate

visiting https://domain2.com will show an SSL warning because it is loading domain.com's ssl certificate

It's normal to see that behavior when installing SSL certificates on shared IP addresses due to the way SNI works. We document methods to address this on our SSL FAQ document:

My certificate installed, but visitors who try to securely access other sites on the shared IP address can only see the site with an installed SSL certificate, not my default domain.

2. This is happening even when 'Generate a self signed SSL certificate if a CA signed certificate is not available when setting up new domains' is enabled, as for some reason this doesn't always generated a certificate. Additionally, having a self-signed certificate installed always breaks automatic AutoSSL runs, as it will not replace self-signed certificates.

AutoSSL can replace self-signed certificates automatically if you enable the following feature under the "Options" tab in "WHM >> Manage AutoSSL":

Allow AutoSSL to replace invalid or expiring non-AutoSSL certificates.

Per it's description:

This option will allow AutoSSL to replace certificates that the AutoSSL system did not issue. When you enable this option, AutoSSL will install certificates that replace users’ CA-issued certificates if they are invalid or expire within 3 days.

Unless you fully understand this option, do not select it, because the system could unexpectedly replace an expiring or invalid EV or OV certificate with a DV certificate.

As far as the automatic self-signed SSL certificate setup, is the system attempting to generate an AutoSSL certificate for the new domain name upon account creation, and does that initial attempt to do so fail? Or, do you have AutoSSL disabled for new accounts?

Thank you.

 

[Mark Bailey]

We have the same problem. We just issued a new AutoSSL certificate for a site. AutoSSL reported the certificate being set up properly. But when anyone goes to the https version of that site, they are redirected to another domain (which happens to begin with A and is probably the first domain on the server alphabetically. Very confusing and frustrating for end users and the client.

 

[cPanelMichael]

We have the same problem. We just issued a new AutoSSL certificate for a site. AutoSSL reported the certificate being set up properly. But when anyone goes to the https version of that site, they are redirected to another domain (which happens to begin with A and is probably the first domain on the server alphabetically. Very confusing and frustrating for end users and the client.

Hi Mark,

This should not happen unless the following feature is disabled under the Security tab in WHM >> Tweak Settings:

Generate a self signed SSL certificate if a CA signed certificate is not available when setting up new domains.

When that feature is disabled, it's possible a period of time will exist where no SSL certificate is installed for the domain name. Since it can sometimes take a few hours for the AutoSSL validation process to occur, that would leave the domain name with no certificate for a few hours and thus you'd notice the reported behavior.

Can you provide more details about how you are verifying the AutoSSL certificate was installed for the domain name?

Thank you.