AutoSSL- Subdomains Getting Split Across Multiple Certificates

[livingmiracles]

Hello,

I have a WordPress multisite with about 50 subdomains in total (including the "www" versions). Due to circumstances with my CDN service, I need to have all of these subdomains (and the parent domain) issued as one combined SSL certificate so that I can upload it to the CDN's system.

According to what I've read, the limit for domains on a single SSL is 100. However, in my case (using AutoSSL with Let's Encrypt), they seem to be getting split into groups of 24, resulting in a total of 3 certificates for me. I can see the 3 certificates in WHM's "SSL Storage Manager."

In other words, even though all of the requests for the domains/subdomains are occurring at once, they are getting split up into 3 certificates, whereas I need to have them all combined into one.

I've tested this a couple times by deleting all existing "SSL hosts" (WHM > Manage SSL Hosts) and re-doing the request, by the result is the same every time.

Any advice would be greatly appreciated.

Thank you,
JP

 

[cPanelMichael]

Hello,

Subdomains utilize their own virtual host as documented at:

How Your Server Handles Domains and Virtual Hosts - cPanel Knowledge Base - cPanel Documentation

Are the subdomains added as their own separate subdomains, or as domain aliases? Also, do you experience the same issue when using cPanel (Comodo) as your AutoSSL certificate provider?

Thank you.

 

[livingmiracles]

Hi Michael,

Thank you for the reply and the link to the article!

The subdomains are added as their own separate subdomains in the parent site's cPanel account > Subdomains area.

I just tried using cPanel (Comodo) as the AutoSSL certificate provider and that actually resulted in separate certificates for every subdomain. Each individual certificate only shows the "www" and "non-www" version of a single subdomain. So instead of 3 certificates, I now have 26.

Ideally, I'd like to combine them into just a single certificate. Are you saying that it may be possible to do this by using domain aliases instead of subdomains?

Thank you,
JP

 

[cPanelMichael]

I just tried using cPanel (Comodo) as the AutoSSL certificate provider and that actually resulted in separate certificates for every subdomain. Each individual certificate only shows the "www" and "non-www" version of a single subdomain. So instead of 3 certificates, I now have 26.

Yes, this is in-fact the intended behavior.

Ideally, I'd like to combine them into just a single certificate. Are you saying that it may be possible to do this by using domain aliases instead of subdomains?

Using aliases would achieve what you are seeking as far as I understand, but keep in mind aliases are designed to only open the same content of the domain name they are added as aliases to.

Thank you.

 

[livingmiracles]

Using aliases would achieve what you are seeking as far as I understand, but keep in mind aliases are designed to only open the same content of the domain name they are added as aliases to.

I happen to have a development version of the site at "dev.sitename.net" (in a separate "dev" directory outside of the parent site's /public_html folder). I set up an alias for that but it keeps redirecting to the parent site. I think this is probably what you were referring to, correct?

Is there any way to set up aliases for a "dev" site like this without separating out the "dev" site into a separate cPanel? If I could change the "Domain Root" of the alias, I suppose that might do the trick, but I don't see a way to do that.

 

[cPanelMichael]

Hello,

Domain aliases don't have their own virtual hosts, and thus it's not possible to configure a custom document root.

Thank you.

 

[livingmiracles]

Ok thank you Michael!

So in summary, looks like I won't be able to combine everything into one certificate due to my website configuration.

 

[livingmiracles]

Quick follow-up question: You mentioned that it was intended behavior that cPanel (Comodo) issued separate certificates for all subdomains. But what about Let's Encrypt? As I mentioned, they seem to be limiting the certificates to 24 domains/subdomains. However, the documentation I was looking at states: "Certificates that Let's Encrypt provides can secure a maximum of 100 domains per certificate."

Is there a way to get all of the domains combined onto one certificate via Let's Encrypt?

 

[cPanelMichael]

Hello,

It's not possible to have all of the domain names on a single virtual host, even with Let's Encrypt. It's likely you'd need to purchase a multi-domain (UCC) certificate from a commercial SSL certificate provider to achieve this.

Thank you.

 

[livingmiracles]

Thanks Michael,

So, am I correct that the Let's Encrypt certificates limit the number of domains to 24 (despite the documentation mentioning a limit of 100)?

 

[cPanelMichael]

So, am I correct that the Let's Encrypt certificates limit the number of domains to 24 (despite the documentation mentioning a limit of 100)?

It can secure 100 domain names per virtual host, but addon domain names and subdomains have their own virtual hosts. In the example you are referencing, are those 24 domain names part of separate virtual host entries?

Thank you.

 

[livingmiracles]

In the example you are referencing, are those 24 domain names part of separate virtual host entries?

If subdomains are considered separate virtual host entries, then yes, I believe so. Here is an example from one of the 3 certificates:

X509v3 Subject Alternative Name:
[removed]

 

[cPanelMichael]

Hello,

It's possible this works slightly differently with Let's Encrypt. Feel free to open a support ticket using the link in my signature so we can take a closer look at your system and determine exactly which domain names are included in a single certificate when using Let's Encrypt vs Comodo.

Thank you.

 

[livingmiracles]

Hi Michael,

Ok, good to know. After encountering this limitation, I've been exploring alternate strategies for resolving my initial issue. However, if/when I have time, I will gladly open a ticket to explore the situation Let's Encrypt, I appreciate the offer and your input

Thank you,
JP

 

[david364]

In my case, I created a cPanel > new subdomain yesterday, and it was incorporated into the Let's Encrypt certificate for the entire domain, as desired. But today I created more new subdomains, and each was given its own certificate. Sounds like a bug (maybe a foolish optimization to avoid creating certificates too often?), not desired results. I find a single, multiple-subdomain certificate easier to manage as compared to one certificate for each subdomain (I have well under the limit of 24). I will try to find a workaround. Please record my vote.

 

[david364]

Merely running AutoSSL again (cPanel > SSL/TLS Status > Run AutoSSL) doesn't merge certificates when they already exist. Apparently, AutoSSL merges certificates for subdomains having a common parent at the time a new or renewed certificate is created. So the bug is that when a new subdomain new.example.com is created in cPanel, it may or may not be considered to have example.com as a parent. Perhaps the solution is to delete all user certificates, then create a new subdomain; it would then be guaranteed to merge. But this could disrupt current traffic to other domains in the account, which is not acceptable. The cPanel developers should think about how to sovle this.

 

[david364]

It is now a year later and the problem still exists. I read the above postings and tried deleting the separate subdomain (local.example.com, used to provide secure access on my local development server) in cPanel then creating it again as an Alias. Instantly the alias subdomain was combined with the existing wildcard *.example.com domain name covered by the AutoSSL certificate. I didn't have to do anything else, other than excluding certain specific subdomains that had errors from AutoSSL. Success!