AutoSSL - Subdomains Getting Split Across Multiple Certificates

May 5, 2017
19
3
3
Kamas, Utah
cPanel Access Level
Root Administrator
Hello,

I have a WordPress multisite with about 50 subdomains in total (including the "www" versions). Due to circumstances with my CDN service, I need to have all of these subdomains (and the parent domain) issued as one combined SSL certificate so that I can upload it to the CDN's system.

According to what I've read, the limit for domains on a single SSL is 100. However, in my case (using AutoSSL with Let's Encrypt), they seem to be getting split into groups of 24, resulting in a total of 3 certificates for me. I can see the 3 certificates in WHM's "SSL Storage Manager."

In other words, even though all of the requests for the domains/subdomains are occurring at once, they are getting split up into 3 certificates, whereas I need to have them all combined into one.

I've tested this a couple times by deleting all existing "SSL hosts" (WHM > Manage SSL Hosts) and re-doing the request, but the result is the same every time.

Any advice would be greatly appreciated.

Thank you,
JP
 
May 5, 2017
Kamas, Utah
cPanel Access Level
Root Administrator
Hi Michael,

Thank you for the reply and the link to the article!

The subdomains are added as their own separate subdomains in the parent site's cPanel account > Subdomains area.

I just tried using cPanel (Comodo) as the AutoSSL certificate provider and that actually resulted in separate certificates for every subdomain. Each individual certificate only shows the "www" and "non-www" version of a single subdomain. So instead of 3 certificates, I now have 26.

Ideally, I'd like to combine them into just a single certificate. Are you saying that it may be possible to do this by using domain aliases instead of subdomains?

Thank you,
JP
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,913
2,201
363
> I just tried using cPanel (Comodo) as the AutoSSL certificate provider and that actually resulted in separate certificates for every subdomain. Each individual certificate only shows the "www" and "non-www" version of a single subdomain. So instead of 3 certificates, I now have 26.

Yes, this is in fact the intended behavior.

> Ideally, I'd like to combine them into just a single certificate. Are you saying that it may be possible to do this by using domain aliases instead of subdomains?

Using aliases would achieve what you are seeking as far as I understand, but keep in mind aliases are designed to only open the same content of the domain name they are added as aliases to.

Thank you.
 
May 5, 2017
Kamas, Utah
cPanel Access Level
Root Administrator
> Using aliases would achieve what you are seeking as far as I understand, but keep in mind aliases are designed to only open the same content of the domain name they are added as aliases to.

I happen to have a development version of the site at "dev.sitename.net" (in a separate "dev" directory outside of the parent site's /public_html folder). I set up an alias for that but it keeps redirecting to the parent site. I think this is probably what you were referring to, correct?

Is there any way to set up aliases for a "dev" site like this without separating out the "dev" site into a separate cPanel? If I could change the "Domain Root" of the alias, I suppose that might do the trick, but I don't see a way to do that.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
Hello,

Domain aliases don't have their own virtual hosts, and thus it's not possible to configure a custom document root.

Thank you.
 
May 5, 2017
Kamas, Utah
cPanel Access Level
Root Administrator
Quick follow-up question: You mentioned that it was intended behavior that cPanel (Comodo) issued separate certificates for all subdomains. But what about Let's Encrypt? As I mentioned, they seem to be limiting the certificates to 24 domains/subdomains. However, the documentation I was looking at states: "Certificates that Let's Encrypt provides can secure a maximum of 100 domains per certificate."

Is there a way to get all of the domains combined onto one certificate via Let's Encrypt?
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
Hello,

It's not possible to have all of the domain names on a single virtual host, even with Let's Encrypt. It's likely you'd need to purchase a multi-domain (UCC) certificate from a commercial SSL certificate provider to achieve this.

Thank you.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
> So, am I correct that the Let's Encrypt certificates limit the number of domains to 24 (despite the documentation mentioning a limit of 100)?

It can secure 100 domain names per virtual host, but addon domain names and subdomains have their own virtual hosts. In the example you are referencing, are those 24 domain names part of separate virtual host entries?

Thank you.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
Hello,

It's possible this works slightly differently with Let's Encrypt. Feel free to open a support ticket using the link in my signature so we can take a closer look at your system and determine exactly which domain names are included in a single certificate when using Let's Encrypt vs Comodo.

Thank you.
 
May 5, 2017
Kamas, Utah
cPanel Access Level
Root Administrator
Hi Michael,

Ok, good to know. After encountering this limitation, I've been exploring alternate strategies for resolving my initial issue. However, if/when I have time, I will gladly open a ticket to explore the situation with Let's Encrypt. I appreciate the offer and your input :)

Thank you,
JP
 

david364

Active Member
Sep 15, 2013
38
5
8
cPanel Access Level
Reseller Owner
In my case, I created a cPanel > new subdomain yesterday, and it was incorporated into the Let's Encrypt certificate for the entire domain, as desired. But today I created more new subdomains, and each was given its own certificate. Sounds like a bug (maybe a foolish optimization to avoid creating certificates too often?), not desired results. I find a single, multiple-subdomain certificate easier to manage as compared to one certificate for each subdomain (I have well under the limit of 24). I will try to find a workaround. Please record my vote.
 

david364

Active Member
Sep 15, 2013
cPanel Access Level
Reseller Owner
Merely running AutoSSL again (cPanel > SSL/TLS Status > Run AutoSSL) doesn't merge certificates when they already exist. Apparently, AutoSSL merges certificates for subdomains having a common parent at the time a new or renewed certificate is created. So the bug is that when a new subdomain new.example.com is created in cPanel, it may or may not be considered to have example.com as a parent. Perhaps the solution is to delete all user certificates, then create a new subdomain; it would then be guaranteed to merge. But this could disrupt current traffic to other domains in the account, which is not acceptable. The cPanel developers should think about how to solve this.