Create a new certificate for user account main domain and domain alias?

Sep 6, 2018
Background:
I have a server running cPanel 74.0.8 with a number of accounts, hosting a variety of websites on different SSL certificates (paid, free and AutoSSL).

Inside one account the website is secured using a Comodo Free SSL certificate. This was done because the old certificate was a Symantec certificate and browsers were about to stop trusting it (security issue), and I couldn't figure out how to create a new AutoSSL certificate - the user account doesn't have one installed, whereas other user accounts already have one.

Question 1:
How do I create a new certificate for AutoSSL on an existing account? Unfortunately this isn't immediately obvious; I can see how to switch between existing certificates, generate a self-signed certificate and use an externally generated one, but not how to generate a cPanel AutoSSL certificate from scratch.

Question 2:
Following on from Q1: is it possible to apply an AutoSSL cPanel certificate to the main domain and an alias domain? The documentation seems to indicate this happens automagically when the alias is created, which hasn't happened because there is no AutoSSL certificate, so would it be possible to do this after the alias was created?

More Info:
I am aware I can enable AutoSSL to replace invalid and expiring certificates. I suspect I could turn this on, delete my existing certificates (just for the one user account!), run Check AutoSSL and it might create a new AutoSSL certificate, but that seems like a scary approach and I'm a little hesitant to enable this as it will affect all user accounts on the server and I don't know what it considers an invalid certificate.

Thanks. Help and guidance is much appreciated.
 

cPanelLauren

Forums Analyst II
Staff member
Nov 14, 2017
Hi @JustAGuyUsingWHM

> Question 1:
> How do I create a new certificate for AutoSSL on an existing account? Unfortunately this isn't immediately obvious; I can see how to switch between existing certificates, generate a self-signed certificate and use an externally generated one, but not how to generate a cPanel AutoSSL certificate from scratch.

To create a new SSL for an account manually you can do this a couple of different ways:

1. Over SSH you can run the following:
Code:
/usr/local/cpanel/bin/autossl_check --user=$user
2. From WHM>>SSL/TLS>>Manage AutoSSL -> Manage Users -> Check "$user"

Both of these start the automated DCV process. You can check the status of the request by going to WHM>>SSL/TLS>>Manage AutoSSL -> Logs

> Question 2:
> Following on from Q1: is it possible to apply an AutoSSL cPanel certificate to the main domain and an alias domain? The documentation seems to indicate this happens automagically when the alias is created, which hasn't happened because there is no AutoSSL certificate, so would it be possible to do this after the alias was created?

This *should* happen automagically, actually. If it isn't, I would suggest checking the AutoSSL logs to find the reason why it didn't.

> I am aware I can enable AutoSSL to replace invalid and expiring certificates. I suspect I could turn this on, delete my existing certificates (just for the one user account!), run Check AutoSSL and it might create a new AutoSSL certificate, but that seems like a scary approach and I'm a little hesitant to enable this as it will affect all user accounts on the server and I don't know what it considers an invalid certificate.

An invalid certificate would be considered a certificate that didn't cover all the domains on the account, or didn't sufficiently cover them (i.e., only covers domain.tld, not www.domain.tld), and an expiring certificate is of course one that is due to expire soon.

If you do check the logs on the accounts that didn't get an SSL issued for some reason, reply back with the error given in the logs and we should be able to get you pointed in the right direction to get it resolved.

Thanks!
 
Sep 6, 2018
Thanks for the excellent response. That helps - especially the clarification on invalid domains.

After a little investigation and thought I think the issues I have are:

1) The Domain Name Server for the domain is not the cPanel server. The WHM DNS is disabled. I was confused because I didn't set up the accounts\domains and assumed cPanel controlled them. However, when trying to validate the domain with Let's Encrypt it became obvious they weren't the same records (doh!). I'm guessing cPanel keeps its own "pseudo" domain zone records for creating things like the AutoSSL certificates.

2) The logs are showing warnings on some additional proxy sub-domains: cpanel, webmail, webdisk, cpcalendars, cpcontacts, and whm subdomains which haven't been applied to the active name servers. These take the form of "WARN Skipping duplicate domains (misconfigured?): ... sub-domain.here ... ". I suspect if I remove these from the cPanel DNS, or add them to the active Name Servers, these warnings will disappear.

3) The logs are showing warnings on some genuine historic sub-domains (websites) which are no longer accessible. These look like "ERROR Local DNS DCV error: historic.subdomainhere : The DNS query to “_cpanel-dcv-test-record for the DCV challenge returned no “TXT” record that matches the value ...". Obviously if the website isn't accessible on the internet (no name-server reference) and the DNS zone records can't be updated (because cPanel has no access) then the sub-domain is never going to validate! I guess this needs cleaning up too :(

So... I think if I clean out the proxy domains and unused sub-domains from cPanel's DNS zone records, then AutoSSL will analyse the account and see the existing certificate as valid (which I can clarify in the logs), at which point I should be able to click Check "$user" under Manage AutoSSL and it'll create a new cPanel (Comodo) SSL certificate for the domain on that account.
 

cPanelLauren

Forums Analyst II
Staff member
Nov 14, 2017
Hi @JustAGuyUsingWHM


You're most welcome and I'm glad I could help sort things out for you.

> So... I think if I clean out the proxy domains and unused sub-domains from cPanel's DNS zone records, then AutoSSL will analyse the account and see the existing certificate as valid (which I can clarify in the logs), at which point I should be able to click Check "$user" under Manage AutoSSL and it'll create a new cPanel (Comodo) SSL certificate for the domain on that account.

A really easy way to do this is to make use of domain exclusions in cPanel. You can exclude specific domains from AutoSSL checks by going to cPanel>>Security>>SSL/TLS Status
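
Added example (not part of the original thread and not cPanel's own tooling): a small Python triage of AutoSSL log text that groups hostnames by the two message types quoted above, so the list of proxy subdomains and DCV failures can be reviewed before cleaning up zone records or setting exclusions. The sample lines, the `example.test` names and the comma-separated layout of the duplicate-domain list are assumptions; only the message prefixes come from the thread.

```python
import re
from collections import defaultdict

# Constructed sample lines. The message prefixes follow the two excerpts quoted
# in the thread; hostnames, separators and the token value are assumptions.
SAMPLE_LOG = """\
WARN Skipping duplicate domains (misconfigured?): cpanel.example.test, webmail.example.test
ERROR Local DNS DCV error: old.example.test : The DNS query to "_cpanel-dcv-test-record.old.example.test" for the DCV challenge returned no "TXT" record that matches the value "constructed-token"
ERROR Local DNS DCV error: shop.example.test : The DNS query to "_cpanel-dcv-test-record.shop.example.test" for the DCV challenge returned no "TXT" record that matches the value "constructed-token"
"""

# Service (proxy) subdomain labels named in the thread.
PROXY_LABELS = {"cpanel", "webmail", "webdisk", "cpcalendars", "cpcontacts", "whm"}

DUPLICATE_RE = re.compile(r"WARN Skipping duplicate domains \(misconfigured\?\):\s*(.+)")
DCV_RE = re.compile(r"ERROR Local DNS DCV error:\s*(\S+)\s*:")
HOST_RE = re.compile(r"^[a-z0-9_-]+(\.[a-z0-9_-]+)+$")


def triage(log_text):
    """Group hostnames found in AutoSSL log text by why they were not validated."""
    report = defaultdict(set)
    for line in log_text.splitlines():
        match = DUPLICATE_RE.search(line)
        if match:
            for token in re.split(r"[,\s]+", match.group(1).strip()):
                host = token.lower().rstrip(".")
                if not HOST_RE.match(host):
                    continue  # drops "..." and other non-hostname tokens
                first_label = host.split(".")[0]
                kind = "proxy_subdomain" if first_label in PROXY_LABELS else "duplicate_other"
                report[kind].add(host)
            continue
        match = DCV_RE.search(line)
        if match and HOST_RE.match(match.group(1).lower()):
            report["dns_dcv_failed"].add(match.group(1).lower())
    return {kind: sorted(hosts) for kind, hosts in report.items()}


if __name__ == "__main__":
    for kind, hosts in triage(SAMPLE_LOG).items():
        print(kind, hosts)
```

A hostname under `dns_dcv_failed` is not automatically stale: when the authoritative name servers are not the cPanel server, as in this thread, a live site fails the local DNS check as well, so confirm each one before excluding it.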