Create a new certificate for user account main domain and domain alias?

Discussion in 'Security' started by JustAGuyUsingWHM, Oct 1, 2018.

  1. JustAGuyUsingWHM

    JustAGuyUsingWHM Member

    Joined:
    Sep 6, 2018
    Messages:
    13
    Likes Received:
    2
    Trophy Points:
    3
    Location:
    England
    cPanel Access Level:
    Root Administrator
    Background:
    I have a server running cPanel 74.0.8 with a number of accounts, hosting a variety of websites on different SSL certificates (paid, free and AutoSSL).

    Inside one account the website is secured using a Comodo Free SSL certificate. This was done because the old certificate was a Symantec certificate and browsers were about to stop trusting it (security issue), and I couldn't figure out how to create a new AutoSSL certificate - the user account doesn't have one installed, whereas other user accounts already have one.

    Question 1:
    How do I create a new certificate for AutoSSL on an existing account? Unfortunately this isn't immediately obvious: I can see how to switch between existing certificates, generate a self-signed certificate and use an externally generated one, but not how to generate a cPanel AutoSSL certificate from scratch.

    Question 2:
    Following on from Q1: is it possible to apply an AutoSSL cPanel certificate to the main domain and an alias domain? The documentation seems to indicate this happens automagically when the alias is created, which hasn't happened because there is no AutoSSL certificate, so would it be possible to do this after the alias was created?

    More Info:
    I am aware I can enable AutoSSL to replace invalid and expiring certificates. I suspect I could turn this on, delete my existing certificates (just for the one user account!), run Check AutoSSL and it might create a new AutoSSL certificate, but that seems like a scary approach and I'm a little hesitant to enable this as it will affect all user accounts on the server and I don't know what it considers an invalid certificate.

    Thanks. Help and guidance is much appreciated.
     
  2. cPanelLauren

    cPanelLauren Forums Analyst II Staff Member

    Joined:
    Nov 14, 2017
    Messages:
    6,447
    Likes Received:
    503
    Trophy Points:
    263
    Location:
    Houston
    cPanel Access Level:
    DataCenter Provider
    Hi @JustAGuyUsingWHM

    To create a new SSL for an account manually you can do this a couple of different ways:

    1. Over SSH you can run the following:
    Code:
        autossl_check --user=$user
    2. From WHM>>SSL/TLS>>Manage AutoSSL -> Manage Users -> Check "$user"

    Both of these start the automated DCV process. You can check the status of the request by going to WHM>>SSL/TLS>>Manage AutoSSL -> Logs

    This *should* happen automagically, actually; if it isn't, I would suggest checking the AutoSSL logs to find the reason why it didn't.

    An invalid certificate would be considered a certificate that didn't cover all the domains on the account, didn't sufficiently cover them (i.e., only covers domain.tld not www.domain.tld) and an expiring certificate is of course one that is due to expire soon.

    If you do check the logs on the accounts that didn't get an SSL issued for some reason, reply back with the error given in the logs and we should be able to get you pointed in the right direction to get it resolved.

    Thanks!
     
  3. JustAGuyUsingWHM

    JustAGuyUsingWHM Member

    Thanks for the excellent response. That helps - especially the clarification on invalid domains.

    After a little investigation and thought I think the issues I have are:

    1) The Domain Name Server for the domain is not the cPanel server. The WHM DNS is disabled. I was confused because I didn't set up the accounts/domains and assumed cPanel controlled them. However, when trying to validate the domain with Let's Encrypt it became obvious they weren't the same records (doh!). I'm guessing cPanel keeps its own "pseudo" domain zone records for creating things like the AutoSSL certificates.

    2) The logs are showing warnings on some additional proxy sub-domains: cpanel, webmail, webdisk, cpcalendars, cpcontacts, and whm subdomains which haven't been applied to the active name servers. These take the form of "WARN Skipping duplicate domains (misconfigured?): ... sub-domain.here ... ". I suspect if I remove these from the cPanel DNS, or add them to the active Name Servers, these warnings will disappear.

    3) The logs are showing warnings on some genuine historic sub-domains (websites) which are no longer accessible. These look like "ERROR Local DNS DCV error: historic.subdomainhere : The DNS query to “_cpanel-dcv-test-record for the DCV challenge returned no “TXT” record that matches the value ...". Obviously if the website isn't accessible on the internet (no name-server reference) and the DNS zone records can't be updated (because cPanel has no access) then the sub-domain is never going to validate! I guess this needs cleaning up too :(

    So... I think if I clean out the proxy domains and unused sub-domains from cPanel's DNS zone records, then AutoSSL will analyse the account and see the existing certificate as valid (which I can clarify in the logs), at which point I should be able to click Check "$user" under Manage AutoSSL and it'll create a new cPanel (Comodo) SSL certificate for the domain on that account.
     
  4. cPanelLauren

    cPanelLauren Forums Analyst II Staff Member

    Hi @JustAGuyUsingWHM


    You're most welcome and I'm glad I could help sort things out for you.

    A really easy way to do this is to make use of domain exclusions in cPanel. You can exclude specific domains from AutoSSL checks by going to cPanel>>Security>>SSL/TLS Status.
     
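Added example, not part of the thread and not cPanel's own code: a POSIX shell triage of the two AutoSSL log message types quoted above, listing which domains were skipped as duplicates (flagging the service subdomains named in the thread) and which failed DNS DCV, so they can be cleaned up in DNS or excluded under SSL/TLS Status. The sample log lines are constructed from the fragments in the thread; the domains, the shortened message tails, the separator between skipped domains and all function names are assumptions.

```sh
#!/bin/sh
# Added example: triage AutoSSL log messages of the two kinds quoted in the thread.

# Constructed sample input. Domains are placeholders and the message tails are
# shortened; the separator between skipped domains is an assumption.
sample_log() {
cat <<'EOF'
WARN Skipping duplicate domains (misconfigured?): cpanel.example.com webmail.example.com blog.example.com
ERROR Local DNS DCV error: old.example.com : [message text shortened]
ERROR Local DNS DCV error: shop.example.com : [message text shortened]
ERROR Local DNS DCV error: old.example.com : [message text shortened]
INFO unrelated line
EOF
}

# Unique domains that failed DNS-based DCV (log on stdin).
dcv_failures() {
  awk -F'Local DNS DCV error: ' 'NF > 1 { split($2, a, " : "); print a[1] }' | sort -u
}

# Unique domains AutoSSL skipped as duplicates (log on stdin).
skipped_duplicates() {
  awk -F'Skipping duplicate domains [(]misconfigured[?][)]: ' 'NF > 1 {
    n = split($2, d, /[ ,]+/)
    for (i = 1; i <= n; i++)
      if (d[i] ~ /^[A-Za-z0-9.-]+[.][A-Za-z]+$/) print d[i]   # drop "..." and stray tokens
  }' | sort -u
}

# True when the left-most label is one of the service subdomains named in the thread.
is_proxy_subdomain() {
  case "${1%%.*}" in
    cpanel|webmail|webdisk|cpcalendars|cpcontacts|whm) return 0 ;;
    *) return 1 ;;
  esac
}

# Print "domain reason" pairs: candidates for DNS cleanup or AutoSSL exclusion.
triage() {
  triage_log=$(cat)
  printf '%s\n' "$triage_log" | skipped_duplicates | while read -r d; do
    if is_proxy_subdomain "$d"; then echo "$d proxy-subdomain-skipped"
    else echo "$d duplicate-skipped"; fi
  done
  printf '%s\n' "$triage_log" | dcv_failures | while read -r d; do
    echo "$d dns-dcv-failed"
  done
}

sample_log | triage
```

To use it on real output, pipe a saved copy of the AutoSSL log for the user into `triage` instead of `sample_log`.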