Create AutoSSL for "Parked Domain"

joako

Well-Known Member
Aug 7, 2003
112
2
168
cPanel Access Level
DataCenter Provider
How do I create an AutoSSL for a "Parked Domain"?

Here's the full issue:

I have domain1.com set up and working great.

I have domain2.com set up and working great. It just redirects the user to https://domain1.com.

The customer uses domain2.com for their email on an outside Microsoft Exchange server. I have domain2.com/autodiscover/autodiscover.xml properly redirecting to https://exchange.domain2.com/autodiscover/autodiscover.xml.

However, when you attempt to set up Exchange on an iPhone device the autodiscover function doesn't work. I believe the cause of this is that when visiting https://domain2.com/autodiscover/autodiscover.xml there is a security error, as the certificate the server is using on domain2.com is actually the certificate for domain1.com.

I just want cPanel to add a certificate for domain2.com with as little fuss or hacking as possible.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,909
2,225
463
Hello @joako,

> However, when you attempt to set up Exchange on an iPhone device the autodiscover function doesn't work. I believe the cause of this is that when visiting https://domain2.com/autodiscover/autodiscover.xml there is a security error, as the certificate the server is using on domain2.com is actually the certificate for domain1.com.

Can you let us know the specific error message you encounter?

Thank you.
 

joako

I have an account with domaina.com as the primary domain, and domainb.com as the parked domain.

When I visit https://domainb.com (parked domain) with a web browser I get a certificate error. When I inspect the certificate I can see it is issued to https://domaina.com (main domain).

Hence my simple question: How do I generate an AutoSSL for a parked domain (domainb.com)?
 

cPanelMichael

Hello @joako,

AutoSSL will automatically include aliases (parked domains) in the certificate issued for its parent domain. This should not result in any error messages when accessing the secure URL for the aliased domain. Can you let us know the specific error message that you see in your web browser, or post a screenshot of what you see? Also, in WHM >> Manage AutoSSL, under the Logs tab, do you notice any errors when viewing the recent log for the corresponding account username?

Thank you.
 

joako

For the 3rd time:

When a user visits https://domainb.com (parked domain) the browser gives a CERTIFICATE ERROR. When inspecting the certificate, it is for domaina.com, which is the account's primary domain.

In the AutoSSL log there is nothing about the parked domain.

How do I generate an AutoSSL for an add on domain??
 

cPanelMichael

> When a user visits https://domainb.com (parked domain) the browser gives a CERTIFICATE ERROR. When inspecting the certificate, it is for domaina.com, which is the account's primary domain.

Hi @joako,

It's not abnormal for the browser to show multiple domain names as part of the same SSL certificate because that's how certificates are issued with AutoSSL. You can read more about that at:

SSL FAQ and Troubleshooting - Version 74 Documentation - cPanel Documentation

I do understand you are seeing a certificate error, so we will take a closer look at the affected domain name as part of the support ticket to determine the specific reason the error message appears. I'll monitor the ticket and update this thread with the outcome.

> How do I generate an AutoSSL for an add on domain??

Addon domains are automatically processed as part of the AutoSSL cron job when added to an account.

Thank you.
 

joako

for the FOURTH TIME:

The user gets a CERTIFICATE ERROR.

The certificate presented only contains the primary domain name.

If the certificate had the primary and add-on domain there would be no certificate error.

How do I generate an AutoSSL for a parked domain?
 

sparek-3

Well-Known Member
Aug 10, 2002
2,019
226
368
cPanel Access Level
Root Administrator
You might want to read through the thread at:

AutoSSL and aliases

I'm not exactly clear on what your specific problem is, and I suspect what you are running into is something related to the way cPanel issues these certificates. But some of that might apply.

From what I can understand:

You have an account (VirtualHost) called domain1.tld. This essentially means that the ServerName for this VirtualHost is domain1.tld.

You also have a domain alias or parked domain, domain2.tld, on this VirtualHost. This domain is added as a ServerAlias to domain1.tld's VirtualHost.

So essentially you have a VirtualHost that has the ServerName domain1.tld. And ServerAliases www.domain1.tld, mail.domain1.tld, domain2.tld, www.domain2.tld, mail.domain2.tld.

You may have added domain2.tld after domain1.tld has existed for a while and already had a certificate issued for it (and for www.domain1.tld and mail.domain1.tld)

When the domain2.tld alias is added as a ServerAlias to this VirtualHost, this means that AutoSSL has to reissue the certificate for domain1.tld, www.domain1.tld, mail.domain1.tld while also adding domain2.tld, www.domain2.tld, mail.domain2.tld to this newly reissued certificate. This does not appear to be happening.

My proposal (as detailed in the link above) is to treat Domain Aliases (parked domains) as you would addon domains, and set them with their own VirtualHost entry.

This way, the certificate for domain1.tld, www.domain1.tld, mail.domain1.tld does not have to be reissued. Instead a new certificate for domain2.tld, www.domain2.tld, mail.domain2.tld just has to be issued.

This always made more sense to me.

But it's not the way cPanel previously did parked domains... before SSL everywhere became a thing. Before SSL everywhere became a thing, this wasn't an issue. But this is all part of the logistics of trying to deploy SSL everywhere that wasn't fully thought all the way through.
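
An added example (not from the thread or from cPanel) of the check behind this explanation: compare every name a VirtualHost answers for with the SAN list of the certificate in use, so a reissue that dropped an alias is caught before a client hits the error. The vhost text, the IP address and the SAN list are constructed samples, and the function names are hypothetical.

```python
import re
import socket
import ssl

# Constructed sample: the VirtualHost layout described in the post above.
VHOST = """
<VirtualHost 192.0.2.10:443>
    ServerName domain1.tld
    ServerAlias www.domain1.tld mail.domain1.tld
    ServerAlias domain2.tld www.domain2.tld mail.domain2.tld
</VirtualHost>
"""

def vhost_names(conf):
    """Collect every hostname from ServerName / ServerAlias directives."""
    names = []
    for line in conf.splitlines():
        m = re.match(r"\s*Server(?:Name|Alias)\s+(.+)", line, re.I)
        if m:
            names += [n.lower().rstrip(".") for n in m.group(1).split()]
    return names

def san_matches(san, host):
    """Hostname match; a wildcard counts only as the whole left-most label."""
    san, host = san.lower().rstrip("."), host.lower().rstrip(".")
    if san.startswith("*."):
        return "." in host and host.split(".", 1)[1] == san[2:]
    return san == host

def uncovered(names, sans):
    """Names the web server answers for that the certificate does not list."""
    return [n for n in names if not any(san_matches(s, n) for s in sans)]

def live_sans(host, port=443, timeout=5):
    """Fetch dNSName SANs from a running server (needs network access).
    The chain is still validated; only the hostname check is relaxed so a
    certificate issued for a different name can be inspected, not trusted."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]

if __name__ == "__main__":
    # Constructed SAN list mimicking a reissue that dropped the alias.
    sans = ["domain1.tld", "www.domain1.tld", "mail.domain1.tld"]
    print(uncovered(vhost_names(VHOST), sans))
```

Against a live host, pass `live_sans("domain2.tld")` as the second argument to `uncovered` in place of the constructed list.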
 

joako

I suspect it's a bug in WHM, because when I look at the certificates on the server I see there are expired ones with domain1 and domain2 on them, but the latest certificate only has domain1.

Now I switch to using Comodo, "Check" AutoSSL again, and it generated the correct certificate. However, I manually had to restart httpd for it to take effect.

Of course I switched back to LetsEncrypt, hopefully it renews correctly next time.
 

cPanelMichael

> Now I switch to using Comodo, "Check" AutoSSL again, and it generated the correct certificate. However, I manually had to restart httpd for it to take effect.
>
> Of course I switched back to LetsEncrypt, hopefully it renews correctly next time.

Feel free to reply to the existing support ticket if you'd like us to take a closer look at this issue to rule out any problems with the AutoSSL feature, or open a new ticket if the issue occurs again in the future.

Thank you.