Disable SSL for vhosts

Discussion in 'Security' started by kenneth-vkd, Nov 9, 2017.

  1. kenneth-vkd

    kenneth-vkd Member

    Hi
    I know that in 2017 there is no doubt that every website should use SSL/TLS.
    The reality is however that many older websites do not use SSL/TLS.
    Currently I have an issue where multiple customers, running their email on Microsoft Exchange or Office 365, are getting certificate warnings from their email client due to mismatch in the certificate name.
    The cause of this is because Apache has a default listener running for SSL, so even if I disable SSL for a given website, it will just respond with the certificate of the WHM instance.

    Is there an option in WHM, where I can configure Apache to just refuse the SSL connection if there is no certificate assigned to the website or is there an addon to handle this?

    I have tried to assign 2 public IP-addresses to the WHM server and allow only SSL on one of them, but then I get a problem when a customer adds an SSL certificate on their website and then they have to update the settings of DNS.
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello,

    Have you considered using the AutoSSL feature? It will issue free signed SSL certificates to the domain names on your system, including "mail.domain.tld". It's documented at:

    Manage AutoSSL - Version 68 Documentation - cPanel Documentation
    What is Domain TLS - cPanel Knowledge Base - cPanel Documentation

    Thank you.
     
  3. kenneth-vkd

    kenneth-vkd Member

    Hi
    We do know about AutoSSL and it is a really good feature. The only issue is that our company CEO wants to bill the customers for SSL, although it is from AutoSSL and technically free for us.
    This is why I wanted to know if there was a way to disable SSL completely, so that the server will not even respond with an SSL connection if no valid certificate is present for the requested domain.
     
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello,

    It's not possible to disable SSL functionality for email on a per-domain basis. As far as the SSL certificates, they are utilized as part of the Domain TLS feature:

    What is Domain TLS - cPanel Knowledge Base - cPanel Documentation

    The mismatched certificate warning should go away if the user enters the server's SSL certificate name (as configured in "WHM >> Manage Service SSL Certificates") instead of "mail.domain.tld" in their email client. Or, are they setting up their email client settings using an alternate method (e.g. AutoDiscover)?

    Thank you.
     
  5. kenneth-vkd

    kenneth-vkd Member

    Hi
    I think you might have misunderstood the question slightly, as we are already aware of the specific issue with accounts hosted on our servers.
    However, the issue comes when users are having either Office 365 or on-premise Microsoft Exchange, or similar services, that support the autodiscover feature.
    Since autodiscover will look for https://domain.tld/autodiscover/autodiscover.xml, before looking in https://autodiscover.domain.tld/autodiscover/autodiscover.xml, it will trigger the issue with the certificate for srv01.domain.tld before the actual service that is used. And since the webserver cannot refuse the connection or return the 404 error before having presented the client with the server default certificate, it will show a warning in the user's email client. Although it does no damage, accepting the certificate, it still plants doubt with the user when given such a question.

    The dream scenario would be to have the webserver respond with an unencrypted answer and therefore making the client silently continue to the correct URL for the autodiscover data.

    Perhaps the issue has to be solved by the Apache developers, but that might not happen as the world is going more and more towards a world of HTTPS and HTTP/2.
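
An added example, not part of kenneth-vkd's post and not cPanel code: a Python check that walks the Autodiscover lookup order described above and reports which hosted domains would show a certificate prompt. The domain names and the `SAMPLE` results are constructed; call `audit(domains)` without the second argument to probe hosts you administer over the network.

```python
import socket
import ssl

def autodiscover_hosts(domain):
    # Order described in the post: bare domain first, then the subdomain.
    return [domain, "autodiscover." + domain]

def probe_tls(host, port=443, timeout=5.0):
    """Verifying TLS handshake with SNI, the way a mail client connects.
    Returns "ok", "cert-error: <reason>" or "unreachable"."""
    ctx = ssl.create_default_context()  # checks chain and hostname
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return "ok"
    except ssl.SSLCertVerificationError as exc:
        return "cert-error: " + exc.verify_message
    except OSError:
        return "unreachable"  # closed port, timeout, DNS or other TLS failure

def audit(domains, probe=probe_tls):
    """Return (domain, host, result) for every lookup that would prompt the user."""
    findings = []
    for domain in domains:
        for host in autodiscover_hosts(domain):
            result = probe(host)
            if result.startswith("cert-error"):
                findings.append((domain, host, result))
    return findings

# Constructed sample: stands in for a server whose default vhost answers
# a domain without its own certificate using the server's certificate.
SAMPLE_DOMAINS = ["nossl-customer.example", "ssl-customer.example"]
SAMPLE = {
    "nossl-customer.example": "cert-error: Hostname mismatch, certificate is not valid for 'nossl-customer.example'.",
    "autodiscover.nossl-customer.example": "unreachable",
    "ssl-customer.example": "ok",
    "autodiscover.ssl-customer.example": "unreachable",
}

def sample_probe(host):
    # Offline stand-in for probe_tls, backed by the constructed table above.
    return SAMPLE.get(host, "unreachable")

if __name__ == "__main__":
    for domain, host, result in audit(SAMPLE_DOMAINS, sample_probe):
        print(f"{domain}: https://{host}/autodiscover/autodiscover.xml -> {result}")
```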
     
  6. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hi Kenneth,

    Would you mind posting step-by-step instructions on how we can reproduce this behavior?

    The best approach would be to discuss this further to see if this is a policy that can be changed, as the AutoSSL feature is designed to prevent issues like this from occurring since it installs a free signed SSL certificate on a domain name and its subdomains (e.g. mail.domain.tld).

    Thank you.
     