kenneth-vkd

Active Member
Apr 1, 2017
37
2
8
Denmark
cPanel Access Level
DataCenter Provider
Hi
I know that in 2017 there is no doubt that every website should use SSL/TLS.
The reality is however that many older websites do not use SSL/TLS.
Currently I have an issue where multiple customers, running their email on Microsoft Exchange or Office 365, are getting certificate warnings from their email client due to a mismatch in the certificate name.
The cause of this is that Apache has a default listener running for SSL, so even if I disable SSL for a given website, it will just respond with the certificate of the WHM instance.

Is there an option in WHM, where I can configure Apache to just refuse the SSL connection if there is no certificate assigned to the website or is there an addon to handle this?

I have tried to assign two public IP addresses to the WHM server and allow SSL on only one of them, but then I get a problem when a customer adds an SSL certificate to their website and they then have to update their DNS settings.

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,909
2,222
463
Currently I have an issue where multiple customers, running their email on Microsoft Exchange or Office 365, are getting certificate warnings from their email client due to a mismatch in the certificate name.
Hello,

Have you considered using the AutoSSL feature? It will issue free signed SSL certificates to the domain names on your system, including "mail.domain.tld". It's documented at:

Manage AutoSSL - Version 68 Documentation - cPanel Documentation
What is Domain TLS - cPanel Knowledge Base - cPanel Documentation

Thank you.

kenneth-vkd
Hi
We do know about AutoSSL and it is a really good feature. The only issue is that our company CEO wants to bill the customers for SSL, although it is from AutoSSL and technically free for us.
This is why I wanted to know if there was a way to disable SSL completely, so that the server will not even respond with an SSL connection if no valid certificate is present for the requested domain.

cPanelMichael
This is why I wanted to know if there was a way to disable SSL completely, so that the server will not even respond with an SSL connection if no valid certificate is present for the requested domain.
Hello,

It's not possible to disable SSL functionality for email on a per-domain basis. As far as the SSL certificates, they are utilized as part of the Domain TLS feature:

What is Domain TLS - cPanel Knowledge Base - cPanel Documentation

The mismatched certificate warning should go away if the user enters the server's SSL certificate name (as configured in "WHM >> Manage Service SSL Certificates") instead of "mail.domain.tld" in their email client. Or, are they setting up their email client settings using an alternate method (e.g. AutoDiscover)?

Thank you.

kenneth-vkd
Hi
I think you might have misunderstood the question slightly, as we are already aware of the specific issue with accounts hosted on our servers.
However, the issue comes when users have either Office 365 or on-premise Microsoft Exchange, or similar services that support the autodiscover feature.
Since autodiscover will look for https://domain.tld/autodiscover/autodiscover.xml before looking in https://autodiscover.domain.tld/autodiscover/autodiscover.xml, it will trigger the issue with the certificate for srv01.domain.tld before the actual service that is used. And since the webserver cannot refuse the connection or return the 404 error before having presented the client with the server default certificate, it will show a warning in the user's email client. Although accepting the certificate does no damage, it still plants doubt with the user when they are asked such a question.

The dream scenario would be to have the webserver respond with an unencrypted answer, so that the client silently continues to the correct URL for the autodiscover data.

Perhaps the issue has to be solved by the Apache developers, but that might not happen as the world is moving more and more towards HTTPS and HTTP/2.
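An added example, not code from this thread or from cPanel, that models the probe order and the fallback-to-default-certificate behaviour Kenneth describes, so an administrator can predict which Autodiscover step will warn for a given domain before a customer reports it. The server model, the sample certificates and the `fetch_cert` helper are assumptions; `domain.tld` and `srv01.domain.tld` are the placeholder names used in the thread.

```python
import socket
import ssl

AUTODISCOVER_PATH = "/autodiscover/autodiscover.xml"

def autodiscover_candidates(domain):
    """Probe order from the thread: bare domain first, then autodiscover.<domain>."""
    return [(h, f"https://{h}{AUTODISCOVER_PATH}") for h in (domain, f"autodiscover.{domain}")]

def dns_names(cert):
    """Names a client accepts (getpeercert() layout): SAN DNS entries, else the CN."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return sans or [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def name_matches(pattern, host):
    """Exact match, or a wildcard covering exactly one leading label."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return host.split(".", 1)[1:] == [pattern[2:]]
    return pattern == host

def presented_cert(server, sni):
    """Behaviour reported in the thread: an unknown SNI name gets the default (WHM) cert."""
    return server["vhosts"].get(sni.lower(), server["default"])

def predict_warnings(domain, server):
    """(url, names presented) for each probe step whose cert does not cover the host."""
    warnings = []
    for host, url in autodiscover_candidates(domain):
        names = dns_names(presented_cert(server, host))
        if not any(name_matches(n, host) for n in names):
            warnings.append((url, names))
    return warnings

def fetch_cert(host, port=443, timeout=5):
    """Live check (hypothetical helper): verify the chain but not the name, so a
    CA-signed certificate for the wrong host is returned instead of raising."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

# Constructed sample: the WHM certificate names srv01.domain.tld; the customer
# domain has either no certificate or an AutoSSL certificate with its subdomains.
WHM_CERT = {"subjectAltName": (("DNS", "srv01.domain.tld"),)}
AUTOSSL_CERT = {"subjectAltName": tuple(("DNS", n) for n in
                ("domain.tld", "www.domain.tld", "mail.domain.tld", "autodiscover.domain.tld"))}
NO_CERT = {"default": WHM_CERT, "vhosts": {}}
WITH_AUTOSSL = {"default": WHM_CERT, "vhosts": {"domain.tld": AUTOSSL_CERT,
                                                "autodiscover.domain.tld": AUTOSSL_CERT}}
```

Run `predict_warnings("domain.tld", NO_CERT)` to see both probe URLs flagged with the WHM name, and `WITH_AUTOSSL` to see the empty list once the domain and its `autodiscover.` subdomain carry a matching certificate; `fetch_cert` lets you compare the model against what a real host actually presents.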

cPanelMichael
However, the issue comes when users have either Office 365 or on-premise Microsoft Exchange, or similar services that support the autodiscover feature.
Since autodiscover will look for https://domain.tld/autodiscover/autodiscover.xml before looking in https://autodiscover.domain.tld/autodiscover/autodiscover.xml, it will trigger the issue with the certificate for srv01.domain.tld before the actual service that is used. And since the webserver cannot refuse the connection or return the 404 error before having presented the client with the server default certificate, it will show a warning in the user's email client. Although accepting the certificate does no damage, it still plants doubt with the user when they are asked such a question.
Hi Kenneth,

Would you mind posting step-by-step instructions on how we can reproduce this behavior?

We do know about AutoSSL and it is a really good feature. The only issue is that our company CEO wants to bill the customers for SSL, although it is from AutoSSL and technically free for us.
The best approach would be to discuss this further to see if this is a policy that can be changed, as the AutoSSL feature is designed to prevent issues like this from occurring, since it installs a free signed SSL certificate on a domain name and its subdomains (e.g. mail.domain.tld).

Thank you.