The Community Forums


In Progress Downsides to Enabling AutoSSL on Existing Server?

Discussion in 'General Discussion' started by jcwacky, Aug 20, 2016.

  1. jcwacky

    jcwacky Member

    I have a cPanel server with approximately 140 accounts on it. I'd like to enable AutoSSL, mainly so that new accounts will get certificates, but I also plan to update existing accounts with certificate support one at a time.

    Is there any harm in just immediately enabling AutoSSL for all accounts on the server? Or are there things that adding an SSL certificate may break in an account? Or does the fact that even if a certificate is installed on an account it won't be used unless https redirects are in place, and that users need to explicitly tell their mail clients to use SSL, mean that nothing should break for existing users?

    Or am I best disabling it for all existing accounts, keeping it enabled for all new accounts, and then manually enabling it for each old account one at a time to allow me to test for issues?
     
  2. fate12

    fate12 Active Member

    I would like to know this as well.

    And what happens to the sites that already got a certificate?
    Do I need to exclude those sites manually?
     
  3. sehh

    sehh Well-Known Member

    You can easily enable AutoSSL, it won't break anything but it may also not work on some domains.

    Please take a look at this thread, which I started some time ago with the issues I encountered when I enabled AutoSSL:

    AutoSSL - htaccess whitelist
     
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello,

    There's generally no harm in enabling SSL for all accounts; however, ensure you are aware of the domain and rate limits referenced on the Manage AutoSSL document in the event an account hosts a large number of subdomains.

    Great question! The Manage AutoSSL document helps to answer this:

    AutoSSL will not attempt to replace pre-existing valid certificates that expire in more than three days.

    Thank you.
     
  5. ralphday

    ralphday Member

    This does not appear in the linked Manage AutoSSL document. I assume it was removed in a recent update to the doc as it shows last update 11/28/16. Is this still how it works? If so please put it back in the doc as I've been assuming it's the 15 days documented for the cPanel cert provider (which I have selected along with "Allow AutoSSL to replace invalid or expiring non-AutoSSL certificates") and I'm trying to figure out why cert requests are not being generated for pre-existing certs expiring in 5 days.
     
  6. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello @ralphday,

    This behavior changed slightly in cPanel version 60 due to the following case:

    Implemented case CPANEL-9130: Make AutoSSL default to not replacing non-AutoSSL certificates.

    As of cPanel version 60:

    AutoSSL will automatically attempt to renew cPanel-signed AutoSSL certificates within 15 days of the expiration date.

    For domain names with non-AutoSSL signed certificates, and when "Allow AutoSSL to replace invalid or expiring non-AutoSSL certificates" is enabled, AutoSSL will attempt to issue a cPanel-signed AutoSSL certificate within 3 days of the expiration date.

    I've opened a case with our documentation team to ensure this behavior is documented, and I'll update this thread once the changes are published.

    On a side note, currently the AutoSSL logs will show a message like this, even when the "Allow AutoSSL to replace invalid or expiring non-AutoSSL certificates" option is enabled:

    This is confusing when "Allow AutoSSL to replace invalid or expiring non-AutoSSL certificates" is enabled, as AutoSSL will in fact eventually replace the certificate, so internal CPANEL-10103 is open to improve this message to account for that option.

    Thank you.
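
The version 60 timing rules quoted in the reply above, applied to a certificate inventory to show when AutoSSL would first act on each domain. This is an added example, not part of the thread and not cPanel's code; the function names, the `valid` flag, and the sample inventory are assumptions made for illustration.

```python
from datetime import datetime, timedelta

AUTOSSL_RENEW_WINDOW = timedelta(days=15)  # cPanel-signed AutoSSL certificates
NON_AUTOSSL_WINDOW = timedelta(days=3)     # other certificates, option enabled

def autossl_action(not_after, is_autossl, replace_non_autossl, now, valid=True):
    """Return (action, when): what AutoSSL does now, or when it would first act."""
    if is_autossl:
        window = AUTOSSL_RENEW_WINDOW
    elif not replace_non_autossl:
        # Default since version 60 (CPANEL-9130): non-AutoSSL certificates are left alone.
        return "skip", None
    elif not valid:
        # Assumption taken from the option's name ("invalid or expiring"):
        # an invalid non-AutoSSL certificate is replaced on the next run.
        return "replace", now
    else:
        window = NON_AUTOSSL_WINDOW
    first_attempt = not_after - window
    if now >= first_attempt:
        return ("renew" if is_autossl else "replace"), now
    return "wait", first_attempt

def report(inventory, replace_non_autossl, now):
    """Map (domain, not_after, is_autossl) records to (domain, action, when)."""
    return [
        (domain,) + autossl_action(not_after, is_autossl, replace_non_autossl, now)
        for domain, not_after, is_autossl in inventory
    ]

# Constructed sample inventory; in practice these fields would come from the
# installed certificates' expiry dates and issuers.
NOW = datetime(2016, 12, 1)
INVENTORY = [
    ("shop.example.com", NOW + timedelta(days=5), False),  # third-party, 5 days left
    ("blog.example.com", NOW + timedelta(days=5), True),   # AutoSSL, 5 days left
    ("mail.example.com", NOW + timedelta(days=3), False),  # third-party, 3 days left
    ("www.example.com", NOW + timedelta(days=40), True),   # AutoSSL, 40 days left
]

if __name__ == "__main__":
    for domain, action, when in report(INVENTORY, True, NOW):
        print(f"{domain:20} {action:8} {when}")
```

A non-AutoSSL certificate with 5 days left reports `wait` with a date two days out, which matches the situation described earlier in the thread where no request was generated yet.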
     