Free Auto-SSL - compared to - Paid RapidSSL

Discussion in 'Security' started by davetanguay, Jul 2, 2018.

  1. davetanguay

    davetanguay Active Member

    With the recent SSL requirements due to changes with Google Chrome on July 1st... I've had some hosting customers ask:

    What's the difference between the Free AutoSSL (Comodo) and purchasing a RapidSSL Certificate from GeoTrust or from any certificate authority?

    I understand the advantages of getting an EV or Wildcard Cert, but what are some disadvantages if a site just uses the Free AutoSSL Comodo SSL Certificate that comes with any CPanel account?

    I've read there's a 200 domain limit for AutoSSL, but read that is per CPanel account... not per server.

    Is this the end of paid SSL?

    Some things I've gathered...

    RapidSSL includes a Site Seal and $10,000 of Warranty

    I can't find any details about the Free AutoSSL Comodo Cert yet.
     
    #1 davetanguay, Jul 2, 2018
    Last edited by a moderator: Jul 3, 2018
  2. SS-Maddy

    SS-Maddy Well-Known Member

    Hello @davetanguay,

    1. AutoSSL (cPanel partnered, Comodo issued) certificate is valid for 90 days and has to be extended after that. RapidSSL or other paid certificates that you get have a minimum of 1 year validity.
    2. You can only have Domain Validated SSLs with AutoSSL, but there are Organisation Validation and Extended Validation which you will have to pay for, and the validation in those two cases is a manual process as far as I know. For eCommerce websites, OV and EV are recommended, because those SSL validations would ensure physical address and reachability over phone for those enterprises.
    3. As you mentioned, $10000+ warranty is missing. But I haven't heard of an incident where a provider had to give away the warranty amount because of a breach, though.

    More details at: Manage AutoSSL - Version 68 Documentation - cPanel Documentation
     
  3. davetanguay

    davetanguay Active Member

    1. AutoSSL (cPanel partnered, Comodo issued) certificate is valid for 90 days and has to be extended after that.

    Right but doesn't the certificate just automatically renew every 90 days... so they get it free for the life of the cpanel hosting account?
     
  4. SS-Maddy

    SS-Maddy Well-Known Member

    Yes. It gets auto-renewed every 90 days and is free. You just have to make sure that the SSLs are renewed at least a week prior, and if not renewed, have a system to alert you.
     
  5. cPanelLauren

    cPanelLauren Forums Analyst
    Staff Member

    Hello, @SS-Maddy is correct in the differences between SSLs.

    The AutoSSL system will notify you if a certificate does not pass the DCV check; by default these notifications are enabled. They will need to be validated every 90 days, as opposed to a paid certificate that is good for a period of time you choose.
     
  6. davetanguay

    davetanguay Active Member

    >>>>> The AutoSSL system will notify you if a certificate does not pass the DCV check by default these notifications are enabled, they will need to be validated every 90-days as opposed to a paid certificate that is good for a period of time you choose.

    I've never had to validate a Free SSL from auto-ssl initially or even after 90 days. It seems it is automatic.

    So this leads me back to my initial question in the post... what are the disadvantages of just using a free SSL that comes with auto-ssl rather than a paid certificate?

    The only difference I see is that a paid one includes a "warranty" amount.
     
  7. cPanelLauren

    cPanelLauren Forums Analyst
    Staff Member

    Can you clarify what you mean here? I'm not sure I understand this sentence.


    We've given you the advantages and disadvantages of both, what are you looking for specifically?
     
  8. davetanguay

    davetanguay Active Member

    >>>>> I've never had to validate a Free SSL from auto-ssl initially or even after 90 days. It seems it is automatic.
    Can you clarify what you mean here? I'm not sure I understand this sentence.

    You stated "they will need to be validated every 90-days as opposed to a paid certificate that is good for a period of time you choose."

    What do you mean they need to be validated? Does my customer need to manually validate it somehow by confirming an email sent to them? I've never had to do this for any customers on my CPanel servers for the free Auto-SSL. It seems to me the auto-SSL is renewed every 90 days automatically.

    How are the free SSL certificates validated after 90 days? Is there some sort of manual validation that needs to be done? Or is it automatic?

    >>>>> We've given you the advantages and disadvantages of both, what are you looking for specifically?

    Well since the 90 day Free Certificate appears to be automatically renewed without requiring any type of manual verification or validation, it doesn't seem like there are any disadvantages to the Free SSL compared to a Paid SSL Certificate... other than a "warranty" that comes with a paid one.
     
  9. fidividi

    fidividi Well-Known Member

    The only thing I would like to add, is a technical limitation of AutoSSL; and that is, validation is happening via the ACME/.well-known... HTTP validation method which means the DNS records need to exist and point to your server (and also no funny http rewrite/redirect rules to avoid reaching the .well-known folder).

    I wouldn't say disadvantage, but as a technical limitation, I always explain to my customers that all those DNS records have to be valid and point to us before we can validate.

    This is not the case with premium SSL certificates; for example, you can even use the SSL certificate locally in an isolated environment once you have the private key/bundle/certificate, even without internet access and without it being public and exposed to the web.
     
  10. sparek-3

    sparek-3 Well-Known Member

    Well, you still have to domain validate somehow.
     
  11. fidividi

    fidividi Well-Known Member

    Yes, and that can be through domain registry email verification... admin@... or based on whois. It does not require the DNS record to be valid/public/on the same server the admin has access to.
     
  12. cPanelFelipe

    cPanelFelipe Member
    Staff Member

    Some points to offer here:

    1) AutoSSL is a framework that allows arbitrary providers to issue SSL certificates for cPanel servers. The default provider uses cPanel’s own (Comodo-backed) CA; cPanel also provides a plugin that allows use of Let’s Encrypt instead. It is also possible for third parties to write their own AutoSSL provider modules, e.g., to provide free SSL via a different CA.

    2) The 200 domains limit is per certificate, and it will be raised soon to 1,000. This limit is for the cPanel/Comodo AutoSSL provider. Let’s Encrypt’s per-certificate limit is 100 domains, and LE imposes other significant rate limits that the cPanel/Comodo provider does not. Moreover, unlike Comodo, LE does not consider an ancestor domain’s validation to suffice as validation for a subdomain. For these reasons, cPanel believes its own default provider will produce more reliable SSL coverage for most users.

    3) To answer the original question on this thread: paid DV certificates offer warranties that neither Let’s Encrypt nor free cPanel/Comodo certificates provide.

    4) The “Global DCV Passthrough” feature, available with EasyApache 4, largely solves the .htaccess issues that affected AutoSSL at first.

    5) cPanel & WHM v74 will add DNS-based validation for SSL certificates as a fallback when HTTP-based validation fails. This will alleviate the requirement that domains resolve to the server that requests the certificate.
     
    cPanelLauren and Infopro like this.
  13. davetanguay

    davetanguay Active Member

    >>>>> 2) The 200 domains limit is per certificate, and it will be raised soon to 1,000.

    Just to confirm, this is per CPanel account and not per server, correct?
     
  14. vacancy

    vacancy Well-Known Member

  15. sparek-3

    sparek-3 Well-Known Member

    It's per VirtualHost

    There can only be 1 certificate per VirtualHost.

    If you open up your /etc/apache2/conf/httpd.conf file and browse through the multitude of VirtualHost sections, you'll see:

    ServerName

    Which will list 1 domain name (kind of the "name" for that VirtualHost) and then you'll see:

    ServerAlias

    Which may have many, many, many domain names listed. These are domain names that will also match this VirtualHost.

    In order for the certificate to be proper, it will have to list all of those domain names (ServerName + ServerAlias) as SANs on the certificate (well, technically 1 of the domain names will be listed as the CN - typically the ServerName - and all of the domain names in the ServerAlias will be listed as SANs).

    What this limit is saying is that cPanel Comodo certificates can have at most 200 domain names attached to (1 CN + 199 SANs ... or is it 1 CN + 200 SANs? ... meh, this is a question of 1 domain name - who cares). Let's Encrypt on the other hand only allows for 100 SANs (or 99 ... is the Common Name included in any of these calculations? Anybody know?)

    You can get around this... and it always made more sense to me... to just create more VirtualHosts. Rather than adding ServerAliases to a VirtualHost every time a Domain Alias (parked domain) is created... just create a new VirtualHost. Then you don't have this problem. I'm not sure what the advantage is of using massively long ServerAlias directives vs more VirtualHosts (but that discussion gets this thread off topic... so let's not discuss that here).
     
    cPanelLauren likes this.
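
As an added illustration of the per-VirtualHost name counting described in the post above (not code from the thread or from cPanel), this Python sketch counts ServerName plus ServerAlias entries in each VirtualHost and flags those above the per-certificate limits quoted in this thread. It assumes every name counts toward the limit (the post leaves the CN question open), and the provider keys and sample configuration are constructed for the example.

```python
import re

# Per-certificate name limits as quoted in this thread (not verified here).
PROVIDER_LIMITS = {"cpanel-comodo": 200, "letsencrypt": 100}
VHOST_OPEN = re.compile(r"^\s*<VirtualHost\s+([^>]+)>", re.I)
VHOST_CLOSE = re.compile(r"^\s*</VirtualHost>", re.I)
DIRECTIVE = re.compile(r"^\s*(ServerName|ServerAlias)\s+(.+?)\s*$", re.I)

def vhost_names(conf_text):
    """Yield (listen_addr, server_name, sorted unique names) per VirtualHost."""
    addr, server_name, names = None, None, set()
    for line in conf_text.splitlines():
        if line.lstrip().startswith("#"):  # skip comment lines
            continue
        m = VHOST_OPEN.match(line)
        if m:
            addr, server_name, names = m.group(1).strip(), None, set()
        elif addr is None:  # ignore directives outside any VirtualHost
            continue
        elif VHOST_CLOSE.match(line):
            yield addr, server_name, sorted(names)
            addr = None
        else:
            m = DIRECTIVE.match(line)
            if m:
                hosts = [h.lower() for h in m.group(2).split()]
                if m.group(1).lower() == "servername":
                    server_name = hosts[0]
                names.update(hosts)  # set: duplicates are counted once

def over_limit(conf_text, provider):
    """Return (addr, server_name, name_count) for vhosts above the limit."""
    limit = PROVIDER_LIMITS[provider]
    return [(addr, sn, len(names)) for addr, sn, names in vhost_names(conf_text)
            if len(names) > limit]

def sample_conf():
    """Constructed sample: one small vhost, one with 151 names."""
    aliases = " ".join(f"parked{i}.example.net" for i in range(149))
    return (
        "<VirtualHost 192.0.2.10:443>\n  ServerName shop.example.com\n"
        "  ServerAlias www.shop.example.com mail.shop.example.com\n</VirtualHost>\n"
        "<VirtualHost 192.0.2.10:443>\n  ServerName big.example.net\n"
        f"  ServerAlias www.big.example.net\n  ServerAlias {aliases}\n</VirtualHost>\n"
    )

if __name__ == "__main__":
    for provider in PROVIDER_LIMITS:
        print(provider, over_limit(sample_conf(), provider))
```

On a real server, pass the contents of the httpd.conf file mentioned in the post instead of `sample_conf()`.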