Free Auto-SSL - compared to - Paid RapidSSL

davetanguay

Active Member
With the recent SSL requirements due to changes with Google Chrome on July 1st... I've had some hosting customers ask:

What's the difference between the Free AutoSSL (Comodo) and purchasing a RapidSSL Certificate from GeoTrust or from any certificate authority?

I understand the advantages of getting an EV or Wildcard Cert, but what are some disadvantages if a site just uses the Free AutoSSL Comodo SSL Certificate that comes with any CPanel account?

I've read there's a 200 domain limit for AutoSSL, but read that is per CPanel account... not per server.

Is this the end of paid SSL?

Some things I've gathered...

RapidSSL includes a Site Seal and $10,000 of Warranty

I can't find any details about the Free AutoSSL Comodo Cert yet.
 

SS-Maddy

Well-Known Member
Hello @davetanguay,

1. AutoSSL (cPanel partnered, Comodo issued) certificate is valid for 90 days and has to be extended after that. RapidSSL or other paid certificates that you get have a minimum of 1 year validity.
2. You can only have Domain Validated SSLs with AutoSSL, but there are Organisation Validation and Extended Validation which you will have to pay for, and the validation in those two cases is a manual process as far as I know. For eCommerce websites, OV and EV are recommended, because those SSL validations would ensure physical address and reachability over phone for those enterprises.
3. As you mentioned, $10000+ warranty is missing. But I haven't heard of an incident where a provider had to give away the warranty amount because of a breach, though.

More details at, Manage AutoSSL - Version 68 Documentation - cPanel Documentation
 

davetanguay

Active Member
> 1. AutoSSL (cPanel partnered, Comodo issued) certificate is valid for 90 days and has to be extended after that.

Right but doesn't the certificate just automatically renew every 90 days... so they get it free for the life of the cpanel hosting account?
 

SS-Maddy

Well-Known Member
> 1. AutoSSL (cPanel partnered, Comodo issued) certificate is valid for 90 days and has to be extended after that.
>
> Right but doesn't the certificate just automatically renew every 90 days... so they get it free for the life of the cpanel hosting account?
Yes. It gets auto renewed every 90 days and is free. You just have to make sure that the SSLs are renewed at least a week prior and, if not renewed, have a system to alert you.
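
An added example (not part of the thread or of cPanel's tooling) of the alerting SS-Maddy describes: it flags any certificate with fewer than 7 days left, which for a 90-day AutoSSL certificate means automatic renewal has stalled. The host names and dates in the sample are constructed.

```python
import socket
import ssl
import sys
import time

RENEW_MARGIN_DAYS = 7  # "at least a week prior", per the post above


def fetch_cert(host, port=443, timeout=5):
    """Fetch and validate the certificate served by host:port (needs network)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def days_left(cert, now=None):
    """Whole days until notAfter; negative once the certificate has expired."""
    now = time.time() if now is None else now
    return int((ssl.cert_time_to_seconds(cert["notAfter"]) - now) // 86400)


def status(cert, now=None, margin=RENEW_MARGIN_DAYS):
    """Return (state, days_left); 'renewal overdue' means inside the margin."""
    remaining = days_left(cert, now)
    if remaining < 0:
        return "expired", remaining
    if remaining < margin:
        return "renewal overdue", remaining
    return "ok", remaining


# Constructed sample data in the shape returned by SSLSocket.getpeercert().
SAMPLE_NOW = ssl.cert_time_to_seconds("Sep  1 00:00:00 2018 GMT")
SAMPLE_CERTS = {
    "fresh.example": {"notAfter": "Nov 20 00:00:00 2018 GMT"},
    "stuck.example": {"notAfter": "Sep  5 00:00:00 2018 GMT"},
    "dead.example": {"notAfter": "Aug 30 00:00:00 2018 GMT"},
}

if __name__ == "__main__":
    for host in sys.argv[1:]:
        try:
            print(host, *status(fetch_cert(host)))
        except (ssl.SSLError, OSError) as exc:
            # An expired or mismatched certificate fails validation here.
            print(host, "handshake failed:", exc)
```

Run from cron with the hosted domain names as arguments; any line that is not `ok` deserves a look at the AutoSSL log for that account.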
 

cPanelLauren

Product Owner
Staff member
Hello, @SS-Maddy is correct in the differences between SSLs.

The AutoSSL system will notify you if a certificate does not pass the DCV check; by default these notifications are enabled. They will need to be validated every 90-days as opposed to a paid certificate that is good for a period of time you choose.
 

davetanguay

Active Member
>>>>> The AutoSSL system will notify you if a certificate does not pass the DCV check by default these notifications are enabled, they will need to be validated every 90-days as opposed to a paid certificate that is good for a period of time you choose.

I've never had to valid a Free SSL from auto-ssl initially or even after 90 days. It seems it is automatic.

So this leads me back to my initial question in the post... what are the disadvantages of just using a free SSL that comes with auto-ssl rather than a paid certificate?

The only difference I see is that a paid one includes a "warranty" amount.
 

cPanelLauren

Product Owner
Staff member
> I've never had to valid a Free SSL from auto-ssl initially or even after 90 days. It seems it is automatic.
Can you clarify what you mean here? I'm not sure I understand this sentence.


> So this leads me back to my initial question in the post... what are the disadvantages of just using a free SSL that comes with auto-ssl rather than a paid certificate?
We've given you the advantages and disadvantages of both, what are you looking for specifically?
 

davetanguay

Active Member
>>>>> I've never had to valid a Free SSL from auto-ssl initially or even after 90 days. It seems it is automatic.
>>>>> Can you clarify what you mean here? I'm not sure I understand this sentence.

You stated "they will need to be validated every 90-days as opposed to a paid certificate that is good for a period of time you choose."

What do you mean they need to be validated? Does my customer need to manually validate it somehow by confirming an email sent to them? I've never had to do this for any customers on my CPanel servers for the free Auto-SSL. It seems to me the auto-SSL is renewed every 90 days automatically.

How are the free SSL certificates validated after 90 days? Is there some sort of manual validation that needs to be done? Or is it automatic?

>>>>> We've given you the advantages and disadvantages of both, what are you looking for specifically?

Well since the 90 day Free Certificate appears to be automatically renewed without requiring any type of manual verification or validation, it doesn't seem like there are any disadvantages to the Free SSL compared to a Paid SSL Certificate... other than a "warranty" that comes with a paid one.
 

fidividi

Well-Known Member
> So this leads me back to my initial question in the post... what are the disadvantages of just using a free SSL that comes with auto-ssl rather than a paid certificate?
The only thing I would like to add, is a technical limitation of AutoSSL; and that is, validation is happening via the ACME/.well-known... HTTP validation method which means the DNS records need to exist and point to your server (and also no funny http rewrite/redirect rules to avoid reaching the .well-known folder).

I wouldn't say disadvantage, but as a technical limitation, I always explain to my customers that all those DNS records have to be valid and point to us before we can validate.

This is not the case with premium SSL certificates; for example, you can even use the SSL certificate locally in an isolated environment once you have the private key/bundle/certificate, even without internet access and without it being public and exposed to the web.
 

sparek-3

Well-Known Member
> This is not the case with premium SSL certificates; for example, you can even use the SSL certificate locally in an isolated environment once you have the private key/bundle/certificate, even without internet access and without it being public and exposed to the web.
Well, you still have to domain validate somehow.
 

cPanelFelipe

Member
Staff member
Some points to offer here:

1) AutoSSL is a framework that allows arbitrary providers to issue SSL certificates for cPanel servers. The default provider uses cPanel’s own (Comodo-backed) CA; cPanel also provides a plugin that allows use of Let’s Encrypt instead. It is also possible for third parties to write their own AutoSSL provider modules, e.g., to provide free SSL via a different CA.

2) The 200 domains limit is per certificate, and it will be raised soon to 1,000. This limit is for the cPanel/Comodo AutoSSL provider. Let’s Encrypt’s per-certificate limit is 100 domains, and LE imposes other significant rate limits that the cPanel/Comodo provider does not. Moreover, unlike Comodo, LE does not consider an ancestor domain’s validation to suffice as validation for a subdomain. For these reasons, cPanel believes its own default provider will produce more reliable SSL coverage for most users.

3) To answer the original question on this thread: paid DV certificates offer warranties that neither Let’s Encrypt nor free cPanel/Comodo certificates provide.

4) The “Global DCV Passthrough” feature, available with EasyApache 4, largely solves the .htaccess issues that affected AutoSSL at first.

5) cPanel & WHM v74 will add DNS-based validation for SSL certificates as a fallback when HTTP-based validation fails. This will alleviate the requirement that domains resolve to the server that requests the certificate.
 

davetanguay

Active Member
>>>>> 2) The 200 domains limit is per certificate, and it will be raised soon to 1,000.

Just to confirm, this is per CPanel account and not per server, correct?
 

sparek-3

Well-Known Member
It's per VirtualHost

There can only be 1 certificate per VirtualHost.

If you open up your /etc/apache2/conf/httpd.conf file and browse through the multitude of VirtualHost sections, you'll see:

ServerName

Which will list 1 domain name (kind of the "name" for that VirtualHost) and then you'll see:

ServerAlias

Which may have many, many, many domain names listed. These are domain names that will also match this VirtualHost.

In order for the certificate to be proper, it will have to list all of those domain names (ServerName + ServerAlias) as SANs on the certificate (well, technically 1 of the domain names will be listed as the CN - typically the ServerName - and all of the domain names in the ServerAlias will be listed as SANs).

What this limit is saying is that cPanel Comodo certificates can have at most 200 domain names attached (1 CN + 199 SANs ... or is it 1 CN + 200 SANs? ... meh, this is a question of 1 domain name - who cares). Let's Encrypt on the other hand only allows for 100 SANs (or 99 ... is the Common Name included in any of these calculations? Anybody know?)

You can get around this... and it always made more sense to me... to just create more VirtualHosts. Rather than adding ServerAliases to a VirtualHost every time a Domain Alias (parked domain) is created... just create a new VirtualHost. Then you don't have this problem. I'm not sure what the advantage is of using massively long ServerAlias directives vs more VirtualHosts (but that discussion gets this thread off topic... so let's not discuss that here).
 
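
An added example, not sparek-3's or cPanel's code: a script that counts ServerName plus ServerAlias names per SSL VirtualHost and lists those above the per-certificate limits quoted in this thread (200 for cPanel/Comodo, 100 for Let's Encrypt). The sample configuration is constructed, and treating `:443` vhosts as the SSL ones is an assumption.

```python
import re

# Per-certificate name limits as quoted in this thread, not read from any CA API.
LIMITS = {"cpanel-comodo": 200, "letsencrypt": 100}

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)


def vhost_names(conf_text):
    """Return [(address, [unique lower-cased names])], ServerName first."""
    conf_text = conf_text.replace("\\\n", " ")  # join continued lines
    result = []
    for addr, body in VHOST_RE.findall(conf_text):
        server_name, aliases = [], []
        for line in body.splitlines():
            parts = line.split()
            if not parts or parts[0].startswith("#"):
                continue  # blank line or comment
            directive = parts[0].lower()
            if directive == "servername":
                server_name = [p.lower() for p in parts[1:2]]
            elif directive == "serveralias":
                aliases += [p.lower() for p in parts[1:]]
        names = list(dict.fromkeys(server_name + aliases))  # dedupe, keep order
        result.append((addr.strip(), names))
    return result


def over_limit(conf_text, provider, ssl_port="443"):
    """List (ServerName, name_count) for SSL vhosts above the provider's limit."""
    limit = LIMITS[provider]
    flagged = []
    for addr, names in vhost_names(conf_text):
        # Assumption: the vhost that carries the certificate listens on ssl_port.
        if names and addr.endswith(":" + ssl_port) and len(names) > limit:
            flagged.append((names[0], len(names)))
    return flagged


# Constructed sample: one vhost with 121 names in total, one with 2.
SAMPLE_CONF = """
<VirtualHost 203.0.113.10:443>
  ServerName big.example
  # ServerAlias commented.example
  ServerAlias www.big.example {aliases}
</VirtualHost>
<VirtualHost 203.0.113.10:443>
  ServerName small.example
  ServerAlias www.small.example
</VirtualHost>
""".format(aliases=" ".join("parked%d.example" % i for i in range(119)))
```

To check a real server, pass the contents of `/etc/apache2/conf/httpd.conf` to `over_limit()` in place of `SAMPLE_CONF`.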