hostname SSL cert replaced with cPanel issued version

bear

cPanel/WHM updated today on a few servers, and my SSL certificates on the hostname have all been replaced with cPanel-issued ones instead of the ones I had in place already. Can someone shed some light on why the certs I bought and paid for were replaced, unannounced, by these?
 

PenguinInternet

It was announced in the release notes before this was pushed from current to release - you can find the details on this here: 56 Release Notes - Documentation - cPanel Documentation

If you had valid certs in place, I'm guessing that they had a weak algorithm from the criteria listed for replacement unless they were just about to expire?
 

bear

Valid and about a month old. This part is part of that linked announcement (thanks, by the way):
"This system will only replace self-signed or expired certificates. It will not replace an existing certificate from a valid certificate authority."
RapidSSL certs, 2048 bits. AFAIK, that's a valid issuer.
 

Kobor

Even if it had a weak algorithm, how dare cPanel replace it?
And what is a valid certificate authority? I could have my own certificate authority inside the organization I run; it's not cPanel's authority to decide what is valid or not. It is mine.
In a way, even replacing self-signed certs could be problematic.

And the best of all: cPanel releasing valid certificates for valid domains without the owners' accord, and Comodo happily cross-signing it. WTF? Hey, maybe I could get a certificate for paypal.com from cPanel?

Seems that for the past 2-3 years, with every major upgrade, cPanel changes stuff on our servers without thinking it through, and without our accord.
 

cPanelMichael

Administrator
Staff member
Hello,

Here's the pertinent section of the version 56 release notes for new users who are visiting this thread for the first time:

Free cPanel-signed hostname certificate
As part of the introduction of this feature, cPanel offers valid cPanel & WHM license holders a free cPanel-signed hostname certificate for your server's services. This replaces the certificates for these services that meet any of the following conditions:
  • Has a weak signature algorithm. — New in version 56
  • Revoked. — New in version 56
  • Self-signed.
  • Invalid.
  • Expires in less than one week.
Note:

Comodo™ cross-signs these cPanel-signed certificates for additional security.

Your server will automatically order the free signed certificate when the server runs the /bin/checkallsslcerts tool as part of the upcp maintenance script and connects to the license server. The server will download and install the certificate when it is available.

When that signed certificate is less than seven days from expiration, your server will automatically order a replacement free signed certificate. The server will download and install the certificate when it is available. Otherwise, if the signed certificate expires, the server will install a self-signed certificate, and then replace that certificate with the free signed certificate when it is ready.

If you wish to replace your services certificate with one from another provider, use WHM's Manage Service SSL Certificates interface ( Home >> Service Configuration >> Manage Service SSL Certificates ).

If you create the /var/cpanel/ssl/disable_auto_hostname_certificate touch file, the system will no longer order, download, and install a free cPanel-signed hostname certificate.

Important:
  • Your server's hostname must be valid and resolve in DNS.
  • Your server must have a valid cPanel & WHM license.
  • This system will only replace self-signed or expired certificates. It will not replace an existing certificate from a valid certificate authority.
Important:

You can disable the free cPanel-signed hostname certificate. You can configure this setting in Manage2's Update Company Information interface (Dashboard >> Company >> Update Company Information).

For more information, see the section on updated features in Manage2.
There's also a blog post that goes into more detail on this new feature at:

The cPanel Market Provider, and free hostname SSLs | cPanel Blog

RapidSSL certs, 2048 bits. AFAIK, that's a valid issuer.
Could you verify if this was a wildcard certificate? Internal case CPANEL-5841 addresses an issue where wildcard certificates that do not match the hostname are unexpectedly replaced by checkallsslcerts during the update process. A resolution for this is scheduled for publication in the near future.

Even if it had a weak algorithm, how dare cPanel replace it?
And what is a valid certificate authority? I could have my own certificate authority inside the organization I run; it's not cPanel's authority to decide what is valid or not. It is mine. In a way, even replacing self-signed certs could be problematic.
You can disable this functionality by creating the following file on your system:

Code:
/var/cpanel/ssl/disable_auto_hostname_certificate
As mentioned in the documentation, the system will no longer order, download, and install a free cPanel-signed hostname certificate when this file exists.

Seems that for the past 2-3 years, with every major upgrade, cPanel changes stuff on our servers without thinking it through, and without our accord.
I encourage you to join our Edge-Users mailing list. For instance, with this particular feature, we sent out an email to our Edge-Users mailing list on March 14th that noted this change and sought out feedback and questions about the feature. You can subscribe to the list by visiting the following URL:

Edge-Users Info Page

I have an expedited ticket open for this: support request ID: 7531717
I'm monitoring the support ticket and will update this thread with the outcome.

Thank you.
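
The replacement conditions listed in the release notes quoted above can be checked against a certificate file before upcp runs. This is an added example, not cPanel's code and not part of any post in this thread; the function names, the MD2/MD5/SHA-1 definition of "weak", and treating a hostname mismatch as "invalid" are assumptions, and revocation is not checked.

```shell
#!/bin/sh
# Added example (not cPanel code): report which of the replacement conditions
# quoted above a certificate meets. Needs the openssl CLI.
# "Revoked" is not checked here: that requires an OCSP or CRL lookup.

# audit_hostname_cert CERT_PEM HOSTNAME -> prints one line per condition met
audit_hostname_cert() {
    cert=$1 host=$2

    # Invalid: the file does not parse as an X.509 certificate.
    if ! openssl x509 -in "$cert" -noout >/dev/null 2>&1; then
        echo "invalid: not a parseable certificate"
        return 0
    fi

    # Self-signed: subject and issuer names hash to the same value.
    if [ "$(openssl x509 -in "$cert" -noout -subject_hash)" = \
         "$(openssl x509 -in "$cert" -noout -issuer_hash)" ]; then
        echo "self-signed"
    fi

    # Weak signature algorithm. Assumption: "weak" means MD2, MD5 or SHA-1.
    sigalg=$(openssl x509 -in "$cert" -noout -text |
             awk '/Signature Algorithm:/ { print $3; exit }')
    case $sigalg in
        md2*|md5*|sha1*|*-SHA1|dsaWithSHA1) echo "weak-signature: $sigalg" ;;
    esac

    # Expires in less than one week (7 * 86400 = 604800 seconds).
    if ! openssl x509 -in "$cert" -noout -checkend 604800 >/dev/null; then
        echo "expires-within-7-days"
    fi

    # Hostname mismatch (assumption: counts as "invalid"). -checkhost applies
    # wildcard rules: *.example.test matches host.example.test, not example.test.
    if ! openssl x509 -in "$cert" -noout -checkhost "$host" |
         grep -q 'does match'; then
        echo "hostname-mismatch: $host"
    fi
    return 0
}

# Constructed sample input: a throwaway 3-day self-signed wildcard certificate.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 3 -subj "/CN=*.example.test" \
        -keyout "$1.key" -out "$1" >/dev/null 2>&1
}

# Usage: sh audit.sh /path/to/cert.pem "$(hostname -f)"
if [ "$#" -eq 2 ]; then audit_hostname_cert "$1" "$2"; fi
```

No output means the certificate meets none of the checked conditions for that hostname.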
 

cPanelMichael

Administrator
Staff member
Could you verify if this was a wildcard certificate? Internal case CPANEL-5841 addresses an issue where wildcard certificates that do not match the hostname are unexpectedly replaced by checkallsslcerts during the update process. A resolution for this is scheduled for publication in the near future.
A resolution for this particular issue is now available in cPanel version 56.0.9:

Implemented case CPANEL-5841: Wildcard certs that do not match the hostname should not be replaced.

Thank you.
 

PPNSteve

Interesting.. we have a couple of servers that use GeoTrust-issued RapidSSL certs, and both are basically the same setting-wise aside from the hostname, and early release tier 56 didn't overwrite the valid cert but today's release did on the other server (exp date of 10/2016).. what gives?
 

cPanelMichael

Administrator
Staff member
Interesting.. we have a couple of servers that use GeoTrust-issued RapidSSL certs, and both are basically the same setting-wise aside from the hostname, and early release tier 56 didn't overwrite the valid cert but today's release did on the other server (exp date of 10/2016).. what gives?
Would you mind opening a support ticket using the link in my signature so we can take a closer look? You can post the ticket number here so we can update this thread with the outcome.

Thank you.
 
Nov 10, 2013
6
1
3
cPanel Access Level
Reseller Owner
I found this thread while trying to figure out why cPanel was replacing my SSL certificate. However, reading this thread leaves me with more questions than answers.

To start with, I created the /var/cpanel/ssl/disable_auto_hostname_certificate file yesterday, yet again tonight cPanel replaced it with a free certificate.

My certificate doesn't expire for another 21 days, and is issued by a trusted Certificate Authority.

I don't want cPanel messing with my SSL certificates, so I created the file as mentioned to keep it from happening. Yet, it still happens. How can I disable this feature?
 

cPanelNick

Administrator
Staff member
I don't want cPanel messing with my SSL certificates, so I created the file as mentioned to keep it from happening. Yet, it still happens. How can I disable this feature?
You can have cPanel disable service certificate management by creating this file

Code:
/var/cpanel/ssl/disable_service_certificate_management
 

jonh

Not sure if this is related, but all our SSL sites today are showing (Safari) "This certificate has an invalid issuer." and (Chrome) "this certificate has been revoked." Nothing has changed as far as we know; noticed it when visiting some of the sites.


==========
Update: It's unrelated, GlobalSign had an issue today.
 

gruvin

Another ME TOO.

It's simple. MY server. MY certificate. MY authority. PERIOD.

How do we COMPLETELY DISABLE this MORONIC "feature"?

Thank you.

EDIT: From above ...

You can have cPanel disable service certificate management by creating this file

Code:
/var/cpanel/ssl/disable_service_certificate_management
Thank God! Far out. This has cost us HOURS. Grrr.
 