hostname SSL cert replaced with cPanel issued version

Discussion in 'Security' started by bear, Apr 27, 2016.

  1. bear

    bear Well-Known Member

    cPanel/WHM updated today on a few servers, and my SSL certificates on the hostname have all been replaced with cPanel-issued ones instead of the ones I had in place already. Can someone shed some light on why the certs I bought and paid for were replaced, unannounced, by these?
     
  2. PenguinInternet

    PenguinInternet Well-Known Member
    PartnerNOC

    It was announced in the release notes before this was pushed from current to release. You can find the details on this here: 56 Release Notes - Documentation - cPanel Documentation

    If you had valid certs in place, I'm guessing that they had a weak algorithm from the criteria listed for replacement unless they were just about to expire?
     
  3. bear

    bear Well-Known Member

    Valid and about a month old. This part is part of that linked announcement (thanks, by the way):
    "This system will only replace self-signed or expired certificates. It will not replace an existing certificate from a valid certificate authority."
    RapidSSL certs, 2048 bits. AFAIK, that's a valid issuer.
     
    Mike Waters likes this.
  4. Kobor

    Kobor Member

    Even if it had a weak algorithm, how dare cPanel replace it?
    And what is a valid certificate authority? I could have my own certificate authority inside the organization I run; it's not cPanel's authority to decide what is valid or not. It is mine.
    In a way, even replacing self-signed certs could be problematic.

    And the best of all: cPanel releasing valid certificates for valid domains without the owner's accord, and Comodo happily cross-signing it. WTF? Hey, maybe I could get a certificate for paypal.com from cPanel?

    It seems that for the past 2-3 years, with every major upgrade cPanel changes stuff on our servers without thinking it through, and without our accord.
     
    Mike Waters likes this.
  5. Mike Waters

    Mike Waters Registered

    Same thing happened to us!!! :-(
    Thank you for grinding our business to a screeching halt.

    I have an expedited ticket open for this: support request ID: 7531717
     
  6. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello,

    Here's the pertinent section of the version 56 release notes for new users who are visiting this thread for the first time:

    There's also a blog post that goes into more detail on this new feature at:

    The cPanel Market Provider, and free hostname SSLs | cPanel Blog

    Could you verify if this was a wildcard certificate? Internal case CPANEL-5841 addresses an issue where wildcard certificates that do not match the hostname are unexpectedly replaced by checkallsslcerts during the update process. A resolution for this is scheduled for publication in the near future.

    You can disable this functionality by creating the following file on your system:

    Code:
    /var/cpanel/ssl/disable_auto_hostname_certificate
    As mentioned in the documentation, the system will no longer order, download, and install a free cPanel-signed hostname certificate when this file exists.

    I encourage you to join our Edge-Users mailing list. For instance, with this particular feature, we sent out an email to our Edge-Users mailing list on March 14th that noted this change and sought out feedback and questions about the feature. You can subscribe to the list by visiting the following URL:

    Edge-Users Info Page

    I'm monitoring the support ticket and will update this thread with the outcome.

    Thank you.
     
  7. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    A resolution for this particular issue is now available in cPanel version 56.0.9:

    Implemented case CPANEL-5841: Wildcard certs that do not match the hostname should not be replaced.

    Thank you.
     
  8. Mike Waters

    Mike Waters Registered

    Thanks for fixing this. I have to say that this is the first problem we have ever had with cPanel. It could have been much worse. :)
    And thanks for refunding my expediting fee without me even asking. :)
     
  9. Kobor

    Kobor Member

    I can disable that functionality AFTER the update changed everything.
     
  10. PPNSteve

    PPNSteve Well-Known Member

    Interesting.. we have a couple of servers that use GeoTrust-issued RapidSSL certs, and both are basically the same setting-wise aside from the hostname. The early release tier 56 didn't overwrite the valid cert, but today's release did on the other server (exp date of 10/2016).. what gives?
     
  11. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Would you mind opening a support ticket using the link in my signature so we can take a closer look? You can post the ticket number here so we can update this thread with the outcome.

    Thank you.
     
  12. sherwin_flight

    I found this thread while trying to figure out why cPanel was replacing my SSL certificate. However, reading this thread leaves me with more questions than answers.

    To start with, I created the /var/cpanel/ssl/disable_auto_hostname_certificate file yesterday, yet again tonight cPanel replaced it with a free certificate.

    My certificate doesn't expire for another 21 days, and is issued by a trusted Certificate Authority.

    I don't want cPanel messing with my SSL certificates, so I created the file as mentioned to keep it from happening. Yet, it still happens. How can I disable this feature?
     
  13. cPanelNick

    cPanelNick Administrator
    Staff Member

    You can have cPanel disable service certificate management by creating this file

    Code:
    /var/cpanel/ssl/disable_service_certificate_management
    
     
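Added example, not part of any post in this thread and not cPanel code: a POSIX shell check that reports whether the two opt-out files named above exist, and whether a given certificate is self-signed, expired, or does not cover the server's hostname (the conditions discussed in this thread, including the wildcard mismatch case). The certificate path, the hostname and the `ROOT` argument are assumptions supplied by the caller, and the `openssl` command must be installed.

```shell
#!/bin/sh
# Added example (not cPanel code). The flag-file paths are the two named in
# the thread; ROOT, the certificate path and the hostname are caller-supplied.
FLAGS="var/cpanel/ssl/disable_auto_hostname_certificate
var/cpanel/ssl/disable_service_certificate_management"

# optout_status [ROOT]: report which opt-out flag files exist under ROOT.
# ROOT defaults to / and exists only so the check can be tried in a scratch dir.
optout_status() {
    root="${1:-/}"
    for f in $FLAGS; do
        if [ -e "${root%/}/$f" ]; then
            echo "present /$f"
        else
            echo "absent /$f"
        fi
    done
}

# cert_findings CERT HOST: print one line per condition that applies to the
# PEM certificate CERT; print nothing when none applies.
cert_findings() {
    cert="$1"; host="$2"
    [ -r "$cert" ] || { echo "unreadable"; return 1; }
    # Self-signed (strictly: self-issued): subject and issuer names are equal.
    if [ "$(openssl x509 -in "$cert" -noout -subject_hash)" = \
         "$(openssl x509 -in "$cert" -noout -issuer_hash)" ]; then
        echo "self-signed"
    fi
    # -checkend 0 exits non-zero once notAfter has passed.
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null || echo "expired"
    # -checkhost applies wildcard rules, so *.example.test covers
    # host.example.test but not a hostname in another domain.
    openssl x509 -in "$cert" -noout -checkhost "$host" \
        | grep -q "does match" || echo "hostname-mismatch"
}

# Run as: sh audit.sh /path/to/hostname-cert.pem "$(hostname -f)"
if [ "$#" -eq 2 ]; then
    optout_status /
    cert_findings "$1" "$2"
fi
```

Running it before and after an update shows whether the opt-out files are in place and whether the installed certificate has any property that the thread associates with replacement.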
  14. jonh

    jonh Well-Known Member

    Not sure if this is related, but all our SSL sites today are showing (Safari) "This certificate has an invalid issuer." and (Chrome) "this certificate has been revoked." Nothing has changed as far as we know; we noticed it when visiting some of the sites.


    ==========
    Update: It's unrelated, GlobalSign had an issue today.
     
    #14 jonh, Oct 13, 2016
    Last edited: Oct 13, 2016
  15. gruvin

    gruvin Member

    Another ME TOO.

    It's simple. MY server. MY certificate. MY authority. PERIOD.

    How do we COMPLETELY DISABLE this MORONIC "feature"?

    Thank you.

    EDIT: From above ...

    Thank God! Far out. This has cost us HOURS. Grrr.
     
    #15 gruvin, Nov 24, 2016
    Last edited: Nov 24, 2016