The Community Forums

How to allow SSL certs on unhosted servers?

Discussion in 'Security' started by jndawson, Jun 7, 2019.

  1. jndawson

    jndawson Well-Known Member

    Joined:
    Aug 27, 2014
    Messages:
    226
    Likes Received:
    21
    Trophy Points:
    18
    Location:
    Western US
    cPanel Access Level:
    DataCenter Provider
    (v.80.0.14)
    We are running into more frequent occurrences of this scenario:

    Hosted customer has another server somewhere (usually office mail server or remote web site) and wants to add an SSL cert. We provide AutoSSL to all our hosted customers, and the resultant DCV entries in the related zone prevent remote cert issuance. Customer gets upset. At least one customer has moved services to a competitor as a direct result of not being able to renew a cert on a remote server due to the DCV entry.

    How does one work around this?
     
  2. sparek-3

    sparek-3 Well-Known Member

    Joined:
    Aug 10, 2002
    Messages:
    1,923
    Likes Received:
    177
    Trophy Points:
    343
    cPanel Access Level:
    Root Administrator
    Not really following you on this.

    In order for DCV to succeed, you have to be hosting the domain name. That's what DCV is - Domain Control Validation.

    If you don't control the domain name... you can't validate it.
     
  3. jndawson

    jndawson Well-Known Member

    I may not have been clear.

    We control the subject domains in that our DNS are auth and the hosting is on our servers.

    To try and clarify: The issue is one (actually, several) of our hosting customers (e.g., customer.tld) who hosts a server (e.g., companywebsite.customer.tld) elsewhere and wants to add an SSL cert to it. They can't due to the DCV entry in the customer.tld zone preventing validation on another server.

    Hope that's more clear.
     
  4. sparek-3

    sparek-3 Well-Known Member

    Most DCV is done via web. Upload a certain, certain file to a certain, certain location on the certain, certain domain name (assuming that the certain, certain domain name is web accessible) then the domain control validation process accesses that file and verifies its contents are correct - and bingo... you've validated that you control the domain name.

    It is true that DCV can be done through DNS or even email - a lot of that has automation issues and that's why automatic SSL vendors don't necessarily support it.

    I'm assuming you're saying that customer.tld is hosted on a cPanel server but companywebsite.customer.tld isn't - or at least not the same server as customer.tld.

    They're probably not going to be able to get a cPanel Sectigo signed certificate for companywebsite.customer.tld in that case. Although, they can probably get a Let's Encrypt certificate... but they would have to be responsible for automating that process on their server themselves... administration of the server hosting companywebsite.customer.tld would fall out of the realm of cPanel.

    If you are talking about a purchased certificate, usually you can validate with an email sent to an @companywebsite.customer.tld email address. And that certificate would be good for 1 to 2 years.
     
  5. cPanelLauren

    cPanelLauren Forums Analyst II Staff Member

    Joined:
    Nov 14, 2017
    Messages:
    6,502
    Likes Received:
    509
    Trophy Points:
    263
    Location:
    Houston
    cPanel Access Level:
    DataCenter Provider
    The AutoSSL provided for free by cPanel/Sectigo or even with Let's Encrypt is only valid for domains hosted locally. If your client has a domain hosted on another server they'll need to get a separate SSL for that domain.

    AutoSSL with Sectigo does do DNS fallback but that's not going to be effective in the event that the domain does not resolve to the server.
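
Added illustration (not part of any post in this thread, and not cPanel's code): the web-based DCV described above is answered by whichever server the name resolves to, so this sketch classifies each name in a zone by where a validator's HTTP request would land. The zone contents, addresses, `office.example.net` and the function names are constructed for the example.

```python
"""Which server answers an HTTP-based DCV request for each name in a zone?"""

# Constructed zone data: names follow the thread's examples, addresses are
# documentation ranges, and office.example.net is a made-up external target.
ZONE = {
    ("customer.tld", "A"): ["192.0.2.10"],                    # cPanel-hosted site
    ("www.customer.tld", "CNAME"): ["customer.tld"],
    ("companywebsite.customer.tld", "A"): ["198.51.100.25"],  # customer's own server
    ("mail.customer.tld", "CNAME"): ["office.example.net"],   # leaves this zone
}
LOCAL_IPS = {"192.0.2.10"}  # assumed: addresses bound on the hosting server


def resolve(name, zone, max_hops=8):
    """Follow CNAMEs within the zone data and return the final A records."""
    seen = set()
    for _ in range(max_hops):
        name = name.lower().rstrip(".")
        if name in seen:
            raise ValueError(f"CNAME loop at {name}")
        seen.add(name)
        if (name, "A") in zone:
            return list(zone[(name, "A")])
        if (name, "CNAME") in zone:
            name = zone[(name, "CNAME")][0]
            continue
        return []  # no data here: name is absent or points outside the zone
    raise ValueError("CNAME chain too long")


def http_dcv_served_by(name, zone, local_ips):
    """Classify where a validator's HTTP request for `name` would land."""
    addrs = resolve(name, zone)
    if not addrs:
        return "unknown"   # cannot tell from this zone alone
    hits = [a in local_ips for a in addrs]
    if all(hits):
        return "local"     # this server can answer the file check
    if not any(hits):
        return "remote"    # only the other server can answer it
    return "split"         # multiple A records: the check may hit either server


if __name__ == "__main__":
    for (owner, _rtype) in ZONE:
        print(f"{owner:32} {http_dcv_served_by(owner, ZONE, LOCAL_IPS)}")
```

Names reported as `remote` are the ones the hosting server cannot validate over HTTP; the server they point to has to run its own validation.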
     