How to allow SSL certs on unhosted servers?

jndawson

Well-Known Member
Aug 27, 2014
232
23
18
Western US
cPanel Access Level
DataCenter Provider
(v.80.0.14)
We are running into more frequent occurrences of this scenario:

Hosted customer has another server somewhere (usually office mail server or remote web site) and wants to add an SSL cert. We provide AutoSSL to all our hosted customers, and the resultant DCV entries in the related zone prevent remote cert issuance. Customer gets upset. At least one customer has moved services to a competitor as a direct result of not being able to renew a cert on a remote server due to the DCV entry.

How does one work around this?
 

sparek-3

Well-Known Member
Aug 10, 2002
1,933
181
343
cPanel Access Level
Root Administrator
Not really following you on this.

In order for DCV to succeed, you have to be hosting the domain name. That's what DCV is - Domain Control Validation.

If you don't control the domain name... you can't validate it.
 

jndawson

> Not really following you on this.

I may not have been clear.

> In order for DCV to succeed, you have to be hosting the domain name. That's what DCV is - Domain Control Validation.
>
> If you don't control the domain name... you can't validate it.

We control the subject domains in that our DNS are auth and the hosting is on our servers.

To try and clarify: The issue is one (actually, several) of our hosting customers (e.g., customer.tld) who hosts a server (e.g., companywebsite.customer.tld) elsewhere and wants to add an SSL cert to it. They can't due to the DCV entry in the customer.tld zone preventing validation on another server.

Hope that's more clear.
 

sparek-3

Most DCV is done via web. Upload a certain, certain file to a certain, certain location on the certain, certain domain name (assuming that the certain, certain domain name is web accessible) then the domain control validation process accesses that file and verifies its contents are correct - and bingo... you've validated that you control the domain name.

It is true that DCV can be done through DNS or even email - a lot of that has automation issues and that's why automatic SSL vendors don't necessarily support it.

I'm assuming you're saying that customer.tld is hosted on a cPanel server but companywebsite.customer.tld isn't - or at least not the same server as customer.tld.

They're probably not going to be able to get a cPanel Sectigo signed certificate for companywebsite.customer.tld in that case. Although, they can probably get a Let's Encrypt certificate... but they would have to be responsible for automating that process on their server themselves... administration of the server hosting companywebsite.customer.tld would fall out of the realm of cPanel.

If you are talking about a purchased certificate, usually you can validate with an email sent to an @companywebsite.customer.tld email address. And that certificate would be good for 1 to 2 years.
 

cPanelLauren

Forums Analyst II
Staff member
Nov 14, 2017
8,945
753
263
Houston
cPanel Access Level
DataCenter Provider
The AutoSSL provided for free by cPanel/Sectigo or even with Let's Encrypt is only valid for domains hosted locally. If your client has a domain hosted on another server they'll need to get a separate SSL for that domain.

AutoSSL with Sectigo does do DNS fallback but that's not going to be effective in the event that the domain does not resolve to the server.
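
Added example, not part of any post in this thread: a loopback simulation of the web-based DCV check described above, showing why a file placed on the server hosting customer.tld does not validate companywebsite.customer.tld when that name resolves to a different machine. The `resolver` dict stands in for DNS, and the `DCV_DIR` path, token and file contents are constructed for illustration.

```python
import http.client
import secrets
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

DCV_DIR = "/.well-known/pki-validation/"  # illustrative path; each CA defines its own


def start_server(files):
    """Start a loopback web server that serves the {path: body} mapping `files`."""
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            body = files.get(self.path)
            self.send_response(200 if body is not None else 404)
            self.end_headers()
            self.wfile.write((body or "").encode())
        def log_message(self, *args):  # keep the demo quiet
            pass

    srv = ThreadingHTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def validate(name, resolver, path, expected):
    """CA side: fetch the file from wherever `name` resolves and compare its contents."""
    conn = http.client.HTTPConnection("127.0.0.1", resolver[name], timeout=5)
    conn.request("GET", path, headers={"Host": name})
    resp = conn.getresponse()
    ok = resp.status == 200 and resp.read().decode().strip() == expected
    conn.close()
    return ok


def demo():
    hosting_files, remote_files = {}, {}  # docroots of the two servers
    hosting, remote = start_server(hosting_files), start_server(remote_files)
    resolver = {"customer.tld": hosting.server_port,  # constructed stand-in for DNS
                "companywebsite.customer.tld": remote.server_port}
    path = DCV_DIR + secrets.token_hex(8) + ".txt"
    value = secrets.token_hex(16)
    hosting_files[path] = value  # file exists only on the hosting provider's server
    results = [validate("customer.tld", resolver, path, value),
               validate("companywebsite.customer.tld", resolver, path, value)]
    remote_files[path] = value  # the remote server's admin publishes the file there
    results.append(validate("companywebsite.customer.tld", resolver, path, value))
    for srv in (hosting, remote):
        srv.shutdown()
    return results  # [True, False, True]
```

The second check fails because the validator follows the name to the remote server, so the file has to be published by whoever administers that machine.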