How to get an SSL Client Certificate for the same Addon Domain on 2 different cPanel servers?

[Michael-Inet]

Background:

For Server {servernameA.com} and Addon Domain {example.com} cPanel issues SSL Client Certificates in the form of:

Common Name: example.servernameA.com

Containing:
    example.com
    mail.example.com
    www.example.com
    example.servernameA.com
    www.example.com.servernameA.com

For rollover backup reasons I have {example.com} fully built out on 2 cPanel servers {servernameA.com} and {servernameB.com}. This causes “reduced AutoSSL coverage” errors like:

DNS DCV: The DNS query to “_cpanel-dcv-test-record.example.com”
for the DCV challenge returned no “TXT” record that matches the
value “_cpanel-dcv-test-record=FILTER”.; HTTP DCV: The system queried
for a temporary file at “http://mail.example.com/.well-known/pki-validation/FILTER.txt”,
but the web server responded with the following error: 404 (Not Found).
A DNS (Domain Name System) or web server misconfiguration may exist.
The domain “mail.example.com” resolved to an IP address “FILTER” that
does not exist on this server.

Since the Common Name for the cert is based off the Server {servernameA.com/servernameB.com} and not the actual Addon Domain, I’m curious if it would be possible to jury rig the cPanel process so the cert on both Servers fully ‘resolves’ whereby the certs look like:

servernameA

Common Name: example.servernameA.com

Containing:
    example.com
    mail.example.com
    www.example.com
    example.servernameA.com
    www.example.com.servernameA.com

servernameB

Common Name: example.servernameB.com

Containing:
    example.com
    mail.example.com
    www.example.com
    example.servernameB.com
    www.example.com.servernameB.com

# # #

Q1)

Would doing this violate the SSL Certificate ‘laws’/ ‘legality’ / ‘structure’ ?

Q2)

(I’ll assume yes to the above.)
Would there be any actual repercussions to users’ browser experience?

Q3)

Any thoughts on how to achieve this?
(I have a notion on how to create the workaround, but always looking for a better idea.)

# # #

Like most I have junk domains I can test this on, just wanted the opinions of the greater community before investing possibly 10s of man hours in the event there’s a simple, “Ah, no, not even possible because of XYZ.”

Hoping everyone is having a great Thanksgiving weekend.

Best,
Michael

 

[ffeingol]

Can you tell is if you are using the cPanel supplied DNS or Let's Encrypt.

I'm 100% sure this will not work for Let's encrypt. In order for Let's Encrypt to issue the SSL cert it has to resolve to the server (i.e. it puts a file in
.well-known for verification). Since the site can't resolve to two different servers, it will always fail on the non-active server.

I believe that the cPanel issued certs work in the same way, but we don't use them, so I can't tell you with 100% certainty.

This is part of what makes HA complex.

 

[Michael-Inet]

Can you tell is if you are using the cPanel supplied DNS or Let's Encrypt.

AutoSSL is cPanel (powered by Sectigo). I’m using external, completely independent, cPanel DNSOnly servers for a DNS cluster. (Which is a bit of a pita as updates are basically manual, but it makes life much easier on the web servers themselves, as their DNS is no longer used.)

I'm 100% sure this will not work for Let's encrypt. In order for Let's Encrypt to issue the SSL cert it has to resolve to the server (i.e. it puts a file in .well-known for verification). Since the site can't resolve to two different servers, it will always fail on the non-active server.

I believe that the cPanel issued certs work in the same way, but we don't use them, so I can't tell you with 100% certainty.

My thoughts on a .well-known workaround were to use incron and rsync to push the non-active server /pki-validation/temp-file.txt to the active server for resolution. While a bit dodgy, it should work unless the timing is excessively tight.

I think mostly my questions boil down to can two different Common Name certs contain the same domain name. I’m sure the technical answer is no they shouldn’t, but do the issuers actually scan all existing certs? Or do they just rely on the pki-validation (which is spoof-able if you actually do own the domain in question).

This is part of what makes HA complex.

Yup

Best,
Michael

 

[cPRex]

I think it would be best to manually sync the cert between the systems, as there aren't any official cPanel tools at this point to handle high-availability.

I think mostly my questions boil down to can two different Common Name certs contain the same domain name.

I know our provider checks as they won't issue multiple certs for the same domain. If we run into a situation where mutliple orders happen (IP or hostname changes causing delays) we manually kill the older orders so the newest will validate.

 

[Michael-Inet]

I think it would be best to manually sync the cert between the systems, as there aren't any official cPanel tools at this point to handle high-availability.

Hi Rex,

I’ll admit SSL land is not one of my in-depth knowledge areas, so probably a really newb question. Do SSL certs not include an IP reference of some sort? (I thought they did, which is why the OP is worded the way it is.)

If not, then yeah, manually syncing is going to be the easiest way. I don’t seem to be able to pull out just “example.com’s” cert, just “example.com.servernameA.com”:

WHM >> Home »SSL/TLS »SSL Storage Manager

Is there somewhere else in the GUI to extract them? Or are the certs stored on the server in individually ‘extractable’ format somewhere?

Thanks, and best,
Michael

 

[cPRex]

There's no relation to IP addresses and SSLs. In fact, IP addresses can't be secured (well, in most circumstances...) with an SSL, which is why we developed the cprapid automated hostname system, so users could have a secure login to WHM right from the start of their hosting experience.

You'll find individual SSL data in the /var/cpanel/ssl/apache_tls directory, with each domain having a subdirectory there.

 

[Michael-Inet]

Thank you Rex,

I'll go play with a junk domain I can switch DNS on without creating issues. One last question ('snort, yeah right!), I see the combined file contains the private key and the certificates file contains 3 certs. In (servernameB.com):

WHM >> Home »SSL/TLS »Install an SSL Certificate on a Domain

I should copy/paste the whole certificates file into the Certificate: box? Or just the first cert in that file?

Best,

Michael

PS: When I get it working I’ll update here the steps I took (in case you want to create a guide).

 

[cPRex]

When you're on the "Install an SSL Certificate on a Domain" page in WHM you'll get presented with three different boxes for each portion of the certificate. If you look at the "combined" file in the domain's directory you'll see a section for the private key between these blocks:

-----BEGIN RSA PRIVATE KEY-----
************stuff**************
-----END RSA PRIVATE KEY-----

so you can paste each section into the appropriate area.

It may be helpful to use a tool like CSR Decoder and Certificate Decoder | CSR Checker | Certificate Checker to see which portions are the actual domain cert and which are the provider's CA bundle, although if you're doing this work in the WHM interface it will usually fetch the bundle automatically for you if you don't provide it.