In many cases, you want to host a domain but you don't need the www, mail, or ftp prefixes. It appears WHM puts these in the DNS zone record for the domain whether you want them or not. This in turn creates issues with AutoSSL because it is trying to get a certificate that works for all hostnames in the domain's zone record and all my domains use an external DNS that I'm not going to add CNAME records to for host names I'm not using. I can view and edit details of these CNAME records from the WHM interface but I can't find out how to delete the record all together?
I'm curious why WHM creates the zone anyway when you create a new account and specify you are using external nameservers? If there's no need for it, then why create it in the first place?
This makes me think, why theoretically if DNS for the account is not being handled on the WHM server, you should indeed be able to delete the zone with no negative effect. But are we sure about this?
Let's say I have an account, and the only address I need to host is special.mydomain.com not www. not mail. just special. I need AutoSSL for just special.mydomain.com. So the account is created with the name special.mydomain.com (not mydomain.com) and DNS is hosted for mydomain.com at 3rd party server. If I delete the entire zone file on WHM for that account will AutoSSL still try to install a cert for special.mydomain.com?
Hello,
Several functions of cPanel/WHM rely on the existence of the zone even when the local name server isn't utilized. For instance, this allows administrators to utilize features such as SPF/DKIM creation within cPanel (for use to determine which specific records to add to the remote DNS host), and allows administrators to convert from using a remote DNS server to a local DNS server. It also allows for the successful transfer of cPanel accounts from a server without local DNS hosting to a server with local DNS servers.
Rather than deleting the zone records, you should instead exclude those domain names from the AutoSSL feature using the following option in cPanel:
SSL TLS Status - Version 68 Documentation - cPanel Documentation
Thank you.
Several functions of cPanel/WHM rely on the existence of the zone even when the local name server isn't utilized. For instance, this allows administrators to utilize features such as SPF/DKIM creation within cPanel (for use to determine which specific records to add to the remote DNS host), and allows administrators to convert from using a remote DNS server to a local DNS server. It also allows for the successful transfer of cPanel accounts from a server without local DNS hosting to a server with local DNS servers.
Rather than deleting the zone records, you should instead exclude those domain names from the AutoSSL feature using the following option in cPanel:
SSL TLS Status - Version 68 Documentation - cPanel Documentation
Thank you.
The problem is there are cases where you just want to host a website and nothing else. I used a domain I have for testing and deleted the zone file. It is just for hosting a website at www.mydomain.com. However, even with no local zone file, AutoSSL tries to verify mail.mydomain.com, webmail.mydomain.com, webdisk.mydomain.com, and cpanel.mydomain.com when I have none of those hosts in my DNS.
It seems to me it would be logical for WHM to ignore those hostnames if I selected remote mail exchanger and remote DNS when I setup the domain (which I did), UNLESS those hostnames have a DNS record in the remote DNS. Furthermore, in a standard setup for an account, in fact we all know, 99% of the time all those hostnames point to the same IP anyway so have different domain names for those services is sort of useless.
Last edited:
That's not correct. The option allows you to exclude AutoSSL on specific subdomains or domain names.
Is there a specific reason you need to delete the DNS zone? It's existence shouldn't actually cause any harm, and it's required for certain aspects of cPanel/WHM to function.
Thank you.
Thank you for pointing this out. I failed to notice this was the SSL/TLS within the account control panel, not WHM. Problem solved.
However I don't think WHM by default should be trying to get SSL certs for things like webmail. mail. when the user selected Remote Mail Exchanger to begin with.
What a pain to go through 20 accounts to add all those exclusions.
Last edited:
Hello,
I encourage you to submit a feature request for the ability to automatically disable all email-related subdomains as part of the AutoSSL functionality:
Submit A Feature Request
Thank you.
I encourage you to submit a feature request for the ability to automatically disable all email-related subdomains as part of the AutoSSL functionality:
Submit A Feature Request
Thank you.
Here's the issue I'm left with. I exclude all the unused subdomains and AutoSSL still generates warnings about the subdomains being excluded instead of not being able to be verified. What happens is the default email notifications will send an email with these type of AutoSSL warnings. So I turned it off before and was hoping to turn it back on. I just want to receive email warning when AutoSSL can't replace/renew a cert for a domain/subdomain that is NOT excluded. Is that possible? If not then I'm stuck either getting a bunch of unnecessary (in my opinion) notifications or not getting any at all including the ones that matter.
Wait... I just got an email for a domain that it couldn't renew that also had domains excluded. So it appears excluded domains won't trigger an email. Can someone confirm this is true?
Wait... I just got an email for a domain that it couldn't renew that also had domains excluded. So it appears excluded domains won't trigger an email. Can someone confirm this is true?
Hello,
You can browse to "cPanel >> Contact Information" to control which AutoSSL notifications are enabled on the account. As of cPanel 68, this includes:
AutoSSL has renewed a certificate. The system will notify you when it has installed an AutoSSL certificate.
AutoSSL cannot add any additional domains because domains that fail validation exist on the current certificate
AutoSSL cannot renew a certificate because domains that fail validation exist on the current certificate.
AutoSSL certificate expiry. The system will notify you if an AutoSSL certificate will expire soon.
SSL certificate expiry. The system will notify you if a non-AutoSSL certificate will expire soon.
In cPanel 68, you should not receive an email notification for domain names excluded from AutoSSL, however you may see a reference to those excluded domain names in the notification if AutoSSL cannot install or renew a certificate for a non-excluded domain name. Let us know if you are experiencing behavior different to this.
Thank you.
Yes, I see in 68 some of these past headaches around AutoSSL have been addressed. Great progress!
| Thread starter | Similar threads | Forum | Replies | Date |
|---|---|---|---|---|
| R | Can't get rid of infected file | Security | 1 | |
| E | PCI compliance is getting ridiculous | Security | 7 | |
| S | Forgot Userid and Password | Security | 2 | |
| N | AutoSSL override htaccess | Security | 14 | |
| J | Enable gui for user to override modsec rules? | Security | 3 |