HTTPS Links for Sites Without AutoSSL Redirecting to Site With AutoSSL?

linux4me2

Well-Known Member
Aug 21, 2015
234
61
28
USA
cPanel Access Level
Root Administrator
I have one site, call it domainwithAutoSSL.com, on a shared IP address set up with AutoSSL. HTTPS is working just fine on that site. None of the other sites on that shared IP address have AutoSSL.

DomainwithAutoSSL.com happens to be a WordPress test site, and I was testing WordFence on it. I noticed that in WordFence's Live Traffic, other sites on the server that share the same IP address were showing up in the logs. All the URLs were HTTPS URLs that various search 'bots were testing.

If I try to browse to one of the HTTPS URLs that's erroneously showing up in the Live Traffic logs, I'm not redirected to domainwithAutoSSL.com. I'm taken to the correct domain and see the expected "Your connection is not secure" message from Firefox, so redirect issues don't seem to be the problem.

I found this post on WordFence's support site, which suggested the problem was with the virtual hosts on my managed VPS. I contacted my web host, and they say that there is no problem with the virtual host setup. They think the issue is with AutoSSL, and suggested I activate AutoSSL on all the sites on that IP, or just use it on domains that have dedicated IP addresses.

Now, it's my impression from reading the docs that AutoSSL should work just fine on a shared IP address, and redirects from non-AutoSSL sites using HTTPS URLs would not be an issue. Is there something I'm missing?
 

linux4me2

Well-Known Member
Aug 21, 2015
234
61
28
USA
cPanel Access Level
Root Administrator
I take it back, if I go to one of the non-AutoSSL sites and bypass the security warning, I am taken to domainwithAutoSSL.com, so it appears you have to either be using a dedicated IP address or have to enable AutoSSL for all the sites on a shared IP. Bummer.

So is that the way it's supposed to work, or is something broken?
 

cPanelMichael

Technical Support Community Manager
Staff member
Apr 11, 2011
47,902
2,227
363
cPanel Access Level
DataCenter Provider
Twitter

linux4me

Member
Jul 14, 2007
20
1
53
Thank you, Michael.

So if you want to use AutoSSL on a shared IP and avoid HTTPS URLs for unsecured sites from redirecting to a secured site on that IP, you need to either:
  1. Make sure all domains and subdomains on the shared IP have valid AutoSSL certificates.
  2. Follow the instructions in the document article you linked to above. (Which looks to my inexperienced eyes like it won't work if each domain on the shared IP has its own AutoSSL cert because the code snippet points to a single certificate.)
It seems to me that if I have a spare IP address on the server, the best thing to do is to move all the sites I want to secure with SSL to that IP address, or to continue to use a dedicated IP for each SSL site as I did before AutoSSL?
 

cPanelMichael

Technical Support Community Manager
Staff member
Apr 11, 2011
47,902
2,227
363
cPanel Access Level
DataCenter Provider
Twitter
It seems to me that if I have a spare IP address on the server, the best thing to do is to move all the sites I want to secure with SSL to that IP address, or to continue to use a dedicated IP for each SSL site as I did before AutoSSL?
Hello,

Yes, this is the best course of action if changing an account's IP address is a viable option on your server. Otherwise, like you mentioned, you would need to ensure each domain name uses it's own SSL certificate.

Thank you.
 
  • Like
Reactions: linux4me2

linux4me

Member
Jul 14, 2007
20
1
53
Hello,

Yes, this is the best course of action if changing an account's IP address is a viable option on your server. Otherwise, like you mentioned, you would need to ensure each domain name uses it's own SSL certificate.

Thank you.
I'm afraid I'm overlooking something. Why wouldn't changing an account's IP address be a viable option if I have an extra IP I can use just for AutoSSL domains?
 

cPanelMichael

Technical Support Community Manager
Staff member
Apr 11, 2011
47,902
2,227
363
cPanel Access Level
DataCenter Provider
Twitter
I'm afraid I'm overlooking something. Why wouldn't changing an account's IP address be a viable option if I have an extra IP I can use just for AutoSSL domains?
Hello,

It is in-fact an option you can use to address the issue. In some cases, administrators do not have access to more than one IP address on the server.

Thanks!
 
  • Like
Reactions: linux4me2