Installing purchased certificate on proxy subdomain

[kerb]

Hello,

I am attempting to install a purchased certificate on a webmail proxy subdomain, webmail.domain.com (not the real domain, of course). I read that this is recently supported.

I used WHM to generate the CSR. Now that I have it signed, I go to SSL/TLS -> Install an SSL Certificate on a Domain, and paste in the signed certificate. After clicking the Autofill button, everything fills in correctly. I select the IP address (non-user domains only) and click "Install"

I receive the following error:
"The certificate does not support the domain “webmail.domain.com”. It supports these domains: webmail.domain.com and www.webmail.domain.com."

The certificate was issued by COMODO through Namecheap, which automatically adds the www subdomain so that the certificate is issued for both with and without www. But the certificate definitely supports webmail.domain.com, as indicated in this odd error.

Is the additional www subdomain throwing things off? Is this a bug? Is there any work-around so I can get this certificate installed?

Thank you.

 

[cPanelMichael]

I receive the following error:
"The certificate does not support the domain “webmail.domain.com”. It supports these domains: webmail.domain.com and www.webmail.domain.com."

Hello,

This is actually the issue related to internal case CPANEL-13308. I updated the post you linked to better match the description of the issue:

Internal case CPANEL-13308 is open to address an issue where SSL certificates that are issued for the proxy subdomains (but don't contain the main domain) will not install on the server in WHM/cPanel.

As a workaround, try manually creating "webmail" as a subdomain via cPanel for this account and then try installing the SSL certificate again.

Thank you.

 

[kerb]

Thanks for your reply, and for updating the other post to clarify.

I tried creating the subdomain and installing the certificate - the certificate went ok then, but then the proxy subdomain stopped working. Going to webmail.domain.com just showed a directory listing of the subdomain directory (just cgi-bin in this case), and not the webmail login. I deleted the subdomain and it went back to showing webmail again, but also back to the wrong certificate.

The actual scenario we are trying to resolve is one I hope will be fixed with CPANEL-13308 anyway. We have the primary domain, domain.com, pointing to a different server that hosts a webapp for that domain. But the cPanel server still handles mail, and we want the customer to be able to use webmail.domain.com. AutoSSL of course fails to validate the primary domain since it points to another server, but it seems to give up and not try to validate any of the subdomains (which DO point to the cPanel server and would validate just fine).

Basically, we want customers who have primary domains pointing to other servers to still be able to use their proxy subdomains for things like webmail, with proper certificates (preferably through AutoSSL, but purchasing is fine too). Am I correct in my understanding that CPANEL-13308 will allow this when fixed?

Thanks again.

 

[cPanelMichael]

The actual scenario we are trying to resolve is one I hope will be fixed with CPANEL-13308 anyway. We have the primary domain, domain.com, pointing to a different server that hosts a webapp for that domain. But the cPanel server still handles mail, and we want the customer to be able to use webmail.domain.com. AutoSSL of course fails to validate the primary domain since it points to another server, but it seems to give up and not try to validate any of the subdomains (which DO point to the cPanel server and would validate just fine).

Basically, we want customers who have primary domains pointing to other servers to still be able to use their proxy subdomains for things like webmail, with proper certificates (preferably through AutoSSL, but purchasing is fine too). Am I correct in my understanding that CPANEL-13308 will allow this when fixed?

Hello,

A resolution has not yet been decided in CPANEL-13308, but yes, it's opened to report the exact issue you have described. I'll update the other thread with more information on the status of that case as it becomes available.

Thank you.