The Community Forums

Let's Encrypt Auto SSL cert's Common Name not primary account domain

Discussion in 'Security' started by go4, Sep 14, 2016.

  1. go4

    go4 Member

    Hi,

    Testing Let's Encrypt and Auto SSL and it looks great. Nice work on getting this into cPanel guys.

    I have one issue though: when I enable it for an account the certificate is issued and, as expected, includes primary domain and subdomains, all with and without www in the Alt Name field. The problem is that the Common Name for the cert is not primarydomain.com, it's www.subdomain.primarydomain.com.

    Is there any way to control this? I'd expect the primary domain name to be the CN.

    Thanks.
     
  2. go4

    go4 Member

    Maybe my question didn't make sense?

    To clarify what I'm seeing is that when enabled for an account the cert is issued
    • in the name of a subdomain attached to that account (not the first subdomain alphabetically, nor the latest added, not sure how this is chosen?)
    rather than being issued in the name of the primary domain. (Primary and other subdomains are noted as 'DNS Names' in the cert).

    Trying to understand
    • if this is expected behaviour
    • if there's likely to be a way to choose which domain a cert is issued in the name of
    • if the cert can be edited
    Example attached, showing visiting primary domain (the green bit being the primary domain)

    Thanks.

    cldup.com/8N10FoUkok-3000x3000.png
     
    #2 go4, Sep 21, 2016
    Last edited by a moderator: Sep 21, 2016
  3. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    cPanel Access Level:
    Root Administrator
    Hello,

    This is normal for addon domain names, as they are essentially configured as subdomains in their respective Virtual Hosts, with an alias to the actual domain name.

    To note, a recent support inquiry was submitted regarding order of the names as they appear in the certificate. To summarize, it was explained that "CA/Browser Forum Baseline Requirements" mandate the use of subjectAltName (SAN), so unless you're using an SSL or TLS client that doesn't support subjectAltName (in which case it's probably insecure), the CN value is completely ignored and has no effect on the validity of the certificate.

    Thank you.
     
  4. go4

    go4 Member

    OK, thanks for that.
     
  5. go4support

    go4support Registered

    cPanel Access Level:
    Reseller Owner
    Hi,
    Following on from what Go4 asked about the primary domain not being the common name on the certificate.

    Using cPanel & WHM 64.0 (build 18). I believe this had recently been upgraded around 6 Apr 2017.

    I have a hosting account called subdomaindeptpub with a primary domain of subdomain.dept.state.gov.au which is pointing to my hosting account via an A record. I converted this website over to use https on the 23/3/2017 and all seemed to be working fine.

    Then a couple of days ago I noticed that the website was displaying "subdomain.dept.state.gov.au uses an invalid security certificate. The certificate is only valid for www.subdomain.dept.state.gov.au Error code: SSL_ERROR_BAD_CERT_DOMAIN".

    I checked the Manage AutoSSL log file as follows:
    Code:
    Log for the AutoSSL run for all users: Monday, April 28, 2017 5:43:02 AM GMT+1000 (Let’s Encrypt™)
    5:43:02 AM This system has AutoSSL set to use “Let’s Encrypt™”.
    5:44:04 AM Checking websites for “subdomaindeptpub” …
    5:44:04 AM The website “subdomain.dept.state.gov.au”, owned by “subdomaindeptpub”, has a faulty SSL certificate (NOT_ALL_DOMAINS AUTOSSL_READY_FOR_RENEWAL). AutoSSL will attempt to replace this certificate.
    5:44:04 AM WARN The domain “subdomain.dept.state.gov.au” failed domain control validation: “subdomain.dept.state.gov.au” does not resolve to any IPv4 addresses on the internet.
    5:44:18 AM WARN The domain “mail.subdomain.dept.state.gov.au” failed domain control validation: The system failed to fetch the DCV file at “http://mail.subdomain.dept.state.gov.au/.well-known/acme-challenge/VFRY5KCBG5C9WE-BYYES_L_3R7YLONHM” because of an error: The system failed to send an HTTP “GET” request to “http://mail.subdomain.dept.state.gov.au/.well-known/acme-challenge/VFRY5KCBG5C9WE-BYYES_L_3R7YLONHM” because of an error: Could not connect to 'mail.subdomain.dept.state.gov.au:80': Connection timed out . The domain “mail.subdomain.dept.state.gov.au” resolved to an IP address “203.21.194.92” that does not exist on this server.
    5:44:19 AM WARN The domain “cpanel.subdomain.dept.state.gov.au” failed domain control validation: “cpanel.subdomain.dept.state.gov.au” does not resolve to any IPv4 addresses on the internet.
    5:44:19 AM WARN The domain “webdisk.subdomain.dept.state.gov.au” failed domain control validation: “webdisk.subdomain.dept.state.gov.au” does not resolve to any IPv4 addresses on the internet.
    5:44:19 AM WARN The domain “webmail.subdomain.dept.state.gov.au” failed domain control validation: “webmail.subdomain.dept.state.gov.au” does not resolve to any IPv4 addresses on the internet.
    5:44:19 AM The system will attempt to renew SSL certificates for the following websites:
    5:44:19 AM subdomain.dept.state.gov.au (www.subdomain.dept.state.gov.au)
    5:44:24 AM SUCCESS The system has installed a new certificate onto “subdomaindeptpub”’s website “subdomain.dept.state.gov.au”.
    5:44:24 AM The system has completed the AutoSSL check for “subdomaindeptpub”.
    
    It seems that AutoSSL is creating a new SSL certificate for my domain because it's 29 days from expiring. It appears to check the expiry status each day. In my case the new certificate only applied to the www.subdomain.dept.state.gov.au domain, not the primary subdomain.dept.state.gov.au, unlike what it had previously done, and consequently created the browser error.

    The only way to temporarily solve the issue was to delete the new certificate and reinstate the previous one, which covered both domains subdomain.dept.state.gov.au and www.subdomain.dept.state.gov.au.


    How do I make sure that the FQDNs appear on the certificate or at the very least the primary domain (subdomain.dept.state.gov.au) appears so I don't get the same issue again?


    Thanks
     
    #5 go4support, May 1, 2017
    Last edited by a moderator: May 1, 2017
  6. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    cPanel Access Level:
    Root Administrator
    Hello,

    This shows that domain validation failed for “subdomain.dept.state.gov.au” because it did not resolve to an IP address associated with the account on the cPanel server. Feel free to open a support ticket using the link in my signature if you'd like us to take a closer look and see why the domain name isn't validated (assuming the DNS is resolving correctly).

    Thank you.
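As an added illustration of cPanelMichael's point in post #3 (SAN-aware clients ignore the CN entirely) and of the SSL_ERROR_BAD_CERT_DOMAIN browser error seen in post #5, here is a small hostname-matching routine written along the lines of RFC 6125. It is example code, not cPanel's or Let's Encrypt's; the two certificates are constructed dicts in the shape Python's ssl.getpeercert() returns, not the real certificates from this thread.

```python
"""SAN-first hostname verification (RFC 6125, CA/B Forum BRs): when subjectAltName dNSName
entries exist only they are matched and the CN is ignored. Added example; the certificate
dicts are constructed in the shape of ssl.SSLSocket.getpeercert(), not real ones."""

def san_dns_names(cert):
    """DNS names from subjectAltName (empty list if the cert has no SAN)."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]

def common_name(cert):
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None

def dns_name_matches(pattern, hostname):
    """RFC 6125 style: case-insensitive; '*' allowed only as the whole leftmost label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False  # no partial-label, multi-level or top-level wildcards
    return p_labels[1:] == h_labels[1:]

def verify_hostname(cert, hostname):
    """Return (ok, reason). With a SAN present the CN plays no part at all."""
    names = san_dns_names(cert)
    if names:
        for name in names:
            if dns_name_matches(name, hostname):
                return True, f"matched SAN dNSName {name!r}"
        return False, f"certificate is only valid for {', '.join(names)}"
    cn = common_name(cert)  # legacy fallback, only for SAN-less certificates
    if cn and dns_name_matches(cn, hostname):
        return True, f"matched CN {cn!r} (legacy fallback, no SAN)"
    return False, "no matching name"
# Constructed after post #1: CN is a www.subdomain, but the primary domain is a SAN entry.
AUTOSSL_CERT = {
    "subject": ((("commonName", "www.subdomain.primarydomain.com"),),),
    "subjectAltName": (("DNS", "primarydomain.com"), ("DNS", "www.primarydomain.com"),
                       ("DNS", "subdomain.primarydomain.com"), ("DNS", "www.subdomain.primarydomain.com")),
}
# Constructed after post #5: the renewed certificate only covers the www name.
RENEWED_CERT = {"subject": ((("commonName", "www.subdomain.dept.state.gov.au"),),),
                "subjectAltName": (("DNS", "www.subdomain.dept.state.gov.au"),)}
if __name__ == "__main__":
    print(verify_hostname(AUTOSSL_CERT, "primarydomain.com"))
    print(verify_hostname(RENEWED_CERT, "subdomain.dept.state.gov.au"))
```

The first call succeeds even though the CN is a www.subdomain name, because primarydomain.com is in the SAN list; the second fails with the same "only valid for www...." message a browser shows, because the apex name is absent from the SAN list and the CN is never consulted.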
     