Let's Encrypt Auto SSL cert's Common Name not primary account domain

Discussion in 'Security' started by go4, Sep 14, 2016.

  1. go4

    go4 Member

    Hi,

    Testing Let's Encrypt and Auto SSL and it looks great. Nice work on getting this into cPanel guys.

    I have one issue though: when I enable it for an account the certificate is issued and, as expected, includes primary domain and subdomains, all with and without www in the Alt Name field. The problem is that the Common Name for the cert is not primarydomain.com, it's www.subdomain.primarydomain.com.

    Is there any way to control this? I'd expect the primary domain name to be the CN.

    Thanks.
     
  2. go4

    go4 Member

    Maybe my question didn't make sense?

    To clarify, what I'm seeing is that when enabled for an account the cert is issued in the name of a subdomain attached to that account (not the first subdomain alphabetically, nor the latest added, not sure how this is chosen?) rather than being issued in the name of the primary domain. (Primary and other subdomains are noted as 'DNS Names' in the cert).

    Trying to understand
    • if this is expected behaviour
    • if there's likely to be a way to choose which domain a cert is issued in the name of
    • if the cert can be edited
    Example attached, showing visiting primary domain (the green bit being the primary domain)

    Thanks.

    cldup.com/8N10FoUkok-3000x3000.png
     
    #2 go4, Sep 21, 2016
    Last edited by a moderator: Sep 21, 2016
  3. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello,

    This is normal for addon domain names, as they are essentially configured as subdomains in their respective Virtual Hosts, with an alias to the actual domain name.

    To note, a recent support inquiry was submitted regarding order of the names as they appear in the certificate. To summarize, it was explained that "CA/Browser Forum Baseline Requirements" mandate the use of subjectAltName (SAN), so unless you're using an SSL or TLS client that doesn't support subjectAltName (in which case it's probably insecure), the CN value is completely ignored and has no effect on the validity of the certificate.

    Thank you.
     
  4. go4

    go4 Member

    OK, thanks for that.
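
The behaviour described in cPanelMichael's reply, where a client matches the hostname against subjectAltName and ignores the CN, shown as an added example (not part of the thread and not cPanel's code). The certificate dict follows the shape returned by Python's `ssl.SSLSocket.getpeercert()`; its contents are constructed from the placeholder names in the first post, and the function names are hypothetical.

```python
# Added example. SAMPLE_CERT is constructed, using the thread's placeholder names.

def san_dns_names(cert):
    """Lower-cased dNSName entries from a getpeercert()-style dict."""
    return [v.lower().rstrip(".")
            for k, v in cert.get("subjectAltName", ()) if k == "DNS"]

def common_name(cert):
    """Subject CN, for reporting only; it is never used for matching."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None

def _name_match(pattern, host):
    p, h = pattern.split("."), host.split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # A wildcard must be the whole leftmost label and covers exactly one
        # non-empty label; "*.com"-style patterns are rejected.
        return len(p) > 2 and bool(h[0]) and p[1:] == h[1:]
    return p == h

def cert_covers(cert, host):
    """True if host matches a SAN dNSName. The CN is deliberately not consulted."""
    host = host.lower().rstrip(".")
    return any(_name_match(name, host) for name in san_dns_names(cert))

def uncovered(cert, hosts):
    """Hostnames of an account that the certificate does not cover."""
    return [h for h in hosts if not cert_covers(cert, h)]

SAMPLE_CERT = {
    "subject": ((("commonName", "www.subdomain.primarydomain.com"),),),
    "subjectAltName": (
        ("DNS", "primarydomain.com"),
        ("DNS", "www.primarydomain.com"),
        ("DNS", "subdomain.primarydomain.com"),
        ("DNS", "www.subdomain.primarydomain.com"),
    ),
}

if __name__ == "__main__":
    print("CN (informational):", common_name(SAMPLE_CERT))
    print("primary covered:", cert_covers(SAMPLE_CERT, "primarydomain.com"))
    print("missing:", uncovered(SAMPLE_CERT, ["primarydomain.com", "mail.primarydomain.com"]))
```

Running `uncovered()` against the full list of an account's hostnames after issuance shows whether any name is actually missing from the certificate, which is the check that matters rather than which name landed in the CN.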
     