Only allow https if the website has a certificate

kenneth-vkd (Active Member; Denmark; cPanel Access Level: DataCenter Provider)
Hi
We are in the process of switching to WHM and cPanel from an older Plesk Automation 11.5 (HELM) platform, and we are currently facing an issue that we could not solve previously and have also been unable to solve with WHM.
What we want to accomplish is to make sure that if a website does not have an SSL/TLS certificate assigned, then communication on port 443 is denied at a level where we do not even get to see the warning about the server certificate.
On a custom setup, where we do not have any control panel at all, we would accomplish this by using Nginx and creating a separate Nginx vhost for the SSL communication; since a given domain did not have an SSL vhost assigned, communication was denied.

How can I accomplish this kind of task on WHM?
 
Dothan, AL; cPanel Access Level: Root Administrator
Hi, and welcome to WHM and cPanel, I am sure you will be happy with your choice. May I ask what your infrastructure looks like? Are all connections coming into nginx via 1 IP address and then reverse proxying to the cPanel server?
 

kenneth-vkd (Active Member; Denmark; cPanel Access Level: DataCenter Provider)
Hi
We currently do not have any proxy set up between nginx and cPanel.
What we have is a custom setup with Apache and then nginx as the reverse proxy for the SSL connection to that server. The benefit here is that I can use nginx to only open up port 443 for the domains that have an actual certificate.

However, we want to have a similar setup with WHM/cPanel where a domain can be accessed on http://domain.tld, but not on https://domain.tld. When a domain is then assigned an SSL certificate, it can be accessed on both http://domain.tld and https://domain.tld.

I have seen other providers using WHM/cPanel where a domain did not have an SSL certificate and was therefore not accessible over https. I could, however, not see how this was done.

I do not know if an nginx proxy can be configured on WHM to handle this, or if something else should be configured to handle this kind of task?
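The nginx approach described in this thread (a separate 443 vhost only for domains that hold a certificate) can be written so that an unknown SNI name is rejected before any certificate is sent. The configuration below is an added example, not from the thread or from cPanel; it assumes nginx 1.19.4 or newer (for ssl_reject_handshake), an Apache backend on 127.0.0.1:8080, and placeholder domain names and certificate paths.

```nginx
# Added example, not part of the original thread.
# Assumptions: nginx >= 1.19.4, Apache listening on 127.0.0.1:8080,
# example.com has a certificate, example.net does not.

# Catch-all on 443: any SNI name without its own server block lands here and
# the handshake is aborted with a TLS alert before a certificate is offered,
# so the client gets a connection failure, not a "certificate not trusted"
# or "name mismatch" warning.
server {
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    server_name _;
    ssl_reject_handshake on;   # no ssl_certificate is needed in this block
}

# Plain HTTP stays available for every hosted domain.
server {
    listen 80;
    listen [::]:80;
    server_name example.com www.example.com example.net;
    location / {
        proxy_pass http://127.0.0.1:8080;          # assumed backend address
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

# One explicit 443 vhost per domain that actually has a certificate.
# example.net deliberately has no such block, so https://example.net
# falls into the default_server above and is refused.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name example.com www.example.com;
    ssl_certificate     /etc/ssl/example.com/fullchain.pem;   # assumed path
    ssl_certificate_key /etc/ssl/example.com/privkey.pem;     # assumed path
    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

Two points worth checking in practice: a client that sends no SNI at all (or an SNI name with no block) also hits the catch-all and is refused, which is the intended behaviour for this setup; and the same split cannot be reproduced with Apache alone, because Apache answers an unknown SNI name with the certificate of its first or default SSL vhost, which is exactly the warning the thread wants to avoid. To confirm the behaviour after a reload, connect with a TLS client that sets the server name (for example openssl s_client with -servername) once for a domain that has a block and once for one that does not; the first should complete the handshake and the second should be rejected without a certificate being shown.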
 

cPanelMichael (Administrator; Staff member)

kenneth-vkd said:
What we want to accomplish is to make sure that if a website does not have an SSL/TLS certificate assigned, then communication on port 443 is denied at a level where we do not even get to see the warning about the server certificate.
Hello,

There's a FAQ entry on this topic at:

SSL FAQ and Troubleshooting - Documentation - cPanel Documentation.

However, keep in mind the AutoSSL feature offers free signed SSL certificates:

Securing your site; Comodo, cPanel, & AutoSSL | cPanel Blog
Manage AutoSSL - Documentation - cPanel Documentation

Additionally, by default a self-signed certificate is automatically assigned to any domain name that doesn't utilize the AutoSSL feature.

Thank you.
 

kenneth-vkd (Active Member; Denmark; cPanel Access Level: DataCenter Provider)
Hi
Since we are not going to be offering free certificates, AutoSSL would not be an option here.
What I would really like is to know how I can use WHM/cPanel to completely block access to https://domain.tld if they do not have a valid SSL certificate.

Do I need to buy a special plugin for WHM, or what is required to do this? I have seen other providers using WHM/cPanel having this feature, but I could not find out how they have implemented it.
 

kenneth-vkd (Active Member; Denmark; cPanel Access Level: DataCenter Provider)
I have now found a solution for separating accounts with SSL and accounts without SSL, by creating multiple IP addresses on the server and then handling the access rights using the network firewall.

This does, however, require manual action from our technical team, so a solution to handle this with one IP, or a solution to automatically switch to the other IP when SSL is configured, would be preferable.
 

cPanelMichael (Administrator; Staff member)

kenneth-vkd (Active Member; Denmark; cPanel Access Level: DataCenter Provider)
Hi
I know that this is an issue. Perhaps it would be better to have the primary IP be accessible on both http and https and the secondary for HTTP only.
The main reason is that many of our current customers do not understand the things regarding https, and then when they get e.g. Office 365 or another Microsoft Exchange solution and their email client suddenly complains about certificate errors, our support staff has to spend unnecessary time explaining to the customer what the reason is for this and where they can read about it on our website.

So it is not really to prevent customers from using SSL/TLS certificates and HTTPS, but rather to avoid load on our support staff due to customers not understanding what this actually is.

So the better solution would be to have anyone that might be an issue, or that we know is an issue, be on the HTTP-only IP, and anything else just on the primary IP where they can get https.
 

cPanelMichael (Administrator; Staff member)

kenneth-vkd said:
The main reason is that many of our current customers do not understand the things regarding https, and then when they get e.g. Office 365 or another Microsoft Exchange solution and their email client suddenly complains about certificate errors, our support staff has to spend unnecessary time explaining to the customer what the reason is for this and where they can read about it on our website.
Hello,

Could you provide some examples of some of the issues customers are faced with? We've added several new features in the past few versions of cPanel to help address these types of concerns, so it's possible there's an existing feature that solves these problems you might not be aware of.

Thanks!
 

kenneth-vkd (Active Member; Denmark; cPanel Access Level: DataCenter Provider)
Hi
The main issue that customers are facing is when using applications that rely on e.g. the autodiscover feature for EWS (Microsoft Exchange Web Services) to autoconfigure their email client.
Since this tries https://domain.tld/AutoDiscover/Autodiscover.xml as one of the first things, customers will get a certificate warning, since the certificate generated by WHM/cPanel is not trusted. I in fact tried keeping AutoSSL on, but for some reason the server still generated a self-signed certificate, although we tried to force AutoSSL in WHM.
Not all our customers have all services with us and therefore may be using another provider for a specific service, such as Microsoft Exchange. So generally what happens is that the customer will call the provider of the given service, who will then look at the issue and tell the customer to call us and have us fix our web server to not provide SSL/TLS for their domain.
If a feature is there to e.g. detect the Autodiscover feature and give a response back to let the client software know that https://domain.tld/autodiscover/autodiscover.xml does not exist, without providing either a self-signed certificate or a certificate with a different name than domain.tld

If AutoSSL works then we can of course eliminate those issues, but then the customer will not come and buy a certificate from us, since the system provides AutoSSL, which means that we then have to once again make the customers unhappy, as we would then need to increase the pricing on our hosting to make up for the income we do not get on certificates.
 

cPanelMichael (Administrator; Staff member)

kenneth-vkd said:
I in fact tried keeping AutoSSL on, but for some reason the server still generated a self-signed certificate, although we tried to force AutoSSL in WHM.
Hello,

It seems like if we can address this issue, then it would solve the problem. Would you mind opening a support ticket using the link in my signature so we can take a closer look and see why the signed SSL certificate isn't properly generated for the account?

Thank you.