Problem with automatically generated self-signed SSL certificates

[raven_kg]

Hello,
Last night our cPanel instance was updated to 62.0 (build 8) and now it creates self-assigned SSL certificate for each new addon domain. How can I completely disable this feature?

Thank you

 

[coasthost]

For the past few days, new accounts and subdomains created on my server are created with a self signed SSL cert. Which means i have to delete the SSL host after each new account or subdomain is created.

Is there an option to turn this off?

 

[Gavpeds]

I have now given up with this its just messing with my users sites. I have now disabled autossl on the feature list which all accounts used. To my surprise new accounts being added still get damn certificates. Please someone tell me how to stop this ridiculous system doing what it likes. When something starts harming my customers experience and essentially my business i feel cpanel has gone a step to far. All i want to do now is stop self signed or cpanel certificates being generated. I have two sites where i have paid for and setup the ssl which is fine but for all others i dont want any ssl. If this has been disabled in manage ssl and in the feature list why is it still generating certificates for newly added domains???

 

[cPanelMichael]

Hello,

It's by design that that self-signed SSL certificates are installed if no other SSL certificates are available. It's not possible to disable this functionality. Could you elaborate on what in-particular about the certificate is resulting in problems?

Here's the section from the cPanel 62 Release Notes where this is mentioned:

Automatically install best available certificate for new addon domain, parked domain, or subdomain
When you create an addon domain, parked domain, or subdomain, the system will attempt to automatically secure that domain with an existing certificate. If no certificate exists within the domain’s virtual host, but another certificate matches the domain, the system will secure the domain with that certificate.

If no certificate matches the domain, the system will install a self-signed certificate for the domain.

All websites receive an SSL certificate
Any website created in cPanel & WHM now receives an SSL certificate. A self-signed certificate is added if no other SSL certificates are available.

Thank you.

 

[Gavpeds]

This is an utter nightmare. Self signed makes google warn visitors to the site with self signed possibly turning away visitors.

The cpanel certificates are just u reliable. I have had issues with it not assigning certs to domains created via whmcs and was told it was our server that had turned this feature off. They have not. Cpanel you need to rethink this there are people everywhere having issues with this. I have already submitted a ticket and was told it's my host it's not they have been I contact as well and there are just so many problems with all this forcing us to use ssl I get why it's a good idea. Google and others are pushing for it but the implementation is a nightmare.

 

[Gavpeds]

Ok so our server host has been in touch as well now and seems there is not way to turn it off at all even of you turn autossl off you just get forced to use a self signed certificate. Great so now site visitors are going to get privacy warning from Google turning them away!

I don't particularly care if I use ssl or I dont I just want it to work either way.

I am stuck. I can't turn it off but I also can't fully take advantage of it as it fails in several sites mainly ones created via whmcs but all I get told is its my server host who has disabled this feature. I am beyond frustrated as are all the site owners I have on my server. Cpanel forces me to use it our host forces me to not yet cpanel then forces self signed which is terrible. So i am stuck in the middle and my users sites are suffering as a result.

All i can think of doing is putting this in every sites .htaccess file.

<IfModule mod_rewrite.c>
Options +FollowSymlinks
RewriteEngine on
RewriteBase /
RewriteCond %{SERVER_PORT} ^443$ [OR]
RewriteCond %{HTTPS} =on
RewriteRule ^(.*)$ http://www.example.com/$1 [R=301,L]
</IfModule>

 

[sparek-3]

Yea, I have to agree with the negative argument on this.

I'm all in favor of free certificates. But I'm not really in such a favor of all of this forcing certificates on us. In a lot of ways, I think this goes beyond cPanel. I understand Google and the whole world wanting to make web browsing more secure, but if that's the case, why not just make the whole HTTP protocol secure? You won't be able to do that from a trust standpoint, but you can do that from an encryption standpoint. SSH and SFTP does this, why can't HTTP? Again, that's not really an issue for cPanel to tackle, it's an industry issue.

DCV certificates have never really given any trust. "Congrats! You own the domain name you are securing. We have no idea if that domain name is tied to an actual business or the business it pretends to be. But the information you send between you and the server is secure!"

I'm not sure how passing out millions of DCV secure certificates is the answer here.

Forcing SSL on accounts was setting up to be a nightmare. You have too many accounts that get set up, never point themselves to the server and AutoSSL for those accounts just sit in limbo (they can't verify because domain control validation never passes).

A better approach, probably would have been to offer free certificates but only explicitly. If someone wants a free certificate they have to request one. If you want to try and make this easier by placing something in their cPanel (I'm not sure if that is necessary) then you can do so. You can then test for DCV passing prior to attempting to issue a certificate. Auto-renew? I'm not sure if that's necessary either. Email the user to tell them their certificate is about to expire. If they can't find the time to log into their cPanel and reissue an updated certificate, then I'm sorry, I don't have a lot of sympathy for them.

Automatically issuing DCV certificates and then automatically renewing those certificates for every single domain in existence, that just cries out for my main point ... why isn't HTTP secure by default?

 

[raven_kg]

[sarcasm]Wow... Great solution![/sarcasm]

 

[swbrains]

On my server, I just noticed this happening for new accounts. It screwed up my script that I use to let customers install SSL certificates since the script looks to see if a cert is installed already and doesn't allow installation of our "real" certificate if one is already installed. I was able to work around this by checking if the installed cert is self-signed via the API call to get the cert info and act as if there is no installed cert if it finds only self-signed certs installed on that account.

The odd thing is that I have already installed on the server a wildcard domain that is a valid SSL certificate from a trusted authority (AlphaSSL) that I let customers use when they want to activate SSL for their subdomain. Yet cPanel still automatically installed a self-signed wildcard cert upon creation of the new subdomain account, ignoring the valid wildcard AlphaSSL cert.

Perhaps the problem in my case relates to the fact that the already-installed "real" cert is a wildcard cert? Could this be why cPanel doesn't see it and goes ahead and installs it's own self-signed cert upon creation of the subdomain account?

 

[bear]

Ok, I'd already posted this on a different thread, but in reality this one is where it should have been done. Sorry.
I don't want auto-anything (including SSL) installed on things I set up on my servers. It's not up to cPanel, or Google for that matter to foist that on folks, it's up to the site owner, and ultimately, the server admin. In this case, that's me.

How to disable the autogenerated SSL on new domains/accounts/etc, please?

 

[rahnev]

So is there a way to disable this automatic SSL generation when new account or domain is created? We want to manually generate them as on versions before 62?

 

[cPanelMichael]

Hello,

It's not possible to disable the automatic self-signed SSL certificate that's automatically generated for domain names that don't already take advantage of the AutoSSL feature. However, please open a support ticket using the link in my signature if this new functionality is installing self-signed SSL certificates in cases where a signed SSL certificate is available for installation.

The decision to implement this change in cPanel version 62 is part of the direction towards TLS-Only in the product. The functionality of other parts of the product will assume a SSL Virtual Host exists, and thus it would break functionality if a SSL certificate isn't installed on a domain.

I encourage the use of our Feature Request website to submit requests for changes to this behavior. This allows the community to vote on changes, and send their feedback to the Development team to consider.

Thank you.

 

[ethical]

wow I have to say this is a really silly feature. If you were going to force anything (which is bad to start with) force the use of LE certs at least they are real certs! self signed certs will only crate issues for everybody especially if they are forced on you and you don't even know it! sigh, off to fully enable autossl then and now wait to hear from people when they complain that their site is giving ssl warnings from users that use https everywhere... sigh...

 

[cPanelMichael]

sigh, off to fully enable autossl then and now wait to hear from people when they complain that their site is giving ssl warnings from users that use https everywhere... sigh...

The certificates generated through the AutoSSL feature should not result in browser warnings about the SSL certificate. Could you open a new thread expanding upon that specific issue so we can take a closer look?

Thank you.

 

[dortgendizayn]

Do you provide any script to remove all of self signed certificates at the same time?
At least we can run this script after addon domain and delete all self signed certificates.
And please find a way to disable this Auto(nightmare)SSL option. I'm so regret to activate this plugin.

 

[cPanelMichael]

Do you provide any script to remove all of self signed certificates at the same time?
At least we can run this script after addon domain and delete all self signed certificates.
And please find a way to disable this Auto(nightmare)SSL option. I'm so regret to activate this plugin.

Hello @dortgendizayn,

Could you provide some more information about how the SSL certificates (and the AutoSSL feature) are resulting in problems on your system? The direction of the product is heading towards TLS-only, so it's a good idea to work towards addressing the issues you are facing rather than deleting the certificates.

Thank you.

 

[sparek-3]

I understand the web is wanting to move to more secure protocols, meaning that groups want everything to be https:// instead of http:// and the current way to do that is to provide a secure certificate (whether that be self-signed, free DCV, paid DCV, or expensive EV).

The question I have with this, what happens when an account is set up on a server and that domain name never points to the server? How is AutoSSL (which provides free DCV certificates) going to deal with this? Maybe this isn't a problem for most hosting companies, but we have resellers that appear to set up domain names that never point to the server. DCV certificates are never going to work for accounts that never resolve back to the server. When a domain name moves to a different server, do they take this certificate with them or do they generate a new certificate? If a new certificate, what happens to the old certificate? What if the new server they move to isn't cPanel or doesn't support AutSSL or cPanel signed certificates, what happens then?

I get the desire to move to a more secure platform. I get that content providers, search engine giants, and others want to see the web more secure. But if that's the case, why doesn't the industry push to make HTTP (not HTTPS) a secure protocol? Why not look to provide encryption directly into the HTTP protocol? Don't confuse encryption with authenticity. Encryption just means data is encrypted as it pass back and forth on the connection. Authenticity has to do with verifying the party on end A is who they say they are. DCV certificates don't provide any (or very little if any) authenticity - but they don't provide encryption. Self-signed certificates provide encryption without authenticity but self-signed certificates were banished to hell several years ago because the industry wanted to.

Making HTTP a secure, encrypted protocol isn't a cPanel issue. It's above cPanel's pay grade. Perhaps there's a technical reason as to why this can't be done. But was it even ever considered? Perhaps a new protocol needs to be written. I don't know. It just seems like there wasn't a lot of thought, a lot of foresight put into this push to make the whole web secure, they just settled on "Let's make every domain name get a secure certificate." And I'm not sure if that's really the best approach.

 

[cPanelNick]

Perhaps the problem in my case relates to the fact that the already-installed "real" cert is a wildcard cert? Could this be why cPanel doesn't see it and goes ahead and installs it's own self-signed cert upon creation of the subdomain account?

Hi swbrains,

The system will only pickup the wildcard certificate if it is in the user's ssl storage. I'm assuming the subdomains are on newly created account and not created inside of an existing account. The system does not have access to other users accounts when finding the best available certificate as this would require us to share the key files between accounts which would not be an acceptable security practice.

 

[cPanelNick]

Ok, I'd already posted this on a different thread, but in reality this one is where it should have been done. Sorry.
I don't want auto-anything (including SSL) installed on things I set up on my servers. It's not up to cPanel, or Google for that matter to foist that on folks, it's up to the site owner, and ultimately, the server admin. In this case, that's me.

How to disable the autogenerated SSL on new domains/accounts/etc, please?

Hi bear,

One of the goals of this feature was to ensure that the user did not get someone else's site when accessing their domain on https://. The "install best available" functionality solved this problem:

Change Default SSL Certificate to Invalid Certificate
Generate and install a self signed ssl cert for each virtualhost that doesn't have one.

Its very important that we understand why you want to disable this functionality in order to ensure we build the right solution. We need to know more about what problems this is causing for you so we can explore a solution that does not regress the above feature requests.

Thank you.

 

[sparek-3]

Its very important that we understand why you want to disable this functionality in order to ensure we build the right solution. We need to know more about what problems this is causing for you so we can explore a solution that does not regress the above feature requests.

I can't really speak for bear on this, but I'm going to add my 2 cents here.

I think I would be fine with forcing each new VirtualHost (new account, new subdomain, new addon domain, new parked domain) to generate and install a self-signed certificate. There's no DCV step required for these. I do think that this (or any auto certificate installing) will result in a lot more clutter, as it's just another thing that has to be kept up with (either by server administrators or by the server itself or both). But I would really prefer for this to be a configuration option instead of just being pushed on us. Something like I detailed on the feature request:

Disable Automatic self-signed SSL

I don't like the implicit "install best available certificate" Perhaps I'm just extra paranoid, but I'm not all that confident that the system is always going to be able to pick the "best available certificate". If I could explicitly tell the system to always install a self-signed certificate for every new VirtualHost, I think I would like that better. Then if a VirtualHost needs a certificate installed, I can deal with that as I see fit.