The Community Forums


Problems with manual SSL certs and cPanel

Discussion in 'Security' started by Spork Schivago, Apr 19, 2017.

  1. Spork Schivago

    Spork Schivago Well-Known Member

    Joined:
    Jan 21, 2016
    Messages:
    462
    Likes Received:
    52
    Trophy Points:
    28
    Location:
    corning, ny
    cPanel Access Level:
    Root Administrator
    Hi.

    I don't use AutoSSL. I've just redone my server and started over fresh. I'm having some issues with cPanel though. I use Let's Encrypt to generate my certificate and that seems to go okay. I have proxy-subdomains turned off and I've manually created the various sub-domains (whm, cpanel, webmail, etc).

    After installing the Let's Encrypt certificate, I go into WHM to check that it's properly installed. I go to:
    WHM >> SSL/TLS >> Manage SSL Hosts

    For domains, I see some weird stuff. Some of my manually created sub-domains are there, some aren't. But what's weird, there's a mail.mydomain.com listed (where mydomain.com is my domain). I don't have a sub-domain called mail. I have one called webmail, which isn't listed.

    Here's what I see under Manage SSL Hosts:
    Code:
    ipv6.mydomain.com
    mydomain.com
    mail.mydomain.com
    www.mydomain.com
    
    It shows the same group for both IPv4 and IPv6 addresses. The IPv6 shows as dedicated with SNI required, whereas the IPv4 address shows as shared with SNI not required.

    These are the subdomains I have:
    Code:
    cpanel
    cpcalendars
    cpcontacts
    webdisk
    webmail
    whm
    
    I have A and AAAA records for all of those, plus my hostname, franklin, ipv4, ipv6, ns1, ns2, and www.

    If I enable the Advanced Zone Editor and then in cPanel, if I go to the Zone Editor, I see everything that's inside my /var/named/mydomain.com.db file, all the subdomains, etc.

    I copied the /var/named/mydomain.com.db file from the old server to the new server to setup the DNS records. I had to copy the old /etc/named.conf file to the new server as well because the new one contained some weird zones in it for some reason (ns1, ns2, franklin, mydomain.com, instead of just mydomain.com). Not sure why or how they got there or how to fix this. Any suggestions?

    Thanks!
     
    #1 Spork Schivago, Apr 19, 2017
    Last edited: Apr 19, 2017
  2. Spork Schivago

    I should probably add that I am using PowerDNS with a Bind backend. Not sure if that matters or not. I'm thinking maybe by moving the old /var/named/mydomain.com.db file to the new server, maybe I somehow inadvertently created this problem...
     
  3. cPanelChrisI

    cPanelChrisI Technical Analyst II
    Staff Member

    Joined:
    Mar 24, 2014
    Messages:
    67
    Likes Received:
    11
    Trophy Points:
    83
    cPanel Access Level:
    Root Administrator
  4. cPanelChrisI

    Hello,

    I believe I may have misread your initial response. My apologies. Those are normally added when the domains are added to the server if proxy subdomains are enabled. Were they enabled when the zone was first added? If they are being added with proxy subdomains disabled, you may want to create a ticket at cPanel Customer Portal so we can look into that a little more. If you do create a ticket for that, can you also provide the ticket ID here so we can follow up on it in this thread?

    Thanks!
     
  5. Spork Schivago

    I think maybe I wasn't 100% clear here, cPanelChrisI. I have Proxy Subdomains turned off and I manually create the various subdomains that cPanel would create. I do this because right now, AutoSSL doesn't do what I want it to do. I use Let's Encrypt and I pass some command-line parameters to create an SSL certificate with some stuff that I can't get with AutoSSL. For example, some of the parameters I pass are:
    Code:
    --staple-ocsp --must-staple --hsts --redirect --rsa-key-size 2048 --uir
    
    Here's what the various parameters do:
    Code:
      --rsa-key-size N      Size of the RSA key. (default: 2048)
    
      --must-staple         Adds the OCSP Must Staple extension to the
                            certificate. Autoconfigures OCSP Stapling for
                            supported setups (Apache version >= 2.3.3 ). (default:
                            False)
    
      --redirect            Automatically redirect all HTTP traffic to HTTPS for
                            the newly authenticated vhost. (default: Ask)
    
      --hsts                Add the Strict-Transport-Security header to every HTTP
                            response. Forcing browser to always use SSL for the
                            domain. Defends against SSL Stripping. (default:
                            False)
    
      --uir                 Add the "Content-Security-Policy: upgrade-insecure-
                            requests" header to every HTTP response. Forcing the
                            browser to use https:// for every http:// resource.
                            (default: None)
    
      --staple-ocsp         Enables OCSP Stapling. A valid OCSP response is
                            stapled to the certificate that the server offers
                            during TLS. (default: None)
    
    So, with proxy subdomains turned off, I create the subdomains myself and redirect visitors to the proper port, unless of course, they're trying to access the .well-known/acme-challenge directory. I allow that through (so Let's Encrypt can verify I own the domain / subdomain).

    I do not have a mail.mydomain.com subdomain. I have a webmail.mydomain.com subdomain. After rebooting the server, I look in WHM under Manage SSL Hosts and now I see the following domains listed:
    Code:
    mydomain.com 
    mail.mydomain.com 
    www.mydomain.com
    
    The IPv6.mydomain.com is gone now. I would have expected to either see A) All the subdomains I've created plus my main domain, or B) Just my main domain. I think I might have an idea of what's going on though. I think cPanel has created some aliases for my domain. I see in /var/cpanel/userdata/<username>/mydomain.com
    Code:
    serveralias: mail.mydomain.com www.mydomain.com
    
    Because I have A and AAAA records for webmail.mydomain.com and www.mydomain.com, I don't need the serveralias. I think if I edit those files to remove those serveralias entries, perhaps they won't show up under WHM >> Manage SSL Hosts? There's an Apache template I need to modify as well and then rebuild the Apache config file, to remove the ServerAlias directive from the Apache config.

    What do you think? Is the mail.mydomain.com that cPanel shows coming from the /var/cpanel/userdata/<username>/mydomain.com file? Thanks!
     
  6. Spork Schivago

    I added the zone and then turned off the Proxy Subdomains in WHM >> Tweak Settings. I think you figured out what I meant originally and now we both understand what happened. Even though Proxy Subdomains are turned off under the Tweak Settings, I still see the mail.mydomain.com and the www.mydomain.com, but no subdomains I've actually created, under the SSL Hosts Manager or whatever it's called. What's supposed to be there? My main domain and all the subdomains or just the main domain? I really think cPanel is reading that serveralias directive in that file I talked about in the last post and I think if I just edit that out, things would be normal again.

    Thanks.
     
  7. Spork Schivago

    I believe I fixed it now. I copied vhost.default to vhost.local and ssl_vhost.default to ssl_vhost.local and modified the ServerAlias part of the script. Afterwards, I rebuilt the userdata files. The userdata files still aren't 100% right. For example, I have the subdomain webmail.mydomain.com, but in the webmail.mydomain.com userdata file I see:
    Code:
    serveralias: www.webmail.mydomain.com
    
    Subdomains shouldn't have the www alias, and I can remove each of those serveralias entries manually from those userdata files, but I have a feeling cPanel might recreate them when it updates in the future or something. Not really sure how to prevent those serveralias entries from getting put in the userdata files to begin with. They're not in the /etc/apache/conf/httpd.conf file anymore, but I don't think they're causing any harm. Not really sure how the userdata files are used in cPanel. Should I manually remove those serveralias www entries or just leave them?

    Thanks!
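A small reconciliation script for the serveralias question raised in posts 5 and 7, added here as an example (it is not cPanel's code or the poster's): it reads userdata-style files, lists the names each vhost answers to, flags the www.<sub> aliases on subdomain vhosts, and reports any vhost name the certificate would not cover. The file contents and the SAN list are constructed samples; real userdata files are fuller YAML, and the script only reads top-level key: value lines.

```python
import re

# Constructed samples shaped like the thread's /var/cpanel/userdata/<user>/<domain>
# files (real files carry many more keys; only these two matter here).
SAMPLE_USERDATA = {
    "mydomain.com": "servername: mydomain.com\nserveralias: mail.mydomain.com www.mydomain.com\n",
    "webmail.mydomain.com": "servername: webmail.mydomain.com\nserveralias: www.webmail.mydomain.com\n",
    "whm.mydomain.com": "servername: whm.mydomain.com\nserveralias: www.whm.mydomain.com\n",
}
# Constructed SAN list standing in for the names on the Let's Encrypt certificate.
SAMPLE_CERT_SANS = ["mydomain.com", "www.mydomain.com", "webmail.mydomain.com", "whm.mydomain.com"]

def parse_userdata(text):
    """Pick out top-level 'key: value' lines; nested YAML is ignored on purpose."""
    data = {}
    for line in text.splitlines():
        m = re.match(r"^(\w+):\s*(.*)$", line)
        if m:
            data[m.group(1)] = m.group(2).strip()
    return data

def vhost_names(userdata):
    """Every name the vhost answers to: servername plus each serveralias entry."""
    return [userdata["servername"]] + userdata.get("serveralias", "").split()

def www_aliases_on_subdomains(files, main_domain):
    """'www.<sub>.<domain>' aliases the vhost template added to subdomain vhosts."""
    found = {}
    for domain, text in files.items():
        if domain == main_domain:
            continue
        aliases = parse_userdata(text).get("serveralias", "").split()
        found[domain] = [a for a in aliases if a == "www." + domain]
    return found

def names_not_in_cert(files, cert_sans):
    """Vhost names the certificate does not cover; a client that reaches one of
    these gets a certificate name-mismatch error rather than a valid TLS session."""
    covered = set(cert_sans)
    missing = set()
    for text in files.values():
        missing.update(n for n in vhost_names(parse_userdata(text)) if n not in covered)
    return sorted(missing)
```

Run against the real directory by reading each file under /var/cpanel/userdata/<user>/ into the dict and passing the SAN list from the installed certificate; any name it reports is one that will show up as a vhost alias without a matching certificate name.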
     
  8. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    37,029
    Likes Received:
    1,277
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello @Spork Schivago,

    Updates should not overwrite your custom userdata entries, however I encourage you to open a feature request for the ability to control which default ServerAlias entries are automatically configured:

    Submit A Feature Request

    Thank you.
     
  9. Spork Schivago

    I opened a feature request @cPanelMichael. It's awaiting moderation. Here's a link to it. If you think it can be worded better, please feel free to edit it or send me a PM with the suggested edits. I'm not very good at writing stuff like that anymore.

    Add option to control ServerAlias www entries for subdomains

    Thanks!
     