Problems with manual SSL certs and cPanel

Spork Schivago

Well-Known Member
Jan 21, 2016
corning, ny
cPanel Access Level
Root Administrator
Hi.

I don't use AutoSSL. I've just redone my server and started over fresh. I'm having some issues with cPanel though. I use Let's Encrypt to generate my certificate and that seems to go okay. I have proxy-subdomains turned off and I've manually created the various sub-domains (whm, cpanel, webmail, etc).

After installing the Let's Encrypt certificate, I go into WHM to check that it's properly installed. I go to:
WHM >> SSL/TLS >> Manage SSL Hosts

For domains, I see some weird stuff. Some of my manually created sub-domains are there, some aren't. But what's weird, there's a mail.mydomain.com listed (where mydomain.com is my domain). I don't have a sub-domain called mail. I have one called webmail, which isn't listed.

Here's what I see under Manage SSL Hosts:
Code:
ipv6.mydomain.com
mydomain.com
mail.mydomain.com
www.mydomain.com
It shows the same group for both IPv4 and IPv6 addresses. The IPv6 shows as dedicated with SNI required, whereas the IPv4 address shows as shared with SNI not required.

These are the subdomains I have:
Code:
cpanel
cpcalendars
cpcontacts
webdisk
webmail
whm
I have A and AAAA records for all of those, plus my hostname, franklin, ipv4, ipv6, ns1, ns2, and www.

If I enable the Advanced Zone Editor and then go to the Zone Editor in cPanel, I see everything that's inside my /var/named/mydomain.com.db file, all the subdomains, etc.

I copied the /var/named/mydomain.com.db file from the old server to the new server to set up the DNS records. I had to copy the old /etc/named.conf file to the new server as well because the new one contained some weird zones in it for some reason (ns1, ns2, franklin, mydomain.com, instead of just mydomain.com). Not sure why or how they got there or how to fix this. Any suggestions?

Thanks!

Spork Schivago

Well-Known Member
Jan 21, 2016
corning, ny
cPanel Access Level
Root Administrator
I should probably add that I am using PowerDNS with a Bind backend. Not sure if that matters or not. I'm thinking maybe by moving the old /var/named/mydomain.com.db file to the new server, maybe I somehow inadvertently created this problem...
 

ChrisI

Technical Analyst II
Mar 24, 2014
cPanel Access Level
Root Administrator
Hello,

I believe I may have misread your initial response. My apologies. Those are normally added when the domains are added to the server if proxy subdomains are enabled. Were they enabled when the zone was first added? If they are being added with proxy subdomains disabled, you may want to create a ticket at cPanel Customer Portal so we can look into that a little more. If you do create a ticket for that, can you also provide the ticket ID here so we can follow up on it in this thread?

Thanks!

Spork Schivago

Well-Known Member
Jan 21, 2016
corning, ny
cPanel Access Level
Root Administrator
ChrisI said:
Hello!

The subdomains that you pointed out are added by cPanel to allow the proxy subdomains to work properly. This page talks a little more about those.

Proxy Subdomains Explanation - cPanel Knowledge Base - cPanel Documentation

Thanks!
I think maybe I wasn't 100% clear here cPanelChrisI. I have Proxy subdomains turned off and I manually create the various subdomains that cPanel would create. I do this because right now, AutoSSL doesn't do what I want it to do. I use Let's Encrypt and I pass some command-line parameters to create an SSL certificate with some stuff that I can't get with AutoSSL. For example, some of the parameters I pass are:
Code:
--staple-ocsp --must-staple --hsts --redirect --rsa-key-size 2048 --uir
Here's what the various parameters do:
Code:
  --rsa-key-size N      Size of the RSA key. (default: 2048)

  --must-staple         Adds the OCSP Must Staple extension to the
                        certificate. Autoconfigures OCSP Stapling for
                        supported setups (Apache version >= 2.3.3 ). (default:
                        False)

  --redirect            Automatically redirect all HTTP traffic to HTTPS for
                        the newly authenticated vhost. (default: Ask)

  --hsts                Add the Strict-Transport-Security header to every HTTP
                        response. Forcing browser to always use SSL for the
                        domain. Defends against SSL Stripping. (default:
                        False)

  --uir                 Add the "Content-Security-Policy: upgrade-insecure-
                        requests" header to every HTTP response. Forcing the
                        browser to use https:// for every http:// resource.
                        (default: None)

  --staple-ocsp         Enables OCSP Stapling. A valid OCSP response is
                        stapled to the certificate that the server offers
                        during TLS. (default: None)
So, with proxy subdomains turned off, I create the subdomains myself and redirect visitors to the proper port, unless of course, they're trying to access the .well-known/acme-challenge directory. I allow that through (so Let's Encrypt can verify I own the domain / subdomain).

I do not have a mail.mydomain.com subdomain. I have a webmail.mydomain.com subdomain. After rebooting the server, I look in WHM under Manage SSL Hosts and now I see the following domains listed:
Code:
mydomain.com 
mail.mydomain.com 
www.mydomain.com
The ipv6.mydomain.com entry is gone now. I would have expected to see either A) all the subdomains I've created plus my main domain, or B) just my main domain. I think I might have an idea of what's going on though. I think cPanel has created some aliases for my domain. I see this in /var/cpanel/userdata/<username>/mydomain.com:
Code:
serveralias: mail.mydomain.com www.mydomain.com
Because I have A and AAAA records for webmail.mydomain.com and www.mydomain.com, I don't need the serveralias. I think if I edit those files to remove those serveralias entries, perhaps they won't show up under WHM >> Manage SSL Hosts? There's an Apache template I need to modify as well, and then rebuild the Apache config file, to remove the ServerAlias directive from the Apache config.

What do you think? Is the mail.mydomain.com that cPanel shows coming from the /var/cpanel/userdata/<username>/mydomain.com file? Thanks!
 

Spork Schivago

Well-Known Member
Jan 21, 2016
corning, ny
cPanel Access Level
Root Administrator
ChrisI said:
Hello,

I believe I may have misread your initial response. My apologies. Those are normally added when the domains are added to the server if proxy subdomains are enabled. Were they enabled when the zone was first added? If they are being added with proxy subdomains disabled, you may want to create a ticket at cPanel Customer Portal so we can look into that a little more. If you do create a ticket for that, can you also provide the ticket ID here so we can follow up on it in this thread?

Thanks!
I added the zone and then turned off the Proxy Subdomains in WHM >> Tweak Settings. I think you figured out what I meant originally and now we both understand what happened. Even though Proxy Subdomains are turned off under the Tweak Settings, I still see the mail.mydomain.com and the www.mydomain.com, but no subdomains I've actually created, under the SSL Hosts Manager or whatever it's called. What's supposed to be there? My main domain and all the subdomains or just the main domain? I really think cPanel is reading that serveralias directive in that file I talked about in the last post and I think if I just edit that out, things would be normal again.

Thanks.
 

Spork Schivago

Well-Known Member
Jan 21, 2016
597
64
28
corning, ny
cPanel Access Level
Root Administrator
I believe I fixed it now. I copied vhost.default to vhost.local and ssl_vhost.default to ssl_vhost.local and modified the ServerAlias part of the script. Afterwards, I rebuilt the userdata files. The userdata files still aren't 100% right. For example, I have the subdomain webmail.mydomain.com, but in the webmail.mydomain.com userdata file I see:
Code:
serveralias: www.webmail.mydomain.com
Subdomains shouldn't have the www alias, and I can remove each of those serveralias entries manually from those userdata files, but I have a feeling cPanel might recreate them when it updates in the future or something. Not really sure how to prevent those serveralias entries from getting put in the userdata files to begin with. They're not in the /etc/apache/conf/httpd.conf file anymore, but I don't think they're causing any harm. Not really sure how the userdata files are used in cPanel. Should I manually remove those serveralias www entries or just leave them?

Thanks!
 
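The two posts above come down to the same question: which hostnames end up in a vhost's userdata file (servername plus every serveralias), and which of those are not actually covered by the Let's Encrypt certificate that was installed. The script below is an added example, not cPanel's own tooling or the poster's script. It parses the simple "key: value" userdata format shown on the page, reports every vhost name missing from a certificate's SAN list, and shows the fix the poster applied by hand (dropping the automatic www.<subdomain> alias from subdomain userdata files). All file contents and the SAN list are constructed sample data; the file names only mimic the /var/cpanel/userdata/<username>/ layout.

```python
"""
Audit cPanel-style userdata files for ServerAlias names a TLS certificate
does not cover. Added example; it is not cPanel's own code and does not
touch the real /var/cpanel/userdata tree.

Assumed userdata format (as shown in the thread): one "key: value" per
line, with "serveralias" holding a space-separated list of hostnames.
"""
import fnmatch

# Constructed sample userdata files, keyed by the file name they would have
# under /var/cpanel/userdata/<username>/ (sample content, not real files).
USERDATA_FILES = {
    "mydomain.com": (
        "servername: mydomain.com\n"
        "serveralias: mail.mydomain.com www.mydomain.com\n"
    ),
    "webmail.mydomain.com": (
        "servername: webmail.mydomain.com\n"
        "serveralias: www.webmail.mydomain.com\n"
    ),
    "whm.mydomain.com": (
        "servername: whm.mydomain.com\n"
        "serveralias: www.whm.mydomain.com\n"
    ),
}

# Constructed SAN list standing in for the issued Let's Encrypt certificate.
CERT_SANS = [
    "mydomain.com", "www.mydomain.com", "webmail.mydomain.com",
    "whm.mydomain.com", "cpanel.mydomain.com",
]


def parse_userdata(text):
    """Parse a 'key: value' userdata file into a dict with lowercase keys."""
    data = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, _, value = line.partition(":")
        data[key.strip().lower()] = value.strip()
    return data


def vhost_names(userdata):
    """Every hostname Apache would answer for in this vhost: servername plus aliases."""
    names = []
    if userdata.get("servername"):
        names.append(userdata["servername"].lower())
    names.extend(alias.lower() for alias in userdata.get("serveralias", "").split())
    return names


def covered_by_cert(name, sans):
    """True if name matches a SAN exactly or via a single-label wildcard (*.example)."""
    name = name.lower()
    for san in sans:
        san = san.lower()
        if san.startswith("*."):
            # A wildcard covers exactly one label, so the dot counts must match.
            if name.count(".") == san.count(".") and fnmatch.fnmatchcase(name, san):
                return True
        elif name == san:
            return True
    return False


def uncovered_aliases(files, sans):
    """Map each userdata file to the vhost names the certificate does not cover."""
    report = {}
    for path, text in files.items():
        missing = [n for n in vhost_names(parse_userdata(text)) if not covered_by_cert(n, sans)]
        if missing:
            report[path] = missing
    return report


def remove_www_alias(text, zone):
    """Return userdata text with the 'www.<servername>' alias dropped when the
    vhost is a subdomain of `zone` (the zone apex itself is left untouched)."""
    servername = parse_userdata(text).get("servername", "").lower()
    if not servername or servername == zone.lower():
        return text
    www_alias = "www." + servername
    out = []
    for line in text.splitlines():
        key, _, value = line.partition(":")
        if key.strip().lower() == "serveralias":
            kept = [a for a in value.split() if a.lower() != www_alias]
            if kept:  # drop the line entirely if no alias remains
                out.append("serveralias: " + " ".join(kept))
            continue
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for path, missing in uncovered_aliases(USERDATA_FILES, CERT_SANS).items():
        print(f"{path}: not covered by certificate -> {', '.join(missing)}")
    print(remove_www_alias(USERDATA_FILES["webmail.mydomain.com"], "mydomain.com"), end="")
```

On the sample data this flags mail.mydomain.com on the main vhost and the www.<subdomain> aliases on both subdomain vhosts, which is exactly the set of names that would show up as SSL hosts without being in the certificate. Running it against a real server means reading the real userdata files and the SAN list from the installed certificate; the cleanup function only rewrites the serveralias line, so it should be followed by the same Apache config rebuild the poster describes.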

cPanelMichael

Administrator
Staff member
Apr 11, 2011
Spork Schivago said:
Subdomains shouldn't have the www alias and I can remove each of those serveralias' manually from those userdata files, but I have a feeling cPanel might recreate them when it updates in the future or something. Not really sure how to prevent those serveralias entries from getting put in the userdata files to begin with....they're not in the /etc/apache/conf/httpd.conf file anymore, but I don't think they're causing any harm. Not really sure how the userdata files are used in cPanel. Should I manually remove those serveralias www entries or just leave them?
Hello @Spork Schivago,

Updates should not overwrite your custom userdata entries, however I encourage you to open a feature request for the ability to control which default ServerAlias entries are automatically configured:

Submit A Feature Request

Thank you.

Spork Schivago

Well-Known Member
Jan 21, 2016
corning, ny
cPanel Access Level
Root Administrator
cPanelMichael said:
Hello @Spork Schivago,

Updates should not overwrite your custom userdata entries, however I encourage you to open a feature request for the ability to control which default ServerAlias entries are automatically configured:

Submit A Feature Request

Thank you.
I opened a feature request @cPanelMichael. It's awaiting moderation. Here's a link to it. If you think it can be worded better, please feel free to edit it or send me a PM with the suggested edits. I'm not very good at writing stuff like that anymore.

Add option to control ServerAlias www entries for subdomains

Thanks!