Question about autoSSL

Discussion in 'Security' started by hinhthoi, Oct 13, 2017.

  1. hinhthoi

    hinhthoi Member

    Joined:
    Mar 28, 2017
    Messages:
    18
    Likes Received:
    2
    Trophy Points:
    3
    Location:
    Vietnam
    cPanel Access Level:
    Root Administrator
    Hi, I have a question about AutoSSL feature:

    Let's say I enable that feature by default. A new user signs up with his primary domain while the primary domain is still not pointing to the server. Due to that reason, a valid SSL cert is not created for that primary domain.

    When the user starts changing the DNS to point his domain to the server, the AutoSSL feature should automatically add a valid SSL cert to the domain, is that correct? If yes, when does it happen (how long from the time it is propagated to the time that AutoSSL takes action, I mean the waiting time)?

    I also have another question. If a domain already has valid SSL and then the user points DNS away from our server, when it is going to expire, will AutoSSL still keep requesting SSL renewal? (I'm worried if it does, because the request will fail, and Let's Encrypt has a limit on failure rate.)

    I just worry that if I enable AutoSSL for all users, too many failures may result in problems.

    Thank you for any clarification!
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    43,711
    Likes Received:
    1,794
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello,

    Yes, the AutoSSL check runs once daily as part of the following cron job:

    Code:
    # cat /etc/cron.d/cpanel_autossl
    32    3    *    *    *    root    /usr/local/cpanel/bin/autossl_check --all

    It can then take a few hours after that for the domain validation process to complete.

    Yes, assuming the existing certificate was generated through the AutoSSL feature, then the automatic attempts to renew the certificate before it expires would fail if the domain name does not resolve to the server. You should disable AutoSSL for the individual account in these cases.

    Thank you.
     
    linux4me2 likes this.
  3. hinhthoi

    Hi,

    I just want to be clearer about this problem. When the user changes the DNS of one of his domains away from our server, does AutoSSL still attempt to renew (and fail), or does it first check the DNS and only make an attempt if DNS is pointing to our server?

    Thank you very much.
     
  4. cPanelMichael

    Hello,

    It will attempt to validate the domain name if the AutoSSL feature is enabled on the account, and the domain validation attempt will fail when it detects the domain name does not resolve to the cPanel server.

    Thank you.
     
    linux4me2 and hinhthoi like this.
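
Added example, not part of the thread and not cPanel's own code: a pre-check an administrator could run to list, per account, the domains that do not resolve to the server, so that AutoSSL can be disabled on those accounts as advised above. It assumes the `domain: user` line layout of `/etc/userdomains`; the sample data, the resolver answers and `192.0.2.10` as the server address are constructed.

```python
import socket
from collections import defaultdict

# Constructed sample in the "domain: user" layout assumed for /etc/userdomains.
SAMPLE_USERDOMAINS = """\
example.com: alice
shop.example.com: alice
moved-away.example: bob
unresolvable.example: carol
*: nobody
"""

def parse_userdomains(text):
    """Yield (domain, user) pairs, skipping blanks, comments and the '*' catch-all."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        domain, user = (part.strip() for part in line.split(":", 1))
        if domain != "*" and user:
            yield domain.lower(), user

def system_resolver(domain):
    """Return the set of A/AAAA addresses for a domain; empty set if it does not resolve."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(domain, 80, proto=socket.IPPROTO_TCP)}
    except socket.gaierror:
        return set()

def domains_not_pointing_here(userdomains_text, server_ips, resolve=system_resolver):
    """Group by user the domains whose DNS answers include none of server_ips."""
    server_ips = set(server_ips)
    failing = defaultdict(list)
    for domain, user in parse_userdomains(userdomains_text):
        addresses = resolve(domain)
        if not addresses & server_ips:
            failing[user].append((domain, sorted(addresses)))
    return dict(failing)

if __name__ == "__main__":
    # Constructed resolver answers so the demo runs offline; 192.0.2.10 stands in for the server.
    fake_dns = {"example.com": {"192.0.2.10"}, "shop.example.com": {"192.0.2.10"},
                "moved-away.example": {"198.51.100.7"}}
    report = domains_not_pointing_here(SAMPLE_USERDOMAINS, {"192.0.2.10"},
                                       resolve=lambda d: fake_dns.get(d, set()))
    for user, items in sorted(report.items()):
        for domain, seen in items:
            print(f"{user}\t{domain}\tresolves to: {', '.join(seen) or 'nothing'}")
```

On a live server, pass the contents of the real file and the server's public addresses, and leave `resolve` at its default; a server behind NAT or a proxy must list the addresses that public DNS is expected to return.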
  5. hinhthoi

    Hi Michael,

    Thank you very much for your clarification. I think it is a disaster to enable AutoSSL for all users because of this reason. When Let's Encrypt detects a high rate of renewal failures it will block our IP, and renewal requests for working domains will not work.
     