"Reduced SSL coverage" for non-existent domains

RyanR

Active Member
Jul 22, 2020
25
3
3
London
cPanel Access Level
Root Administrator
Hi,

We recently migrated all of our sites from a 3rd party provider to our own server because our sites were performing very poorly with the 3rd party provider and we're not getting a bunch of AutoSSL warnings which don't make sense...

All of the warnings we are getting are for mail.website.com and some for ipv6.website.com with the latter fixed by adding the appropriate IPv6 DNS rule which is fine; however for the mail.website.com ones we don't use the mail subdomain for any of our sites at the moment...

I'm assuming during migration it added those subdomains, I know I can fix it by either deleting those dns rules or by excluding it from AutoSSL but what I am really wanting is... if the dns rule doesn't exist on a dig lookup then AutoSSL shouldn't try and create a SSL cert / renew the certificate for those domains?

We never used to get these emails come through even when we would create a new account on our old cPanel server.

For reference AutoSSL's options are setup to only notify on failure only.

Any advice would be much appreciated.
 

cPanelLauren

Product Owner
Staff member
Nov 14, 2017
13,304
1,252
313
Houston
Most likely the culprit here is just a difference in the notification settings on the new server vs the old. The same actions were being taken but the new server is set to notify you of this. Either way if the domain exists in the userdata AutoSSL will attempt to perform a DCV check.

You can manage notifications sent to you and their priority at WHM>>Server Contacts>>Contact Manager -> Notifications.
 

RyanR

Active Member
Jul 22, 2020
25
3
3
London
cPanel Access Level
Root Administrator
Hi,

Which notification in Contact Manager --> Notifications does this one relate to? It doesn't really give any details on each notification for what type of emails it affects nor does the email tell me what notification it is...
 

cPanelLauren

Product Owner
Staff member
Nov 14, 2017
13,304
1,252
313
Houston
You've also not let me know which notification you're receiving, so I'd be happy to let you know which one to disable if you'd like to let me know the exact notification you're receiving, or you can click the documentation link (the ?) at the top of the interface which will take you to the documentation which has a rundown of literally every event that triggers a notification, including the template which is used for this. For convenience sake: Contact Manager | cPanel & WHM Documentation
 

RyanR

Active Member
Jul 22, 2020
25
3
3
London
cPanel Access Level
Root Administrator
Hi Lauren,

There is no identifier to tell me what type of email this is, other than what I've already explained about it's subject "Reduced SSL coverage" for domains that haven't been setup... ipv6, www, mail
 

cPanelLauren

Product Owner
Staff member
Nov 14, 2017
13,304
1,252
313
Houston
So looking at the Contact Manager:

AutoSSL has renewed a certificate, but the new certificate lacks at least one domain that the previous certificate secured.
AutoSSL renews a certificate but the new certificate lacks at least one domain that the previous certificate secured.
Note:
This setting also requires you to enable the Notify when AutoSSL has renewed a certificate and the new certificate lacks at least one domain that the previous certificate secured. setting in WHM’s Manage AutoSSL interface (WHM >> Home >> SSL/TLS >> Manage AutoSSL).​
AutoSSL/CertificateInstalledReducedCoverage.*.tmpl​

This is the one that handles reduced coverage, as is noted in the name.
 

RyanR

Active Member
Jul 22, 2020
25
3
3
London
cPanel Access Level
Root Administrator
So looking at the Contact Manager:

AutoSSL has renewed a certificate, but the new certificate lacks at least one domain that the previous certificate secured.
AutoSSL renews a certificate but the new certificate lacks at least one domain that the previous certificate secured.
Note:
This setting also requires you to enable the Notify when AutoSSL has renewed a certificate and the new certificate lacks at least one domain that the previous certificate secured. setting in WHM’s Manage AutoSSL interface (WHM >> Home >> SSL/TLS >> Manage AutoSSL).​
AutoSSL/CertificateInstalledReducedCoverage.*.tmpl​

This is the one that handles reduced coverage, as is noted in the name.

I'm still getting these emails about the mail subdomains & ipv6 subdomains. Any idea how to stop the mail ones without having to setup mail subdomains and without manually excluding domains.

Also, is there a way to find out a master list of excluded domains/subdomains in autossl?