Secure 3,500 domains per SSL certificate

Operating System & Version: CentOS 7
cPanel & WHM Version: 94.0.10

perplex

Hello

I've had a problem for several years now and simply can't seem to find a solution.

I have multiple client cPanel accounts with up to 3,500 domains each. The issue is that I need to have an SSL certificate for every domain (3,500) in each cPanel account. Using cPanel AutoSSL the max limit appears to only be 200 domains! I would be super-happy if anyone can provide me with a solution or workaround to my dilemma.

Thanks
 

cPRex

Staff member
Hey there! There aren't going to be any tools that will handle that situation. Can I ask why there are so many domains per cPanel account? I'm not sure that is really an intended use of the software if those are all addon domains.
 

perplex

Hey cPRex

I think we've spoken before :)

Yes, so I have been using cPanel to host whole domain portfolios (Parked Domains), these are both for sale, some have developed websites others have mini-sites on them. Splitting the domains up to host 200 /per cPanel would potentially create hundreds of cPanels to manage! So it's simply not possible, I am hopeful that someone can point me to a solution, there must be one?
 


sparek-3

Are these domain aliases or addon domains?

Been saying it for quite a while (ever since the SSL for everyone craze started), cPanel needs to move away from domain aliases and towards addon domains with shared DocumentRoots.

Domain Aliases (parked domains) just add the domain to the ServerAlias directive in the web server configuration. If you have 10 domain aliases, then a single VirtualHost in the web server configuration is responsible for 11 domains (the main domain + the 10 domain aliases), so a certificate has to be generated for all 11 domain names. (And regenerated every time one of those domains is added or deleted from the domain alias list)

Addon domains create their own VirtualHost containers. So if you have 10 addon domains, then you have 11 VirtualHost containers - the main domain + the 10 addon domains. Each VirtualHost can have its own certificate. So you'd actually have 11 certificates generated. When one is deleted... so what? The certificate doesn't get automatically renewed when its renewal comes up. Want to add an 11th addon domain? Just generate a new certificate for that 11th domain name.

Now... having said all of that... I actually have no idea how cPanel's AutoSSL works in regards to this. I could foresee the issue with domain aliases and certificate (re)generation, so I implemented my own solution. My "AutoSSL" doesn't depend on anything that cPanel does with automatic SSL generation. So I may be speaking out of turn here.

Additionally, I would agree that 3500 domains on a single cPanel account is probably an extreme edge case and doesn't reflect the intent of cPanel. When you get into edge cases like this... you really can't expect the software to work the same as it does for everyone else that uses it within the realm of intention. There's likely always going to be extreme cases where a user wants a piece of software to do something it's not specifically designed for, but the issue is that the user is "one" user. The other 99,999 users use the software within the bounds of intention. I would not expect a developer to bend over backwards to appease that one user if there's no justification for the other users.
 

SS-Maddy

@perplex Not sure whether you have already tried this out. But you may try the option of FleetSSL which is a third party plugin which uses Let's Encrypt for issuing the certificate. I don't see any Let's Encrypt enforced rate limiting will affect your requirement. You may need to try out the 'Issue' option of


Do check with your trial version or contact their pre-sales before you purchase.
 

perplex

In answer to your question, my domains are parked as Aliases. I've done a bit more research and the best I can achieve using WHM and cPanel by tweaking settings is SSL for 1,000 domains only; however, due to this limit it would really be more like 500 domains as I would want both www.example.com and example.com secured.

I have 3,500 domains /per cPanel account x10 so this would leave me 3,000 /per account without SSL certificates. Reparking the domains in 500 batches is simply not an option as this would be extremely time-consuming and I would end up with 70 cPanel accounts to manage..OMG!

What I need in cPanel is for AutoSSL to batch domains into groups of 500, then issue SSL for www.example.com and example.com. This way a new SSL certificate would be generated for every 500 domains. If there's definitely not an existing solution out there, and I have looked high and low already, then do you think it's possible for a developer to create a cPanel compatible plugin to achieve this for me?
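
The batching asked for above, combined with the reissue-on-every-change problem sparek-3 describes for aliases, as an added sketch that is not part of the thread and is not cPanel, AutoSSL or FleetSSL code: a planner that keeps every domain in the batch it already belongs to, so adding or removing an alias marks only one certificate for reissue. `plan_batches`, `san_list` and the `.example` domains are hypothetical; the 1,000-name cap is the figure quoted in the post, and the actual issuance is left to whatever ACME client is in use.

```python
from typing import List, Set, Tuple

def norm(domain: str) -> str:
    """Lower-case and strip whitespace and a trailing dot."""
    return domain.strip().lower().rstrip(".")

def san_list(batch: List[str]) -> List[str]:
    """Names to request for one certificate: apex plus www for each domain."""
    return [n for d in batch for n in (d, "www." + d)]

def plan_batches(existing: List[List[str]], wanted: List[str],
                 max_names: int = 1000) -> Tuple[List[List[str]], Set[int]]:
    """Return (batches, indexes of batches whose certificate must be reissued).

    existing: batches from the previous run (one certificate each); [] at first.
    wanted:   every alias domain that should be covered now.
    max_names: per-certificate name cap (assumption: set it to the CA/panel limit).
    """
    per_batch = max_names // 2            # each domain costs two names
    want = {norm(d) for d in wanted if d.strip()}
    batches, dirty, placed = [], set(), set()

    # 1. Survivors stay where they are; a removal dirties only its own batch.
    #    An emptied batch stays in place (index stable) and means "drop that cert".
    for i, batch in enumerate(existing):
        kept = [d for d in batch if d in want and d not in placed]
        placed.update(kept)
        if len(kept) != len(batch):
            dirty.add(i)
        batches.append(kept)

    # 2. New domains go to the first batch with room, else open a new batch.
    for d in sorted(want - placed):
        for i, batch in enumerate(batches):
            if len(batch) < per_batch:
                break
        else:
            batches.append([])
            i = len(batches) - 1
        batches[i].append(d)
        dirty.add(i)
    return batches, dirty

if __name__ == "__main__":
    # Constructed sample portfolio, not real domains.
    portfolio = [f"d{i:04d}.example" for i in range(3500)]
    plan, todo = plan_batches([], portfolio)
    print(len(plan), "certificates;", len(san_list(plan[0])), "names in the first")
```

Persist the returned batches between runs (for example as JSON) and pass them back as `existing`; only the indexes in the returned set need a new certificate.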
 

perplex

@cPRex Hey there, No the domains are actually parked as Aliases. I run a small web hosting business and I manage parked portfolios of domains for clients so that they may generate revenue from parking and also offer their domains for sale. Without SSL on their domains they're missing out on a lot of potential visitors to their sites. Hmmm I'm totally stumped at this point, there must be an answer out there somewhere! :)