SSL Notifications in cPanel 68

[zodiac9797]

Hello

As much as i like AutoSSL it's giving us a lot of problems. I don't think that cPanel/WHM should have a feature enabled by default if it effects end users.

First, AutoSSL was enabled by default and all the SSL's were issued for our cpanel accounts / users. Then we managed to disable AutoSSL for a new accounts and manually disabled all the AutoSSL's for selected users and left enabled only for the users that we choose.

But now AutoSSL's are expiring for the users that we disabled in the meantime and now they are receiving warning emails and that means a lot of unnecessary job for our support.

After reading this thread we tried that api script, but it's not working because the users that we don't want to receive warning emails are disabled under AutoSSL configuration. Even if we try to manually login to cPanel -> Contact Information and uncheck AutoSSL notifications it doesn't work. It stays always checked.

I can not believe that the only solution is to enable AutoSSL AGAIN for all of our users, then run API script and then manually disable AGAIN AutoSSL for the selected users. ????? That's a lot of work for our support team.

If we disable AutoSSL in the feature manager DISABLED list, why our users have an option to see AutoSSL notifications in cPanel -> Contact Information? Shouldn't this be connected? Also if we set DISABLED for an user under Manage AutoSSL, why cPanel -> Contact Information regarding AutoSSL still exists and it's enabled?

 

[cPanelMichael]

Hi @zodiac9797,

The issues you have described are solved in cPanel & WHM version 70. AutoSSL notifications are not sent when AutoSSL is disabled for the account, and AutoSSL contact preferences are not visible in cPanel if AutoSSL is disabled for the feature list assigned to the account.

Thank you.

 

[zodiac9797]

Thank you @cPanelMichael

Here is what we had to do to disable end user AutoSSL emails.
Maybe someone else will find it useful to save some time.

1. We had to turn on (enable) AutoSSL for all user accounts. When disabled you can't change AutoSSL emails in cPanel -> Contact information or by using shell script

2. Then we run shell script, which you can find in this post, here is some extra info:
notify_autossl_renewal=0
(AutoSSL has renewed a certificate.)

notify_autossl_renewal_coverage=0
(AutoSSL will not secure a new domain because a domain on the current certificate has failed DCV.)

notify_autossl_expiry_coverage=0
(AutoSSL defers certificate renewal because a domain on the current certificate has failed DCV.)

notify_autossl_expiry=0
(AutoSSL certificate expiry.)

notify_ssl_expiry=0
(SSL certificate expiry.)

3. After that we had to once again disable AutoSSL for all user accounts and the enable it for the user accounts we choose

As Michael told this will be sort out in v70, but we couldn't wait another 20-30 days since we were under huge pressure from our users, and even our resellers end users received AutoSSL warning emails, which p*** our resellers...

It would be easier if there were no 200 SSL's limit, then we could enable AutoSSL for all of our users, but we have big servers with thousands of users. Any chance of setting this limit higher or even removing it?

 

[cPanelMichael]

It would be easier if there were no 200 SSL's limit, then we could enable AutoSSL for all of our users, but we have big servers with thousands of users. Any chance of setting this limit higher or even removing it?

Hello @zodiac9797,

This type of request is better suited for our feature request website. I encourage you to open a feature request for this via the following URL:

Submit A Feature Request

Thank you.

 

[sparek-3]

It would be easier if there were no 200 SSL's limit, then we could enable AutoSSL for all of our users, but we have big servers with thousands of users. Any chance of setting this limit higher or even removing it?

I thought the 200 limit was per VirtualHost.

Or is my definition of VirtualHost and everyone else's definition of VirtualHost different?

Essentially you can attach up to 199 SANs to a certificate (plus the 1 common name = 200).

At least that's how I was understanding this.

Is there a limit to the number of certificates you can issue out per server (per IP, I guess?)

Say you have a server with 10,000 cPanel users. That's 10,000 VirtualHosts (at least). AutoSSL would be able to issue a certificate for all 10,000 of these (although, you'd probably run into a rate limit, X number issued per day).

But if one of those accounts had 201 domain aliases, only the first 199 (plus the 1 ServerName) would be attached as SANs to the certificate.

That's how I understood this.

 

[cPanelMichael]

Hi @sparek-3,

Yes, you are correct that the limit is per virtual host. I've rarely seen reports where the limit was met, but it is possible to reach the limit if an account makes use of several aliases (parked domains). This document is useful for understanding virtual hosts:

How Your Server Handles Domains and Virtual Hosts - cPanel Knowledge Base - cPanel Documentation

Additionally, there's an entire section on the rate limits at:

Manage AutoSSL - Version 70 Documentation - cPanel Documentation

Thank you.

 

[zodiac9797]

Thank you @sparek-3 and @cPanelMichael !

I was completely wrong regarding the 200 limit. Don't know why I "read" that we can have up to 200 certificates. Anyways this is much better, now we can enable AutoSSL for all of our users. And when I think that I was manually disabling certificates, what a dumba* :D

 

[feldon27]

As others have said, this is not information that end users need to see. Whether the cPanel account that a customer uses to manage their website is AutoSSL enabled or not is irrelevant to 99.9% of customers.

These e-mails are also an issue for hosting companies that sell SSL certificates who are now being put on the defensive to explain why customers should buy their certificates when free ones are provided.

Yes, these messages can be disabled. This is not the point. The point is, these messages should not have been enabled. It's forcing web hosts to answer thousands of support e-mails, defend their business practices, and make changes on servers to disable messages that serve no purpose. My suggestion is that cPanel should immediately run a script on ALL cPanel/WHM servers to disable the messages. Admins then have the option of opting in as desired.

cPanel/WHM's philosophy should be to "do no harm". In this regard, the AutoSSL deployment has failed to meet this standard.

 

[feldon27]

Hi @zodiac9797,

The issues you have described are solved in cPanel & WHM version 70. AutoSSL notifications are not sent when AutoSSL is disabled for the account, and AutoSSL contact preferences are not visible in cPanel if AutoSSL is disabled for the feature list assigned to the account.

Thank you.

I would go one step further and disable these notifications by default. My understanding is, there is nothing customers can do about AutoSSL certificates and only admins can resolve any issues. This is not front-facing information that customers need to have.

 

[The Emperor]

My clients attacked hosting support with questions about these letters. Please make the global option to disable such notifications.
So far I've disabled notifications via the API, the script is below, I think many will need it.

#!/bin/bash

/bin/ls -1 /var/cpanel/users | while read USER; do
  /bin/echo "Now processing ${USER} ..."
  /usr/bin/cpapi2 --user=${USER} CustInfo savecontactinfo notify_autossl_expiry_coverage=0 notify_autossl_renewal_coverage=0
done

I only signed up to the forum so I could give you my congrats!

Well, congratulations and many many thanks, you put an end to a long nightmare for the last 1 and a half year !

 

[cPanelMichael]

Hello,

As of cPanel & WHM version 70, it's possible to disable the notifications globally using Web Host Manager. Here's the pertinent section from the cPanel & WHM version 70 Release Notes:

Global options to disable AutoSSL notifications
In cPanel & WHM version 70, we added options to disable AutoSSL notifications for cPanel users. You can disable the following AutoSSL notifications in WHM's Manage AutoSSL interface (WHM >> Home >> SSL/TLS >> Manage AutoSSL):

Notes:

• If you deselect any of the following options, the system will also remove the corresponding option from cPanel's Contact Information interface (Home >> cPanel >> Preferences >> Contact Information).
• If you deselect any of the following options, the system sets the corresponding option to disabled in WHM's Contact Manager interface (Home >> WHM >> Server Contacts >> Contact Manager).
• The system will not send notifications to cPanel users for options that you disable.
• These options override the user's current settings.
• Notify when AutoSSL cannot request a certificate because all domains on the website have failed DCV. — AutoSSL cannot request a new certificate if all of the domains on a website fail domain control validation (DCV).
• Notify when AutoSSL defers certificate renewal because a domain on the current certificate has failed DCV. — AutoSSL will not attempt to renew a certificate if a currently-secured domain fails DCV. All currently-secured domains must pass DCV for AutoSSL to attempt to renew a certificate during normal circumstances. However, If the certificate will expire in three days or fewer, AutoSSL will drop coverage for the domains that fail and force a renewal.
• Notify when AutoSSL will not secure new domains because a domain on the current certificate has failed DCV . — AutoSSL will not attempt to secure new domains if a currently-secured domain fails DCV. All of the currently-secured domains and at least one of the unsecured domains must pass DCV for AutoSSL to attempt to issue a new certificate. However, If the certificate will expire in three days or fewer, AutoSSL will drop coverage for the domains that fail and force a reissue.

Note:

• If the certificate expires in three days or fewer, the system does not send this notification.
• Notify when AutoSSL has renewed a certificate successfully. — When AutoSSL renews a certificate, the system will send a notification.
• Notify when AutoSSL has renewed a certificate and the new certificate lacks one or more of the website’s domains. — AutoSSL renews a certificate even if the new certificate does not contain any of the domains from the previous certificate.
• Notify when AutoSSL has renewed a certificate and the new certificate lacks at least one domain that the previous certificate secured. — AutoSSL renews certificates even if the new certificate does not contain any domains from the previous certificate

Additionally, the set_autossl_metadata_key WHM API 1 function makes it possible to do this from the command line:

WHM API 1 Functions - set_autossl_metadata_key - Developer Documentation - cPanel Documentation

Here's an example of the command you would use to disable all notifications found under "WHM >> Manage AutoSSL >> Options":

whmapi1 set_autossl_metadata_key key=notify_autossl_expiry value=0 ; whmapi1 set_autossl_metadata_key key=notify_autossl_expiry_coverage value=0 ; whmapi1 set_autossl_metadata_key key=notify_autossl_renewal value=0 ; whmapi1 set_autossl_metadata_key key=notify_autossl_renewal_coverage value=0 ; whmapi1 set_autossl_metadata_key key=notify_autossl_renewal_coverage_reduced value=0 ; whmapi1 set_autossl_metadata_key key=notify_autossl_renewal_uncovered_domains value=0

Thank you.

 

[dynaweb]

I found this thread because today my STABLE install upgraded to 70.0.48 and send messages to all my clients. One client said he thought it may be indication of a virus and was reporting it to me as a heads-up.

I see there is now an option in Manage AutoSSL -> Options, but this appears to disable the messages completely?

As a server Admin, I would like to receive these notifications, but obviously not have them go to my clients.

I am sure the answer is here somewhere in this long thread, and I apologize if it is, but how do I set these to go only to me?

 

[Metro2]

As a server Admin, I would like to receive these notifications, but obviously not have them go to my clients.

Big +1

 

[cPanelMichael]

Hi @dynaweb,

The WHM >> Manage AutoSSL notification settings control whether a specific AutoSSL notification type is active on the system. For the enabled AutoSSL notification types, you can use WHM >> Contact Manager to control if the enabled notification types are sent to the administrator, and you can use cPanel >> Contact Information for each account to control whether the enabled notification types are sent to the individual cPanel users. Alternatively, you can use the command quoted in the following post to disable these notifications for all cPanel users on the system in lieu of manually accessing cPanel >> Contact Information for each account:

Post 2496419

Thank you.

 

[cPanelNick]

As a server Admin, I would like to receive these notifications, but obviously not have them go to my clients.

Attached is the UI for configuring the notifications in v74+. This should allow the configuration you are looking for.

v74+ supports Ancestor DCV (cPanel/Comodo provider only) and DNS DCV (cPanel/Comodo provider only) which reduces the number of cases where the site cannot pass DCV. This will also help reduce the number of notifications.

 

[DomineauX]

Attached is the UI for configuring the notifications in v74+. This should allow the configuration you are looking for.

This is much improved, and frankly the kind of options that should be included by default on new features that incorporate notifications that could be sent to users. Preferably with the default set to not send anything to users.

I love cPanel, product and company, but want the choice of what communication cPanel has with clients to be in my (company) hands.

 

[willke]

Attached is the UI for configuring the notifications in v74+. This should allow the configuration you are looking for.

v74+ supports Ancestor DCV (cPanel/Comodo provider only) and DNS DCV (cPanel/Comodo provider only) which reduces the number of cases where the site cannot pass DCV. This will also help reduce the number of notifications.

I am on v70.0.48 but I do not see these options - should I?

Will.

 

[cPanelLauren]

I am on v70.0.48 but I do not see these options - should I?

As indicated in the response those notifications will be introduced in v74 of cPanel. You won't have them just yet.


Thanks!

 

[anton_latvia]

We installed new server, moved few customers from other server and with notifications disabled in WHM - they still got these automatic emails about expired SSL certificates, so we had to run that very-old script..

 

[cPRex]

@anton_latvia - are you referring to this script?

whmapi1 set_autossl_metadata_key key=notify_autossl_expiry value=0 ; whmapi1 set_autossl_metadata_key key=notify_autossl_expiry_coverage value=0 ; whmapi1 set_autossl_metadata_key key=notify_autossl_renewal value=0 ; whmapi1 set_autossl_metadata_key key=notify_autossl_renewal_coverage value=0 ; whmapi1 set_autossl_metadata_key key=notify_autossl_renewal_coverage_reduced value=0 ; whmapi1 set_autossl_metadata_key key=notify_autossl_renewal_uncovered_domains value=0

or was it something else you needed to do? I haven't had any other reports of that issue recently so you're always welcome to open a ticket with our team to have us take a look.