SSL on Parked Domain?

Discussion in 'Security' started by wolverinejoe80, Jan 11, 2018.

  1. wolverinejoe80

    wolverinejoe80 Registered

    Hi guys,

    I have a main website with SSL (just purchased) - it works fine, I have a green lock icon. Everything is great.

    And I have a parked domain which is getting forwarded to my main website. But I get this message


    Main website is made with WordPress. htaccess file is rewritable.

    Is there any way for my parked domain to work properly?
     
    #1 wolverinejoe80, Jan 11, 2018
    Last edited by a moderator: Jan 11, 2018
  2. 24x7server

    24x7server Well-Known Member

    Hi,

    You cannot install SSL on a parked domain because it actually acts as an alias to the main domain, sharing the document root with it, so no separate SSL can be installed on it. However, if you wish to have SSL on it, remove the domain as parked and add it as an addon domain. You can later on put the website forwarding.
     
  3. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello,

    The previous post is correct. However, note that if your hosting provider is using the AutoSSL feature and it's enabled on your account, then certificates for aliases (parked domains) should be trusted by your web browser.

    Thank you.
     
  4. sparek-3

    sparek-3 Well-Known Member

    Does AutoSSL revoke and reissue a certificate when a parked domain is added?

    Say, for example, you create a brand new hosting account - example1.tld. Now, I'm not sure how AutoSSL goes about automatically generating a secure certificate for this domain name. It obviously has to wait until example1.tld is resolving back to the server. So there has to be a delay between the account being set up and the certificate being issued.

    But say 10 days pass, example1.tld has received a secure certificate via AutoSSL (for example1.tld, www.example1.tld, and mail.example1.tld).

    Now say another 5 days pass, and the owner of this account decides to park (or create an alias, I think that's the term we are using now) example2.tld on top of example1.tld. Now http://example1.tld and http://example2.tld are showing the same website, but https only works for example1.tld. Does AutoSSL regenerate the full certificate to include example1.tld, www.example1.tld, mail.example1.tld, example2.tld, www.example2.tld, and mail.example2.tld? Or how does example2.tld even get a certificate?

    You can't install just a new certificate for example2.tld, www.example2.tld, and mail.example2.tld because it is sharing a VirtualHost (ServerAlias) with example1.tld. A VirtualHost can only have one SSLCertificateFile directive per VirtualHost.

    Seems the only possible solutions would be to either revoke example1.tld's certificate and reissue a new certificate for example1.tld, www.example1.tld, mail.example1.tld, example2.tld, www.example2.tld, and mail.example2.tld. Or treat domain aliases like addon domains with their own VirtualHosts - although I'm not sure what other ramifications this might have.

    Either way, I can see where this can be problematic if a user adds several domain aliases spaced out in specific time intervals.

    So I'm curious as to how AutoSSL handles this. Or if it does.
     
  5. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello,

    The AutoSSL feature will automatically detect the new alias during the next scheduled AutoSSL check. It then attempts to renew the existing certificate for the parent domain name associated with the alias so that it includes the new alias and its corresponding subdomains (e.g. mail.newalias.tld). If for some reason AutoSSL is unable to renew the certificate because the aliased domain name (or an existing domain name) fails the validation process, then the existing certificate remains installed and one of the following notifications is sent (if enabled):

    Notify when AutoSSL cannot request a certificate because all domains on the website have failed DCV.
    Notify when AutoSSL defers certificate renewal because a domain on the current certificate has failed DCV. The system will only send this notification in the latter half of a certificate’s renewal period.
    Notify when AutoSSL will not secure new domains because a domain on the current certificate has failed DCV.
    Notify when AutoSSL has renewed a certificate successfully.
    Notify when AutoSSL has renewed a certificate and the new certificate lacks one or more of the website’s domains.
    Notify when AutoSSL has renewed a certificate and the new certificate lacks at least one domain that the previous certificate secured.

    Thank you.
     
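Added example, not part of any post in this thread: because an alias shares the parent domain's VirtualHost and its single certificate, the browser only trusts the alias once its names appear in that certificate's subjectAltName list. The sketch below checks which VirtualHost names a certificate does not cover; the certificate dicts are constructed samples shaped like the return value of Python's `ssl.SSLSocket.getpeercert()`, and the function and constant names are assumptions made for illustration.

```python
# Added example: constructed data, not output from a real cPanel server.

def san_dns_names(peercert):
    """Return DNS names from a dict shaped like ssl.SSLSocket.getpeercert()."""
    return [value.lower()
            for kind, value in peercert.get("subjectAltName", ())
            if kind == "DNS"]

def name_matches(pattern, host):
    """Hostname match where '*' may only stand for the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False          # a wildcard never spans more than one label
    if p[0] == "*":
        # refuse over-broad wildcards such as "*.tld"
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def uncovered_names(vhost_names, peercert):
    """Names served by the VirtualHost that the certificate does not cover."""
    sans = san_dns_names(peercert)
    return [n for n in vhost_names
            if not any(name_matches(s, n) for s in sans)]

# ServerName plus ServerAlias entries after example2.tld is added as an alias
VHOST_NAMES = ["example1.tld", "www.example1.tld", "mail.example1.tld",
               "example2.tld", "www.example2.tld", "mail.example2.tld"]

# Constructed: certificate issued before the alias existed
CERT_BEFORE = {"subjectAltName": (("DNS", "example1.tld"),
                                  ("DNS", "www.example1.tld"),
                                  ("DNS", "mail.example1.tld"))}

# Constructed: certificate after a renewal that includes the alias names
CERT_AFTER = {"subjectAltName": CERT_BEFORE["subjectAltName"] + (
    ("DNS", "example2.tld"),
    ("DNS", "www.example2.tld"),
    ("DNS", "mail.example2.tld"))}

if __name__ == "__main__":
    print("before renewal:", uncovered_names(VHOST_NAMES, CERT_BEFORE))
    print("after renewal: ", uncovered_names(VHOST_NAMES, CERT_AFTER))
```
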
  6. sparek-3

    sparek-3 Well-Known Member

    But aren't there rate limiting limitations in effect that prevent a certificate from being reissued too soon from its last issuance?

    At least I think there is with Let's Encrypt.

    If a certificate for example1.tld is issued then you have to wait so many days before a certificate for example1.tld can be reissued (I think... there's a lot of rate limiting numbers and it's hard to wrap my head around all of them).

    This just seems like a lot of extra CA signing requests potentially floating around out there. I'm not really a fan of all of this. Something like DANE would seem to accomplish all of this better - although it depends on browsers adopting this functionality, not something cPanel really has control of.
     
  7. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello,

    This is answered in part on our SSL FAQ document:

    That said, we generally recommend using Comodo over Let's Encrypt due to the significant difference in the rate limits imposed by Let's Encrypt, especially on systems that utilize accounts that are likely to have a large number of subdomains or aliases. Here's some more information about the Let's Encrypt limits:

    Thank you.
     
  8. sparek-3

    sparek-3 Well-Known Member

    Well, you have to play the cards that you are dealt, so in that respect I can understand cPanel pushing this AutoSSL and these free DCV CA signed certificates.

    But just my opinion, I'm not a huge fan of this free DCV CA signed certificate system. I think the industry (not necessarily cPanel, but the hosting industry as a whole, Google, and all of the other major players pushing for web "security") should have looked at other alternatives instead of pushing all of this DCV CA signed stuff on everybody.

    A system like DANE - although it doesn't necessarily have to be DANE and I'm not suggesting that DANE is foolproof - would seem to have some considerable advantages over the CA signed DCV certificates system. Mainly being that you don't have to depend on a third party CA signing a certificate, and therefore would not have any ratelimiting to have to adhere to.

    But it seems like the industry never considered any alternatives and just went straight to "let's do free DCV CA signed certificates" without any thought being put into how they are going to handle the massive onslaught of certificate requests, reissuings, and DCV delays. All while blacklisting all self-signed certificates.

    Again, I'm preaching more towards the industry and not necessarily towards cPanel. This isn't an issue that cPanel has direct control of. I've just always been curious as to why nobody sees any real issues with the whole "free DCV CA signed certificates for everyone" scheme. Perhaps it's just my eternal pessimism.
     