wolverinejoe80

Registered
Jan 11, 2018
seattle
cPanel Access Level
Website Owner
hi guys,

I have a main website with SSL (just purchased). It works fine; I have a green lock icon. Everything is great.

And I have a parked domain which is forwarded to my main website, but I get this message:

Secure Connection Failed

The connection to example.com was interrupted while the page was loading.

The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
Please contact the website owners to inform them of this problem.

Learn more…

Report errors like this to help Mozilla identify and block malicious sites

The main website is made with WordPress. The .htaccess file is rewritable.

Is there any way for my parked domain to work properly?
 

24x7server

Well-Known Member
Apr 17, 2013
India
cPanel Access Level
Root Administrator
Hi,

You cannot install SSL on a parked domain because it actually acts as an alias of the main domain, with which it shares the document root, so no separate SSL certificate can be installed on it. However, if you wish to have SSL on it, remove the domain as parked and add it as an addon domain. You can later put the website forwarding in place.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
Hello,

The previous post is correct. However, note that if your hosting provider is using the AutoSSL feature and it's enabled on your account, then certificates for aliases (parked domains) should be trusted by your web browser.

Thank you.
 

sparek-3

Well-Known Member
Aug 10, 2002
cPanel Access Level
Root Administrator
Does AutoSSL revoke and reissue a certificate when a parked domain is added?

Say, for example, you create a brand new hosting account - example1.tld. Now, I'm not sure how AutoSSL goes about automatically generating a secure certificate for this domain name. It obviously has to wait until example1.tld is resolving back to the server. So there has to be a delay between the account being set up and the certificate being issued.

But say 10 days pass, and example1.tld has received a secure certificate via AutoSSL (for example1.tld, www.example1.tld, and mail.example1.tld).

Now say another 5 days pass, and the owner of this account decides to park (or create an alias, I think that's the term we are using now) example2.tld on top of example1.tld. Now http://example1.tld and http://example2.tld are showing the same website, but https only works for example1.tld. Does AutoSSL regenerate the full certificate to include example1.tld, www.example1.tld, mail.example1.tld, example2.tld, www.example2.tld, and mail.example2.tld? Or how does example2.tld even get a certificate?

You can't install just a new certificate for example2.tld, www.example2.tld, and mail.example2.tld because it is sharing a VirtualHost (ServerAlias) with example1.tld. A VirtualHost can only have one SSLCertificateFile directive per VirtualHost.

It seems the only possible solutions would be to either revoke example1.tld's certificate and reissue a new certificate for example1.tld, www.example1.tld, mail.example1.tld, example2.tld, www.example2.tld, and mail.example2.tld, or treat domain aliases like addon domains with their own VirtualHosts - although I'm not sure what other ramifications this might have.

Either way, I can see where this can be problematic if a user adds several domain aliases spaced out in specific time intervals.

So I'm curious as to how AutoSSL handles this. Or if it does.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
Now say another 5 days pass, and the owner of this account decides to park (or create an alias, I think that's the term we are using now) example2.tld on top of example1.tld. Now http://example1.tld and http://example2.tld are showing the same website, but https only works for example1.tld. Does AutoSSL regenerate the full certificate to include example1.tld, www.example1.tld, mail.example1.tld, example2.tld, www.example2.tld, and mail.example2.tld? Or how does example2.tld even get a certificate?
Hello,

The AutoSSL feature will automatically detect the new alias during the next scheduled AutoSSL check. It then attempts to renew the existing certificate for the parent domain name associated with the alias so that it includes the new alias and its corresponding subdomains (e.g. mail.newalias.tld). If for some reason AutoSSL is unable to renew the certificate because the aliased domain name (or an existing domain name) fails the validation process, then the existing certificate remains installed and one of the following notifications is sent (if enabled):

Notify when AutoSSL cannot request a certificate because all domains on the website have failed DCV.
Notify when AutoSSL defers certificate renewal because a domain on the current certificate has failed DCV. The system will only send this notification in the latter half of a certificate’s renewal period.
Notify when AutoSSL will not secure new domains because a domain on the current certificate has failed DCV.
Notify when AutoSSL has renewed a certificate successfully.
Notify when AutoSSL has renewed a certificate and the new certificate lacks one or more of the website’s domains.
Notify when AutoSSL has renewed a certificate and the new certificate lacks at least one domain that the previous certificate secured.

Thank you.
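As an added illustration of the coverage check described in the reply above (example code, not cPanel's own AutoSSL implementation): given a getpeercert()-style dict for the certificate currently installed on a virtual host, plus the host's main domain and its aliases, it lists the names the certificate does not secure, which is the condition under which AutoSSL has to reissue. The certificate dict, the www/mail service labels and the example1.tld/example2.tld names are constructed for the demo.

```python
# Added example (not cPanel's code): decide whether a vhost's installed
# certificate still covers every name the vhost serves. A non-empty result
# is the condition under which AutoSSL must reissue the certificate.

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns:
# the certificate issued for example1.tld before example2.tld was parked.
CURRENT_CERT = {
    "subject": ((("commonName", "example1.tld"),),),
    "subjectAltName": (
        ("DNS", "example1.tld"),
        ("DNS", "www.example1.tld"),
        ("DNS", "mail.example1.tld"),
    ),
}

# Assumed: the service subdomains cPanel adds for every domain on a vhost.
SERVICE_LABELS = ("www", "mail")


def vhost_domains(main_domain, aliases=()):
    """Every name a certificate for this vhost must carry."""
    names = []
    for domain in (main_domain, *aliases):
        names.append(domain)
        names.extend(f"{label}.{domain}" for label in SERVICE_LABELS)
    return names


def san_names(cert):
    """DNS names from the SAN extension (browsers ignore a bare CN)."""
    return {value.lower() for kind, value in cert.get("subjectAltName", ())
            if kind == "DNS"}


def name_matches(host, pattern):
    """RFC 6125 style: exact match, or a wildcard covering one left-most label."""
    host, pattern = host.lower(), pattern.lower()
    if not pattern.startswith("*."):
        return host == pattern
    suffix = pattern[1:]                       # "*.example1.tld" -> ".example1.tld"
    prefix = host[: -len(suffix)] if host.endswith(suffix) else ""
    return bool(prefix) and "." not in prefix  # exactly one extra label


def uncovered_domains(cert, main_domain, aliases=()):
    """Names the vhost serves that the installed certificate does not secure."""
    sans = san_names(cert)
    return [host for host in vhost_domains(main_domain, aliases)
            if not any(name_matches(host, san) for san in sans)]
```

Calling uncovered_domains(CURRENT_CERT, "example1.tld", ["example2.tld"]) returns the three example2.tld names, exactly the set the renewed certificate has to add.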
 

sparek-3

Well-Known Member
Aug 10, 2002
cPanel Access Level
Root Administrator
But aren't there rate limiting limitations in effect that prevent a certificate from being reissued too soon after its last issuance?

At least I think there is with Let's Encrypt.

If a certificate for example1.tld is issued then you have to wait so many days before a certificate for example1.tld can be reissued (I think... there's a lot of rate limiting numbers and it's hard to wrap my head around all of them).

This just seems like a lot of extra CA signing requests potentially floating around out there. I'm not really a fan of all of this. Something like DANE would seem to accomplish all of this better - although it depends on browsers adopting this functionality, not something cPanel really has control of.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
But aren't there rate limiting limitations in effect that prevent a certificate from being reissued too soon after its last issuance?

At least I think there is with Let's Encrypt.
Hello,

This is answered in-part on our SSL FAQ document:

Let's Encrypt only issues a certificate five times per week to a specific set of domains before it blocks any further certificates for that set of domains. To work around this rate limitation, create an alias to a domain in the virtual host list (website) so that Let's Encrypt interprets the virtual host as a new set of domains.
That said, we generally recommend using Comodo over Let's Encrypt due to the significant difference in the rate limits imposed by Let's Encrypt, especially on systems that utilize accounts that are likely to have a large number of subdomains or aliases. Here's some more information about the Let's Encrypt limits:

What rate limits does Let's Encrypt impose?
cPanel & WHM ships with the cPanel (powered by Comodo) provider. To install the Let's Encrypt™ AutoSSL provider plugin, read our The Let's Encrypt Plugin documentation.
Warnings:
  • Certificates that Let's Encrypt provides through AutoSSL can secure a maximum of 100 subdomains per domain (Apache® virtual host).
  • Let's Encrypt issues one certificate per domain, and issues a maximum of 20 certificates per week. Each certificate can secure up to 100 subdomains of the domain on the certificate.
  • Let's Encrypt continues to issue up to 20 certificates per week, if you request more than 20 domain certificates.
  • Let's Encrypt uses the domain's alias (parked domain), not the main domain, as the common name for AutoSSL. To use the main domain as the common name for AutoSSL, you must use cPanel or another AutoSSL provider. For more information, consult the Let's Encrypt Community Support page.
Thank you.
 

sparek-3

Well-Known Member
Aug 10, 2002
cPanel Access Level
Root Administrator
Well, you have to play the cards that you are dealt, so in that respect I can understand cPanel pushing this AutoSSL and these free DCV CA signed certificates.

But just my opinion, I'm not a huge fan of this free DCV CA signed certificate system. I think the industry (not necessarily cPanel, but the hosting industry as a whole, Google, and all of the other major players pushing for web "security") should have looked at other alternatives instead of pushing all of this DCV CA signed stuff on everybody.

A system like DANE - although it doesn't necessarily have to be DANE, and I'm not suggesting that DANE is foolproof - would seem to have some considerable advantages over the CA-signed DCV certificate system, mainly that you don't have to depend on a third-party CA signing a certificate, and therefore would not have any rate limiting to adhere to.

But it seems like the industry never considered any alternatives and just went straight to "let's do free DCV CA signed certificates" without any thought being put into how they are going to handle the massive onslaught of certificate requests, reissues, and DCV delays. All while blacklisting all self-signed certificates.

Again, I'm preaching more towards the industry and not necessarily towards cPanel. This isn't an issue that cPanel has direct control of. I've just always been curious as to why nobody sees any real issues with the whole "free DCV CA signed certificates for everyone" scheme. Perhaps it's just my eternal pessimism.