SSL on Parked Domain?

Hi,

You cannot install SSL on Parked domain because that actually acts as an alias to the main domain where it shares the document root together, so no separate SSL can be installed on it.. However, if you wish to have SSL on it, remove the domain as parked and add it as an addon domain.. You can later on put the website forwarding..

 

Does AutoSSL revoke and reissue a certificate when a parked domain is added.

Say, for example, you create a brand new hosting account - example1.tld. Now, I'm not sure how AutoSSL goes about automatically generating a secure certificate for this domain name. It obviously has to wait until example1.tld is resolving back to the server. So there has to be a delay between the account being set up and the certificate being issued.

But say 10 days pass, example1.tld has received a secure certificate via AutoSSL (for example1.tld, www.example1.tld, and mai.example1.tld).

Now say another 5 days pass, and the owner of this account decides to park (or create an alias, I think that's the term we are using now) example2.tld on top of example1.tld. Now http://example1.tld and http://example2.tld are showing the same website, but https only works for example1.tld. Does AutoSSL regenerate the full certificate to include example1.tld, www.example1.tld, mail.example1.tld, example2.tld, www.example2.tld, and mail.example2.tld? Or how does example2.tld even get a certificate?

You can't install just a new certificate for example2.tld, www.example2.tld, and mail.example2.tld because it is sharing a VirtualHost (ServerAlias) with example1.tld. A VirtualHost can only have one SSLCertificateFile directive per VirtualHost.

Seems the only possible solutions would be to either revoke example1.tld's certificate and reissue a new certificate for example1.tld, www.example1.tld, mail.example1.tld, example2.tld, www.example2.tld, and mail.example2.tld. Or treat domain alias's like addon domains with their own VirtualHosts - although I'm not sure what other ramifications this might have.

Either way, I can see where this can be problematic if a user adds several domain aliases spaced out in specific time intervals.

So I'm curious as to how AutoSSL handles this. Or if it does.

 

But aren't there rate limiting limitations in effect that prevent a certificate from being reissued too soon from it's last issuance?

At least I think there is with Let's Encrypt.

If a certificate for example1.tld is issued then you have to wait so many days before a certificate for example1.tld can be reissued (I think... there's a lot of rate limiting numbers and it's hard to wrap my head around all of them).

This just seems like a lot of extra CA signing requests potentially floating around out there. I'm not really a fan of all of this. Something like DANE, would seem to accomplish all of this better - although it depends on browsers adopting this functionality, not something cPanel really has control of.

 

Well, you have to play the cards that you are dealt, so in that respect I can understand cPanel pushing this AutoSSL and these free DCV CA signed certificates.

But just my opinion, I'm not a huge fan of this free DCV CA signed certificate system. I think the industry (not necessarily cPanel, but the hosting industry as a whole, Google, and all of the other major players pushing for web "security") should have looked at other alternatives instead of pushing all of this DCV CA signed stuff on everybody.

A system like DANE - although it doesn't necessarily have to be DANE and I'm not suggesting that DANE is foolproof - would seem to have some considerable advantages over the CA signed DCV certificates system. Mainly being that you don't have to depend on a third party CA signing a certificate, and therefore would not have any ratelimiting to have to adhere to.

But it seems like the industry never considered any alternatives and just went straight to "let's do free DCV CA signed certificates" without any thought being put into how they are going to handle to massive onslaught of certificate requests, reissuings, and DCV delays. All while blacklisting all self-signed certificates.

Again, I'm preaching more towards the industry and not necessarily towards cPanel. This isn't an issue that cPanel has direct control of. I've just always been curious as to why nobody sees any real issues with the whole "free DCV CA signed certificates for everyone" scheme. Perhaps it's just my eternal pessimism.