4u123

Well-Known Member
PartnerNOC
Jan 2, 2006
939
22
168
So I look on any server and click the Manage SSL Hosts option. I see tons of "self signed" certificates that the customers did not install. What are they doing there? Plus I see lots of expired AutoSSL certs. What's up with that?

This is a total mess. I'm not sure what you guys have been doing in these recent releases but you're causing us a lot of work to clean up this mess.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,904
2,218
463
Hello @4u123,

Self-signed certificates are automatically installed if a signed certificate (either manually installed or through AutoSSL) is not available as of cPanel version 62. Here's the relevant section from the cPanel 62 Release Notes:

Automatically install best available certificate for new addon domain, parked domain, or subdomain
When you create an addon domain, parked domain, or subdomain, the system will attempt to automatically secure that domain with an existing certificate. If no certificate exists within the domain’s virtual host, but another certificate matches the domain, the system will secure the domain with that certificate.

If no certificate matches the domain, the system will install a self-signed certificate for the domain.

All websites receive an SSL certificate
Any website created in cPanel & WHM now receives an SSL certificate. A self-signed certificate is added if no other SSL certificates are available.
cPanel version 66 includes an option to disable self-signed certificates. You can read about this on the following post:

Problem with automatically generated self-signed SSL certificates

Plus I see lots of expired AutoSSL certs. What's up with that?
Can you browse to the "Logs" tab in "WHM >> Manage AutoSSL" and let us know what you see in the log files for the accounts with expired AutoSSL certificates?

Thank you.
 

4u123

Well-Known Member
PartnerNOC
Jan 2, 2006
939
22
168
Hello @4u123,

Self-signed certificates are automatically installed if a signed certificate (either manually installed or through AutoSSL) is not available as of cPanel version 62.
A typically stupid idea.

What happens if you enable AutoSSL on a user that has already had self-signed certs automatically installed? Will the AutoSSL cert override the self-signed cert? Or will that need deleting manually first?
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,904
2,218
463
What happens if you enable AutoSSL on a user that has already had self-signed certs automatically installed? Will the AutoSSL cert override the self-signed cert? Or will that need deleting manually first?
AutoSSL will automatically attempt to replace self-signed certificates when it's enabled on an account. EX:

Code:
4:32:02 AM Checking websites for “cpusername” …
4:32:02 AM The website “domain.tld”, owned by “cpusername”, has a faulty SSL certificate (OPENSSL_VERIFY:0:18:DEPTH_ZERO_SELF_SIGNED_CERT NOT_ALL_DOMAINS). AutoSSL will attempt to replace this certificate.
Thank you.