Subdomain Issues with LetsEncrypt/CloudLinux when using 3rd party DNS providers.

RyanR (Well-Known Member, London, Jul 22, 2020; cPanel Access Level: Root Administrator)
Hi,

I've posted this on features.cpanel.net and it's currently in a moderation queue because cPanel thinks they should be split up, however they're all very closely related and ultimately all fall down to one of two issues.

1. Incorrect use of subdomains in multiple areas
2. Lack of support for 3rd party DNS providers.

Let's go over the issues one by one...


##################################################


Subdomain Subdomains...


If you create a subdomain, for some silly reason cPanel decides to automatically create a www. subdomain which ends up leaving you with domains like:
When in reality, how many sites have any of you run into that append www. to subdomains?


cPanel themselves don't even use www. subdomains on their subdomains so why does cPanel automatically add them for client subdomains?

Just look at the following two... they go nowhere because they aren't set up.
For reference, if you go and check out the top 25 websites (according to Alexa) and/or check out php.net, Cloudflare, CloudLinux, LiteSpeed, StackOverflow, Amazon Web Services, Google Cloud, DigitalOcean, WordPress... you won't find any of them prefixing any of their subdomains with an extra www.

Here are some example sites to show that they don't use www. on their subdomains.
What happens as a result of these unnecessary www prefixes on subdomains?

AutoSSL then automatically attempts to generate SSL certificates for these www. subdomains, and as a result of these unnecessary subdomains not being set up in external DNS providers like Cloudflare we get "AutoSSL reduced SSL coverage" emails sent to us.

It also affects 3rd party software like CloudLinux's "LVE Manager", specifically their feature called the "Web Monitoring Tool", where it incorrectly attempts to access these subdomains and of course they throw up errors because the subdomains don't actually exist.

Your current options are:
  • Create those subdomain records in external DNS providers
  • Manually go through every account/domain and remove the www. prefixes for subdomains, remembering to remove them every time you create a new subdomain
  • Manually go through every account/domain and disable AutoSSL for those www. prefixed subdomains, remembering to disable them every time you create a new subdomain
My proposal options to solve the issue (not all, just one/some):
  1. An option to disable www. subdomain generation for subdomains WHM side (just in case some clients of cPanel's want the www. subdomain added to subdomains)
  2. Removal of automatic www. subdomain generation for subdomains (There is a chance that some clients do use www. subdomains for their subdomains, so probably not a wise option)
  3. Add an option to disable AutoSSL notifications for failed generation of www. prefixed subdomains.
  4. Add an option to disable AutoSSL attempting to generate SSL certificates for www. prefixed subdomains.
  5. Add an option to disable AutoSSL notifications for DNS records that have no record (blank record, if no IP exists then move on..)
  6. Add an option so if AutoSSL attempts to generate a SSL certificate, only notify the user of a failed certificate IF it had succeeded to generate a SSL certificate previously
I personally would want #2 as it's not a standard on the internet but as mentioned some people may use it so any of the other options would be a safe option.


##################################################


Custom Document Root Placeholder Subdomains


If you add an alias domain and set up a custom document root, you are forced to create a subdomain as a placeholder so the cPanel system can track / assign a document root to the alias domain.

You can see what I am talking about here: https://i.imgur.com/lEPG8BP.png

There is zero reason this domain should exist, be used, let alone be secured by LetsEncrypt. Its sole purpose is to help track/assign/route for the custom document root.


As a result of this

AutoSSL attempts to generate SSL certificates for these placeholder subdomains, which just like the above are irrelevant and just for cPanel's system purposes. As such, because no domain has been set up in Cloudflare, we get "AutoSSL reduced SSL coverage" emails sent to us.

It also affects 3rd party software like CloudLinux's "LVE Manager", specifically their feature called the "Web Monitoring Tool", where it incorrectly attempts to access these subdomains and of course they throw up errors because the subdomains don't actually exist.


Your current options for this are:
  • Create those subdomain records in external DNS providers
  • Manually go through every account/domain and disable AutoSSL for those placeholder domains, remembering to do this every time you add an alias domain.
My proposal options to solve this issue (not all, just one/some):
  1. Change cPanel so that it marks these "document root placeholders" as such, so that AutoSSL, CloudLinux and any other software can easily ignore the subdomains from their routines.
  2. Add an option to disable AutoSSL from attempting to generate SSL certificates for these subdomains (This option would likely need to use option 1 as well)
  3. Add an option to disable AutoSSL notifications for failed generation of these placeholder subdomains.
  4. Create a better system of tracking the document roots for alias domains, removing the need for subdomains.
  5. Add an option to disable AutoSSL notifications for DNS records that have no record (blank record, if no IP exists then move on..)
  6. Add an option so if AutoSSL attempts to generate a SSL certificate, only notify the user of a failed certificate IF it had succeeded to generate a SSL certificate previously

I personally would suggest #4 is the best option, however the other options would solve the issue too.


##################################################


Mail Subdomain


If you create a new cPanel account it automatically creates a mail. subdomain, however in my opinion it should NOT create a mail. subdomain by default IF the mail routing is set up to "Remote Mail Exchanger", because most of the time when this is set they'll more than likely be using Office365, GSuite or other comparable offerings which very very rarely have a mail subdomain.


As a result of this

AutoSSL attempts to generate SSL certificates for these mail subdomains, even though they aren't needed and as such because the subdomain doesn't exist in Cloudflare we get "AutoSSL reduced SSL coverage" emails sent to us.


Your current options for this are:
  • Create a mail subdomain, even though it won't be used.
  • Manually go through every account/domain and delete the mail subdomains that aren't needed, remembering to do this with every subsequent domain/account
  • Manually go through every account/domain and exclude the domain from AutoSSL, remembering to do this with every subsequent domain/account

My proposal options to solve this issue:
  1. Change cPanel account creation so if "Remote Mail Exchanger" is set up on the account, the mail subdomains are not automatically created.
  2. Add an option to disable the automatic generation of mail subdomains by default for all accounts (Maybe even only if Remote is checked)
  3. Add an option to disable AutoSSL notifications for DNS records that have no record (blank record, if no IP exists then move on..)
  4. Add an option so if AutoSSL attempts to generate a SSL certificate, only notify the user of a failed certificate IF it had succeeded to generate a SSL certificate previously

##################################################


Cloudflare API - Integration


Ultimately all of the above, could be solved by cPanel having some pre-made integrations with major 3rd party DNS providers like Cloudflare, Route53, Azure DNS, Google Cloud DNS... etc.

Considering cPanel & Cloudflare are very very commonly used together and the lack of complexity required to use the Cloudflare API, this would be a good starting point for a DNS management system.

If cPanel sets up a templating system for integration scripts, you'd soon have lots of community built integrations for other DNS providers that could then be made official after some testing from other users.

It would also improve how you add subdomains, instead of having to add a subdomain both on Cloudflare & within cPanel you'd only have to do it in one place and then your DNS would be updated.

It would also let you use LetsEncrypt's DNS Validation because cPanel/AutoSSL would be able to add a DNS record straight to your Cloudflare account and then validate the entry with LE.

cPanel UI Side

Once you add your API key & email address to these integrations, you could then let the user see two columns of: "Remote Records" and "Local Records"

From this view the user should be either able to update the remote record to match the local record or vice versa.

Once all records are matching, all future DNS changes would update both the local records & remote records.


##################################################


I'd love to see everyone's thoughts, criticisms, or spot things I've overlooked because I'm sure there is something I've overlooked.

Thanks
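A reconciliation routine for the "Remote Records" vs "Local Records" view proposed above, written for this thread as an illustration (not cPanel's or Cloudflare's code). Instead of calling the Cloudflare API it works on two constructed record sets, separates out the cPanel-generated www.<subdomain> and mail. entries, and lists the host names that would produce the "AutoSSL reduced SSL coverage" emails the post describes.

```python
# Added example for this thread, not cPanel or Cloudflare code. Provider API
# calls are left out: LOCAL and REMOTE below are constructed record sets.
from dataclasses import dataclass

@dataclass(frozen=True)
class Record:
    name: str    # fully qualified host name, no trailing dot
    rtype: str   # "A", "AAAA", "CNAME", "MX", "TXT"
    value: str

ZONE = "example.com"
LOCAL = [  # what cPanel holds, including its auto-generated entries
    Record("example.com", "A", "203.0.113.10"),
    Record("www.example.com", "A", "203.0.113.10"),
    Record("blog.example.com", "A", "203.0.113.10"),
    Record("www.blog.example.com", "A", "203.0.113.10"),  # auto www. on a subdomain
    Record("mail.example.com", "A", "203.0.113.10"),      # auto mail. entry
    Record("example.com", "MX", "0 example.com"),
]
REMOTE = [  # what the external provider (e.g. Cloudflare) actually serves
    Record("example.com", "A", "203.0.113.10"),
    Record("www.example.com", "A", "203.0.113.10"),
    Record("blog.example.com", "A", "203.0.113.10"),
    Record("example.com", "MX", "10 aspmx.l.google.com"),
]

def is_cpanel_placeholder(name, zone, remote_mail=False):
    """True for entries cPanel creates on its own: www.<sub>.<zone>, and
    mail.<zone> when mail is routed to a remote exchanger."""
    if not name.endswith("." + zone):
        return False
    labels = name[: -len(zone) - 1].split(".")
    return (len(labels) >= 2 and labels[0] == "www") or (remote_mail and labels == ["mail"])

def coverage_gaps(local, remote):
    """Host names AutoSSL would try to validate that have no address record at
    the provider: the names behind 'AutoSSL reduced SSL coverage'."""
    host = {"A", "AAAA", "CNAME"}
    remote_hosts = {r.name for r in remote if r.rtype in host}
    return sorted({r.name for r in local if r.rtype in host} - remote_hosts)

def reconcile(local, remote, zone, remote_mail=False):
    """Return (push, pull, skipped): local records to copy to the provider,
    provider records to copy locally, and placeholders left alone. A record
    differing on both sides lands in both lists so the admin picks the direction."""
    key = lambda r: (r.name, r.rtype)
    lidx, ridx = {key(r): r for r in local}, {key(r): r for r in remote}
    push, pull, skipped = [], [], []
    for k, rec in lidx.items():
        if is_cpanel_placeholder(rec.name, zone, remote_mail):
            skipped.append(rec)
        elif k not in ridx or ridx[k].value != rec.value:
            push.append(rec)
    for k, rec in ridx.items():
        if k not in lidx or lidx[k].value != rec.value:
            pull.append(rec)
    return push, pull, skipped
```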

cPRex (Jurassic Moderator, Staff member, Oct 19, 2014; cPanel Access Level: Root Administrator)
Hey there! Thanks for the feedback on all this. We didn't approve the feature request because it really should be split up into multiple things. Even though they all may be related to one area (DNS, SSL, etc) there are still several different individual pieces of work covered here.

###############################################
Subdomain Subdomains...


I actually agree with this one completely - it's kind of weird, but you'd be surprised how many people use it. Of the options 1-6 that you propose, I think 1 is the most likely. 2 would be too restrictive, as you said. 3 could be a good feature request. 4 could also be a good feature request, but it's fairly niche and likely not something that would get much action at this time. 5 doesn't make sense to me - if the DNS record is blank, we wouldn't be able to make an AutoSSL request for it anyway since the DNS for each domain has to resolve. 6 already exists, and is the option under WHM >> Contact Manager "Notifications" tab called "AutoSSL has renewed a certificate, but the new certificate lacks at least one domain that the previous certificate secured."

###############################################
Custom Document Root Placeholder Subdomains


I think in this section we need to clarify our terms a bit. An Alias simply adds an entry in the Apache configuration to make two domains reference the same document root. In that case, no additional subdomains are needed.

The page you are using creates an addon domain, which is a unique domain on the server that happens to share a cPanel account. We can see this text here on your screenshot showing this:

"An addon domain requires a subdomain in order to use a separate document root."

There have definitely been discussions over the years of not requiring a "primary" or "main" domain on a cPanel account to avoid some of the additional layers of subdomains that have been created, but that would be a substantial overhaul of the core functions of the product. I like option 4 on here as well, but it's a major undertaking that would literally change every aspect of how cPanel functions, so it's not likely something that will be happening soon.

##################################################
Mail Subdomain


I get this one too, although this really is a per-user setting. So many customers just expect that having mail.domain.com points to *somewhere* out of the box, since they have been typing a similar domain for years into Outlook, or Mail, or Thunderbird.

We do two things with the mail entry - create the DNS record and the Apache entry so there is a place to put an SSL on it. If you didn't want this to happen, you could edit the zone templates that are used when a new domain/zone is created, from WHM >> Edit Zone Templates. If you remove the mail record from the zone template, it will not get added to the DNS zone, and then AutoSSL won't be able to utilize it. I think that would cover option 2 that you listed.

1 would be a good feature request to include in a place like Tweak Settings.
I don't understand #3 on this one either. Much like the above, if the record doesn't exist, AutoSSL isn't going to worry about it.


##################################################
Cloudflare API - Integration


To me, this sounds like it would be one feature request, as this would be an entirely new product.

RyanR (Well-Known Member)
> We didn't approve the feature request because it really should be split up into multiple things. Even though they all may be related to one area (DNS, SSL, etc) there are still several different individual pieces of work covered here.
I totally disagree because they're all ultimately because of two things:

1. How/Why cPanel is creating subdomains (#1, #2 and #3 are all cPanel created subdomain issues)
2. Because the user is using 3rd party DNS providers like Cloudflare/Route53... etc.


###############################################
Subdomain Subdomains...


> I actually agree with this one completely - it's kind of weird, but you'd be surprised how many people use it.
This is 2021, not 2000. Why is cPanel, a modern, "industry leading" web hosting platform, encouraging outdated practices... cPanel has the ability and influence to encourage modernization and simplification.

The "world wide web" is redundant because the internet has evolved beyond the origins of the www subdomain. All browsers by default use the http / https protocols and will accept connections from www or non-www.

What benefits do www subdomains add? None. They just make your URL even longer and add a few extra bytes to every transfer of data.

The best way to make such a change is to add an option to disable the www subdomain generation for subdomains and then after 12 months make it a default within all new installations & provide an option to existing installations offering them to disable it.

Google themselves have previously shown a disliking to www subdomains and recommended moving away from it. Hell, just look at the Chrome browser, if you visit a website that is www.website.com, the browser will only show website.com until you click in the URL bar.

Of course some of the proposals are too aggressive/restrictive, I purposely found as many options as I could think of to try and make sure I thought of

> 5 doesn't make sense to me - if the DNS record is blank, we wouldn't be able to make an AutoSSL request for it anyway since the DNS for each domain has to resolve.
They don't exist in external DNS providers (Cloudflare for example). It makes the request because cPanel has created the entry.


> 6 already exists, and is the option under WHM >> Contact Manager "Notifications" tab called "AutoSSL has renewed a certificate, but the new certificate lacks at least one domain that the previous certificate secured."
This shows as "Disabled" I assume because I am using LetsEncrypt and as such I get notifications.


###############################################
Custom Document Root Placeholder Subdomains


> I think in this section we need to clarify our terms a bit. An Alias simply adds an entry in the Apache configuration to make two domains reference the same document root. In that case, no additional subdomains are needed.
Yes, I meant Addon domain ^_^


> There have definitely been discussions over the years of not requiring a "primary" or "main" domain on a cPanel account to avoid some of the additional layers of subdomains that have been created, but that would be a substantial overhaul of the core functions of the product. I like option 4 on here as well, but it's a major undertaking that would literally change every aspect of how cPanel functions, so it's not likely something that will be happening soon.
Yes, I can understand that being a big undertaking. Some of the other options mentioned are significantly less work but achieve essentially the same thing.


##################################################
Mail Subdomain


> I get this one too, although this really is a per-user setting. So many customers just expect that having mail.domain.com points to *somewhere* out of the box, since they have been typing a similar domain for years into Outlook, or Mail, or Thunderbird.
Of course, but this is why I suggested ways to minimise the effect. Just like the previous, it comes down to cPanel adding DNS records when they aren't needed. Rather than blanket covering everyone provide options.

Not a single account in my WHM uses a mail subdomain. We only host sites that use a 3rd party for their emails like GSuite, Office365... etc.

> We do two things with the mail entry - create the DNS record and the Apache entry so there is a place to put an SSL on it. If you didn't want this to happen, you could edit the zone templates that are used when a new domain/zone is created, from WHM >> Edit Zone Templates. If you remove the mail record from the zone template, it will not get added to the DNS zone, and then AutoSSL won't be able to utilize it. I think that would cover option 2 that you listed.
Yes, zone templates do/would remove this entry from being added by default, but it should be more intuitive with how it decides to add/not add, and requiring the WHM admin to go in and edit that when not all customers will want it isn't the right way of doing it.


##################################################
Cloudflare API - Integration


> To me, this sounds like it would be one feature request, as this would be an entirely new product.
Maybe, the only reason this was even mentioned was because it solves ALL of the above issues to an extent (even though there are some outdated practices, some unnecessary DNS entries... etc)