AutoSSL fails for addon domains when valid wildcard cert is installed

Comments

5 comments

  • cPanelMichael
    Hello @MaxFein, this topic was brought up in a support ticket. Here's a summary of the response sent by one of our Technical Analysts:

    After reviewing the issue, it seems to be working as intended per the changes documented in the change logs. We definitely intend to scan the account's SSL datastore to find ANY available certificate which would match the new domain under the account.

    2017-05-02 v62
    Fixed case CPANEL-11278: Only install best available ssl when setting up a new vhost.
    Fixed case CPANEL-12327: Ensure best available ssl is installed for new vhosts.

    Automatically install best available certificate for new addon domain, parked domain, or subdomain: When you create an addon domain, parked domain, or subdomain, the system will attempt to automatically secure that domain with an existing certificate. If no certificate exists within the domain's virtual host, but another certificate matches the domain, the system will secure the domain with that certificate. If no certificate matches the domain, the system will install a self-signed certificate for the domain.

    Disabling "Generate a self signed SSL certificate if a CA signed certificate is not available when setting up new domains." in Tweak Settings should resolve this issue. cPanel mainly implemented this change for two reasons:
    -- AutoSSL can issue an SSL automatically if enabled for accounts.
    -- Now that Apache SNI is available on most servers, this change resolves an issue regarding sites not having an SSL installed on their vhost causing them to display a different site.

    Warning: If you disable this option, and a CA signed certificate is not available, when a user attempts to visit the newly created domain over https, the user will see the first SSL certificate installed on that IP address.
    Warning: If you enable this option and do not have a CA signed certificate or AutoSSL enabled, Google search results may point to the SSL version of the site with a self-signed certificate, which will generate warnings in the users' browser. To avoid both of these concerns, we strongly recommend that you enable AutoSSL.
    Let us know if you have any additional questions. Thank you.
  • MaxFein
    Hi, I am unsure how the ticket described the issue... I understand how/why the wildcard certificate got installed, as per "Fixed case CPANEL-11278: Only install best available ssl when setting up a new vhost" and "Fixed case CPANEL-12327: Ensure best available ssl is installed for new vhosts".

    The issue that I'm trying to raise is that if I install a wildcard certificate for the first-level subdomain of the cPanel primary domain (like *.primary.tld), then the automatic nature of AutoSSL is essentially blocked/broken for addon domains. This seems to be the case regardless of how the wildcard certificate is obtained (e.g. it applies to wildcard certificates purchased via the cPanel SSL/TLS Wizard or another 3rd party, or issued by Let's Encrypt via acme.sh/certbot/etc.).

    I know that all I have to do is uninstall the certificate, but I'd like to be able to use AutoSSL to automatically issue certificates without needing a touch. So, if I have to choose between using either wildcard certificates or automatic AutoSSL for addon domains, then I'd like to choose a third option... namely, using second-level subdomains when creating addon domains, for example, like this:

        #---------------------------------------------
        #--> Addon: example.com
        cpapi2 --user=user_name AddonDomain addaddondomain dir=%2Fpublic_html%2Fexample.com newdomain=example.com subdomain=example.com9
        #---------------------------------------------

    Note: the '9' in subdomain=example.com9 is an arbitrary value (can be useful for rewrites and such...).

    This seems like it will work with the current certificate install logic. Wondering if using second-level subdomains for addons like this seems to present any issues? Cheers, Max
  • cPanelMichael
    Hello Max,
    "Wondering if using second level subdomains for addons like this seems to present any issues?"

    I can't think of a scenario where that would present a problem. The addon domain itself will work the same way with a second-level subdomain that it would with a first-level subdomain. Simply ensure you configure the document root to your preference when creating it. I encourage you to vote and add feedback to the following feature request: Let's Encrypt Wildcard Certificates Once implemented, it would allow for Wildcard SSL support with AutoSSL. Thank you.
  • rinkleton
    This is an interesting issue. Very similar to one of my on-going issues. In my case it relates to EV certs rather than wildcard, but the principle that it's not an AutoSSL-generated cert still remains. Let me see if I can reword the issue:

    Day 1 - Create account with primary domain example.com - DNS resolves - Install wildcard or EV cert.
    Day 2 - Create addon domain example2.com [domain] (DNS does not resolve now), sub.example.com [subdomain] (DNS does resolve), doc root doesn't matter.
    Day 3 - AutoSSL runs. It determines that the best cert for the addon VHOST block is the wildcard/EV cert because it only thinks it needs to cover sub.example.com at this time. Cert is applied.
    Day 4 - example2.com's DNS resolves now.
    Day 5 - AutoSSL runs. It sees the addon VHOST already has a valid non-AutoSSL cert and does not attempt anything. This leaves example2.com uncovered forever.

    In my particular case it involves parked domains that are in the main VHOST block with the primary domain (which has an EV cert). My workaround was to always use addons and create a fake subdomain that is never used. This puts the domain in its own VHOST block. This works when wildcard certs are not used.

    So to the OP, I'd just recommend not using a wildcard cert. Just make running AutoSSL for that account part of your subdomain creation process. You'll get a usable cert in a few minutes. There is still the issue that EV certs on the primary domain prevent AutoSSL from working on parked domains.
  • DrewMathers
    I have found another workaround for this issue. Remove the incorrectly applied certificate from the addon domain's vhost, then rerun AutoSSL.
    1. cPanel > SSL/TLS > Manage SSL sites
    2. Click "Uninstall" opposite addon.domain.com, addon.com, www.addon.com, etc.
    3. cPanel > SSL/TLS Status
    4. Click "Run AutoSSL"
    This is a manual process through the UI, but I suppose it could be scripted.
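The mechanism behind the whole thread is browser-style wildcard matching: a certificate for *.primary.tld covers exactly one extra label, so it matches a first-level addon subdomain such as sub.primary.tld (and cPanel's "install best available certificate" logic then hands that certificate to the new vhost, after which AutoSSL sees a valid cert and stays away), but it does not match Max's second-level form example.com9.primary.tld, nor the addon's own name example2.com. The script below is an added example (it is not from the thread, and not cPanel's own code): a POSIX sh implementation of that single-label matching rule, applied to a constructed SAN list and a few constructed addon hostnames, which reports which vhosts an existing wildcard would capture and prints the commands that script Drew's manual uninstall-and-rerun workaround. The account name cpuser, the sample SANs and hostnames are assumptions; the commands it prints are UAPI SSL::delete_ssl and /usr/local/cpanel/bin/autossl_check, which this example only echoes and never runs. Reading SANs from a real certificate file relies on `openssl x509 -ext`, which needs OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example, not part of the original thread or of cPanel.
# Which addon hostnames would an already-installed certificate cover?
# Covered vhosts get the existing cert at creation time and AutoSSL then
# skips them; uncovered vhosts are free for AutoSSL to issue.

# Single-label wildcard matching as browsers apply it (RFC 6125 section 6.4.3).
# "*.primary.tld" covers "foo.primary.tld" but not "primary.tld" and not
# "foo.bar.primary.tld". Returns 0 when SAN ($1) covers HOST ($2).
san_covers() {
    san=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    host=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    case "$san" in
        '*.'*)
            suffix=${san#"*."}            # literal "*." stripped
            rest=${host%".$suffix"}       # what precedes ".suffix" in HOST
            # reject: HOST does not end in ".suffix", or nothing precedes it
            if [ "$rest" = "$host" ] || [ -z "$rest" ]; then return 1; fi
            # reject: more than one label precedes the suffix
            case "$rest" in *.*) return 1 ;; esac
            return 0
            ;;
        *)
            [ "$san" = "$host" ]
            ;;
    esac
}

# Returns 0 when any SAN in the space-separated list $2 covers host $1.
cert_covers() {
    target=$1
    for entry in $2; do
        if san_covers "$entry" "$target"; then return 0; fi
    done
    return 1
}

# One line per hostname: "<host> covered" or "<host> free".
# Usage: classify_hosts "<space-separated SANs>" host...
classify_hosts() {
    sanlist=$1; shift
    for h in "$@"; do
        if cert_covers "$h" "$sanlist"; then
            printf '%s covered\n' "$h"
        else
            printf '%s free\n' "$h"
        fi
    done
}

# DNS SANs of a PEM certificate file, space separated (OpenSSL >= 1.1.1).
cert_sans() {
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null \
        | tr ',' '\n' | sed -n 's/^[[:space:]]*DNS:\(.*\)$/\1/p' | tr '\n' ' '
}

# The scripted form of Drew's workaround for one captured vhost: remove the
# certificate from that domain's vhost, then trigger AutoSSL for the account.
# $1 = cPanel account name (assumed), $2 = a hostname in the vhost.
remediation_cmds() {
    printf 'uapi --user=%s SSL delete_ssl domain=%s\n' "$1" "$2"
    printf '/usr/local/cpanel/bin/autossl_check --user=%s\n' "$1"
}

# Constructed sample: a wildcard for the primary domain is installed on the
# account. Pass a PEM file as $1 to use a real certificate's SANs instead.
SAMPLE_SANS='*.primary.tld primary.tld'
if [ -n "${1:-}" ]; then SAMPLE_SANS=$(cert_sans "$1"); fi

# Constructed addon hostnames: a first-level subdomain (captured by the
# wildcard), Max's second-level form, and the addon domain name itself.
for h in sub.primary.tld example.com9.primary.tld example2.com; do
    if cert_covers "$h" "$SAMPLE_SANS"; then
        echo "$h: matched by the installed cert; new vhost gets it, AutoSSL will not issue. To undo:"
        remediation_cmds cpuser "$h" | sed 's/^/    /'
    else
        echo "$h: not matched; vhost stays without a cert until AutoSSL issues one"
    fi
done
```

Run it with no arguments to see the constructed sample, or with a PEM file to classify hostnames against a real certificate. Note that uninstalling a certificate from a vhost via delete_ssl only helps when AutoSSL can then validate every name in that vhost; if, as in rinkleton's timeline, example2.com's DNS does not yet resolve, AutoSSL may still decline to cover it, so the run is worth repeating once DNS is live.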