Auto SSL creates certificates with wrong CN and SANs

Aidan Brookes

• September 05, 2018 10:24

Hi, We have a cPanel account with the main domain example.com. This domain has a wildcard certificate to cover *.example.com. Now I wish to add example2.com and example3.com etc via the cPanel API. They need to be on the same account so that all domains point to the same document root. They will all need their own SSL certificates and I'm trying to use AutoSSL with Let's Encrypt for this. Using the cPanel API I added example2.com as an addon domain to this account. This created them as a subdomain of example.com e.g. example2com.example.com. The addon domain is created correctly and points to the correct document root. However, the AutoSSL causes a problem because it assigns the wildcard certificate. This means that when you visit example2.com the SSL certificate is for *.example.com. Of course, this means it is invalid and shows warning errors in browsers. To get around this I have attempted to add the addon domains in a container subdomain (as subdomains of a subdomain don't get covered by the wildcard) e.g. example2com.container.example.com. This prevented the wildcard problem, however, the certificates that AutoSSL created are almost always broken with incorrect CN and random SANs from other domains in the container subdomain. Does anyone have any ideas for workarounds for either of these problems? Regards, Aidan Brookes

• 

  cPanelLauren

  • September 05, 2018 18:04

  Hi @Aidan Brookes Rather than create these as addon domains which will pose a problem with the Wildcard and all domains residing on the same VirtualHost is it not possible to create these separately but redirect them? For the issue with the incorrect CN/SAN's can you describe that further? Possibly provide an example (just replace your domain names with example, domain, test etc.) Thanks!

  0
• 

  Aidan Brookes

  • September 06, 2018 11:33

  Hi, "and all domains residing on the same VirtualHost" confuses me as reading the documentation on "Common name: whm.example1.co.uk SANs: example2couk.example2couk.example.co.uk, example1.co.uk, example1couk.example1couk.example.co.uk, webdisk.example1.co.uk, whm.example1.co.uk, www.example2couk.example2couk.example.co.uk, www.example1couk.example1couk.example.co.uk Valid from September 6, 2018 to December 5, 2018 Serial Number: ************************** Signature Algorithm: sha256WithRSAEncryption Issuer: Let's Encrypt Authority X3 Any idea's why example1.co.uk is showing in example2.co.uk SSL certificate when they should be on separate virtual hosts? (This is what I see when I use

  0
• 

  cPanelLauren

  • September 06, 2018 12:43

  Hi @Aidan Brookes You're correct, it's Aliases not Addon domains that share the VirtualHost because addon's are subdomains of the primary domain, I misspoke. While I can replicate this behavior with the Let's Encrypt provider (which is a 3rd party provider) I cannot do so with Comodo. Can you confirm that with the cPanel provider this issue does not occur? Thanks!

  0
• 

  Aidan Brookes

  • September 10, 2018 09:11

  Hi, I spoke to my provider and we changed AutoSSL to use Comodo and not Let's Encrypt. I then removed all domains as addon domains and re-added them. Comodo then installed working SSL certificates with correct CN and SANs for all domains. Switching to Comodo has fixed my problem. Thanks for your help!

  0
• 

  cPanelLauren

  • September 10, 2018 13:19

  Hi @Aidan Brookes Awesome! I'm really happy to hear that! Thank you for following up here and letting us know.

  0

Please sign in to leave a comment.