Automatically Created Subdomains & Their SSL Coverage

Comments

20 comments

  • cPRex Jurassic Moderator
    Hey hey!
    1 - Subdomains don't get all the service domains created. No one will be logging into cpanel.sub.domain.com or sending email from mail.sub.domain.com unless those are specifically created manually, so I wouldn't expect those to show up.
    2 - Sure, but it would take two steps. You would want to edit WHM >> Edit Zone Template to remove the www entry from the standard and standardvirtualftp template files so it doesn't create the DNS record, and you would also need to create a custom Apache template to remove the entry from the vhosts. With those two combined, it won't exist. Custom Templates | cPanel & WHM Documentation
    3 - Yes, deleting the A record would be enough to stop it from working.
    0
  • vatra
    • But the subdomains do get all the service subdomains created, they are present in the DNS zone. Why are they not showing up in the "Manage SSL Hosts"?
    • I use Cloudflare SSL which covers domain.com and *.domain.com. I know that AutoSSL will reissue a cert to cover any related subdomain and parked domain that is created. But for other vendors, do I need to install the same certificate manually for each subdomain I create?
    • I know that in cPanel you can't have a parked domain with a manually installed cert. You need to add it as an addon domain for it to have its own cert. Is this correct?
    0
  • cPRex Jurassic Moderator
    Have you possibly modified the zone templates? I don't see the subdomains getting service domains created on a test server. I also wouldn't expect that to happen as that would lead to an exponentially-increasing number of domains and SSL certificates. What if I wanted to have secure.sub.domain.com - it would get messy quickly. For non-AutoSSL vendors, yes, you may need to install the SSL multiple times to cover all the domains you wish. Yes, you have to have at least an addon domain to install a unique SSL certificate. This is because the other domain types do not get a unique Apache vhost, so there is just no place to install the certificate in a cPanel environment. There is an older feature request related to this at
    0
  • vatra
    I have modified the templates but only to rearrange the items and only after I created all of my subdomains, so that couldn't have been the issue. On my end, subdomains get the www and all 6 service subdomains (whm, cpanel, webmail, webdisk, cpcalendars, cpcontacts). For example, my main domain's zone file has 500+ records because of all the addon domains' subdomains A, SPF, and DKIM TXT records. I don't plan to use those subdomains plus I won't send or authenticate email from them.
    • First of all, how can I troubleshoot this and stop cPanel from creating them?
    • What do you advise, should I delete the existing ones? No one will ever use those as you said. Having a www for each subdomain is OK, although even that one won't be used since I always permanently redirect www to non-www traffic, but having those other records is just too much.
    One more question: After I switched from AutoSSL to Cloudflare SSL, domain URLs with ports are no longer secure in the browser, for example,
    0
  • vatra
    To expand on the last question: The following URLs are secured by the SSL since it is a first-level subdomain wildcard coverage: https://cpanel.domain.com/ https://webmail.domain.com/
    But their counterparts with ports are not covered: https://domain.com:2083/ https://domain.com:2096/
    0
  • cPRex Jurassic Moderator
    I would delete all those records to avoid confusion, since we agree they'll never be used. As far as troubleshooting, I'm not sure - an strace of a subdomain creation on the command line would likely show where it's pulling those additional records from if you're sure they aren't coming from template modifications. At least that is likely how we'd approach it on our end. I'm not totally sure on the port issue, either. Is the SSL installed on the hostname of the server under the WHM >> Manage Service SSL Certificates area? If so, it should get anything related to secure access on those ports. If you're using just "domain.com" I would expect that having it installed on the main domain through either WHM or cPanel covers the ports properly also.
    0
  • vatra
    Thank you! The server hostname host.mymaindomain.com has the cPanel cert and all ports are covered by the SSL. But for any domain hosted on the server, for example, MyMainDomain.com:2087 or ClientMainDomain.com:2083 are not covered.
    0
  • cPRex Jurassic Moderator
    That sounds like an issue with the SSL install. How were those certs installed?
    0
  • vatra
    Through the WHM "Install an SSL Certificate on a Domain" interface. One thing I noticed is even though all installed SSLs appeared in the /var/cpanel/ssl/apache_tls and /home/user/ssl folders, they did not appear in the /var/cpanel/ssl/domain_tls folder if that is of any importance.
    0
  • cPRex Jurassic Moderator
    I would expect them to show up in all three locations, as my server has every domain and subdomain listed in /var/cpanel/ssl/domain_tls with respective subfolders, and messing with this on a test machine confirmed that is indeed the issue. I'm not sure why they wouldn't have been installed there, but they do need to be present there to secure cPanel access properly.
    0
  • vatra
    Are you saying that you were able to replicate the issue? Should I open up a ticket?
    0
  • cPRex Jurassic Moderator
    I can only replicate the issue by manually moving the directory out of the way in /var/cpanel/ssl/domain_tls. What I don't know is why those files wouldn't be generated with a standard SSL installation. If you have a system you can reproduce this on and you have the SSL certificate files also, we'd be happy to do some testing for you through a ticket!
    0
  • vatra
    Here it is #95153353, thank you!
    0
  • cPRex Jurassic Moderator
    I'm following along with that now - it looks like we're waiting to get access to the system to check some things.
    0
  • vatra
    They got access but it's frustrating because the person handling the issue doesn't seem to get what I'm saying. This has become a standard issue for me when contacting support lately. To address the problem, first, we need to know what is the default cPanel behavior on this matter. Second, how my situation differs, and third, how to solve it. We haven't even got through the first step, except here with you Rex. This is the standard problem I have with support staff everywhere, they first assume that I need education on why the sun shines. I've done my homework. They either see that after bouncing messages back and forth for days or I just give up. I feel like I should be doing their job. On the other hand, last month's support staff person, I remember their name, was so good at handling my issue, that I tried to request him for other ones. They said it would take too long to wait for him. All of this should be easier for us customers. Even though I'm not yet an expert on this matter, I'm very analytical and can follow a complicated task when it is presented to me.
    0
  • cPRex Jurassic Moderator
    I get that, and it definitely happens. I do see it's been escalated and I've spoken with the current technician working on it, so the next reply should get you some good results. I believe we already found one thing that was missed.
    0
  • vatra
    Thank you! These days you have been a huge help for me.
    0
  • vatra
    We are still battling current issues:
    • Cloudflare cert not used on domains URL with ports.
    • Hostname cert covering previous hostnames with the current one and not renewing when trying to issue a new one.
    • Service subdomains creation for subdomains.
    The third one is solved. First of all, subdomains do really get DNS A records for each even though they don't get a ServerAlias directive, like service subdomains for domains.
    0
  • vatra
    I found out why the first issue was happening. When the cert is installed, cPanel creates entries in /var/cpanel/ssl/domain_tls like it usually does for certs created by AutoSSL. But in my case, when I installed third-party certs manually through the WHM interface, these were not created. So I created them myself. I copied the files from /var/cpanel/ssl/apache_tls to /var/cpanel/ssl/domain_tls and gave them proper permissions and ownership with these two commands:
        chmod 640 /var/cpanel/ssl/domain_tls/*/combined
        chown :mail /var/cpanel/ssl/domain_tls/*/combined
    Now cPanel services can be accessed through domain URL with ports, like https://domain.com:2083/ and the system is recognizing that the URL is covered by the cert. But still, this is a huge red flag, the system is not working properly. I should not be doing this manually anytime I create a domain/subdomain. I explained everything in the ticket, so you can follow up. If you can, please influence the staff to try and find out why this is happening so we can solve it.
    0
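
A read-only check for the condition described in the comment above, added here as an example; it is not part of the original thread and not cPanel tooling. It assumes both trees hold one subdirectory per domain containing a `combined` file, and the function name `audit_domain_tls` is made up for this sketch.

```shell
#!/bin/sh
# Added example: report domains whose certificate exists under apache_tls
# but is missing, or has unexpected mode/group, under domain_tls.
# Assumed layout in both trees: <dir>/<domain>/combined
#
# audit_domain_tls [APACHE_DIR] [DOMAIN_DIR] [GROUP]
# Prints one line per finding:
#   MISSING <domain>              no combined file under domain_tls
#   PERMS <domain> <mode> <group> combined file is not 640 / expected group
# Returns 0 when there are no findings, 1 otherwise. Changes nothing on disk.
audit_domain_tls() {
    apache_dir=${1:-/var/cpanel/ssl/apache_tls}
    domain_dir=${2:-/var/cpanel/ssl/domain_tls}
    want_group=${3:-mail}
    findings=0

    for src in "$apache_dir"/*/combined; do
        [ -f "$src" ] || continue            # glob matched nothing
        domain=$(basename "$(dirname "$src")")
        dst="$domain_dir/$domain/combined"

        if [ ! -f "$dst" ]; then
            echo "MISSING $domain"
            findings=1
            continue
        fi

        # GNU stat: octal mode and owning group name
        mode=$(stat -c '%a' "$dst")
        group=$(stat -c '%G' "$dst")
        if [ "$mode" != "640" ] || [ "$group" != "$want_group" ]; then
            echo "PERMS $domain $mode $group"
            findings=1
        fi
    done
    return $findings
}
```

Called with no arguments as root, it checks the two paths named in the thread against mode 640 and group `mail`; a non-zero return after a manual certificate install points at the gap described above.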
  • cPRex Jurassic Moderator
    I do see the ticket has gotten interesting and I'm still following along.
    0
