Automatically Created Subdomains & Their SSL Coverage
cPanel automatically creates a www and 6 service subdomains for every domain and subdomain.
- When you go to the "Manage SSL Hosts" interface these 7 subdomains are listed for domains but for subdomains only www is listed. Why is that?
- Is there a way to disable the creation of the www subdomain when creating new subdomains?
- How would you do that manually after the subdomain has been created, by deleting its DNS A record?
-
Hey hey!
1 - Subdomains don't get all the service domains created. No one will be logging into cpanel.sub.domain.com or sending email from mail.sub.domain.com unless those are specifically created manually, so I wouldn't expect those to show up.
2 - Sure, but it would take two steps. You would want to edit WHM >> Edit Zone Template to remove the www entry from the standard and standardvirtualftp template files so it doesn't create the DNS record, and you would also need to create a custom Apache template to remove the entry from the vhosts. With those two combined, it won't exist. Custom Templates | cPanel & WHM Documentation
3 - Yes, deleting the A record would be enough to stop it from working.
0 -
- But the subdomains do get all the service subdomains created, they are present in the DNS zone. Why are they not showing up in the "Manage SSL Hosts"?
- I use Cloudflare SSL which covers domain.com and *.domain.com. I know that AutoSSL will reissue a cert to cover any related subdomain and parked domain that is created. But for other vendors, do I need to install the same certificate manually for each subdomain I create?
- I know that in cPanel you can't have a parked domain with a manually installed cert. You need to add it as an addon domain for it to have its own cert. Is this correct?
0 -
Have you possibly modified the zone templates? I don't see the subdomains getting service domains created on a test server. I also wouldn't expect that to happen as that would lead to an exponentially-increasing number of domains and SSL certificates. What if I wanted to have secure.sub.domain.com - it would get messy quickly. For non-AutoSSL vendors, yes, you may need to install the SSL multiple times to cover all the domains you wish. Yes, you have to have at least an addon domain to install a unique SSL certificate. This is because the other domain types do not get a unique Apache vhost, so there is just no place to install the certificate in a cPanel environment. There is an older feature request related to this at 0 -
I have modified the templates but only to rearrange the items and only after I created all of my subdomains, so that couldn't have been the issue. On my end, subdomains get the www and all 6 service subdomains (whm, cpanel, webmail, webdisk, cpcalendars, cpcontacts). For example, my main domain's zone file has 500+ records because of all the addon domains' subdomains A, SPF, and DKIM TXT records. I don't plan to use those subdomains plus I won't send or authenticate email from them.
- First of all, how can I troubleshoot this and stop cPanel from creating them?
- What do you advise, should I delete the existing ones? No one will ever use those as you said. Having a www for each subdomain is OK, although even that one won't be used since I always permanently redirect www to non-www traffic, but having those other records is just too much.
0 -
To expand on the last question: The following URLs are secured by the SSL since it is a first-level subdomain wildcard coverage: https://cpanel.domain.com/ https://webmail.domain.com/
But their counterparts with ports are not covered: https://domain.com:2083/ https://domain.com:2096/
0 -
I would delete all those records to avoid confusion, since we agree they'll never be used. As far as troubleshooting, I'm not sure - an strace of a subdomain creation on the command line would likely show where it's pulling those additional records from if you're sure they aren't coming from template modifications. At least that is likely how we'd approach it on our end. I'm not totally sure on the port issue, either. Is the SSL installed on the hostname of the server under the WHM >> Manage Service SSL Certificates area? If so, it should get anything related to secure access on those ports. If you're using just "domain.com" I would expect that having it installed on the main domain through either WHM or cPanel covers the ports properly also. 0 -
Thank you! The server hostname host.mymaindomain.com has the cPanel cert and all ports are covered by the SSL. But for any domain hosted on the server, for example, MyMainDomain.com:2087 or ClientMainDomain.com:2083 are not covered. 0 -
That sounds like an issue with the SSL install. How were those certs installed? 0 -
Through the WHM "Install an SSL Certificate on a Domain" interface. One thing I noticed is even though all installed SSLs appeared in the /var/cpanel/ssl/apache_tls and /home/user/ssl folders, they did not appear in the /var/cpanel/ssl/domain_tls folder if that is of any importance. 0 -
I would expect them to show up in all three locations, as my server has every domain and subdomain listed in /var/cpanel/ssl/domain_tls with respective subfolders, and messing with this on a test machine confirmed that is indeed the issue. I'm not sure why they wouldn't have been installed there, but they do need to be present there to secure cPanel access properly. 0 -
Are you saying that you were able to replicate the issue? Should I open up a ticket? 0 -
I can only replicate the issue by manually moving the directory out of the way in /var/cpanel/ssl/domain_tls. What I don't know is why those files wouldn't be generated with a standard SSL installation. If you have a system you can reproduce this on and you have the SSL certificate files also, we'd be happy to do some testing for you through a ticket! 0 -
Here it is #95153353, thank you! 0 -
I'm following along with that now - it looks like we're waiting to get access to the system to check some things. 0 -
They got access but it's frustrating because the person handling the issue doesn't seem to get what I'm saying. This has become a standard issue for me when contacting support lately. To address the problem, first, we need to know what is the default cPanel behavior on this matter. Second, how my situation differs, and third, how to solve it. We haven't even got through the first step, except here with you Rex. This is the standard problem I have with support staff everywhere, they first assume that I need education on why the sun shines. I've done my homework. They either see that after bouncing messages back and forth for days or I just give up. I feel like I should be doing their job. On the other hand, last month's support staff person, I remember their name, was so good at handling my issue, that I tried to request him for other ones. They said it would take too long to wait for him. All of this should be easier for us customers. Even though I'm not yet an expert on this matter, I'm very analytical and can follow a complicated task when it is presented to me. 0 -
I get that, and it definitely happens. I do see it's been escalated and I've spoken with the current technician working on it, so the next reply should get you some good results. I believe we already found one thing that was missed. 0 -
Thank you! These days you have been a huge help for me. 0 -
We are still battling current issues:
- Cloudflare cert not used on domains URL with ports.
- Hostname cert covering previous hostnames with the current one and not renewing when trying to issue a new one.
- Service subdomains creation for subdomains.
0 -
I found out why the first issue was happening. When the cert is installed cPanel creates entries in /var/cpanel/ssl/domain_tls like it usually does for certs created by AutoSSL. But in my case, when I installed third-party certs manually through the WHM interface, these were not created. So I created them myself. I copied the files from /var/cpanel/ssl/apache_tls to /var/cpanel/ssl/domain_tls and gave them proper permissions and ownership with these two commands.
chmod 640 /var/cpanel/ssl/domain_tls/*/combined
chown :mail /var/cpanel/ssl/domain_tls/*/combined
Now cPanel services can be accessed through domain URL with ports, like https://domain.com:2083/ and the system is recognizing that the URL is covered by the cert. But still, this is a huge red flag, the system is not working properly. I should not be doing this manually anytime I create a domain/subdomain. I explained everything in the ticket, so you can follow up. If you can please influence the staff to try and find out why is this happening so we can solve it. 0 -
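A read-only way to spot the mismatch described in the post above, as an added example that is not part of the original thread or cPanel's own tooling: it lists domains that have a certificate under the Apache store but no entry in the domain store, and entries whose `combined` file is not mode 640. The function names and sample domains are constructed, and the `<root>/<domain>/combined` layout is assumed for both stores (the thread shows it only for `domain_tls`).

```shell
#!/usr/bin/env bash
# Added example: audit the two per-domain TLS stores named in the thread.
# Assumption: both stores use the layout <root>/<domain>/combined.

# Prints one line per finding:
#   MISSING <domain>       present in the Apache store, absent from the domain store
#   MODE <domain> <mode>   present, but "combined" is not mode 640
audit_domain_tls() {
    local apache_root=$1 domain_root=$2 dir domain target mode
    for dir in "$apache_root"/*/; do
        [ -f "${dir}combined" ] || continue   # skips non-cert dirs and an unmatched glob
        domain=$(basename "$dir")
        target="$domain_root/$domain/combined"
        if [ ! -f "$target" ]; then
            echo "MISSING $domain"
            continue
        fi
        mode=$(stat -c '%a' "$target")        # GNU stat, as found on cPanel-supported Linux
        [ "$mode" = "640" ] || echo "MODE $domain $mode"
    done
}

# Builds a constructed sample tree so the audit can be tried away from a real server.
make_sample_tree() {
    local root d
    root=$(mktemp -d)
    mkdir -p "$root/apache_tls/example.test" \
             "$root/apache_tls/sub.example.test" \
             "$root/apache_tls/shop.example.test" \
             "$root/domain_tls/example.test" \
             "$root/domain_tls/shop.example.test"
    for d in "$root"/apache_tls/*/ "$root"/domain_tls/*/; do
        : > "${d}combined"                    # empty placeholder, not a real certificate
    done
    chmod 640 "$root/domain_tls/example.test/combined"
    chmod 644 "$root/domain_tls/shop.example.test/combined"   # deliberately too permissive
    echo "$root"
}

# On a server, as root:
#   audit_domain_tls /var/cpanel/ssl/apache_tls /var/cpanel/ssl/domain_tls
```

Running it after each manual certificate install shows whether the domain store was populated, without modifying either directory.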
I do see the ticket has gotten interesting and I'm still following along. 0