
hostname SSL cert replaced with cPanel issued version

Comments

14 comments

  • PenguinInternet
    It was announced in the release notes before this was pushed from current to release - you can find the details on this here: 56 Release Notes - Documentation - cPanel Documentation. If you had valid certs in place, I'm guessing that they had a weak algorithm from the criteria listed for replacement, unless they were just about to expire?
    0
  • bear
    Valid and about a month old. This part is part of that linked announcement (thanks, by the way): "This system will only replace self-signed or expired certificates. It will not replace an existing certificate from a valid certificate authority." RapidSSL certs, 2048 bits. AFAIK, that's a valid issuer.
    0
  • Kobor
    Even if it had a weak algorithm, how dare cPanel replace it? And what is a valid certificate authority? I could have my own certificate authority inside the organization I run; it's not cPanel's authority to decide what is valid or not. It is mine. In a way even replacing self-signed certs could be problematic. And the best of all: cPanel releasing valid certificates for valid domains without the owner's accord, and Comodo happily cross-signing it. WTF? Hey, maybe I could get a certificate for paypal.com from cPanel? It seems that for the past 2-3 years, with every major upgrade, cPanel changes stuff on our servers without thinking it through, and without our accord.
    0
  • Mike Waters
    Same thing happened to us!!! :-( Thank you for grinding our business to a screeching halt. I have an expedited ticket open for this: support request ID: 7531717
    0
  • cPanelMichael
    Hello, Here's the pertinent section of the version 56 release notes for new users who are visiting this thread for the first time:

    Free cPanel-signed hostname certificate

    As part of the introduction of this feature, cPanel offers valid cPanel & WHM license holders a free cPanel-signed hostname certificate for your server's services. This replaces the certificates for these services that meet any of the following conditions:

      • Has a weak signature algorithm. (New in version 56)
      • Revoked. (New in version 56)
      • Self-signed.
      • Invalid.
      • Expires in less than one week.

    Note: Comodo cross-signs these cPanel-signed certificates for additional security.

    Your server will automatically order the free signed certificate when the server runs the /bin/checkallsslcerts tool as part of the upcp maintenance script and connects to the license server. The server will download and install the certificate when it is available.

    When that signed certificate is less than seven days from expiration, your server will automatically order a replacement free signed certificate. The server will download and install the certificate when it is available. Otherwise, if the signed certificate expires, the server will install a self-signed certificate, and then replace that certificate with the free signed certificate when it is ready.

    If you wish to replace your services certificate with one from another provider, use WHM's .

    There's also a blog post that goes into more detail on this new feature at:

    I have an expedited ticket open for this: support request ID: 7531717

    I'm monitoring the support ticket and will update this thread with the outcome. Thank you.
    0
  • cPanelMichael
    Could you verify if this was a wildcard certificate? Internal case CPANEL-5841 addresses an issue where wildcard certificates that do not match the hostname are unexpectedly replaced by checkallsslcerts during the update process. A resolution for this is scheduled for publication in the near future.

    A resolution for this particular issue is now available in cPanel version 56.0.9: Implemented case CPANEL-5841: Wildcard certs that do not match the hostname should not be replaced. Thank you.
    0
  • Mike Waters
    Thanks for fixing this. I have to say that this is the first problem we have ever had with cPanel. It could have been much worse. :-) And thanks for refunding my expediting fee without me even asking. :-)
    0
  • Kobor
    You can disable this functionality by creating the following file on your system:
    /var/cpanel/ssl/disable_auto_hostname_certificate

    I can disable that functionality AFTER the update changed everything.
    0
  • PPNSteve
    Interesting.. we have a couple of servers that use GeoTrust issued rapidSSL certs, and both are basically the same setting-wise aside from the hostname and early release tier 56 didn't overwrite the valid cert but today's release did on the other server (exp date of 10/2016).. what gives?
    0
  • cPanelMichael
    Interesting.. we have a couple of servers that use GeoTrust issued rapidSSL certs, and both are basically the same setting-wise aside from the hostname and early release tier 56 didn't overwrite the valid cert but today's release did on the other server (exp date of 10/2016).. what gives?

    Would you mind opening a support ticket using the link in my signature so we can take a closer look? You can post the ticket number here so we can update this thread with the outcome. Thank you.
    0
  • sherwin_flight
    I found this thread while trying to figure out why cPanel was replacing my SSL certificate. However, reading this thread leaves me with more questions than answers. To start with, I created the /var/cpanel/ssl/disable_auto_hostname_certificate file yesterday, yet again tonight cPanel replaced it with a free certificate. My certificate doesn't expire for another 21 days, and is issued by a trusted Certificate Authority. I don't want cPanel messing with my SSL certificates, so I created the file as mentioned to keep it from happening. Yet, it still happens. How can I disable this feature?
    0
  • cPanelNick
    I don't want cPanel messing with my SSL certificates, so I created the file as mentioned to keep it from happening. Yet, it still happens. How can I disable this feature?

    You can have cPanel disable service certificate management by creating this file
    /var/cpanel/ssl/disable_service_certificate_management
    0
  • jonh
    Not sure if this is related, but all our SSL sites today are showing (Safari) "This certificate has an invalid issuer.", (Chrome) "this certificate has been revoked." Nothing has changed as far as we know, noticed it when visiting some of the sites. ========== Update: It's unrelated, GlobalSign had an issue today.
    0
  • gruvin
    Another ME TOO. It's simple. MY server. MY certificate. MY authority. PERIOD. How do we COMPLETELY DISABLE this MORONIC "feature"? Thank you. EDIT: From above ...
    You can have cPanel disable service certificate management by creating this file
    /var/cpanel/ssl/disable_service_certificate_management

    Thank God! Far out. This has cost us HOURS. Grrr.
    0
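
The following is an added example, not cPanel's code and not posted by anyone in this thread: a shell script that checks a PEM certificate against three of the replacement conditions quoted from the release notes (weak signature algorithm, self-signed, less than one week to expiry) and reports whether the two opt-out files named in the thread exist. The function names, the MD5/SHA-1 definition of "weak" and the subject-equals-issuer test for self-signed are assumptions; the "revoked" and "invalid" conditions are not checked.

```shell
#!/usr/bin/env bash
# Added example: audit a service certificate against the replacement
# conditions quoted in this thread. Not cPanel code.

# Opt-out flag files named by cPanel staff in the thread.
FLAGS="/var/cpanel/ssl/disable_auto_hostname_certificate
/var/cpanel/ssl/disable_service_certificate_management"

# replacement_reasons SUBJECT ISSUER SIGALG DAYS_LEFT
# Prints one line per matching condition, nothing if none match.
replacement_reasons() {
    local subject="$1" issuer="$2" sigalg="$3" days_left="$4"
    # Assumption: "weak" means an MD5- or SHA-1-based signature.
    case "$(printf '%s' "$sigalg" | tr 'A-Z' 'a-z')" in
        md5*|sha1*|*sha1) echo "weak signature algorithm ($sigalg)" ;;
    esac
    # Heuristic: identical subject and issuer is treated as self-signed.
    if [ "$subject" = "$issuer" ]; then
        echo "self-signed (subject equals issuer)"
    fi
    if [ "$days_left" -lt 7 ]; then
        echo "expires in less than one week ($days_left days left)"
    fi
}

# audit_cert PEM_FILE: extract the fields with openssl (GNU date assumed).
audit_cert() {
    local pem="$1" subject issuer sigalg end days_left
    subject=$(openssl x509 -in "$pem" -noout -subject | sed 's/^subject= *//')
    issuer=$(openssl x509 -in "$pem" -noout -issuer | sed 's/^issuer= *//')
    sigalg=$(openssl x509 -in "$pem" -noout -text |
        awk -F': ' '/Signature Algorithm/ { print $2; exit }')
    end=$(openssl x509 -in "$pem" -noout -enddate | cut -d= -f2)
    days_left=$(( ($(date -d "$end" +%s) - $(date +%s)) / 86400 ))
    replacement_reasons "$subject" "$issuer" "$sigalg" "$days_left"
}

# opt_out_status [ROOT]: report each flag file; ROOT is a test-only prefix.
opt_out_status() {
    local root="${1:-}" f
    for f in $FLAGS; do
        if [ -e "$root$f" ]; then echo "present: $f"; else echo "absent: $f"; fi
    done
}

# Usage: bash audit.sh /path/to/hostname-cert.pem   (path is a placeholder)
if [ "$#" -ge 1 ]; then
    audit_cert "$1"
    opt_out_status
fi
```

No output from the certificate check means none of the three tested conditions applies; it does not cover the wildcard case described under CPANEL-5841.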
