Skip to main content

Downsides to Enabling AutoSSL on Existing Server?

Comments

6 comments

  • fate12
    I would like to know this as well. And what happens to the sites that allready got a certificate? Do I need to exclude those sites manually?
    0
  • sehh
    You can easily enable AutoSSL, it won't break anything but it may also not work on some domains. Please take a look at this thread, which I started some time go with the issues I encountered when I enabled AutoSSL: AutoSSL - htaccess whitelist
    0
  • cPanelMichael
    Hello,
    Is there any harm in just immediately enabling AutoSSL for all accounts on the server? Or are there things that adding an SSL certificate may break in an account? Or does that fact that even if a certificate is installed on an account it won't be used unless https redirects are in place, and that users need to explicitly tell their mail clients to use SSL, mean that nothing should break for existing users?

    There's generally no harm in enabling SSL for all accounts, however ensure you are aware of the domain and rate limits referenced on the document helps to answer this: AutoSSL will not attempt to replace pre-existing valid certificates that expire in more than three days. Thank you.
    0
  • cPanelMichael
    This does not appear in the linked Manage AutoSSL document. I assume it was removed in a recent update to the doc as it show last update 11/28/16. Is this still how it works? If so please put it back in the doc as I've been assuming its the 15 days documented for the cPanel cert provider (which I have selected along with "Allow AutoSSL to replace invalid or expiring non-AutoSSL certificates") and I'm trying to figure out why cert requests are not being generated for pre-existing certs expiring in 5 days.

    Hello @ralphday, This behavior changed slightly in cPanel version 60 due to the following case: Implemented case CPANEL-9130: Make AutoSSL default to not replacing non-AutoSSL certificates. As of cPanel version 60: AutoSSL will automatically attempt to renew cPanel-signed AutoSSL certificates within 15 days of the expiration date. For domain names with non-AutoSSL signed certificates, and when "Allow AutoSSL to replace invalid or expiring non-AutoSSL certificates" is enabled, AutoSSL will attempt to issue a cPanel-signed AutoSSL certificate within 3 days of the expiration date. I've opened a case with our documentation team to ensure this behavior is documented, and I'll update this thread once the changes are published. On a side note, currently the AutoSSL logs will show a message like this, even when the "Allow AutoSSL to replace invalid or expiring non-AutoSSL certificates" option is enabled: However, AutoSSL will not replace this certificate, because the certificate does not appear to come from an installed AutoSSL provider."
    This is confusing when "Allow AutoSSL to replace invalid or expiring non-AutoSSL certificates" is enabled, as AutoSSL will in-fact eventually replace the certificate, so internal CPANEL-10103 is open to improve this message to account for that option. Thank you.
    0
  • cPanelJenn
    Hi @ralphday Documentation case DOC-8099 was opened to have the Manage SSL doc updated. We have updates coming for cPanel & WHM version 62 next week and I will also apply those updates to the 60 documentation. Thanks!
    0

Please sign in to leave a comment.