WHM Resets Service SSL on it's own
I set all the services to use a wildcard SSL instead of the default, self-signed one, but it seems like every night it resets itself to the self-signed one? Is this supposed to be happening? Is there a way to stop it?
WHM 58 Build 26 - Cloudlinux 6.8
-
I set all the services to use a wildcard SSL instead of the default, self-signed one, but it seems like every night it resets itself to the self-signed one? Is this supposed to be happening? Is there a way to stop it?
Hello, Free cPanel-signed certificates for the hostname are generated as of cPanel 56. Here's the relevant quote from the New in version 56- Revoked. " New in version 56
- Self-signed.
- Invalid (For example, your server's hostname must be valid and resolve in DNS).
- Expires in less than one week. Note: Comodo" cross-signs these cPanel-signed certificates for additional security. Your server will automatically order the free signed certificate when the server runs the /usr/local/cpanel/bin/checkallsslcerts tool as part of the upcp maintenance script and connects to the license server. The server will download and install the certificate when it is available. When that signed certificate is less than seven days from expiration, your server will automatically order a replacement free signed certificate. The server will download and install the certificate when it is available. Otherwise, if the signed certificate expires, the server will install a self-signed certificate, and then replace that certificate with the free signed certificate when it is ready. If you wish to replace your services certificate with one from another provider, use WHM's .
If you create the /var/cpanel/ssl/disable_auto_hostname_certificate touch file, the system will no longer order, download, and install a free cPanel-signed hostname certificate. The system will still automatically replace expired service certificates with self-signed certificates. Thank you.0 -
Ah thanks. I'm guessing it's assuming it's 'Invalid'. Is that because the the cert is wildcard and doesn't know how test if that is a valid domain? Or is is it because our server's hostname (while being valid and resolving), is different from the host name on the ssl? 0 -
Ah thanks. I'm guessing it's assuming it's 'Invalid'. Is that because the the cert is wildcard and doesn't know how test if that is a valid domain? Or is is it because our server's hostname (while being valid and resolving), is different from the host name on the ssl?
It shouldn't replace the certificate based on it being a wildcard SSL, as that issue was addressed in cPanel version 56: Implemented case CPANEL-5841: Wildcard certs that do not match the hostname should not be replaced. It's possible the replacement is due to the following condition: Has a weak signature algorithm. You can use the following command to determine the signature algorithm for your installed certificate:openssl x509 -noout -text -in /var/cpanel/ssl/system/certs/$cert-name.crt|grep Signature
Replace "$cert-name.crt" with the name of your wildcard certificate in /var/cpanel/ssl/system/certs/. Thank you.0
Please sign in to leave a comment.
Comments
3 comments