
Problem with automatically generated self-signed SSL certificates

Comments

37 comments

  • coasthost
    For the past few days, new accounts and subdomains created on my server are created with a self-signed SSL cert, which means I have to delete the SSL host after each new account or subdomain is created. Is there an option to turn this off?
    0
  • Gavpeds
    I have now given up with this; it's just messing with my users' sites. I have now disabled AutoSSL on the feature list which all accounts used. To my surprise, new accounts being added still get damn certificates. Please someone tell me how to stop this ridiculous system doing what it likes. When something starts harming my customers' experience and essentially my business, I feel cPanel has gone a step too far. All I want to do now is stop self-signed or cPanel certificates being generated. I have two sites where I have paid for and set up the SSL, which is fine, but for all others I don't want any SSL. If this has been disabled in manage SSL and in the feature list, why is it still generating certificates for newly added domains???
    0
  • cPanelMichael
    Hello, It's by design that self-signed SSL certificates are installed if no other SSL certificates are available. It's not possible to disable this functionality. Could you elaborate on what in particular about the certificate is resulting in problems? Here's the section from the All websites receive an SSL certificate Any website created in cPanel & WHM now receives an SSL certificate. A self-signed certificate is added if no other SSL certificates are available.
    Thank you.
    0
  • Gavpeds
    This is an utter nightmare. Self-signed makes Google warn visitors to the site, with self-signed possibly turning away visitors. The cPanel certificates are just unreliable. I have had issues with it not assigning certs to domains created via WHMCS and was told it was our server that had turned this feature off. They have not. cPanel, you need to rethink this; there are people everywhere having issues with this. I have already submitted a ticket and was told it's my host. It's not; they have been in contact as well, and there are just so many problems with all this forcing us to use SSL. I get why it's a good idea. Google and others are pushing for it, but the implementation is a nightmare.
    0
  • Gavpeds
    Ok, so our server host has been in touch as well now, and it seems there is no way to turn it off at all; even if you turn AutoSSL off you just get forced to use a self-signed certificate. Great, so now site visitors are going to get a privacy warning from Google, turning them away! I don't particularly care if I use SSL or I don't, I just want it to work either way. I am stuck. I can't turn it off, but I also can't fully take advantage of it as it fails on several sites, mainly ones created via WHMCS, but all I get told is it's my server host who has disabled this feature. I am beyond frustrated, as are all the site owners I have on my server. cPanel forces me to use it, our host forces me to not, yet cPanel then forces self-signed, which is terrible. So I am stuck in the middle and my users' sites are suffering as a result. All I can think of doing is putting this in every site's .htaccess file.
        Options +FollowSymlinks
        RewriteEngine on
        RewriteBase /
        RewriteCond %{SERVER_PORT} ^443$ [OR]
        RewriteCond %{HTTPS} =on
        RewriteRule ^(.*)$ http://www.example.com/$1 [R=301,L]
    0
  • sparek-3
    Yea, I have to agree with the negative argument on this. I'm all in favor of free certificates. But I'm not really in such a favor of all of this forcing certificates on us. In a lot of ways, I think this goes beyond cPanel. I understand Google and the whole world wanting to make web browsing more secure, but if that's the case, why not just make the whole HTTP protocol secure? You won't be able to do that from a trust standpoint, but you can do that from an encryption standpoint. SSH and SFTP do this, why can't HTTP? Again, that's not really an issue for cPanel to tackle, it's an industry issue. DCV certificates have never really given any trust. "Congrats! You own the domain name you are securing. We have no idea if that domain name is tied to an actual business or the business it pretends to be. But the information you send between you and the server is secure!" I'm not sure how passing out millions of DCV secure certificates is the answer here. Forcing SSL on accounts was setting up to be a nightmare. You have too many accounts that get set up, never point themselves to the server and AutoSSL for those accounts just sit in limbo (they can't verify because domain control validation never passes). A better approach probably would have been to offer free certificates but only explicitly. If someone wants a free certificate they have to request one. If you want to try and make this easier by placing something in their cPanel (I'm not sure if that is necessary) then you can do so. You can then test for DCV passing prior to attempting to issue a certificate. Auto-renew? I'm not sure if that's necessary either. Email the user to tell them their certificate is about to expire. If they can't find the time to log into their cPanel and reissue an updated certificate, then I'm sorry, I don't have a lot of sympathy for them. Automatically issuing DCV certificates and then automatically renewing those certificates for every single domain in existence, that just cries out for my main point ... why isn't HTTP secure by default?
    0
  • raven_kg
    [sarcasm]Wow... Great solution![/sarcasm]
    0
  • swbrains
    On my server, I just noticed this happening for new accounts. It screwed up my script that I use to let customers install SSL certificates since the script looks to see if a cert is installed already and doesn't allow installation of our "real" certificate if one is already installed. I was able to work around this by checking if the installed cert is self-signed via the API call to get the cert info and act as if there is no installed cert if it finds only self-signed certs installed on that account. The odd thing is that I have already installed on the server a wildcard domain that is a valid SSL certificate from a trusted authority (AlphaSSL) that I let customers use when they want to activate SSL for their subdomain. Yet cPanel still automatically installed a self-signed wildcard cert upon creation of the new subdomain account, ignoring the valid wildcard AlphaSSL cert. Perhaps the problem in my case relates to the fact that the already-installed "real" cert is a wildcard cert? Could this be why cPanel doesn't see it and goes ahead and installs its own self-signed cert upon creation of the subdomain account?
    0
  • bear
    Ok, I'd already posted this on a different thread, but in reality this one is where it should have been done. Sorry. I don't want auto-anything (including SSL) installed on things I set up on my servers. It's not up to cPanel, or Google for that matter to foist that on folks, it's up to the site owner, and ultimately, the server admin. In this case, that's me. How to disable the autogenerated SSL on new domains/accounts/etc, please?
    0
  • rahnev
    So is there a way to disable this automatic SSL generation when new account or domain is created? We want to manually generate them as on versions before 62?
    0
  • cPanelMichael
    Hello, It's not possible to disable the automatic self-signed SSL certificate that's automatically generated for domain names that don't already take advantage of the AutoSSL feature. However, please open a support ticket using the link in my signature if this new functionality is installing self-signed SSL certificates in cases where a signed SSL certificate is available for installation. The decision to implement this change in cPanel version 62 is part of the direction towards TLS-Only in the product. The functionality of other parts of the product will assume a SSL Virtual Host exists, and thus it would break functionality if a SSL certificate isn't installed on a domain. I encourage the use of our Feature Request website to submit requests for changes to this behavior. This allows the community to vote on changes, and send their feedback to the Development team to consider. Thank you.
    0
  • ethical
    Wow, I have to say this is a really silly feature. If you were going to force anything (which is bad to start with), force the use of LE certs; at least they are real certs! Self-signed certs will only create issues for everybody, especially if they are forced on you and you don't even know it! sigh, off to fully enable autossl then and now wait to hear from people when they complain that their site is giving ssl warnings from users that use https everywhere... sigh...
    0
  • cPanelMichael
    > sigh, off to fully enable autossl then and now wait to hear from people when they complain that their site is giving ssl warnings from users that use https everywhere... sigh...

    The certificates generated through the AutoSSL feature should not result in browser warnings about the SSL certificate. Could you open a new thread expanding upon that specific issue so we can take a closer look? Thank you.
    0
  • dortgendizayn
    Do you provide any script to remove all of the self-signed certificates at the same time? At least we can run this script after adding an addon domain and delete all self-signed certificates. And please find a way to disable this Auto(nightmare)SSL option. I so regret activating this plugin.
    0
  • cPanelMichael
    > Do you provide any script to remove all of the self-signed certificates at the same time? At least we can run this script after adding an addon domain and delete all self-signed certificates. And please find a way to disable this Auto(nightmare)SSL option. I so regret activating this plugin.

    Hello @dortgendizayn, Could you provide some more information about how the SSL certificates (and the AutoSSL feature) are resulting in problems on your system? The direction of the product is heading towards TLS-only, so it's a good idea to work towards addressing the issues you are facing rather than deleting the certificates. Thank you.
    0
  • sparek-3
    I understand the web is wanting to move to more secure protocols, meaning that groups want everything to be https:// instead of http:// and the current way to do that is to provide a secure certificate (whether that be self-signed, free DCV, paid DCV, or expensive EV). The question I have with this: what happens when an account is set up on a server and that domain name never points to the server? How is AutoSSL (which provides free DCV certificates) going to deal with this? Maybe this isn't a problem for most hosting companies, but we have resellers that appear to set up domain names that never point to the server. DCV certificates are never going to work for accounts that never resolve back to the server. When a domain name moves to a different server, do they take this certificate with them or do they generate a new certificate? If a new certificate, what happens to the old certificate? What if the new server they move to isn't cPanel or doesn't support AutoSSL or cPanel signed certificates, what happens then? I get the desire to move to a more secure platform. I get that content providers, search engine giants, and others want to see the web more secure. But if that's the case, why doesn't the industry push to make HTTP (not HTTPS) a secure protocol? Why not look to provide encryption directly into the HTTP protocol? Don't confuse encryption with authenticity. Encryption just means data is encrypted as it passes back and forth on the connection. Authenticity has to do with verifying the party on end A is who they say they are. DCV certificates don't provide any (or very little if any) authenticity - but they don't provide encryption. Self-signed certificates provide encryption without authenticity but self-signed certificates were banished to hell several years ago because the industry wanted to. Making HTTP a secure, encrypted protocol isn't a cPanel issue. It's above cPanel's pay grade. Perhaps there's a technical reason as to why this can't be done. But was it even ever considered? Perhaps a new protocol needs to be written. I don't know. It just seems like there wasn't a lot of thought, a lot of foresight put into this push to make the whole web secure, they just settled on "Let's make every domain name get a secure certificate." And I'm not sure if that's really the best approach.
    0
  • cPanelNick
    > Perhaps the problem in my case relates to the fact that the already-installed "real" cert is a wildcard cert? Could this be why cPanel doesn't see it and goes ahead and installs its own self-signed cert upon creation of the subdomain account?

    Hi swbrains, The system will only pick up the wildcard certificate if it is in the user's SSL storage. I'm assuming the subdomains are on a newly created account and not created inside of an existing account. The system does not have access to other users' accounts when finding the best available certificate, as this would require us to share the key files between accounts, which would not be an acceptable security practice.
    0
  • cPanelNick
    > Ok, I'd already posted this on a different thread, but in reality this one is where it should have been done. Sorry. I don't want auto-anything (including SSL) installed on things I set up on my servers. It's not up to cPanel, or Google for that matter to foist that on folks, it's up to the site owner, and ultimately, the server admin. In this case, that's me. How to disable the autogenerated SSL on new domains/accounts/etc, please?

    Hi bear, One of the goals of this feature was to ensure that the user did not get someone else's site when accessing their domain on
    - Change Default SSL Certificate to Invalid Certificate
    - Generate and install a self signed ssl cert for each virtualhost that doesn't have one
    It's very important that we understand why you want to disable this functionality in order to ensure we build the right solution. We need to know more about what problems this is causing for you so we can explore a solution that does not regress the above feature requests. Thank you.
    0
  • sparek-3
    > It's very important that we understand why you want to disable this functionality in order to ensure we build the right solution. We need to know more about what problems this is causing for you so we can explore a solution that does not regress the above feature requests.

    I can't really speak for bear on this, but I'm going to add my 2 cents here. I think I would be fine with forcing each new VirtualHost (new account, new subdomain, new addon domain, new parked domain) to generate and install a self-signed certificate. There's no DCV step required for these. I do think that this (or any auto certificate installing) will result in a lot more clutter, as it's just another thing that has to be kept up with (either by server administrators or by the server itself or both). But I would really prefer for this to be a configuration option instead of just being pushed on us. Something like I detailed on the feature request: Disable Automatic self-signed SSL. I don't like the implicit "install best available certificate". Perhaps I'm just extra paranoid, but I'm not all that confident that the system is always going to be able to pick the "best available certificate". If I could explicitly tell the system to always install a self-signed certificate for every new VirtualHost, I think I would like that better. Then if a VirtualHost needs a certificate installed, I can deal with that as I see fit.
    0
  • cPanelNick
    One of the other approaches we considered to solve this problem was a default SSL Vhost per ip (at the top of httpd.conf). Unfortunately, there were downsides that were deemed unacceptable to proceed with this plan:
    - Uses additional memory per IP address
    - Will break existing set primary ssl domain functionality. non-SNI users will now get the default vhost instead of the primary
    - Adding default ssl vhost per ip would disproportionally affect existing users. SNI adoption has not yet reached a level where we feel comfortable accepting the downsides.
    The always create an SSL host approach was adopted because we felt it carried the least risk to existing customers and solved the problem.
    0
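The behaviour cPanelNick describes above (an HTTPS request for a domain with no SSL vhost being answered by another account's vhost) and the self-signed check swbrains describes earlier, as a simplified model. This is an added example, not cPanel or Apache code; the domain names, paths, verdict labels and all class and function names are constructed for illustration, and "self-signed" is approximated as issuer equal to subject.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    names: tuple  # DNS names the certificate covers

    @property
    def self_signed(self):
        # Simplification: issuer == subject stands in for a signature check.
        return self.issuer == self.subject


@dataclass(frozen=True)
class SslVhost:
    server_name: str
    docroot: str
    cert: Cert


def name_matches(pattern, host):
    """Certificate name match; '*' covers exactly one left-most label."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return pattern == host


def select_vhost(vhosts, sni):
    """Name-based selection on one IP:443; no match (or no SNI) -> first vhost."""
    for vh in vhosts:
        if sni and vh.server_name.lower() == sni.lower():
            return vh
    return vhosts[0] if vhosts else None


def https_outcome(vhosts, host, sni=True):
    """Return (docroot served, browser verdict) for https://host/.

    The verdict is fixed during the TLS handshake, before any HTTP request
    is read, so an .htaccess redirect to http:// cannot suppress a warning.
    """
    vh = select_vhost(vhosts, host if sni else None)
    if vh is None:
        return (None, "tls-unavailable")
    if not any(name_matches(n, host) for n in vh.cert.names):
        return (vh.docroot, "name-mismatch")
    if vh.cert.self_signed:
        return (vh.docroot, "untrusted-self-signed")
    return (vh.docroot, "ok")


def has_real_cert(vhosts, domain):
    """swbrains' rule: a domain with only a self-signed cert counts as having none."""
    return any(vh.server_name == domain and not vh.cert.self_signed
               for vh in vhosts)


# Constructed sample data: two accounts on one shared IP.
SHOP = SslVhost("shop.example", "/home/shop/public_html",
                Cert("shop.example", "Example CA", ("shop.example", "www.shop.example")))
BLOG_SELF = SslVhost("blog.example", "/home/blog/public_html",
                     Cert("blog.example", "blog.example", ("blog.example",)))
BLOG_DV = SslVhost("blog.example", "/home/blog/public_html",
                   Cert("blog.example", "Example CA", ("blog.example",)))

if __name__ == "__main__":
    for label, vhosts in [("no SSL vhost for blog", [SHOP]),
                          ("self-signed vhost", [SHOP, BLOG_SELF]),
                          ("CA-signed vhost", [SHOP, BLOG_DV])]:
        print(label, https_outcome(vhosts, "blog.example"),
              "real cert:", has_real_cert(vhosts, "blog.example"))
    print("non-SNI client", https_outcome([SHOP, BLOG_DV], "blog.example", sni=False))
```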
  • cPanelMichael
    Hello, To update, an option to disable the automatic self-signed certificate generation is planned for cPanel version 64. It's not yet determined if the feature will backport to cPanel 62, however feel free to subscribe to the request to receive updates to its status: Disable Automatic self-signed SSL. Thank you. Update from the feature request: Quick Update: We have completed most of the initial work for this option, however we do not have a test case that was not solved by enabling AutoSSL. If this functionality is important to you, please open a ticket at cPanel Customer Portal with information about how this request affects you. Please be sure to ask for it to be linked to CPANEL-11589. Thank you.
    0
  • sparek-3
    I'm posting this question here because it's not really related to the Feature Request. It's probably not really related to any of this discussion, but in the text of the proposed Setting on the Feature Request I just have some questions. Is Google (and/or any other search engine) going to start crawling HTTPS sites automatically? I mean, if I have a website - example.tld - and I only reference that website everywhere as http://example.tld - is Google going to automatically start trying to access and index https://example.tld? I know that Google wants to start weighing secure sites more than non-secure sites. And I get that. But is all of this push to have every single website have their own secure certificate predicated on Google and other search engines just completely ignoring non secure links? If so, that's just dumb on Google's part. As far as wanting my site to show without warnings when I go to https://example.tld I really need to ask myself, have I installed a secure certificate for example.tld? If that answer is no... then... to expect https://example.tld to work, that's ... not smart. Perhaps I need to educate myself on how to get a secure certificate for my example.tld site. I've had clients ask before "When I go to https://example.tld I don't see my website." When I ask them if they have purchased a secure certificate, and they reply no, I tell them that is what the problem is. They can either purchase a secure certificate or don't try to go to https://example.tld - it's pretty simple. With free DCV certificates and AutoSSL, the response can be just as simple as "Have you applied for a secure certificate in your cPanel?" When they reply no, then that's what they then need to do. I'm a bit more in favor of educating users, rather than just perpetuating stupidity. Explaining why a client needs to do something, rather than just having it done for them. I'm sorry, but all of this massive move to https just seems like it has all been hurried and lacks a lot of foresight. I'm not necessarily talking about just cPanel, but I'm also talking about Google and all of these other industry giants. They want everything secure, but they haven't thought about how to do it.
    0
  • vacancy
    I agree. As a google search engine, is monopoly and trying to manage the whole ecosystem as it wants. The technical issues behind this work are not in google's mind. It is also a big lie that sites using ssl are advantage compared to sites not using ssl. A site using ssl can not be 100% safe. There is no sense in using ssl in a blog or news site. When you activate ssl on a phishing site, will google up this site from the front row? So funny.
    0
  • sparek-3
    Well, I agree that the web should be more secure. I don't question that. I'm not sure that "every website should have its own secure certificate" is the best way to approach this. As far as Google goes - I don't have a problem with them wanting to rank secure sites higher than their non-secure counterparts. But that should be viewed as an incentive for website owners to take the step and be proactive in obtaining a secure certificate and keeping that secure certificate valid. If a website owner is not willing to invest the time needed to do that, then how much are they really investing in their website? And how much weight should Google (or any search engine) put into ranking that website? What I have an issue with is if Google believes that every website should just be accessible at https://example.tld and they just start trying to index https versions of every domain. That's just dumb. I don't believe Google can be that dumb. If Google wants to weigh example.tld lower because it doesn't have a secure certificate, that's fine by me. But don't go around thinking they can "fix" it by just assuming http://example.tld and https://example.tld are the same. The point about phishing sites is also valid. Although it was just as valid with any purchased DCV certificate before free DCV and Let's Encrypt came along. Pretty much anybody could get a DCV certificate for about $10. But this is where the industry is lacking foresight. If every website on the Internet has a secure certificate, then all non-EV certificates are equal in terms of authenticity. The encryption is still there, but authenticity is gone (but to be honest, it was never there for any DCV certificate). But if the end-goal is to focus on the encryption aspect... why not focus on something like STARTTLS for HTTP? Again, that's not in the realm for cPanel. But if the industry wants all web traffic to be encrypted, then is "every website should have its own secure certificate" the best approach? Was this thought out by the industry?
    0
  • feanorknd
    As someone said at feature request: I think the best solution would be to make this an option, worded something like: For every new VirtualHost (new account, subdomain, addon domain, parked domain) create:
    - A self-signed certificate
    - A free AutoSSL (cPanel Comodo or Let's Encrypt)
    - No certificate
    This is a must! I do not want any kind of certificate on my shared IP, for any domain there.
    - Do not want all domains to have SSL enabled (reason could be paid services, as well as duplicated content for many domains)
    - If only one of the domains have SSL enabled at shared IP, its certificate may apply to all of the rest when trying https... I want Apache to not negotiate HTTPS on my shared IP at all.
    0
  • cPanelMichael
    Hello Everyone! Here's the most recent update from the feature request: Quick Update: We have completed most of the initial work for this option, however we do not have a test case that was not solved by enabling AutoSSL. If this functionality is important to you, please open a ticket at cPanel Customer Portal with information about how this request affects you. Please be sure to ask for it to be linked to CPANEL-11589.
    If you have a scenario that isn't solved with the use of the AutoSSL feature (free cPanel-signed SSL certificates), then please open a support ticket with the URL above and reference case CPANEL-11589.
    > If only one of the domains have SSL enabled at shared IP, its certificate may apply to all of the rest when trying https... I want Apache to not negotiate HTTPS on my shared IP at all.

    This would be solved by ensuring every domain name had its own free cPanel-signed certificate through the AutoSSL feature. Thank you.
    0
  • hinhthoi
    A majority of customers from a company that I know are SEO users. These users have concerns about http and https versions of the same content. I encountered one customer who was very frustrated about the https version of his site, and he keeps questioning that. So, please do not force people to use SSL. It is best to make it a configurable option for us to choose. On the other side, right now Let's Encrypt is free. If so many sites are using Let's Encrypt and suddenly the company stops their free service, then how? There will be a massive problem for webmasters.
    0
  • rahnev
    Is there some news when the option will be pushed to public?
    0
  • cPanelMichael
    > Is there some news when the option will be pushed to public?

    This feature is not currently planned for inclusion with the product. You can find the most recent discussion of this on the corresponding feature request: Disable Automatic self-signed SSL If you have a scenario that isn't solved with the use of the AutoSSL feature (free cPanel-signed SSL certificates), then please open a support ticket using the link in my signature and reference case CPANEL-11589 so we can determine how to best address the specific issue you are facing. Thank you.
    0
  • sparek-3
    > This feature is not currently planned for inclusion with the product.

    I really think this is a mistake. I really don't think cPanel has thought this all the way through. I can probably make this work if self-signed certificates are generated by default. But as I understand it (and I may be wrong) if you enable AutoSSL, then all new VirtualHosts are going to get a cPanel or Let's Encrypt signed certificate. I don't understand why you insist on making AutoSSL automatic for everyone. Why not make AutoSSL something that the end-user has to explicitly enable? Why not give server administrators control over who can and cannot have access to AutoSSL? If you insist on every VirtualHost having a secure certificate (which I don't agree with) then they should default to self-signed certificates (which I can bargain with you on this). THEN if that new account or new subdomain or new addon domain wants to get a cPanel or Let's Encrypt certificate AND if the server administrator has enabled it for that user, then that user can log into their cPanel and process a cPanel or Let's Encrypt certificate. There's obviously pushback from several people regarding this current AutoSSL setup. So you either didn't think this all the way through, didn't get enough feedback before pushing it out, or didn't get enough feedback from different types of hosting companies. All of these complaints aren't centered so much around AutoSSL but just the fact that it's being forced onto us. As it stands now, the only way I see for me to use this is to disable AutoSSL. This will still generate a self-signed certificate for each new VirtualHost, but I can probably work around this. We developed our own system for issuing Let's Encrypt certificates, and automatically renewing them, long before cPanel's AutoSSL came to be. I prefer our system, mainly because I can control who can generate certificates with this system. This works for me. It may not work for everyone. But the lack of control with AutoSSL (it's either on or it's off) is what's most disturbing for me as a server administrator and cPanel's insistence on pushing this out is another disturbing factor.
    0
