All signed purchased SSL certificates replaced with self-signed versions

techguide

• August 10, 2017 20:08

cpanel Support Request ID 8778891 opened. Did a server migration from 62.x to 64.0.36. One-time after migration, ALL signed purchased SSL certificates were replaced with self-signed versions, and many more "default" subdomains were added to existing accounts which weren't there previously, and there are a lot of self-signed certificates that showed up. Once a day now for three days, other functions like an upgrade from mysql-> mariadb10.1, and a system update, which have nothing to do with SSL certs, causes a subset of the signed certificates to regress back to the self-signed version, and I have to go through and select the signed certificate on each domain. Upon further investigation when re-applying the signed certificates, only certificates that are under "Apache" which is most of our certs, are the ones that are reverting. The few accounts we have with the certificate under the cpanel user account are not reverting. More important than just visiting websites and seeing the warning, users with email using SSL on the newest IOS and Android will stop connecting all together when a self-signed cert shows up; they can't get their email on the phone at all anymore (lots of support calls to verify this). Once we put the signed cert back on the domain/subdomain, the phones connect again with no problems. Some older phones still connect but the user gets the error about a certificate but they can accept and continue on. This is PITA to have to deal with this each day, hoping for a good resolution soon!

• 

  cPanelMichael

  • August 11, 2017 15:40

  Hello, I see we are currently assisting you with this issue as part of ticket number 8778891. I'll monitor this support ticket and update this thread with the outcome once it's complete. Thank you.

  0
• 

  cPanelMichael

  • August 22, 2017 13:42

  Hello, To update, cPanel version 66 adds the following option to "WHM >> Tweak Settings": Generate a self signed SSL certificate if a CA signed certificate is not available when setting up new domains. Per it's description: When you create a new domain, cPanel will apply the best available certificate (CA signed); otherwise cPanel will apply a self-signed SSL certificate and request a new certificate via AutoSSL if it is enabled. Warning: If you disable this option, and a CA signed certificate is not available, when a user attempts to visit the newly created domain over https, the user will see the first SSL certificate installed on that IP address. Warning: If you enable this option and do not have a CA signed certificate or AutoSSL enabled, Google search results may point to the SSL version of the site with a self-signed certificate, which will generate warnings in the users" browser.?To avoid both of these concerns, we strongly recommend that you enable AutoSSL. This option would prevent the self-signed certificate installations referenced in the original post. Thank you.

  0

Please sign in to leave a comment.