
Question about autoSSL

Comments

4 comments

  • cPanelMichael
    Hello,
    When the user starts changing the DNS to point his domain to the server, the AutoSSL feature should automatically add a valid SSL cert to the domain, is that correct? If yes, when does it happen (how long from the time it is propagated to the time that AutoSSL takes action, I mean the waiting time)?

    Yes, the AutoSSL check runs once daily as part of the following cron job:
    # cat /etc/cron.d/cpanel_autossl
    32 3 * * * root /usr/local/cpanel/bin/autossl_check --all
    It can then take a few hours after that for the domain validation process to complete.
    I also have another question. If a domain already has valid SSL, and then the user points DNS away from our server, when it is going to expire, will AutoSSL still keep requesting SSL renewal? (I'm worried if it does, because the request will fail, and Let's Encrypt has a limit on failure rate.)

    Yes, assuming the existing certificate was generated through the AutoSSL feature, then the automatic attempts to renew the certificate before it expires would fail if the domain name does not resolve to the server. You should disable AutoSSL for the individual account in these cases. Thank you.
    0
  • hinhthoi
    Hi, I just want to be more clear about this problem. When the user changes the DNS of one of his domains away from our server, does AutoSSL still attempt to renew (and fail), or does it first check the DNS and only make an attempt if DNS is pointing to our server? Thank you very much.
    0
  • cPanelMichael
    Hello, It will attempt to validate the domain name if the AutoSSL feature is enabled on the account, and the domain validation attempt will fail when it detects the domain name does not resolve to the cPanel server. Thank you.
    0
  • hinhthoi
    Hi Michael, Thank you very much for your clarification. I think it is a disaster to enable AutoSSL for all users because of this reason. When Let's Encrypt detects a high rate of renewal failures it will block our IP, and renewal requests for working domains will not work.
    0
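
The situation discussed in this thread, as an added example that is not part of the original posts and is not cPanel's own code: a shell check that lists the accounts whose domains no longer resolve to the server, so AutoSSL can be disabled for them before renewal attempts start failing. The function names, the script name and the sample IP are assumptions; the input is assumed to be "domain: user" lines in the layout of cPanel's /etc/userdomains.

```shell
#!/bin/sh
# Added example (not cPanel code): report domains whose A records no longer
# include this server's IP, so AutoSSL can be disabled for those accounts.
# Assumed input: "domain: user" lines, the layout of cPanel's /etc/userdomains.

# Print the IPv4 addresses a name resolves to, one per line.
# Uses the system resolver; replace the body to query an external resolver.
resolve_a() {
    getent ahostsv4 "$1" | awk '{print $1}' | sort -u
}

# stale_domains SERVER_IP MAP_FILE
# Prints "user<TAB>domain<TAB>addresses" for every domain that would fail
# domain validation because it does not resolve to SERVER_IP.
stale_domains() {
    server_ip=$1
    map_file=$2
    while IFS=': ' read -r domain user; do
        # Skip blank lines, comments and the "*: nobody" catch-all entry.
        case $domain in ''|'#'*|'*') continue ;; esac
        addrs=$(resolve_a "$domain" || true)
        if printf '%s\n' "$addrs" | grep -qxF -- "$server_ip"; then
            continue    # still points here; renewal can succeed
        fi
        printf '%s\t%s\t%s\n' "$user" "$domain" \
            "$(printf '%s' "${addrs:-unresolved}" | tr '\n' ',')"
    done < "$map_file"
}

# Usage: sh autossl_dns_check.sh 203.0.113.10 /etc/userdomains
if [ "$#" -eq 2 ]; then
    stale_domains "$1" "$2"
fi
```

If the server's own resolver answers from a local copy of a hosted zone, it can still return the server's IP after the public DNS has moved, so point `resolve_a` at an external resolver in that case.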
