AutoSSL reduced SSL coverage etc...
Hi,
We just received a number of these messages for multiple different domains that we host. Any ideas what took place? What does this mean? Any steps I need to take to resolve anything?
Domain Name: AutoSSL reduced SSL coverage
AutoSSL has successfully renewed the Domain Validated (DV) SSL certificate for “DomainName.com”. The new certificate lacks the following domains that the previous certificate secured:
⛔ mail.DomainName.com (checked on Feb 2, 2024 at 12:06:34 AM UTC)
There is no recorded error on the system for “mail.domainname.com”. This might mean that this domain failed DCV (Domain Control Validation) when the system requested the new certificate, but the domain has since passed DCV.
⛔ cpanel.DomainName.com (checked on Feb 2, 2024 at 12:06:34 AM UTC)
There is no recorded error on the system for “cpanel.DomainName.com”. This might mean that this domain failed DCV (Domain Control Validation) when the system requested the new certificate, but the domain has since passed DCV.
⛔ webmail.DomainName.com (checked on Feb 2, 2024 at 12:06:34 AM UTC)
There is no recorded error on the system for “webmail.DomainName.com”. This might mean that this domain failed DCV (Domain Control Validation) when the system requested the new certificate, but the domain has since passed DCV.
⛔ webdisk.DomainName.com (checked on Feb 2, 2024 at 12:06:34 AM UTC)
There is no recorded error on the system for “webdisk.DomainName.com”. This might mean that this domain failed DCV (Domain Control Validation) when the system requested the new certificate, but the domain has since passed DCV.
⛔ cpcontacts.DomainName.com (checked on Feb 2, 2024 at 12:06:34 AM UTC)
There is no recorded error on the system for “cpcontacts.DomainName.com”. This might mean that this domain failed DCV (Domain Control Validation) when the system requested the new certificate, but the domain has since passed DCV.
⛔ cpcalendars.DomainName.com (checked on Feb 2, 2024 at 12:06:34 AM UTC)
There is no recorded error on the system for “cpcalendars.DomainName.com”. This might mean that this domain failed DCV (Domain Control Validation) when the system requested the new certificate, but the domain has since passed DCV.
If these domains do not need valid SSL, then you do not need to take any further action. However, if you want AutoSSL to secure these domains, you must resolve the above problems.
The certificate is now active on the website for the following domain names:
*****
Thank you
-
Hey there! This just indicates that the old certificate covered those subdomains but the new certificate does not. If you don't use those subdomains, or they have recently been removed, there is nothing you need to adjust on your end.
0 -
So these subdomains were all auto-created by the system from what I've been told. Is there a way to disable SSL for them to avoid these messages in the future?
0 -
Sure - you can do that from cPanel using the details here - https://support.cpanel.net/hc/en-us/articles/360050034234-Exclude-a-domain-from-AutoSSL
0 -
Cool. Thank you very much!
0 -
You're welcome!
0 -
Hi,
One more question about this topic. How often does cPanel run an AutoSSL check/scan? We are thinking of just ignoring these messages for subdomains as they were auto created and not really needed, but at the same time I don't want our Help Desk being inundated with warning notifications from the server. TY
0 -
The AutoSSL check happens daily as part of the nightly maintenance.
0 -
Hi,
Is there a way to prevent the system from auto creating these subdomains that don't get used which trigger these "AutoSSL reduced SSL coverage" notifications? Our Help Desk gets hammered when this AutoSSL scan happens. Not sure if the notification is a one time deal and you only get notified when there's a new domain that it hasn't scanned yet?
We could turn the notifications off I suppose but then we wouldn't get notified when one of the parent domains has an issue.
The bigger issue is how the notification system is set up on cPanel. You can only have ONE email address which you can set to receive HIGH or HIGH/MEDIUM notifications etc.... It would be nice if you could have a second email address where you could receive Medium or Low notifications. Problem solved. Then we could set these AutoSSL notifications to Medium and have them go to a separate email address for the Help Desk to review rather than having everything go to their pager/main notification route which should be for critical system notifications only. It would be nice to have more flexibility in how the notification system is set up in cPanel. I did submit a feature request. But I'm sure we will either never see anything happen or it will take a long time before the feature is added. In the meantime, we are having to turn off multiple notifications so our Help Desk doesn't get inundated with non-critical notifications. Yet, some of these we would still like to keep an eye on but....
0 -
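One way to keep parent-domain alerts on the pager while routing service-subdomain losses elsewhere is to triage the notification body before it is forwarded. The sketch below is an added example, not part of the thread and not cPanel code: it parses the message format quoted at the top of this page, and the prefix list, the `triage` function and the sample text (built on `example.com`) are assumptions made for illustration.

```python
import re

# Prefixes the thread reports disappearing when Service Subdomains is turned
# off. Treating them as low priority is this example's assumption.
SERVICE_PREFIXES = {"cpanel", "webmail", "webdisk", "cpcontacts", "cpcalendars"}

# "⛔ mail.DomainName.com (checked on Feb 2, 2024 at 12:06:34 AM UTC)"
LOST_LINE = re.compile(r'^\s*⛔\s+([A-Za-z0-9.-]+)\s+\(checked on [^)]+\)')
# "... SSL certificate for “DomainName.com”." (curly or straight quotes)
RENEWED = re.compile(r'SSL certificate for [“"]([^”"]+)[”"]')

def parse_notification(body):
    """Return (renewed_domain, [lost_hostnames]), all lower-cased because the
    notification mixes "DomainName.com" and "domainname.com"."""
    m = RENEWED.search(body)
    primary = m.group(1).lower() if m else None
    lost = []
    for line in body.splitlines():
        hit = LOST_LINE.match(line)
        if hit:
            lost.append(hit.group(1).lower())
    return primary, lost

def triage(body, service_prefixes=SERVICE_PREFIXES):
    """Split lost names into service subdomains and names needing review."""
    primary, lost = parse_notification(body)
    service, review = [], []
    for host in lost:
        label, _, parent = host.partition(".")
        # Low priority only if it sits directly under the renewed domain.
        if primary and parent == primary and label in service_prefixes:
            service.append(host)
        else:
            review.append(host)
    # Fail toward paging: an unparseable message is never silently dropped.
    page = primary is None or not lost or bool(review)
    return {"domain": primary, "service": service, "review": review, "page": page}

# Constructed sample in the format quoted in the first post.
SAMPLE = """\
AutoSSL has successfully renewed the Domain Validated (DV) SSL certificate for “Example.com”. The new certificate lacks the following domains that the previous certificate secured:
⛔ mail.Example.com (checked on Feb 2, 2024 at 12:06:34 AM UTC)
⛔ cpanel.Example.com (checked on Feb 2, 2024 at 12:06:34 AM UTC)
⛔ webmail.Example.com (checked on Feb 2, 2024 at 12:06:34 AM UTC)
"""

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Here `mail.example.com` stays in the review list because it is not in the assumed prefix set, so the message still pages; a notification listing only service subdomains returns `page: False`.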
Sure - you can disable the service domains in WHM >> Tweak Settings so those won't get created.
For a change like that to the notification area we'd need a feature request, which can be submitted at features.cpanel.net
0 -
Hi. I see how you can disable the service domains in WHM as you described above, I haven't done this yet, but if I turn Service Subdomains off, does this disable all the service subdomains that have already been created, or does this just prevent the system from creating service subdomains for newly created Accounts? Also, if this feature is disabled, can users still create their own service subdomains? In other words, is there a way to prevent the system from auto creating service subdomains but still allow customers to create them if needed? Because, when you click "Off" under Service Subdomains, "Service subdomain override" which is "On" by default is grayed out.
0 -
It doesn't retroactively remove domains that already exist, and there's nothing stopping users from creating their own if necessary.
0 -
Hi. So, I disabled Service Subdomains, and then went into cPanel, Security, SSL/TLS Status for the domains throwing AutoSSL notifications, and some of the service subdomains were no longer listed such as:
cpanel.domain.com
webmail.domain.com
webdisk.domain.com
cpcontacts.domain.com
cpcalendars.domain.com
Although domain.com, www.domain.com, and mail.domain.com were still listed.
0 -
Also, when you set Service Subdomains to "Off", and save it, then go back in, you will notice that "Service subdomain override" is set to "Off" which is not the default. When you click "On" for Service Subdomains, Service subdomain override is still set to "Off".
0 -
Well, clearly I just lied. I tested this on my end and it does update the DNS records *and* restricts users from creating those subdomains. Sorry about that confusion!
0 -
No problem.
So, from what it looks like, if we click "No" to Service Subdomains, the following service domains disappear from each account:
cpanel.domain.com
webmail.domain.com
webdisk.domain.com
cpcontacts.domain.com
cpcalendars.domain.com
but domain.com, www.domain.com, and mail.domain.com stick around.
And clicking "No" appears to restrict users from creating their own service subdomains.
So, what I'm still looking for is the ability to disable automatically generated service subdomains but still have the ability for customers to create one if needed. This doesn't appear to be an option? The problem we are having is that the AutoSSL check is generating notifications each month to our Help Desk which we want to avoid. We can go in to each account and exclude each service domain from AutoSSL, but we will have to do this every time we create a new account/domain for a customer.
So, to confirm, if we disable (click No) to Service Subdomains, this will prevent auto generated service subdomains, but users will not be able to create their own. Is that correct? Thank you.
0 -
As far as I can tell after my current testing, that isn't an option we have available. We'd likely need a feature request to separate out the grayed-out options into their own areas to give users the ability to create those.
0