Skip to main content

AutoSSL reduced SSL coverage etc...

Comments

16 comments

  • cPRex Jurassic Moderator

    Hey there!  This just indicates that the old certificate covered those subdomains but the new certificate does not.  If you don't use those subdomains, or they have recently been removed, there is nothing you need to adjust on your end.

    0
  • Amiga500

    So these subdomains were all auto-created by the system from what I've been told.  Is there a way to disable SSL for them to avoid these messages in the future?

    0
  • cPRex Jurassic Moderator

    Sure - you can do that from cPanel using the details here - https://support.cpanel.net/hc/en-us/articles/360050034234-Exclude-a-domain-from-AutoSSL

    0
  • Amiga500

    Cool. Thank you very much!

    0
  • cPRex Jurassic Moderator

    You're welcome!

    0
  • Amiga500

    Hi,

    One more question about this topic. How often does cPanel run a AutoSSL check/scan?  We are thinking of just ignoring these messages for subdomains as they were auto created and not really needed, but at the same time I don't want our Help Desk being inundated with warning notifications from the server.  TY

    0
  • cPRex Jurassic Moderator

    The AutoSSL check happens daily as part of the nightly maintenance.

    0
  • Amiga500

    Hi,

    Is there a way to prevent the system from auto creating these subdomains that don't get used which trigger these "AutoSSL reduced SSL coverage" notifications?  Our Help Desk gets hammered when this  AutoSSL scan happens. Not sure if the notification is a one time deal and you only get notified when there's a new domain that it hasn't scanned yet?

    We could turn the notifications off I suppose but then we wouldn't get notified when one of the parent domains has an issue.

    The bigger issue is how the notification system is set up on cPanel.  You can only have ONE email address which you can set to receive HIGH or HIGH/MEDIUM notifications etc....  It would be nice if you could have a second email address where you could receive Medium or Low notifications.  Problem solved.  Then we could set these AutoSSL notifications to Medium and have them go to a separate email address for the Help Desk to review rather than having everything go to their pager/main notification route which should be for critical system notifications only.  It would be nice to have more flexibility in how the notification system is set up in cPanel. I did submit a feature request.  But I'm sure we will either never see anything happen or it will take a long time before the feature is added.  In the mean time, we are having to turn off multiple notification so our Help Desk doesn't get inundated with non critical notifications.  Yet, some of these we would still like to keep an eye on but....

    0
  • cPRex Jurassic Moderator

    Sure - you can disable the service domains in WHM >> Tweak Settings so those won't get created.

    For a change like that to the notification area we'd need a feature request, which can be submitted at features.cpanel.net

    0
  • Amiga500

    Hi. I see how you can disable the service domains in WHM as you described above, I haven't done this yet, but if I turn Service Subdomains off, does this disable all the service subdomains that have already been created, or does this just prevent the system from creating service subdomains for newly created Accounts?  Also, if this feature is disabled, can users still create their own service subdomains? In other words, Is there away to prevent the system from auto creating service subdomains but still allow customers to create them if needed? Because, when you click "Off" under Service Subdomains, "Service subdomain override" which is "On" by default is grayed out.

    0
  • cPRex Jurassic Moderator

    It doesn't retroactively remove domains that already exist, and there's nothing stopping users from creating their own if necessary.

    0
  • Amiga500

    Hi.  So, I disabled Service Subdomains, and then went into cPanel, Security, SSL/TLS Status for the domains throwing AutoSSL notifications, and some of the service subdomains were no longer listed such as:

    cpanel.domain.com
    webmail.domain.com
    webdisk.domain.com
    cpcontacts.domain.com
    cpcalendars.domain.com

    Although domain.com, www.domain.com, and mail.domain.com were still listed.

    0
  • Amiga500

    Also, when you set Service Subdomains to "Off", and save it, then go back in, you will notice that "Service subdomain override" is set to "Off" which is not the default. When you click "On' for Service Subdomains, Service subdomain override is still set to "Off". 

    0
  • cPRex Jurassic Moderator

    Well, clearly I just lied.  I tested this on my end and it does update the DNS records *and* restricts users from creating those subdomains.  Sorry about that confusion! 

    0
  • Amiga500

    No problem. 

    So, from what it looks like, if we click "No" to Service Subdomains, the following service domains disappear from each account:

    cpanel.domain.com
    webmail.domain.com
    webdisk.domain.com
    cpcontacts.domain.com
    cpcalendars.domain.com

    but domain.com, www.domain.com, and mail.domain.com stick around.

    And clicking "No" appears to restrict users from creating their own service subdomains.

    So, what I'm still looking for is the ability to disable automatically generated service subdomains but still have the ability for customers to create one if needed.  This doesn't appear to be an option?  The problem we are having is that the AutoSSL check is generating notifications each month to our Help Desk which we want to avoid.  We can go in to each account and exclude each service domain from AutoSSL, but we will have to do this every time we create a new account/domain for a customer. 

    So, to confirm, if we disable (click No) to Service Subdomains, this will prevent auto generated service subdomains, but users will not be able to create their own. Is that correct?  Thank you.

    0
  • cPRex Jurassic Moderator

    As far as I can tell after my current testing, that isn't an option we have available.  We'd likely need a feature request to separate out the grayed-out options into their own areas to give users the ability to create those.

    0

Please sign in to leave a comment.