Multiple SSL Certificate issues and possible solution
I have been having some ongoing SSL issues with one of my accounts on cPanel which I think I may have solved, but wanted to get clarification before moving forward. This account has over 70 parked domains with one main domain.
Here are my issues within the cPanel dashboard:
1) cPanel Tools > Security > SSL/TLS Status
-My choices here are NOT being honored for the domains. The blue wording is correct (Exclude or Include), but the status doesn't change (green circle/padlock vs red cross) when I run AutoSSL. Always stays the same no matter what I do, so I have some domains that have the red padlock even though I have them included and some with the green padlock that should be excluded.
2) cPanel Tools > Domains > Domains
-Force HTTPS Redirect for my Main Domain is Off and greyed out with a triangle that says "You cannot activate HTTPS Redirect because AutoSSL is not currently active for this domain or the SSL certificate is not valid."
-The thing is my main domain has a valid and active SSL certificate, two in fact which takes us to the next issue...
3) cPanel Tools > Security > SSL/TLS > Certificates (CRT) > Generate, view, upload, or delete SSL certificates.
-I have two SSL certificates in this window, cPanel, Inc. and Let's Encrypt. This could be the root of the issues as I think I only need one and the Let's Encrypt certificate specifically.
-The cPanel, Inc. certificate expires in less than 30 days and shows my domains in this format:
domain1.com
mail.domain1.com
www.domain1.com
www.mail.domain1.com
-The Let's Encrypt certificate expires in about 90 days and shows my domains in this format:
*.domain1.com
domain1.com
4) cPanel Tools > Security > SSL/TLS > Certificates (CRT) > Generate, view, upload, or delete SSL certificates. >
-cPanel, Inc.
Edit > Decoded Certificate: > Certificate: > Data: > Subject: CN = domain1.com
(This certificate has the correct CN which is my main domain)
-Let's Encrypt
Edit > Decoded Certificate: > Certificate: > Data: > Subject: CN = domain2.com
(This certificate has the incorrect CN as it's one of my parked domains and it's the same one I see when running a test on ssllabs)
So knowing the above, can I safely delete the cPanel, Inc SSL certificate and matching Private Key or is it needed for something the Let's Encrypt certificate doesn't cover? My thought is that they are conflicting with each other and causing my issues.
I would also like to delete the Let's Encrypt certificate and regenerate it after the cPanel one is deleted in the hopes that it will use the correct CN of my main domain and correct the ssllabs test results among other things.
-
I decided to go ahead and delete all the cPanel, Inc. certificates and matching keys and rerun AutoSSL, but unfortunately most of the issues listed above still persist. Specifically, the include/exclude choices still aren't updating after running AutoSSL, Force HTTPS Redirect for my Main Domain is still Off and greyed out, and the Common Name for the certificate is still wrong.
@cPRex Any ideas on how to go about fixing this? It looks to be the same issue as this post. Could be a problem with the custom Apache templates. Is there a guide on how to do this fix myself?
0 -
Hey there! I'll go through and answer these in order:
1 - This sounds normal to me. Unless an SSL is being renewed, checking the boxes there isn't going to change anything in the current certificate. This will just change what happens the next time it is renewed.
2 - That one is odd for sure...but seems related to 3...
3 - Deleting the certificates and starting fresh was the best plan for sure, and I would have expected that to resolve all the issues you mentioned. Do you have root access to the server or only access to your one cPanel account?
0 -
Hi @cPRex. Thanks for the reply.
1) If I understand you correctly, I will need to delete the current Let's Encrypt certificate and regenerate it with AutoSSL for the changes to take effect? Does this happen fairly quickly? Just want to minimize the SSL error/downtime as it will have no certificate until new one is generated.
2) In progress. Will re-evaluate after new certificate is generated.
3) I have full root access to this server.
4) Subject: CN This one is annoying. Maybe will change with the new certificate as well. Thinking I may need to reach out to Let's Encrypt support to get this corrected.
Just to verify, I only deleted the cPanel, Inc. certificates and left the Let's Encrypt intact, but your recommendation is to delete it as well so fresh ones are created. That sounds like a good plan. Look forward to your reply.
0 -
1 - Yes, if all goes well it should happen within a few seconds after you execute the AutoSSL run for the user. I'd just delete all the certificates on the account.
4 - Ultimately, does the common name line cause an issue? If so, I'd like to hear about it. I don't think Let's Encrypt is going to change anything on their end, but if this is causing some type of usability issue I'd like to know.
0 -
1) New certificate generated and it honored my changes for the include exclude. Resolved.
2) No change. Still can't activate Force HTTPS Redirect for my Main Domain.
3) Resolved.
4) I now have a new Common Name, but it seems like a totally random choice. It is again one of my parked domains instead of the Main Domain. This is only cosmetic, but gives a bad look when clicking on the padlock in a browser and the domains don't match as well as ssllabs showing the parked domain for Subject and Common name. I would really like to know why this happens and how to fix it.
0 -
For #2, could you submit a ticket? That's one of those "it should just work" items once the SSL is in place.
As for the common name, it's always been random and I don't have a way to fix that one.
0 -
Thanks, I'll submit a ticket.
As for the common name, I will be reaching out to the Let's Encrypt support forum to see if there are any tricks to selecting it manually. If I do find out anything I will post it here.
@cPRex Really appreciate the help and guidance.
0 -
Sure thing - always happy to help!
0
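Added example (not part of the thread, and not cPanel or Let's Encrypt code): TLS clients validate the requested hostname against the certificate's subjectAltName entries rather than the Subject CN, so the check worth running before deleting a certificate is which listed names the remaining one still matches. The sketch below applies single-label wildcard matching to the name lists quoted in the first post; the function names are hypothetical and the domain2.com SAN entries are constructed, on the assumption that the CN also appears in the SAN list.

```python
# Added example: SAN-based hostname matching, independent of the Subject CN.

def name_matches(pattern: str, host: str) -> bool:
    """Match one dNSName entry against a hostname.

    '*' is honoured only as the whole left-most label and stands for exactly
    one label, so '*.domain1.com' matches neither 'domain1.com' nor
    'www.mail.domain1.com'.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Refuse over-broad patterns such as '*.com'.
        return len(p) > 2 and h[0] != "" and p[1:] == h[1:]
    return p == h


def covered(sans, host):
    """True if any SAN entry matches; the Subject CN is never consulted."""
    return any(name_matches(s, host) for s in sans)


def coverage_gap(old_sans, new_sans):
    """Names listed on the old certificate that the new one would not serve."""
    return sorted(n for n in old_sans if not covered(new_sans, n))


# Names as listed in the first post for the cPanel, Inc. certificate.
CPANEL_SANS = ["domain1.com", "mail.domain1.com",
               "www.domain1.com", "www.mail.domain1.com"]

# Let's Encrypt certificate: the domain1.com entries are from the post; the
# domain2.com entries are constructed (assumption: the CN is also a SAN).
LE_CN = "domain2.com"
LE_SANS = ["*.domain1.com", "domain1.com", "*.domain2.com", "domain2.com"]

if __name__ == "__main__":
    for host in ("domain1.com", "www.domain1.com", "mail.domain1.com"):
        print(f"{host}: covered={covered(LE_SANS, host)} (CN is {LE_CN})")
    print("only on the old certificate:", coverage_gap(CPANEL_SANS, LE_SANS))
```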