As a system administrator, I would like to select which parts of each domain get an AutoSSL certificate.
For example, by default I would like to let my users obtain AutoSSL for mail.domain.com, cpanel.domain.com and webmail.domain.com, as these are the most used technical subdomains.
At the same time I would like to be able to install a separate SSL certificate for the main domain without removing SSL for the technical subdomains (as it is now, it is not possible).
Hey folks! This feature morphed into something slightly different, and what we ended up adding instead was a feature that allows cPanel users to exclude domains from AutoSSL, which you can read about here:
https://documentation.cpanel.net/display/66Docs/66+Release+Notes#id-66ReleaseNotes-Domain-specificAutoSSLexclusion
For now I'm going to set this back to 'Open Discussion', but if we pick this specific request up again I'll be back to let you know.
What are some use cases for this—i.e., given that the certs are free and require no manual effort to set up, what is gained from blacklisting a domain from AutoSSL?
Where cPanel creates a subdomain such as sub.primarydomain.com when adding an addon domain, the final required SSL domain could be http://www.somethingelse.com, so there would be no need to create an A record (to pass the check) for sub.primarydomain.com, which will never be used to access the site but will still be checked, and fail, daily by AutoSSL for a possible cert.
As an example, my SSL log files are filled with variations of this...
2:26:01 AM WARN The domain “ot.***.net” has failed domain control validation (“ot.***.net” does not resolve to any IPv4 addresses on the internet.). at bin/autossl_check.pl line 434.
2:26:01 AM WARN The domain “www.ot.***.net” has failed domain control validation (“www.ot.***.net” does not resolve to any IPv4 addresses on the internet.). at bin/autossl_check.pl line 434.
Neither requires, or will ever require, an SSL cert, as the main domain already has a cert, but they are still checked daily.
I have several subdomains like sub.domain.com pointed to a cPanel server's IP, and for each of them there is a cPanel account created. The subdomain is the main domain of the cPanel account. DNS for the domain 'domain.com' is kept at 3rd party nameservers.
In AutoSSL, for each of the subdomains I get 'http://www.sub.domain.com does not resolve to any IPv4 addresses on the internet.'
Well, to get rid of the errors/warnings and get clean AutoSSL output I am forced to create a 'www.sub' DNS record for each of the subdomains on the 3rd party nameservers.
I would prefer to add "http://www.sub.domain.com" to /etc/autossl_skip and forget about the problem/get a clean AutoSSL report.
I also have several mail. sub-domains that point to off-network IP addresses, for instance, in cases where the client has their own Exchange server or similar. AutoSSL just keeps trying to verify these domains that it will never be able to.
Excluding domains is needed, I mean excluding "technical subdomains"; right now it is unable to use AutoSSL:
when a user has the technical domain customer234.mydomain.com
and he has the addon domains hisdomain.com and theotherdomain.com,
then AutoSSL in cPanel generates one cert for:
customer234.mydomain.com + hisdomain.com + theotherdomain.com
but I have many subdomains like customerXXX.mydomain.com ... and Let's Encrypt allows generating only 20 per week ...
We need an option: generating certs WITHOUT the "technical domain (subdomain) of the provider"
I also have a subdomain that I do not want an SSL on. This I can block using the AutoSSL settings and the Package/Feature list in WHM. But if a person does not have access to WHM, they cannot control the automatic issuing/blocking of an AutoSSL cert. Instead they have to ask the host/person that has root access to WHM and/or the server.
As a suggestion, why not place a button in each cPanel that a user can click, such as the ModSecurity button feature, to enable or disable AutoSSL for the particular domain or subdomain?
As a side note: if a person installs a subdomain in the parent domain's cPanel versus another cPanel, they would need controls to disable/enable parent and subdomains individually.
Thanks for considering,
danielpmc
@danielpmc - how do you disable subdomain Auto SSL issue with Package/Feature list in WHM? I can't find a way to disable subdomains and keep main domains (www) enabled.
I'm having rate limiting issues and being able to exclude certain subdomains from being issued certificates would be a big help.
I have a customer that has about 65 subdomains, parked domains and add-on domains. Some of those subdomains do not need SSL... they only exist because cPanel creates them automatically when creating an add-on domain. But, since we have a total of 65, I thought I could still use Let's Encrypt Auto SSL for this customer. However, it was a complete fail. The plugin attempts to ALSO add SSL for "mail" for every domain/subdomain/addon domain, even though we do not provide email service for this customer at all, and it ALSO attempts to add SSL for "www" for every add-on/parked/subdomain. www is understandable for the add-on and parked domains, but is definitely not needed for the subdomains.
I think this really underscores the need to have the ability to not only enable/disable AutoSSL for each account, but also to be able to somehow provide a list of FQDNs that the plug-in should never attempt to secure with SSL.
Thanks for listening!
I've got some accounts where http://www.domain.com and domain.com point to a different server and they have their own certificates on that server, so I don't want certificates for those. But I want certificates for some subdomains such as sub.domain.com via AutoSSL.
We need better options to control enabling/disabling of this feature. Plus the current schema makes it easier for resellers to charge for this feature than the provider. When hosts enable AutoSSL in any feature list, a reseller can then create their own feature list including AutoSSL, effectively circumventing the host's option to charge for the feature. I have resellers upselling this SSL feature to their clients. However, hosts can't enforce the same model efficiently or practically. Then I also have resellers with dozens of domains and subdomains that don't want SSL. This requires a tedious and manual task of disabling dozens of domains sprinkled amongst hundreds of accounts that I can't even sort by owner.
This increasingly becomes a problem where an account has multiple addon/parked domains, and there is a limit on SANs per certificate (100 limit on Let's Encrypt).
By the time you've added in mail., ftp. and all the proxy subdomains, you very quickly reach the 100 limit.
Being able to control which domains and also which subdomains get included, per account, would be ideal.
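An added example (not cPanel's code) in Python that previews which of an account's candidate names would fail AutoSSL's DNS-based check, as in the log lines quoted earlier in this thread, and counts the candidates against the 100-SAN limit mentioned above. The prefix list, the domain names, the server IP and the resolver data are constructed assumptions.

```python
import ipaddress
import socket

# Constructed assumption: the names AutoSSL tries for each configured domain
# (the base name plus the "www." and "mail." prefixes discussed in the thread).
PREFIXES = ("", "www.", "mail.")
LETSENCRYPT_MAX_SANS = 100  # per-certificate SAN limit cited in the thread


def candidate_fqdns(domains):
    """Expand each configured domain into the FQDNs AutoSSL would try to cover."""
    out = []
    for d in domains:
        for p in PREFIXES:
            name = p + d
            if name not in out:
                out.append(name)
    return out


def dcv_preview(domains, server_ips, resolve):
    """Classify candidates as 'ok' (resolves to this server), 'offsite'
    (resolves elsewhere, e.g. a client's own mail server) or 'nxdomain'."""
    server = {ipaddress.ip_address(ip) for ip in server_ips}
    report = {"ok": [], "offsite": [], "nxdomain": []}
    for name in candidate_fqdns(domains):
        addrs = resolve(name)
        if not addrs:
            report["nxdomain"].append(name)
        elif any(ipaddress.ip_address(a) in server for a in addrs):
            report["ok"].append(name)
        else:
            report["offsite"].append(name)
    return report


def suggested_exclusions(report):
    """Names that can never pass DCV from this server: candidates to exclude."""
    return sorted(report["offsite"] + report["nxdomain"])


def san_budget(domains):
    """How many SANs the account would need, and whether that exceeds the limit."""
    n = len(candidate_fqdns(domains))
    return n, n > LETSENCRYPT_MAX_SANS


def live_resolve(name):
    """Real IPv4 lookup for use on a server (not called by the sample below)."""
    try:
        return [r[4][0] for r in socket.getaddrinfo(name, None, socket.AF_INET)]
    except socket.gaierror:
        return []


# Constructed DNS data: one real site plus a cPanel-created addon subdomain
# whose www./mail. variants were never published.
SAMPLE_DNS = {
    "example.net": ["203.0.113.10"],
    "www.example.net": ["203.0.113.10"],
    "mail.example.net": ["198.51.100.25"],  # client's own Exchange server
    "ot.example.net": ["203.0.113.10"],
}


def fake_resolve(name):
    return SAMPLE_DNS.get(name, [])
```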
We are currently investigating what it will take to implement this feature request. The work is being tracked as case COBRA-4247.
Another thought: if you run a domain with mail on one server and web/etc. on another server, AutoSSL hits the mail server error log with full page sources from 404 pages. It does this when encountering a 404 because the temporary file in .well-known doesn't exist on the other server. In our case, the platform 404 page adds 1250 lines of logs for each domain that fails in this circumstance. Perhaps the response that is logged could be truncated down to however many lines are expected in the .well-known temporary file.
Also agree that the amount of auto checks is a bit excessive. Do people actually use http://www.subdomain.domain.com style iterations in the wild?
IMHO the better solution would be to use the SSL wizard to create the Let's Encrypt certs as we do with the Comodo system, and after that AutoSSL should auto-update those certificates.
With this fine-grained solution we can get this blacklist feature, the solution for the 200 max domains limitation, and the solution for other people who don't want to show on the cert that you're hosting all those domains with the current domain.
Mod Note: Since this would be a pretty big deviation from what we've done thus far, this has been submitted as its own request here:
https://features.cpanel.net/topic/add-lets-encrypt-as-ca-to-the-ssl-wizard-market-providers-and-renew-they-with-autossl
Will this feature allow us to add a wildcard domain to disallow subdomains for a specific domain too?
We often create addon or parked domains for customers using one of our own domains (to give them a test URL like client3241.ourdomain.com); however, we often hit Let's Encrypt's maximum certs per domain limit for ourdomain.com.
When this happens, cPanel's AutoSSL fails to create an SSL for theirdomain.com because ourdomain.com has hit its maximum number of certs.
We would like to be able to exclude *.ourdomain.com from AutoSSL so we can continue using subdomains like client1234.ourdomain.com as temporary addon domains for our customers without affecting the SSL generation for their main domain.
I would add that I've seen subdomains added to validate accounts:
http://www.google3aa34564676326.domain.tld
google3aa34564676326.domain.tld
I am not sure how to exclude these with a wildcard, maybe (google*), but indeed in some cases there are extra domains that get secured that are not needed.
Also, I am not sure if subdomains like autodiscover.domain.tld need SSL.
www. on subdomains is rarely needed, but I would imagine a user interface would be best, where the cPanel user can control which domains he wants secured. Excluded domains/subdomains would not get a cert; however, the user should still be able to enable them to make sure we handle the exceptions.