As of cPanel 62, self-signed SSL certificates are now created automatically on account creation.
As a cPanel administrator I would like to provide the ability for my clients to determine which domains are self signed or not. As self signed SSLs provide browser warnings, this results in Google no longer indexing my domains.
As such, I would like to request for cPanel to allow a tweak setting to manage this new feature.
This feature is now in a development build of cPanel & WHM version 66: 65.9999.136 (66 devel build)
We currently anticipate version 66 going to the production CURRENT tier in late June or early July.
After reading through the thread on WHT, if the system can be made to generate self-signed certificates, I suppose this could work.
I think the best solution would be to make this an option, worded something like:
For every new VirtualHost (new account, subdomain, addon domain, parked domain) create:
- A self-signed certificate
- A free AutoSSL (cPanel Comodo or Let's Encrypt)
- No certificate
In my own personal opinion AutoSSL (which probably isn't a great name for this feature) should only be done explicitly. For a DCV certificate to work, the domain name has to be pointing to the server. I just don't understand how doing that "automatically" is a good idea. You're going to have domains that never point to the server constantly trying to get a DCV certificate. But, to each their own. As long as it is an option that I can deselect, I'm fine with offering it this way.
My own personal setup, I've been doing free Let's Encrypt certificates for a long time. I wrote my own system for handling this. I prefer this system. If a client wants a free Let's Encrypt certificate, they can write in and I'll generate and install one for them. I can check to make sure that the domain name is resolving to the server correctly before attempting to generate one. That's why I like this system better. But I am a hands-on host. The helpdesk for our company is monitored by me or my staff 24 hours a day.
A self-signed certificate per VirtualHost doesn't require DCV. So that option can work. But I think this needs to be set explicitly. The question then becomes how long should the validation period be? If you set it low, say a year or less, then you'll have to have another script set to check for expiring self-signed certificates and auto regenerate them.
I get and understand that the world wants to see the web become more secure and default more to https. But I don't think they understand the logistics involved in doing this. It's just not going to be that easy. If the public had not vilified self-signed certificates so many years ago, then self-signed certificates would be applicable almost as much as Let's Encrypt and DCV certificates, without the DCV step.
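The pre-check the post above describes (confirm that a name resolves to this server before attempting a DCV certificate), as an added example that is not part of the thread and is not the poster's or cPanel's code. The function names, status labels, addresses and sample DNS table are assumptions constructed for illustration.

```python
import ipaddress
import socket

def resolve(host):
    """Live lookup: all A/AAAA addresses for host, empty set if none."""
    try:
        return {i[4][0].split("%")[0] for i in socket.getaddrinfo(host, 443)}
    except socket.gaierror:
        return set()

def dcv_precheck(names, server_ips, resolver=resolve):
    """Classify each name that would go on the certificate.
    ok         - every address belongs to this server
    split      - only some do, so the CA's check may land on another host
    elsewhere  - resolves, but not to this server
    unresolved - no A/AAAA records at all
    """
    server = {ipaddress.ip_address(ip) for ip in server_ips}
    report = {}
    for name in names:
        addrs = {ipaddress.ip_address(a) for a in resolver(name)}
        if not addrs:
            report[name] = "unresolved"
        elif addrs <= server:
            report[name] = "ok"
        elif addrs & server:
            report[name] = "split"
        else:
            report[name] = "elsewhere"
    return report

def names_to_request(report):
    """Only names that fully point here are worth a DCV attempt."""
    return sorted(n for n, status in report.items() if status == "ok")

# Constructed sample data (documentation address ranges, not real hosts).
SERVER_IPS = ["192.0.2.10", "2001:db8::10"]
SAMPLE_DNS = {
    "example.com": ["192.0.2.10", "2001:db8::10"],
    "parked.example.net": ["198.51.100.7"],
    "moving.example.org": ["192.0.2.10", "198.51.100.7"],
}

def sample_resolver(name):
    return set(SAMPLE_DNS.get(name, []))

if __name__ == "__main__":
    report = dcv_precheck(list(SAMPLE_DNS) + ["unused.example.org"], SERVER_IPS, sample_resolver)
    print(report, names_to_request(report))
```

Names reported as `split`, `elsewhere` or `unresolved` are the ones that would otherwise keep retrying validation without ever succeeding.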
I agree -- the generation of a self-signed cert needs to be an option. Like sparek-3, I too developed a script to handle the generation and installation of a Let's Encrypt certificate for my customers. A self-signed cert automatically installed will generate a confusing error for customers who try to access the site over https:// before installing a legitimate certificate.
I'm a big fan of not forcing anything new on my customers without an option to disable it -- that is, to leave their configuration exactly as they are used to it. There is absolutely no harm in giving customers the *option* to enable automatic installation of self-signed certificates. Since most of my customers wouldn't trust any certificate that generates a browser error, I do see a downside to automatically installing these certs. An option to enable/disable this feature would not be too difficult to add. Apparently, the idea of making automatic installation of self-signed certs optional is a somewhat popular idea:
https://forums.cpanel.net/threads/problem-with-automatically-generated-self-signed-ssl-certificates.592415/
This is being worked on in case CPANEL-11589 for v64. If we can reduce the risk and size of the change, we will attempt to backport the change to v62.
Thanks cpanelnick,
Can you clarify a bit as to the proposed implementation? Will it become an option such that we can disable automatic generation of self-signed certs?
Quick Update: We have completed most of the initial work for this option, however we do not have a test case that was not solved by enabling AutoSSL. If this functionality is important to you, please open a ticket at https://tickets.cpanel.net/submit/ with information about how this request affects you. Please be sure to ask for it to be linked to CPANEL-11589.
Thank you
THIS SHOULD BE!!!!
"I think the best solution would be to make this an option, worded something like:
For every new VirtualHost (new account, subdomain, addon domain, parked domain) create:
- A self-signed certificate
- A free AutoSSL (cPanel Comodo or Let's Encrypt)
- No certificate"
I'm updated to v64.0 (build 14) but I don't see this option. Can you tell me which version/build this new option is expected to release in, and where the new option would be found?
Thanks!
This feature has now been merged into version 66, and you will be able to disable the self-signed SSLs. Once there is a public version on the EDGE tier, I will update this thread again. Let me know if you have any questions in the meantime!
Version 66 is now in CURRENT, and the option to disable self-signed SSLs is now in tweak settings!
Thanks for all your input here!