AutoSSL: Enable separately for mail or website.

dkTronicsCL shared this idea 4 years ago
Already Exists

I think it would be nice to be able to enable AutoSSL separately for mail or website.

For example, I do not want the client http://www.domainexample.com to use SSL, but when that client sets up their mail with the name mail.domainexample.com, I do want the client to be able to do it using SSL to facilitate the configuration of their mail (especially on mobile devices, where by default they use SSL).

Best Answer

You should be able to accomplish this with the current system by


1. Creating a mail.domain.tld subdomain (or for any other name you want to separately control the AutoSSL status for)



2. Turn off AutoSSL in SSL Status for the domains you do not want AutoSSL to run on.



Comments (9)

1

Thanks so much for your submission! It sounds like you are asking for AutoSSL to only apply the free SSL to mail.domainexample.com for email purposes. Is that true? Or are you asking for the ability to apply different SSLs to the domain and the email services?

1

Hello Benny,

I want to apply free SSL only to mail.domainexample.com for email purposes.

1

Sure! Can you please elaborate a bit on why you might want that? Our goal is to add security to websites, and adding the SSL to email settings just made sense to add as well.

1

I understand that the use of SSL delivers more security to websites. But you also have to keep in mind that not all websites need to be secure, since not all sites generate "private" content (content that has been generated for a specific user and not to be seen by anyone else). On the other hand the use of SSL generates more consumption of resources in both parts (server and client), by encrypting and decrypting the content.

Possibly for some this increase in consumption of resources may seem marginal, but when you have sites with high demand this can be a very important factor (even more when we are tied to Apache ... maybe when we go to Nginx the story is different :)

2

To be honest, SSL isn't as much of a strain on systems as it once was. It would be even more amazing when HTTP/2 is supported by cPanel!

4

I'm confused. Just because you have generated a certificate does not mean you need to enforce https:// on the site/app/domain end. But if you do in the future, consider more than load: People think the green lock is the norm, Chrome shows a nasty "not secure" warning in red if no SSL, Google ranks secure sites higher, and data profiling, MiTM, or other forms of activity monitoring/hijacking are actually things regardless of whether or not private data is flowing. Also, the overhead and handshakes from certs is not that huge now. HTTP2 is tiny load compared to ye olde days of the past. You can further offset it by using a caching CDN like Cloudflare. It won't do an origin pull every time, and in those cases will handle the front end SSL mitigations instead of your server.

1

When I was reading your reasoning for not wanting to use SSL, I was thinking exactly what dhaupin said. Even if your site doesn't have data that you think should be encrypted, with SSL, you can set up HSTS to prevent man-in-the-middle attacks so when someone is going to your website, they're certain they're actually at your website, and not someone else's.


I think the whole idea behind Let's Encrypt was to make the entire web use SSL so we could do away with things like man-in-the-middle attacks.


I have a feeling that eventually (probably sooner rather than later), because we can obtain free SSL certificates, the browsers might require users to go to the secure version of sites. I know they already have a pre-load list, which says the users can only go to a secure version of a website, never the unsecure version.

2

Sure, that makes sense to me. For me, though, the more important reason to use SSL everywhere is to help negate common malware tactics, whether or not the information on the website could (or should) be considered "private".


We'll leave this request here to see what other feedback and votes we get! Thanks for the submission. :)

1

We need the ability to at least disable mail.domain certs. We only host websites on our cPanel servers. Email is handled externally. Every day cPanel attempts to generate a cert for mail.domain for each website. Some websites have file modification checks built in and as a result some people are getting emails every day saying that their .htaccess file has been modified.


Maybe the AutoSSL check could check the plan for the site and skip mail.domain if there are no email features or accounts enabled.

3

It sounds like what you're looking for is more like Prevent Specific Domains From Being Issued SSLs, rather than this one, but I can see how they go together.

1

Hi Benny! Please don't close this topic.

I want to echo Neil Spierling's request regarding mail.domain certs - as we too handle mail externally. We are currently working through development of scripts to prune the mail.domain.tld apache aliases which are automatically created by cPanel - partially because of the headaches they cause for AutoSSL. This is admittedly 'hacky' and we would love to see a proper, supported solution.

The 'Prevent Specific Domains From Being Issued SSLs' request mentioned prior is definitely a nice feature, but it's a UX proposed for unique domains and one-off url blacklisting via cPanel account UI. What we need is a facility in WHM to administratively address an issue that happens at scale.

I do think this would probably be more cleanly resolved if we just had a supported way to disable mail features globally (or by Feature Package). Given the market growth of cloud productivity/communication offerings (GSuite, Microsoft 365, etc.) - it should definitely be on the radar.

1

Please close or delete this topic ;)

After two years (with another point of view) I see that it really is not necessary. Also, I already have all the sites with AutoSSL and they work perfectly.

1

I think it would be good to split up the certs between the main domain and the cPanel generated sub-domains (autodiscover/cpanel/mail/webdisk/webmail, etc)

We have some customers who prefer to use a paid for SSL cert for their sites which then means if we point them to the cPanel generated sub-domains (webmail.domain.com) they then end up with SSL cert error as the cert they paid for only covers domain.com and http://www.domain.com.

1

Same issue as David here.

We have customers who will pay for a relatively expensive cert for their ecommerce website that end up losing SSL on their mail.domain.com sub-domains as it only covers www and the main domain. It would be useful to still keep AutoSSL for their other domains and sub domains.

Also slightly awkward explaining to them that their free LetsEncrypt SSL covers more than the one they've just paid out for, ignoring the other reputation benefits or warranty of course.

1

I have this same issue. I need an EV rated certificate on my public facing e-commerce site, and an autogenerated certificate on cpanel, webmail and mail.
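The coverage gap described in the three comments above (a purchased certificate naming only the main domain and www, while the cPanel-generated service subdomains lose SSL) can be checked before a certificate is installed. This is an added example, not part of the thread and not cPanel code; the SAN lists are constructed sample input, and the function names are hypothetical.

```python
# Added example: which cPanel-generated names does a certificate's SAN list leave uncovered?
# Service subdomain labels as listed in the comment above.
SERVICE_LABELS = ("autodiscover", "cpanel", "mail", "webdisk", "webmail")


def san_matches(pattern, hostname):
    """Match one dNSName SAN entry against a hostname.

    Follows the usual RFC 6125 rule: a wildcard is honoured only as the
    entire left-most label and stands for exactly one label.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Refuse overly broad wildcards such as "*.tld".
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def coverage(domain, sans):
    """Map every name a cPanel account typically serves to True/False."""
    names = [domain, "www." + domain]
    names += [f"{label}.{domain}" for label in SERVICE_LABELS]
    return {name: any(san_matches(s, name) for s in sans) for name in names}


def uncovered(domain, sans):
    """Names that would show a certificate error with this SAN list."""
    return [name for name, ok in coverage(domain, sans).items() if not ok]


# Constructed sample SAN lists (not taken from any real certificate).
PURCHASED_SANS = ["domain.tld", "www.domain.tld"]
WILDCARD_SANS = ["*.domain.tld"]

if __name__ == "__main__":
    for label, sans in (("purchased", PURCHASED_SANS), ("wildcard", WILDCARD_SANS)):
        print(label, "leaves uncovered:", uncovered("domain.tld", sans))
```

The wildcard case shows the opposite gap: `*.domain.tld` covers the service subdomains but not the bare `domain.tld`.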

1

You should be able to accomplish this with the current system by


1. Creating a mail.domain.tld subdomain (or for any other name you want to separately control the AutoSSL status for)



2. Turn off AutoSSL in SSL Status for the domains you do not want AutoSSL to run on.



1

Unless I'm getting the sequencing wrong, that doesn't work and it would appear to be far from user friendly.

i.e. I have AutoSSL running on everything including domain.tld, http://www.domain.tld, mail.domain.tld, cpanel.domain.tld etc.

Then a customer buys a cert for domain.tld & http://www.domain.tld and installs it. mail.domain.tld stops having SSL.

If I remove the bought SSL and go back to AutoSSL, everything works again. Then I disable domain.tld & http://www.domain.tld and run AutoSSL. It generates a new cert without those.

Now install the bought SSL for domain.tld and www. mail.domain.tld etc stop working again.

1

@aegis: When you create the mail.domain.tld subdomain the system will install the existing AutoSSL cert that was previously being used for domain.tld when mail.domain.tld was associated with it on it so it will be covered. This assumes the install best available certificate functionality has not been disabled.

You can then install the purchased cert for domain.tld and http://www.domain.tld over the AutoSSL one without losing coverage.

1

Re: Already Exists; But there is no way to manage this at scale administratively within WHM. This is a big need for those of us who do not use cPanel's mail server, but instead route all client mail through Exchange, GSuite, etc.

I'll echo a previous comment I made on this thread (still in unposted moderation after months?) that this would probably be more cleanly resolved if we just had a supported way to disable ALL mail features globally (or per-account by Feature Package). Given the market growth of cloud productivity/communication offerings (GSuite, Microsoft 365, etc.) - it should definitely be on the radar.

2

The workaround does work but then it has an adverse effect on the proxy domains (cpanel.domain.tld and webmail.domain.tld) that are meant to be there to work around accessing the cpanel and webmail dashboards from behind firewalls.

So it's clear that this is not an ideal solution!!
