AutoSSL: Prevent specific domains from being issued free SSL certificates

benny@cpanel.net shared this idea 9 months ago
In Progress

As a system administrator, I would like to be able to create and manage a blacklist of domains that would be issued an SSL certificate by the AutoSSL feature, beyond just limiting by feature list or account package.

Best Answer

We are currently investigating what it will take to implement this feature request. The work is being tracked as case COBRA-4247.

Comments (24)

1

What are some use cases for this—i.e., given that the certs are free and require no manual effort to set up, what is gained from blacklisting a domain from AutoSSL?

1

Where cPanel creates a subdomain such as sub.primarydomain.com when adding an addon domain, the final required SSL domain could be http://www.somethingelse.com, so there would be no need to create an A record (to pass the check) for sub.primarydomain.com, which will never be used to access the site but will still be checked, and fail, daily by AutoSSL for a possible cert.

As an example, my SSL log files are filled with variations of this:

2:26:01 AM WARN The domain “ot.***.net” has failed domain control validation (“ot.***.net” does not resolve to any IPv4 addresses on the internet.). at bin/autossl_check.pl line 434.

2:26:01 AM WARN The domain “www.ot.***.net” has failed domain control validation (“www.ot.***.net” does not resolve to any IPv4 addresses on the internet.). at bin/autossl_check.pl line 434.

Neither requires, or will ever require, an SSL cert, as the main domain already has a cert, but both are still checked daily.
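As an added example (not part of this thread or of cPanel's own tooling), here is a small Python parser over constructed log lines in the shape quoted above. It tallies repeated DCV failures per FQDN and lists the names that only ever fail because they do not resolve, i.e. the candidates for the per-domain exclusion this request asks for. The single-line "time level message" layout, the example.net names and the 404 reason text are assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the "<time> <level> <message>" layout assumed from the
# excerpt above; example.net stands in for the redacted ***.net domain.
SAMPLE_LOG = """\
2:26:01 AM WARN The domain “ot.example.net” has failed domain control validation (“ot.example.net” does not resolve to any IPv4 addresses on the internet.). at bin/autossl_check.pl line 434.
2:26:01 AM WARN The domain “www.ot.example.net” has failed domain control validation (“www.ot.example.net” does not resolve to any IPv4 addresses on the internet.). at bin/autossl_check.pl line 434.
2:26:04 AM WARN The domain “shop.example.net” has failed domain control validation (The HTTP request to “http://shop.example.net/.well-known/pki-validation/” returned 404.). at bin/autossl_check.pl line 434.
2:26:02 AM WARN The domain “ot.example.net” has failed domain control validation (“ot.example.net” does not resolve to any IPv4 addresses on the internet.). at bin/autossl_check.pl line 434.
2:26:02 AM WARN The domain “www.ot.example.net” has failed domain control validation (“www.ot.example.net” does not resolve to any IPv4 addresses on the internet.). at bin/autossl_check.pl line 434.
2:26:05 AM INFO The domain “shop.example.net” has passed domain control validation.
"""

DCV_FAIL_RE = re.compile(
    r'^(?P<time>\d{1,2}:\d{2}:\d{2} [AP]M)\s+(?P<level>[A-Z]+)\s+'
    r'The domain “(?P<fqdn>[^”]+)” has failed domain control validation '
    r'\((?P<reason>.+?)\)\. at (?P<src>\S+) line (?P<line>\d+)\.$'
)

def classify(reason):
    """Coarse category for the free-text DCV reason."""
    if 'does not resolve to any IPv4 addresses' in reason:
        return 'unresolvable'
    return 'http-404' if 'returned 404' in reason else 'other'

def parse_dcv_failures(log_text):
    """One (fqdn, category) tuple per failed-DCV line; other lines are ignored."""
    return [(m['fqdn'], classify(m['reason']))
            for m in map(DCV_FAIL_RE.match, log_text.splitlines()) if m]

def failure_counts(log_text):
    """Per-FQDN Counter of failure categories across every run in the log."""
    counts = defaultdict(Counter)
    for fqdn, cat in parse_dcv_failures(log_text):
        counts[fqdn][cat] += 1
    return counts

def skip_candidates(log_text, min_runs=2):
    """FQDNs whose only failure kind is 'unresolvable' in at least min_runs runs:
    the names a per-domain exclusion list would take out of the daily checks.
    Names with any other failure kind are kept, since those may be fixable."""
    return sorted(fqdn for fqdn, cats in failure_counts(log_text).items()
                  if set(cats) == {'unresolvable'} and cats['unresolvable'] >= min_runs)
```

Since AutoSSL runs once a day, the per-FQDN count approximates the number of days a name has failed, so raising `min_runs` trades faster listing for fewer false positives on newly added names.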

1

I have several subdomains like sub.domain.com pointed to a cPanel server's IP, and for each of them there is a cPanel account created. The subdomain is the main domain of the cPanel account. DNS for the domain 'domain.com' is kept at third-party nameservers.

In AutoSSL, for each of the subdomains I get 'http://www.sub.domain.com does not resolve to any IPv4 addresses on the internet.'

Well, to get rid of the errors/warnings and get clean AutoSSL output, I am forced to create a 'www.sub' DNS record for each of the subdomains on the third-party nameservers.

I would prefer to add "http://www.sub.domain.com" to /etc/autossl_skip and forget about the problem / get a clean AutoSSL report.

2

I also have several mail. subdomains that point to off-network IP addresses, for instance in cases where the client has their own Exchange server or similar. AutoSSL just keeps trying to verify these domains, which it will never be able to.

1

Excluding domains is needed; I mean excluding "technical subdomains". Right now it is not possible to use AutoSSL:

when a user has a technical domain: customer234.mydomain.com

and he has the addon domains hisdomain.com and theotherdomain.com

then AutoSSL in cPanel generates one cert for:

customer234.mydomain.com + hisdomain.com + theotherdomain.com

but subdomains like customerXXX.mydomain.com I have many of ... and Let's Encrypt allows generating only 20 per week ...

We need an option: generating certs WITHOUT the "technical domain (subdomain) of the provider".

1

I also have a subdomain that I do not want an SSL on. This I can block using the AutoSSL settings and the Package/Feature list in WHM. But if a person does not have access to WHM, they cannot control the automatic issuing/blocking of an AutoSSL cert. Instead, they have to ask the host/person that has root access to WHM and/or the server.

As a suggestion, why not place a button in each cPanel that a user can click, such as the ModSecurity button feature, to enable or disable AutoSSL for the particular domain or subdomain?

As a side note: if a person installs a subdomain in the parent domain's cPanel versus another cPanel, they would need controls to disable/enable the parent and subdomains individually.

Thanks for considering,

danielpmc

1

@danielpmc - how do you disable AutoSSL issuance for subdomains with the Package/Feature list in WHM? I can't find a way to disable subdomains and keep main domains (www) enabled.

1

That's currently not a feature in AutoSSL. The only way to accomplish what he's mentioning is to have separate accounts for the subdomains.

1

Hello Mark,

This is what my current AutoSSL settings look like. The first entry is a subdomain and the second one is a full domain. As benny said, you have to have them as separate accounts (cPanel) in order to enable/disable AutoSSL.

1

Ah...that explains it. Too bad. I had hoped I was missing something since I really only want to give one free SSL per account.

2

I'm having rate limiting issues and being able to exclude certain subdomains from being issued certificates would be a big help.

1

+1

I'm also having rate limiting issues. My use case:

We provide a free subdomain for our customers (let's call it domain.com here, but it's something else) in the form of <login>.<server>.domain.com. We also already have a valid wildcard certificate for *.domain.com so this domain does not need to have free certificates issued for it at all.

However, each customer who uses this free subdomain is getting a free certificate, and this is counting against the limit. Due to this, the limit of certificates for this domain is being reached, and now that customers need to have free certificates issued for their own domains, it will not work, because certificates for all the domains (including the domain.com ones) are trying to be issued.

Having a way to say to AutoSSL not to generate certificates for our domain.com domain (in this example) would completely fix this issue for us.

1

Agreed, I have a client with 35 subdomains which only really needs 1 SSL, so having the ability to turn off SSL for specific subdomains would be a great help.

Thanks

1

I have a customer that has about 65 subdomains, parked domains and add-on domains. Some of those subdomains do not need SSL... they only exist because cPanel creates them automatically when creating an add-on domain. But, since we have a total of 65, I thought I could still use Let's Encrypt Auto SSL for this customer. However, it was a complete fail. The plugin attempts to ALSO add SSL for "mail" for every domain/subdomain/addon domain, even though we do not provide email service for this customer at all, and it ALSO attempts to add SSL for "www" for every add-on/parked/subdomain. www is understandable for the add-on and parked domains, but is definitely not needed for the subdomains.

I think this really underscores the need to have the ability to not only enable/disable AutoSSL for each account, but also to be able to somehow provide a list of FQDNs that the plug-in should never attempt to secure with SSL.

Thanks for listening!

1

I've got some accounts where http://www.domain.com and domain.com point to a different server and they have their own certificates on that server, so I don't want certificates for those. But I want certificates for some subdomains such as sub.domain.com via AutoSSL.

1

Daniel, you can just enable AutoSSL for that user. It will NOT install SSL for any domains that do not resolve to your server, so it will skip them. No problem here at all.

2

Thanks Scott. That worked great.

2

We need better options to control enabling/disabling of this feature. Plus, the current schema makes it easier for resellers to charge for this feature than the provider. When a host enables AutoSSL in any feature list, a reseller can then create their own feature list including AutoSSL, effectively circumventing the host's option to charge for the feature. I have resellers upselling this SSL feature to their clients. However, hosts can't enforce the same model efficiently or practically. Then I also have resellers with dozens of domains and subdomains that don't want SSL, requiring the tedious and manual task of disabling dozens of domains sprinkled amongst hundreds of accounts that I can't even sort by owner.

3

This increasingly becomes a problem where an account has multiple addon/parked domains, and there is a limit on SANs per certificate (100 limit on Let's Encrypt).

By the time you've added in mail., ftp. and all the proxy subdomains, you very quickly reach the 100 limit.

Being able to control which domains and also which subdomains get included, per account, would be ideal.

1

@andyf Note that the default cPanel AutoSSL provider has a higher limit (200 FQDNs per cert). It doesn’t completely solve the issue, but it at least makes it less troublesome.


1

Another thought: if you run a domain with mail on one server and web/etc. on another server, AutoSSL hits the mail server error log with full page sources from 404 pages. It does this when encountering a 404 because the temporary file in .well-known doesn't exist on the other server. In our case, the platform 404 page adds 1250 lines of logs for each domain that fails in this circumstance. Perhaps the response that is logged could be truncated down to however many lines are expected in the .well-known temporary file.

Also agree that the amount of auto checks is a bit excessive. Do people actually use http://www.subdomain.domain.com style iterations in the wild?

1

We definitely shouldn't be adding that kind of error to the logs, from what I know of the system. Would you mind submitting a ticket so we can take a look at how that might be prevented?

1

>> Do people actually use https://www.subdomain.domain.com style iterations in the wild?

I've been thinking the same thing, myself. No, I do not remember a customer ever using the www version of a subdomain. That would be a nice checkbox... "Should cPanel attempt to acquire an SSL certificate for the www versions of a subdomain?". I love the AutoSSL feature -- thanks cPanel for making this happen!!
