cPanel & WHM Version 108 has been released, and brings a slew of great updates. Take a look at what is included, and then upgrade today!

Change Default SSL Certificate to Invalid Certificate

John McCarthy shared this idea 6 years ago

When you try and access a site that does not have SSL installed over HTTPS, it gives you the certificate from the first account with SSL enabled on the server.

This is an issue because a client's SSL certificate should only be used for their site. Any other use could be considered unethical. Additionally, it lets everyone know "Hey, this domain is being hosted on this server."

I think that if a domain does not have SSL enabled, then cPanel should serve a self-signed generic certificate. I contacted the cPanel support team, and they said there was no way to just not respond to an HTTPS request on a non-https enabled domain.

Replies (29)


There is a viable work around which is to generate a free self signed certificate and install it to the shared IP. This is because users can only use the shared IP it if it's not already in use by another SSL cert.

We are conferring with our documentation department to get this work around added into our documentation as well.



I don't think that works. I can see 2 users installed ssl certs on our shared Ip address ( server ip )


Don't you have to copy the http default virtualhost and put it in the pre virtualhost include enabeling SSL on it ?

It should defenetly be done by default and we shouldn't have to do this…


Your work around doesn't work. Multiple ssl cert can be installed on a shared IP. Please give us a solution soon.


I should add that this could possibly be optional in the cPanel Tweak settings - perhaps for those that work hard to keep their httpd.conf as short as possible.

Additionally it would be ideal not to have this applied to any site on a dedicated IP - or to make applying it to dedicated IPs optional as well.


Wow MikeDVB what a great idea, we do get this question from clients quite often. (Usually in a panic about their site being 'hacked'.


cPanel has a default vhost for http but not for https. The solution support gave us was to create a https virtualhost in the include editor.

It's not just an issue with the wrong website showing but also with the wrong ssl showing.

I find it quite difficult to believe that cPanel didn't think of this when implementing sni support, I created a feature request for this some time ago but it didn't gain any traction, maybe this one will !


This is much needed because we currently have to manually edit httpd.conf to make cPanel/Apache work the way it really should work automatically.


I'm also aware of this issue, thanks for bringing it up Mike.


It's so stupid to allowing SSL on shared IP!

Users can install self-signed SSL on IP and make a problems such as redirects to the site with SSL.

We ask, we require to dissable SSL on shared IP with one click.



the problem is for SNI, we need the chance to disable SNI or that "Is Primary Website on IP Address?" work.. cause now (with cloudlinux) if cusotmer installal SSL with SNI, the the resto of the sites with https go on site of last customer installed SSL with SNI...


Just stumbled across this same problem today. Left me scratching my head as to what was "broken" with my config until I found this thread and it suddenly made the sense.

This sounds like a great solution to a (somewhat) vexing issue. Hope to see it in a future release!


Hello! You may set your primary SSL VirtualHost either through WHM or via WHM API 1. The page in WHM where this is located is 'Manage SSL Hosts'. On that page there is a 'Make Primary' button that will make the selected domain name the primary VirtualHost for that IP & port combination in Apache.

There is also a WHM API 1 function to do the same thing via the API. Please see the following documentation for more information:

The functionality is also available in cPanel for users that are on a dedicated IP address if they have the Install SSL feature available to them. The options for setting the primary host is under SSL/TLS Manager >> Manage SSL sites.

Is that what you're looking for?



Unless I'm mistaken but last time I did that it stopped users from accesssing https://webmail.theirdomain.tld and https://cpanel.theirdomain.tld if they didn't have a SSL cert configured.

I was told by cPanel support (a few years ago) that I had to choose between to providing shared SSL or having these URL's working.

Havn't tested since to see if it's repaired…


This method suggested by cPanelJason appears to be working just fine, allowing you to select the certificate that you’d like to show up as being mismatched. It currently also works on servers that have proxy subdomains enabled.


This really does need resolving.

Is there really not a way to resolve this completely with SNI, rather than the "always show the server cert" idea posted above?

Would making no domain "primary" for the IP and dealing with all SSL domains via SNI be a possible solution? I imagine the virtualhost for the proxy cpanel. whm. etc addresses would also then be relevant in some way?


Our own experience is that we can temporarily patch the problem by moving the server's shared SSL certificate to be read first in the httpd.conf file, however this frequently breaks when a client installs a new self-signed certificate and it goes to the top of the httpd.conf to be read first.

It would definitely be a temporary solution if we could prevent clients from installing SSL on the server's shared SSL certificate, but the real fix here is for the cPanel developers to implement a fix so the server's shared SSL certificate takes priority and it must always be read first in the httpd.conf file before any other certificates on the server's main IP address. This will solve it for clients who want to install an SNI certificate and for normal clients who probably never use SSL and simply want their HTTPS website to display neutral content (i.e. not another client's website!)

I was told cPanel had a development case 163469 open for this but I've received an update that it has been closed "as essentially the Shared SSL Certificate function should have reached obsolescence as SNI became implemented across more servers". This is frustrating that no progress is being made and clients are complaining!


This issue is very important and i dont understand why cpanel dont work to solve... The once solution is disbaled SSL from the faeture and enable just if cusotmer by dedicated IP, but then they cannot use/see the shared SSL of the server.

In the "Manage SSL Hosts" dont have sense set "Make primary domain", if custmerA install an SSL on the IP and all https://site-with-nossl show the ssl of the custmerA


This is a very critical issue. I have a WHM setup with 26 websites and only one has SSL installed. I cannot access any of the 25 sites via https:// because it redirects to the one site that has SSL installed. Please fix the issue.


I think it would probably be best just to have an option in WHM to enable SSL on all hosts by default (aka if no SSL is installed they still access said site but with a security warning).


It can be solution as well:


I think it would probably be best just to have an option in WHM to enable SSL on all hosts by default (aka if no SSL is installed they still access said site but with a security warning).



I got the same issue on my server. I didn't see this request, so i sent a ticket to cpanel thinking it was a bug.


Plesk uses a self-signed certificate and then shows the client's website with it. I always liked this since the clients could access their WordPress install through SSL even though they didn't have a certificate. Not really fully secure, but at least encrypted.

Coming to cPanel we had to deal with this quirk. I have included some code here which we put into "Pre VirtualHost Include".

We actually have some more settings somewhere else since we run nginx as reverse proxy, but the below should give a starting point on a regular system. We run cpanel/whm/webmail on a different IP address than the regular sites, so I don't know if some additional rewrite conditions need to check that it doesn't catch the correct domain for the forwards...or if you need a separate IP.

We forward all webmail.... requests for example to on which we run our SSL certificate.

I hope this helps as a starting point until cPanel fixes this.

In the first part we just add the path to our own SSL certificate.

<VirtualHost ###.###.###.###:443>


ServerAdmin ###@####.###

UseCanonicalName Off

SSLEngine on

SSLCertificateFile /var/cpanel/ssl/installed/certs/#####################.crt

SSLCertificateKeyFile /var/cpanel/ssl/installed/keys/#####################.key

SSLCACertificateFile /var/cpanel/ssl/installed/cabundles/#####################.cabundle

SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown


<VirtualHost ###.###.###.###:80 ###.###.###.###:80 ###.###.###.###:443 ###.###.###.###:443>

ServerName randomsubname.#####.##

ServerAlias cpanel.* whm.* webmail.*

ServerAdmin ###@####.###

RewriteEngine On

RewriteCond %{HTTP_HOST} ^webmail\.

RewriteRule (.*) https://webmail.####.### [R,L]

RewriteCond %{HTTP_HOST} ^cpanel\.

RewriteRule (.*) https://cpanel.####.### [R,L]

RewriteCond %{HTTP_HOST} ^whm\.

RewriteRule (.*) https://whm.####.### [R,L]



This need to be fixed. We had a lot of clients complaining about this issue, also resellers with dedicated IP that hosts their clients on that IP address.


The temporary work around that we came up with was to create a custom theme for the customers that are on the shared IP so when they click on the SSL/TLS Manager in cPanel it takes them to a page that asks them to call us to get setup with a dedicated IP. This prevents accounts on the shared IP from installing SSL's.

We then tracked down all the accounts with SSL's on the shared IP and set them up on dedicated IP's. This left the servers SSL as the only one on the shared IP and redirected sites to our default page.

The only catch is to remember to change the theme when an account gets a dedicated IP for an SSL.

This is not intended to be a permanent fix, just a temporary one until cPanel can fix the SNI. I hope it helps others.


For those interested, we added this to the pre vhost include section in cPanel :

  1. <VirtualHost MAIN_IP:443>
  2. ServerName
  3. DocumentRoot /usr/local/apache/htdocs
  4. ServerAdmin YOUR_COMPANY_MAIL
  5. SSLEngine on
  6. SSLCertificateFile /var/cpanel/ssl/cpanel/cpanel.pem
  7. SSLCertificateKeyFile /var/cpanel/ssl/cpanel/cpanel.pem
  8. SSLCACertificateFile /var/cpanel/ssl/cpanel/cpanel.pem
  9. SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
  10. </VirtualHost>

Just replace MAIN_IP and YOUR_COMPANY_MAIL by your details.

cPanel seem's to be looking into doing something more complex than this instead of just fixing this bug though.


Hey folks! A fix for this specific problem isn't on our roadmap yet, but we are working on a plugin to satisfy this Let's Encrypt request. Once that plugin is public I'll be able to take a closer look at the ways it will or will not help, but I believe that it will act as an acceptable workaround for this request. I'll update everyone again once I have more information!


We now just create a default virtual host for port 443, based on the port 80 one cPanel already creates and include it in the apache include editor in WHM. It completly solves the problem of showing another site's website.

I still don't see why cPanel does this for port 80 by default but refuses to also do it by default for port 443.


I wouldn't say that "refuses" is fair. Other things have taken a higher priority, sure, but no one is refuting that it's a good idea. :)


Well, this is such a basic thing that it should have been done years ago.

I think that not displaying a different website than the URL shows and people went to should have been implemented a long time ago. Certainly before Paper Lantern was introduced for example.

It's really more like a bug than a feature request that an unrelated website is shown - and I do like the idea at for dealing with bugs vs feature requests.


Calm down guys — you can already do this. Simply create a hosting account on the SNI IP using whatever domain or subdomain you wish to show up as the SSL default, install an SSL certificate on that domain, then under 'Manage SSL Hosts' in WHM, click the 'Make Primary' link next to that.


Sorry for employing the term 'refuses', however the reason why I employed it is that cPanel's postion was, according to your support staff, that adding a default vhost was not a solution as this was a bug with Apache.

In my oppinion showing another customer's website should be concidered a high priority bug and not a feature request. Just imagine the problems this could cause if you where to host for example two competing brands, or two religious websites with different religions… It could see webhosts being taken to court for this.

What I'm saying here is that all you have to do to prevent the above issue is to edit the default template to include a port 443 vhost on the shared IP. That should take about 5 minutes, and it's not against any Apache documentation or rules to have a default vhost.

The default vhost for port 443 has currently two reasons to exist :

1) So sites that don't have a SSL vhost don't show another site

2) So when you access a domain that isn't created on the server but points to the server IP via https it doesn't how another website.

Should we maybe create another feature request to create a default vhost for port 443 for reason two as cPanel seems to be blocked on treating this as a bug with Apache ?


Yeah this is not a feature request , it is a total mess up. Google blacklisted one of my clients from search because it was going to another penalized website on HTTPS. We fixed this years ago by setting a 404 on that clients HTTPS site. But apparently when you install new SSL on shared IPs they become the new default, we just have to make sure we set the right one as primary always.


Surely cPanel should simply move the block (shown below from v58) within the /var/cpanel/templates/apache2_4/main.default to somewhere in front of the rest of the vhosts.

This problem has been around for like forever and it's a no brainer to fix - come on cPanel!

  1. [% ips_in_use.push("") %]
  2. [% SET copy_of_ips_in_use = ips_in_use.slice(0) %]
  3. [% WHILE (ip_block = copy_of_ips_in_use.splice(0, 50)) AND ip_block.size %]
  4. [% IF proxysubdomains && supported.mod_proxy && supported.mod_rewrite %]
  5. [% IF autodiscover_proxy_subdomains %]
  7. [% ELSE %]
  9. [% END %]
  10. <VirtualHost[% FOREACH server_ip IN ip_block %] [% "${server_ip}:${configured.main_port}" %][% END %]>
  11. ServerName [% wildcard_safe(servername) %]
  12. [% IF autodiscover_proxy_subdomains %]
  13. ServerAlias cpanel.* whm.* webmail.* webdisk.* cpcalendars.* cpcontacts.* autodiscover.* autoconfig.*
  14. [% ELSE %]
  15. ServerAlias cpanel.* whm.* webmail.* webdisk.* cpcalendars.* cpcontacts.*
  16. [% END %]
  17. DocumentRoot [% paths.dir_docroot %]
  18. ServerAdmin [% serveradmin %]
  19. [%- IF supported.mod_suphp %]
  20. <IfModule mod_suphp.c>
  21. suPHP_UserGroup nobody nobody
  22. </IfModule>
  23. [%- END %]
  24. [%- IF supported.mod_security2 %]
  25. <Proxy "*">
  26. <IfModule mod_security2.c>
  27. SecRuleEngine Off
  28. </IfModule>
  29. </Proxy>
  30. [%- END %]
  31. [%- IF supported.mod_userdir && userdirprotect_enabled && defaultvhost.userdirprotect != '-1' %]
  32. UserDir disabled
  33. [%- IF defaultvhost.userdirprotect != '' && !supported.mpm_itk && !supported.mod_ruid2 %]
  34. UserDir enabled [% defaultvhost.userdirprotect %]
  35. [%- END -%]
  36. [%- END %]
  37. RewriteEngine On
  38. RewriteCond %{HTTP_HOST} !^[% wildcard_safe(servername) %]$
  39. RewriteCond %{HTTP_HOST} ^cpanel.
  40. RewriteRule ^/(.*)$1 [P]
  41. RewriteCond %{HTTP_HOST} !^[% wildcard_safe(servername) %]$
  42. RewriteCond %{HTTP_HOST} ^webmail.
  43. RewriteRule ^/(.*)$1 [P]
  44. RewriteCond %{HTTP_HOST} !^[% wildcard_safe(servername) %]$
  45. RewriteCond %{HTTP_HOST} ^whm.
  46. RewriteRule ^/(.*)$1 [P]
  47. RewriteCond %{HTTP_HOST} !^[% wildcard_safe(servername) %]$
  48. RewriteCond %{HTTP_HOST} ^webdisk.
  49. RewriteRule ^/(.*)$1 [P]
  50. RewriteCond %{HTTP_HOST} !^[% wildcard_safe(servername) %]$
  51. RewriteCond %{HTTP_HOST} ^cpcalendars.
  52. RewriteRule ^/(.*)$1 [P]
  53. RewriteCond %{HTTP_HOST} !^[% wildcard_safe(servername) %]$
  54. RewriteCond %{HTTP_HOST} ^cpcontacts.
  55. RewriteRule ^/(.*)$1 [P]
  56. [% IF autodiscover_proxy_subdomains %]
  57. RewriteCond %{HTTP_HOST} !^[% wildcard_safe(servername) %]$
  58. RewriteCond %{HTTP_HOST} ^autodiscover.
  59. RewriteRule ^[^?]*(\?.*)? [P]
  60. RewriteCond %{HTTP_HOST} !^[% wildcard_safe(servername) %]$
  61. RewriteCond %{HTTP_HOST} ^autoconfig.
  62. RewriteRule ^[^?]*(\?.*)? [P]
  63. [% END %]
  64. UseCanonicalName Off
  65. </VirtualHost>
  66. [% END %]
  67. [% END %]
  68. [% WHILE (ip_block = ips_in_use.splice(0, 50)) AND ip_block.size %]
  69. [% IF proxysubdomains && supported.mod_proxy && supported.mod_rewrite %]
  70. [% IF autodiscover_proxy_subdomains %]
  72. [% ELSE %]
  74. [% END %]
  75. <VirtualHost[% FOREACH server_ip IN ip_block %] [% "${server_ip}:${configured.main_port_ssl}" %][% END %]>
  76. ServerName [% wildcard_safe(servername) %]
  77. [% IF autodiscover_proxy_subdomains %]
  78. ServerAlias cpanel.* whm.* webmail.* webdisk.* cpcalendars.* cpcontacts.* autodiscover.* autoconfig.*
  79. [% ELSE %]
  80. ServerAlias cpanel.* whm.* webmail.* webdisk.* cpcalendars.* cpcontacts.*
  81. [% END %]
  82. DocumentRoot [% paths.dir_docroot %]
  83. ServerAdmin [% serveradmin %]
  84. [%- IF supported.mod_suphp %]
  85. <IfModule mod_suphp.c>
  86. suPHP_UserGroup nobody nobody
  87. </IfModule>
  88. [%- END %]
  89. [%- IF supported.mod_security2 %]
  90. <Proxy "*">
  91. <IfModule mod_security2.c>
  92. SecRuleEngine Off
  93. </IfModule>
  94. </Proxy>
  95. [%- END %]
  96. [%- IF supported.mod_userdir && userdirprotect_enabled && defaultvhost.userdirprotect != '-1' %]
  97. UserDir disabled
  98. [%- IF defaultvhost.userdirprotect != '' && !supported.mpm_itk && !supported.mod_ruid2 %]
  99. UserDir enabled [% defaultvhost.userdirprotect %]
  100. [%- END -%]
  101. [%- END %]
  102. RewriteEngine On
  103. <IfModule mod_ssl.c>
  104. SSLEngine on
  105. SSLProxyEngine On
  106. SSLProxyVerify none
  107. # Setting to Off for backwards-compatibility
  108. # Read for more info:
  109. SSLProxyCheckPeerCN Off
  110. [%- IF options_support.split_version.2 >= 5 %]
  111. SSLProxyCheckPeerName Off
  112. [%- END %]
  113. SSLProxyCheckPeerExpire Off
  114. [% IF file_test('f', '/var/cpanel/ssl/cpanel/mycpanel.pem') -%]
  115. SSLCertificateFile /var/cpanel/ssl/cpanel/mycpanel.pem
  116. SSLCertificateKeyFile /var/cpanel/ssl/cpanel/mycpanel.pem
  117. SSLCertificateChainFile /var/cpanel/ssl/cpanel/mycpanel.pem
  118. [%- IF supported.stapling && !has_ocsp('/var/cpanel/ssl/cpanel/mycpanel.pem') %]
  119. SSLUseStapling Off
  120. [%- END %]
  121. [% ELSIF file_test('f', '/var/cpanel/ssl/cpanel/cpanel.pem') -%]
  122. SSLCertificateFile /var/cpanel/ssl/cpanel/cpanel.pem
  123. SSLCertificateKeyFile /var/cpanel/ssl/cpanel/cpanel.pem
  124. SSLCertificateChainFile /var/cpanel/ssl/cpanel/cpanel.pem
  125. [%- IF supported.stapling && !has_ocsp('/var/cpanel/ssl/cpanel/cpanel.pem') %]
  126. SSLUseStapling Off
  127. [%- END %]
  128. [% ELSIF file_test('f', '/var/cpanel/ssl/cpanel/cpanel.crt') && file_test('f', '/var/cpanel/ssl/cpanel/cpanel.key') %]
  129. SSLCertificateFile /var/cpanel/ssl/cpanel/cpanel.crt
  130. SSLCertificateKeyFile /var/cpanel/ssl/cpanel/cpanel.key
  131. [% IF file_test('f', '/var/cpanel/ssl/cpanel/') %]
  132. SSLCertificateChainFile /var/cpanel/ssl/cpanel/
  133. [% END %]
  134. [%- IF supported.stapling && !has_ocsp('/var/cpanel/ssl/cpanel/cpanel.crt') %]
  135. SSLUseStapling Off
  136. [%- END %]
  137. [% ELSE %]
  138. # No service SSL installed for cPanel
  139. [% END %]
  140. </IfModule>
  141. RewriteCond %{HTTP_HOST} !^[% wildcard_safe(servername) %]$
  142. RewriteCond %{HTTP_HOST} ^cpanel.
  143. RewriteCond %{HTTPS} on
  144. RewriteRule ^/(.*)$1 [P]
  145. RewriteCond %{HTTP_HOST} !^[% wildcard_safe(servername) %]$
  146. RewriteCond %{HTTP_HOST} ^webmail.
  147. RewriteCond %{HTTPS} on
  148. RewriteRule ^/(.*)$1 [P]
  149. RewriteCond %{HTTP_HOST} !^[% wildcard_safe(servername) %]$
  150. RewriteCond %{HTTP_HOST} ^whm.
  151. RewriteCond %{HTTPS} on
  152. RewriteRule ^/(.*)$1 [P]
  153. RewriteCond %{HTTP_HOST} !^[% wildcard_safe(servername) %]$
  154. RewriteCond %{HTTP_HOST} ^webdisk.
  155. RewriteCond %{HTTPS} on
  156. RewriteRule ^/(.*)$1 [P]
  157. RewriteCond %{HTTP_HOST} !^[% wildcard_safe(servername) %]$
  158. RewriteCond %{HTTP_HOST} ^cpcalendars.
  159. RewriteCond %{HTTPS} on
  160. RewriteRule ^/(.*)$1 [P]
  161. RewriteCond %{HTTP_HOST} !^[% wildcard_safe(servername) %]$
  162. RewriteCond %{HTTP_HOST} ^cpcontacts.
  163. RewriteCond %{HTTPS} on
  164. RewriteRule ^/(.*)$1 [P]
  165. [% IF autodiscover_proxy_subdomains %]
  166. RewriteCond %{HTTP_HOST} !^[% wildcard_safe(servername) %]$
  167. RewriteCond %{HTTP_HOST} ^autodiscover.
  168. RewriteCond %{HTTPS} on
  169. RewriteRule ^[^?]*(\?.*)? [P]
  170. RewriteCond %{HTTP_HOST} !^[% wildcard_safe(servername) %]$
  171. RewriteCond %{HTTP_HOST} ^autoconfig.
  172. RewriteCond %{HTTPS} on
  173. RewriteRule ^[^?]*(\?.*)? [P]
  174. [% END %]
  175. UseCanonicalName Off
  176. </VirtualHost>
  177. [% END %]
  178. [% END %]


Hey all! While the Let's Encrypt plugin isn't yet public, and this specific problem has not yet been addressed, v58 now has a public feature called AutoSSL that will help with this problem specifically. After AutoSSL is enabled, cPanel & WHM will automatically attempt to issue certificates for the domains on your server. You can read more about AutoSSL in our release notes, and Documentation site. Let me know if you have any questions!


Somehow I missed updating you all here, but this feature has been added as of version 62. From the release notes:

  1. Automatically install best available certificate for new addon domain, parked domain, or subdomain
  2. When you create an addon domain, parked domain, or subdomain, the system will attempt to automatically secure that domain with an existing certificate. If no certificate exists within the domain’s virtual host, but another certificate matches the domain, the system will secure the domain with that certificate.If no certificate matches the domain, the system will install a self-signed certificate for the domain.
  3. All websites receive an SSL certificate
  4. Any website created in cPanel & WHM now receives an SSL certificate. A self-signed certificate is added if no other SSL certificates are available.

As always, feel free to let me know if you have questions!

Replies have been locked on this page!