Disable Automatic self-signed SSL

benny@cpanel.net shared this idea 4 months ago
Pre-Release

As a hosting provider I would like the option to disable the Automatically generated self-signed SSL certificate.

Best Answer

This feature is now in a development build of cPanel & WHM version 66: 65.9999.136 (66 devel build)

We currently anticipate version 66 going to the production CURRENT tier in late June or early July.

Comments (15)

2

After reading through the thread on WHT, if the system can be made to generate self-signed certificates, I suppose this could work.

I think the best solution would be to make this an option, worded something like:

For every new VirtualHost (new account, subdomain, addon domain, parked domain) create:

- A self-signed certificate

- A free AutoSSL (cPanel Comodo or Let's Encrypt)

- No certificate

In my own personal opinion AutoSSL (which probably isn't a great name for this feature) should only be done explicitly. For a DCV certificate to work, the domain name has to be pointing to the server. I just don't understand how doing that "automatically" is a good idea. You're going to have domains that never point to the server constantly trying to get a DCV certificate. But, to each their own. As long as it is an option that I can deselect, I'm fine with offering it this way.

In my own personal setup, I've been doing free Let's Encrypt certificates for a long time. I wrote my own system for handling this. I prefer this system. If a client wants a free Let's Encrypt certificate, they can write in and I'll generate and install one for them. I can check to make sure that the domain name is resolving to the server correctly before attempting to generate one. That's why I like this system better. But I am a hands-on host. The helpdesk for our company is monitored by me or my staff 24 hours a day.

A self-signed certificate per VirtualHost doesn't require DCV. So that option can work. But I think this needs to be set explicitly. The question then becomes how long should the validation period be? If you set it low, say a year or less, then you'll have to have another script set to check for expiring self-signed certificates and auto-regenerate them.

I get and understand that the world wants to see the web become more secure and default more to https. But I don't think they understand the logistics involved in doing this. It's just not going to be that easy. If the public had not vilified self-signed certificates so many years ago, then self-signed certificates would be applicable almost as much as Let's Encrypt and DCV certificates, without the DCV step.
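
The pre-check described in the comment above (confirm that a domain resolves to the server before requesting a DCV certificate), as an added example that is not part of the original thread and is not cPanel's or the commenter's code. It assumes HTTP-based DCV; the function names, the `SAMPLE_DNS` table and the documentation-range addresses are constructed for illustration.

```python
import ipaddress
import socket

# Constructed sample records (documentation address ranges), used offline.
SAMPLE_DNS = {
    "ok.example": ["192.0.2.10", "2001:db8::10"],
    "www.ok.example": ["192.0.2.10"],
    "split.example": ["192.0.2.10", "203.0.113.5"],  # one stray A record
    "www.split.example": ["192.0.2.10"],
    "moved.example": ["203.0.113.5"],                # www.moved.example absent
}


def sample_resolver(name):
    """Offline stand-in for DNS, backed by the constructed table above."""
    return SAMPLE_DNS.get(name, [])


def resolve(name):
    """Live lookup: every address the name resolves to, [] on failure."""
    try:
        infos = socket.getaddrinfo(name, None, proto=socket.IPPROTO_TCP)
    except (socket.gaierror, UnicodeError):
        return []
    return sorted({info[4][0].split("%")[0] for info in infos})


def dcv_ready(domain, server_ips, resolver=resolve, include_www=True):
    """Return (ok, problems) for requesting a DCV certificate on this server.

    Every address a name resolves to must belong to this server, because the
    CA chooses which address it connects to for validation.
    """
    mine = {ipaddress.ip_address(ip) for ip in server_ips}
    names = [domain] + (["www." + domain] if include_www else [])
    problems = {}
    for name in names:
        found = {ipaddress.ip_address(ip) for ip in resolver(name)}
        if not found:
            problems[name] = "does not resolve"
        elif not found <= mine:
            stray = sorted(str(ip) for ip in found - mine)
            problems[name] = "points elsewhere: " + ", ".join(stray)
    return (not problems, problems)


if __name__ == "__main__":
    for d in ("ok.example", "split.example", "moved.example"):
        print(d, dcv_ready(d, ["192.0.2.10", "2001:db8::10"], sample_resolver))
```

A domain that fails this check is one that would otherwise keep retrying DCV without success, which is the situation the comment describes for domains that never point to the server.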

1

I agree -- the generation of a self-signed cert needs to be an option. Like sparek-3, I too developed a script to handle the generation and installation of a Let's Encrypt certificate for my customers. A self-signed cert automatically installed will generate a confusing error for customers who try to access the site over https:// before installing a legitimate certificate.

I'm a big fan of not forcing anything new on my customers without an option to disable it -- that is, to leave their configuration exactly as they are used to it. There is absolutely no harm in giving customers the *option* to enable automatic installation of self-signed certificates. Since most of my customers wouldn't trust any certificate that generates a browser error, I do see a downside to automatically installing these certs. An option to enable/disable this feature would not be too difficult to add. Apparently, the idea of making automatic installation of self-signed certs optional is a somewhat popular idea:

https://forums.cpanel.net/threads/problem-with-automatically-generated-self-signed-ssl-certificates.592415/

1

This is being worked on in case CPANEL-11589 for v64. If we can reduce the risk and size of the change, we will attempt to backport the change to v62.

1

Thanks cpanelnick,

Can you clarify a bit as to the proposed implementation? Will it become an option such that we can disable automatic generation of self-signed certs?

1

I have attached an image of the tweak setting to the original post.

1

Great, thanks! I'm handling the case where a user visits a non-SSL site over https: and would see another site (whichever is the "default" site on that IP) by setting up a dummy subdomain (default.[mydomain]com) and setting it as the default site on the shared IP. I have an index page on this site that lets the user know they are seeing that message because they most likely attempted to view a non-SSL site over SSL.

With that in mind, the ability to disable the AutoSSL feature that generates self-signed certs will be a great help!

2

Quick Update: We have completed most of the initial work for this option, however we do not have a test case that was not solved by enabling AutoSSL. If this functionality is important to you, please open a ticket at https://tickets.cpanel.net/submit/ with information about how this request affects you. Please be sure to ask for it to be linked to CPANEL-11589.

Thank you

2

THIS SHOULD BE!!!!

"I think the best solution would be to make this an option, worded something like:

For every new VirtualHost (new account, subdomain, addon domain, parked domain) create:

- A self-signed certificate

- A free AutoSSL (cPanel Comodo or Let's Encrypt)

- No certificate"

1

I'm updated to v64.0 (build 14) but I don't see this option. Can you tell me which version/build this new option is expected to release in, and where the new option would be found?

Thanks!

1

As Nick said above, this feature was developed but has not been accepted into a public version of cPanel. At this time if you would like this feature to be included, please open a ticket at https://tickets.cpanel.net/submit/ with information about how this request affects you. Please be sure to ask for it to be linked to CPANEL-11589.

1

Thanks. I saw his comment "This is being worked on in case CPANEL-11589 for v64." and thought it was being released in v64.

3

I have to say I'm a bit disappointed in this as well. I intentionally skipped over cPanel 62 because of this automatic SSL installation "feature". I read this comment as "we have completed most of the initial work for this option" and I guess I assumed that it would be included in cPanel 64. I took the "if this functionality is important to you" comment to mean that Nick would look into adding this to cPanel 62 if the functionality garnered enough attention.

You can definitely argue that I assumed too much.

But, I'm still disappointed that this wasn't included in cPanel 64. Now I'm going to have to figure out if I want to skip over cPanel 64 as well.

2

I totally agree with you. I skipped v62 because of this and was waiting for v64 to be stable, and have now found that this fix is not in v64. Today, I was migrating hundreds of accounts from an old server to a v62 server, and cPanel immediately installed a self-signed SSL for every single domain. Can they wait? The "Manage SSL Hosts" and "SSL Storage Manager" just list all domains and SSLs in one single page. Why do this?

1

This feature has now been merged into version 66, and you will be able to disable the self-signed SSLs. Once there is a public version on the EDGE tier, I will update this thread again. Let me know if you have any questions in the meantime!

1

This feature is now in a development build of cPanel & WHM version 66: 65.9999.136 (66 devel build)

We currently anticipate version 66 going to the production CURRENT tier in late June or early July.

Comments have been locked on this page!