Let's Encrypt Wildcard Certificates

B. Kp shared this idea 2 years ago
Open Discussion

As a web hosting provider I would like cPanel to add support for Let's Encrypt's Wildcard SSL certificates to AutoSSL when it becomes available (currently slated for January of 2018), to make it easier for me to manage my clients' SSL certificates, and to negate the need to issue multiple SSLs to cover all of my subdomains.

Best Answer

Hey all! Just a quick update: this isn't likely to get much attention until at least early 2019, but keep adding votes! As soon as there's any forward motion we'll be back to let you know.

Comments (13)

4

This is a great idea!

I have a few WordPress multi sites and it would be GREAT if all sub domains automatically have a SSL certificate of Lets Encrypt installed!

2

ACME v2 is now supported for free. It is a great improvement to enable this option.

https://community.letsencrypt.org/t/acme-v2-and-wildcard-certificate-support-is-live/55579

1

This has now been released and we are getting customer feedback asking for it. We would love to see an ETA on this! Thanks.

If others agree please chime in and let's get this voted up!

1

I would love to see this too, for the same reason as @Mau4. This would be super helpful for us users who have WordPress Multisite!

1

I would be extremely happy to see this feature implemented. With multiple websites to manage and redirects in place it would make my life a whole lot easier!

1

Mike, can you please elaborate on how Let’s Encrypt wildcard certificates would better suit your needs than the current AutoSSL feature?

Wildcard support notwithstanding, the ACME v2 protocol itself appears to offer no benefit to cPanel servers over the draft protocol but requires more HTTP overhead. More problematic is Let’s Encrypt’s rate limit of 300 certificates per hour, which they only apply to their v2 endpoint. A large server that enables Let’s Encrypt via the current v1 AutoSSL provider can reasonably expect optimal coverage from a single AutoSSL run, but using Let’s Encrypt’s ACME v2 endpoint that same server would take many hours—even days—to provision all of those certificates.

1

Wildcard SSL is required for projects where subdomains need to be created automatically. It could be a WordPress multi site install or any other tool that needs to be able to add new subdomains.

We have a custom-built project that needs to be able to create subdomains automatically; we found that cPanel UAPI can't do this, so we will buy a wildcard cert from Comodo to do this.

If Let's Encrypt deprecates ACME v1 we would need the v2, as we have customers who have specifically told us they want Let's Encrypt and not Comodo.

We originally moved from Comodo to Let's Encrypt because Comodo certs weren't compatible with older macOS Mail on Mac OS before El Capitan.

300 certs per hour would require cPanel's AutoSSL feature planning for this limit and leaving headroom for new accounts.

On a server that needs 3000 new certs that could be done in 10 hours if AutoSSL detects the limit and waits for the next hour and not the next day.

The issue here is that Let's Encrypt provides wildcard certs, so if we offer Let's Encrypt, customers expect to have it too, and even if cPanel were to provide Comodo wildcard certs, customers would still be requesting Let's Encrypt.
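The rate-limit planning the two comments above argue about (300 new certificates per hour, leaving headroom for new accounts, pausing until the next hour rather than the next daily run), as an added simulation that is not cPanel's AutoSSL code; the ACME endpoint is a constructed stand-in and the 50-certificate headroom is an assumed value.

```python
"""Rate-limit-aware issuance loop for an AutoSSL-style run against an ACME
endpoint capped at 300 new certificates per hour (the figure quoted above).
Added example, not cPanel's code; the endpoint is a constructed stand-in."""
import math
from collections import deque

RATE_LIMITED = "urn:ietf:params:acme:error:rateLimited"  # real ACME error type

def hours_needed(pending, limit=300, headroom=0):
    """Hourly windows a backlog needs when each window keeps `headroom` unused."""
    budget = limit - headroom
    if budget <= 0:
        raise ValueError("headroom leaves no issuance capacity")
    return math.ceil(pending / budget)

class FakeAcmeEndpoint:
    """Constructed CA stub enforcing `limit` new orders per rolling `window` seconds."""
    def __init__(self, limit=300, window=3600):
        self.limit, self.window, self.issued_at = limit, window, deque()

    def new_order(self, now):
        while self.issued_at and now - self.issued_at[0] >= self.window:
            self.issued_at.popleft()
        if len(self.issued_at) >= self.limit:
            # Problem document plus the seconds a Retry-After header would carry
            return {"status": 429, "type": RATE_LIMITED,
                    "retry_after": self.issued_at[0] + self.window - now}
        self.issued_at.append(now)
        return {"status": 201}

def run_autossl(pending, endpoint, headroom=0, start=0):
    """Issue `pending` certs on a simulated clock. Self-throttles to leave
    `headroom` per window and, on a 429, sleeps for Retry-After and resumes
    in the next hour instead of deferring the backlog to the next daily run.
    Returns (elapsed_seconds, number_of_pauses)."""
    now, issued, pauses = start, 0, 0
    mine = deque()  # this client's own issuance times inside the window
    budget = endpoint.limit - headroom
    while issued < pending:
        while mine and now - mine[0] >= endpoint.window:
            mine.popleft()
        if len(mine) >= budget:
            now, pauses = mine[0] + endpoint.window, pauses + 1
            continue
        resp = endpoint.new_order(now)
        if resp["status"] == 201:
            issued += 1
            mine.append(now)
        elif resp.get("type") == RATE_LIMITED:
            now, pauses = now + resp["retry_after"], pauses + 1
        else:
            raise RuntimeError("unexpected response %r" % resp)
    return now - start, pauses
```

With no headroom a 3000-certificate backlog finishes in the tenth hourly window; with 50 held back per hour it takes twelve, and other accounts' issuances on the shared endpoint are absorbed as a Retry-After pause rather than a failed run.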

1

I think the main point here is customers are looking for wildcard support, whether it's AutoSSL or LE. We have customers contacting us asking for it and we can't say yes to it.

I think as you can imagine, if you decide to support AutoSSL & LE (which it seems you have already committed to), when they release new features, your customers will likely want them.

Here is how your competitor is handling it. Disabled by default. Given your argument above, I suppose that does make sense but at least it's available if somebody decides they want to enable it and it does make sense in their situation. Yay! Everyone wins.

https://support.plesk.com/hc/en-us/articles/115000490174-Is-it-possible-to-use-Let-s-Encrypt-for-wildcard-certificates-

1

@cPanelFelipe My main application is I develop lots of sites using WordPress Multisite, and I develop using a wildcard subdomain, then will map a primary domain later down the line. The backend will often be accessed by the subdomain. So for my workflow, I have to create a subdomain entry (which I wouldn't have to do with wildcard) to trigger AutoSSL to create a certificate for the subdomain, then that certificate takes up space in my allowable certificates, especially if I use LE with their 100 site limitation. So my workflow with wildcard SSL would eliminate the need to artificially create a subdomain (that serves no other purpose than to trigger AutoSSL) and would reduce the number of certificates I need by half-1. So if I had 100 sites now I have to have 200 SSL certificates from Comodo; with wildcard subdomains I would have just 101 certificates. That is my perspective. Also part of my future business model is offering sites with a subdomain on my network and then upselling to a TLD; this would make it much, much easier to automate.

1

Just a clarification: cPanel is not opposed at all to supporting free wildcard certificates. My description of the challenges that the new API version poses was meant merely to give a bit more context as to why it’s not as simple as we’d like it to be for us to have AutoSSL’s LE provider request wildcard certificates.


Jeremy: Web hosting via wildcard domains (e.g., WP Multisite) does seem to be the principal area where AutoSSL can’t (currently) provide coverage. cP management is aware of the desire to support this use case. I’ve been trying to research what other use cases wildcard AutoSSL support would fulfill that AutoSSL (either the default provider or LE) currently can’t do.

What do you mean by “allowable certificates” and “100-site limitation”? LE limits individual certificates to 100 domain names, but AutoSSL’s LE module will just request as many certificates as are needed to secure all needed domains.

2

Hello,


One of my main purposes for wanting wildcard domains is to support wildcard HTTPS redirects.

At the moment I can set up a redirect for all HTTP traffic at any random subdomain to go back to my home page; however, if I try that same thing using an HTTPS request it will fail.


Also, it would be very handy to create a wildcard cert in cPanel and then have the ability to export it to use elsewhere on self-hosted servers or such.


Thanks,

Mike

1

It might be my misunderstanding of LE's limitations, but I understood that LE could only provide certificates for 100 sites. I have seen this in practice: AutoSSL will stop issuing new certificates after 100 domains (using LE as the provider), which is why I switched to using default Comodo with AutoSSL.

In my case a wildcard subdomain SSL would cover any subdomain of the main site, which is how WordPress Multisite is designed to work, thereby eliminating a large number of unneeded certificates. That was the point I was trying to make, so I get that you guys have that under consideration (thanks for that); I just thought that AutoSSL through LE was limited to 100 domains and that it treated subdomains as individual domains.

2

I'm developing a marketplace with dynamic subdomains per seller. It's quite similar to the WP multisite feature mentioned above. I would REALLY like to see this implemented.

Thanks!

1

For me this would be really useful, as I build SaaS sites that are in the format of team.domain.com; being able to do that dynamically and with HTTPS would be really useful.

1

It is now early 2019, is there any update on this in the roadmap?

I would like to piggy-back on what Mike said from above about https redirects.

We use a wildcard for staging development websites. When they launch the domains are changed, but it is possible for them to be indexed on search engines, even if basic auth was used, IF robots was not set to disallow indexing.

Since we use all HTTPS, these HTTPS URLs get saved by search engines. After the domains no longer exist on the server, as HTTP URLs they would redirect to the default hosting 404 page, and search engines know this domain is not valid. However, with HTTPS the request is blocked by the invalid SSL warning and the SEO becomes frozen with lots of old dev URLs.

The only solution to this that I can find is to create a new placeholder page that is alphabetically superior, like 000.somedomain.com, so that THIS domain trumps the typical HTTPS redirect to the first 443 vhost on the server, allowing us to make a landing page similar to the hosting 404 page. THEN, we add a *.somedomain.com wildcard SSL so that the redirect is not blocked.

Currently there is no feature available (that I have been able to find) that addresses this issue whereby HTTPS redirects are blocked, and the heavy potential SEO implications. As most of the web is becoming HTTPS, I think this is an important concern to be addressed in software like WHM.

Thanks for anything that can be added about the current plans! I'd greatly prefer a built-in solution to something manual. But I also understand the complications likely related to DNS-01 validation with different DNS providers. Thanks for your hard work!
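The DNS-01 validation the post above mentions is the reason wildcard issuance needs DNS-provider integration: the CA will only validate `*.example.com` through a TXT record at the base name. The record computation, following RFC 8555 (DNS-01) and RFC 7638 (JWK thumbprint), as an added example that is not cPanel's AutoSSL code; the account key and token below are constructed placeholders.

```python
"""DNS-01 challenge response for a wildcard identifier: key authorization
(RFC 8555 section 8.1) and the TXT value the account holder must publish
(section 8.4). Added example, not AutoSSL's code; the key is a placeholder."""
import base64
import hashlib
import json

def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

# RFC 7638: only these members, lexicographically ordered, form the thumbprint input
THUMBPRINT_MEMBERS = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}

def canonical_jwk(jwk: dict) -> str:
    """Minimal JSON (no whitespace, sorted keys) over the required members only,
    so optional members such as alg or kid never change the thumbprint."""
    members = THUMBPRINT_MEMBERS[jwk["kty"]]
    return json.dumps({k: jwk[k] for k in members},
                      sort_keys=True, separators=(",", ":"))

def jwk_thumbprint(jwk: dict) -> str:
    return b64url(hashlib.sha256(canonical_jwk(jwk).encode("utf-8")).digest())

def dns01_record(identifier: str, token: str, jwk: dict):
    """Return (record_name, txt_value) to publish before the CA validates
    `identifier`. A wildcard validates at its base name: the '*.' label is
    dropped, and no HTTP-01 alternative exists for wildcards."""
    base = identifier[2:] if identifier.startswith("*.") else identifier
    key_authorization = f"{token}.{jwk_thumbprint(jwk)}"
    txt = b64url(hashlib.sha256(key_authorization.encode("utf-8")).digest())
    return f"_acme-challenge.{base}", txt

# Constructed placeholder account key (not a usable RSA modulus) and token
ACCOUNT_JWK = {"kty": "RSA", "e": "AQAB", "n": "placeholder-modulus",
               "alg": "RS256", "kid": "acct-placeholder"}
TOKEN = "constructed-token-from-the-challenge-object"

if __name__ == "__main__":
    name, value = dns01_record("*.example.com", TOKEN, ACCOUNT_JWK)
    print(f'{name}. IN TXT "{value}"')
```

Because `*.example.com` and `example.com` map to the same record name, an order covering both must publish two TXT values (one per authorization) at `_acme-challenge.example.com`, which is the part an automated DNS provider hook has to handle.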

1

Thanks for that context. That's certainly an interesting use case. Unfortunately, adding wildcard support for Let's Encrypt isn't on the plan for 2019 yet. If that changes, we'll be back to let everyone know!

1

This would be so helpful for when I build SaaS platforms with WordPress Multisite; it would save me sooooo much time if this was implemented.

1

Hi. Quite a lot of time has passed and we're at 2019.

Is there any chance this issue will be addressed?

Thanks!

3

Let’s Encrypt recently announced EOL for their 1st-generation API endpoint, in light of which there will likely be a development in cPanel’s Let’s Encrypt support later this year. Wildcard support will definitely be a part of those discussions.

I’m sorry I can’t offer more details at this time, but be assured that we are aware of this feature request and, all things held equal, very much want to act on it.

2

Hi. Any news on this? This feature is really important.

2

I have to absolutely concur that wildcard filters would be immensely useful and not impossible to implement.