cPanel & WHM Version 98 has been released, and brings a slew of great updates. Take a look at what is included, and then upgrade today!

Notify sysadmin when customer SSL Certificate near expiration, and again after expiration

Scott Neader shared this idea 4 years ago
Open Discussion

As a server administrator I would like to be able to configure cPanel to notify me before on a given number of days before and after a user's SSL certificate expires, with or without AutoSSL enabled, so that I can react appropriately for my user.


====================

With the push for all sites to use SSL (AutoSSL), and the importance of having SSL working for customers, I would like to see cPanel notify the server administrator when an SSL certificate is very close to expiration (3 days?) and again notify when an SSL certificate is expired. Sometimes there are issues that prevent an SSL certificate from being renewed or replaced, and this type of notification would increase customer satisfaction and reduce support tickets for the hosting provider.


Currently cPanel does notify about expiring SSLs... but ONLY for the server's hostname SSL certificate. This is done via the Contact Manager functions "SSL Certificate Expires Soon" and "SSL Certificate Expiration"


cPanel knows all about SSL expiration dates for every certificate on the server. You can manually look under "Manage SSL Hosts" and see a list of every installed SSL certificate... you can sort this list by Expiration Date. So, I believe cPanel has all the information it needs, to be able to create notifications.


I would very much appreciate the ability to configure the number of days prior to expiration that the alerts are sent. Personally, I would set this to 3 days, but it would be preferred for this to be configurable. The Expired notification can be sent as soon as the server sees the certificate as expired.


NOTE: This is not an AutoSSL request... this feature should be implemented regardless if the server is using AutoSSL or not. Sysadmins should be notified of any SSL certificate that is installed (even manually installed certificates) that are expiring or expired.


Thank you for listening.


- Scott

Replies (4)

photo
1

Just thinking out loud...


If I have AutoSSL enabled with cPanel or Let's Encrypt certificates, I think they will be autorenewed automatically, isn't it?


I think this feature should work when a certificate is installed by hand. No cPanel cert. No LE cert.

But it should notify the designated account email about the oncoming expiration, because if it's a manually installed cert, it's commonly under the responsability of the customer.


In my case, as we don't host EV certs, I setup AutoSSL to replace expiring certificates with new ones by Let's Encrypt. No harm nor complaints with this by now.


I bet there could be a lot of other different scenarios on every provider.


Best regards

photo
2

"If I have AutoSSL enabled with cPanel or Let's Encrypt certificates, I think they will be autorenewed automatically, isn't it?"


No, that is the problem! In my case, there was a Let's Encrypt rate-limit being enforced, and the SSL Certificate did NOT get renewed automatically, and I didn't know, which caused the customer big problems. cPanel gave me absolutely no notification that there was any problem.


There are MANY other scenarios that will cause an SSL certificate not to be automatically renewed with AutoSSL. cPanel has tried to address some of them (.htaccess redirects, for example) but the point is... as the server owner, don't you want to KNOW when there is a problem with any customer SSL certificates?


I want to know when a customer SSL certificate is expiring, and/or expired. cPanel has the data, there just needs to be a notification.


- Scott

photo
2

I wonder if it might be better to notify (or maybe we should *also* notify) when DCV fails during an AutoSSL run?

photo
1

Recently had AutoSSL fail due to iThemes Security having blocked comodo as a user agent (this has since been fixed in version 6.0 of iThemes Security), my logs weren't reporting that the system couldn't get to the DCV.txt file, just that the certificate renewal order was placed but the certificate wasn't available and the orders were left pending. Only reason this was brought to my attention was because the certs had expired.


Michael

photo
2

@msullivan, that is exactly why I opened this feature request. There are many situations that might cause an SSL certificate to not get renewed automatically... or even if you are not using AutoSSL, you might just have forgotten to renew the certificate. This feature, if implemented, would notify the server own a few days before a certificate is going to expire, so that the situation can be looked into. Thanks for your real-world story and how it affected you.

photo
Leave a Comment
 
Attach a file