Can someone explain the current state of cPanel integration options?


#1

After just dealing with a couple of cPanel users with somewhat different situations, I’m kind of embarrassed to realize how many specifics related to supporting cPanel users I don’t know. In particular I noticed that I’m kind of confused about

  • Which plugins now exist? Who develops them? Which challenges do they use? What are their autorenewal policies?

  • What’s the deal with the (I think at least) 3 different CAs that could be used by cPanel-based clients to issue certs? What determines whether a cPanel-issued cert is going to be issued by a particular cert provider as opposed to another provider?

  • What’s an easy and reliable way for shared hosting users to know whether their particular host has intentionally prevented them from getting certificates?

Getting this all clear should help me better help cPanel users on the forum in the future.


#2

I’ll answer what I know. (It might be a little outdated since I haven’t used cPanel & WHM for one year, please correct me if I’m wrong.)

I know there is AutoSSL, which is controlled by cPanel and accessed in the WHM panel.

Those are the options in the WHM AutoSSL plugin.
You can choose to enable AutoSSL and set the provider (providers include LE, cPanel (Comodo), and custom providers).
Each provider has a different issue time, and they will auto-renew.
It seems they mostly use HTTP auth files, as they will place an auth file under the “required directory”.

All certs issued by cPanel include all domains under the client’s account (one cert per account). Which provider they use is chosen by the WHM admin.

If the host has AutoSSL enabled, they will normally get the cert in one day (prior to hosting account creation). If they don’t, then AutoSSL is not enabled. (They can always contact the host’s customer support for help.)

Source:
1. https://confluence1.cpanel.net/plugins/servlet/mobile?contentId=2450296#content/view/2450296
2. cPanel & WHM experience.


#3

AutoSSL is the canonical solution for cPanel, which has been enabled by default in cPanel for some time now.

It is by default configured to use the Comodo SSL provider (which is actually a cPanel subordinate CA).

There is the option to use the Let’s Encrypt SSL provider, which is installed separately, but still adheres to the AutoSSL framework.

AutoSSL uses the HTTP DCV challenge over IPv4 only. AutoSSL providers can nominate their own DCV paths (e.g. /.well-known/pki-validation for the Comodo provider, acme-challenge for the Let’s Encrypt one).

AutoSSL drives these providers asynchronously in the background and issues certificates opportunistically for all domains it can reasonably detect to succeed. It generally cannot be controlled by anybody except the administrator of the WHM/cPanel server.

cPanel also includes functionality that enables users to buy certificates directly from within their cPanel user interface from commercial providers that wish to integrate with cPanel.

Finally, there are non-AutoSSL WHM/cPanel plugins (third party ones) that exist for a variety of reasons, such as they existed before AutoSSL existed.

It’s not clear to me whether there is a straightforward way to detect this, apart from visiting the SSL/TLS interface in cPanel and seeing whether any certificates are already installed.

If your account hasn’t automatically received an AutoSSL certificate within a day or two of the account being created/domain being added, then almost certainly AutoSSL is disabled.

If you want, I can give you an account on the development server we use for our third-party plugin to see what all the interfaces look like.

The server admin can choose; the Comodo/cPanel subordinate CA is enabled by default on new cPanel installations.


#4

OK, it looks like there may be a way to manually invoke AutoSSL from the end-user cPanel interface, under the “SSL/TLS” interface:

However, the button will not be there if the functionality is not enabled or if the user does not have the “autossl” feature on their package.

I think that if the button is missing, then the user’s account will definitely not be eligible for AutoSSL.


#5

Thanks, @_az and @stevenzhu! That’s very helpful.

