cPanel's AutoSSL seems to have limitations


#1

Hello all,

I am using acme.sh to obtain and deploy certificates for the domains hosted on my cPanel/WHM server. My current process to issue is based on a manual support ticket created from the customer side after they have changed their nameservers to point to my server IP.

I chose acme.sh because cPanel’s AutoSSL seems to have limitations.

As per https://documentation.cpanel.net/display/68Docs/Manage+AutoSSL, Certificates that Let’s Encrypt provides can secure a maximum of 100 domains per certificate.

Did anyone find a workaround to overcome this limit? Or are there any other tools which run automatically like AutoSSL?


#2

The 100 hostnames per certificate is a Let’s Encrypt limit, not an AutoSSL limit.

For more information about limits see https://letsencrypt.org/docs/rate-limits/


#3

Hi @pmjcreations

I have an analogous setting (but Windows). A customer changes his name server entries, a subdomain points to my server.

But: Isn’t it possible to change your settings:

Creating one certificate per customer, www.example.com + example.com or subdomain.example.com?

Then this 100-domains-per-certificate limit is completely irrelevant.

And: The customers are “hidden”. Some customers wouldn’t be happy if they know that their domain is used in a certificate of other customers.


#4

Thanks for the reply, @Osiris and @JuergenAuer.

I read the docs carefully once again, and I guess that I missed understanding the difference between Virtual Host and Domains.

Let me list them all.

Virtual Host 1
Virtual Host 1 is the home of the domain name example1.com
example1.com has total five domains
example1.com
www.example1.com
subdomain1.example1.com
subdomain2.example1.com
subdomain3.example1.com

Virtual Host 2
Virtual Host 2 is the home of the domain name example2.com
example2.com has a total of 105 domains
example2.com
www.example2.com
subdomain1.example2.com
subdomain2.example2.com
subdomain3.example2.com



subdomain103.example2.com

Virtual Host 3
Virtual Host 3 is the home of the domain name example3.com
example1.com has a total of two domains
example3.com
www.example3.com



Virtual Host 500
Virtual Host 500 is the home of the domain name example500.com
example500.com has a total of two domains
example500.com
www.example500.com

In this set-up, Virtual Host 1 is within the 100 Names per Certificate limit. However, Virtual Host 2 exceeds that limit. From Virtual Host 3 to Virtual Host 500, there are just two domains each, and thus there are no limit issues.

However, the total number of accounts (Virtual Host) hosted on the same dedicated server exceeded 100 and reached 500. But I don’t need to worry about the number of Virtual Hosts; I only need to look into the number of domains in a Virtual Host.

Is this the right thought?


#5

There you can create a wildcard-certificate with two names *.example.com + example.com

Then you need only one certificate.

So if your virtual host has 2 - 5 domains, create one certificate with all domain names.

But: A wildcard-certificate requires dns-01 - validation, so you must create a special dns-entry.

If this is a domain of your customer, it’s not really possible. You would need username + password of your customer.

If you manage the dns-entries of your customers, it should be possible.


#6

Yes, I am optimistic that typically my customers will not have such a long list of domains within their accounts.

Could you please comment on the number of Virtual Host part, where I am actually stuck?

I mean, can I have an unlimited number of Virtual Hosts use Let’s Encrypt SSL via Auto SSL without worrying about the limitations (per Virtual Hosts will have only less than 100 domains), as the limit applies to the number of domains of a Virtual Host and not the number of Virtual Hosts hosted on the same server. So all of my Virtual Hosts will have Let’s Encrypt issued Certificates via Auto SSL?


#7

I don’t actually know how AutoSSL is combined with VirtualHosts, but from a technical standpoint VirtualHosts don’t have anything to do with Let’s Encrypt rate limits. You can combine any combination within Let’s Encrypt certificates: multiple domains (in your specific case, multiple VirtualHosts) can be combined in one single certificate. The only limit is the 100 FQDNs per certificate max.

Also, obviously, other rate limits apply. See the link in my first reply. But if every VirtualHost has its “own” domain name, and as most rate limits apply to domain names, you’ll be safe.


#8

@Osiris, here is the link How cPanel Server Handles Domains and Virtual Hosts
https://documentation.cpanel.net/display/CKB/How+Your+Server+Handles+Domains+and+Virtual+Hosts

I got this info from this doc.


#9

So you’ll have to “split” the 100+ domain VirtualHost into two VirtualHosts I’d guess.


#10

I don’t know if there is a limit on domains per virtual host. But this is not the Let’s Encrypt limit.

As far as I know, you can only have one certificate per vHost (https://documentation.cpanel.net/display/CKB/How+Your+Server+Handles+Domains+and+Virtual+Hosts - part about SSL). So if your vHost has more than 100 domains, you should split it (if a wildcard certificate isn’t possible).

You may also create one vHost per Domain/Subdomain, then you have only certificates with two (www.example.com + example.com) or one subdomain name.

There is another limit: You can only create 50 certificates per domain per week. So you can’t create 100 subdomain-certificates in one week. In two weeks - it is possible.
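
Added example, not part of any post in this thread: a small planner that applies the two limits quoted above (100 names per certificate, 50 certificates per domain per week) to a vhost layout like the one in post #4. The vhost labels, the constructed sample data and the two-label `registered_domain` shortcut are assumptions; real tooling should resolve registered domains with the Public Suffix List.

```python
from collections import Counter
from math import ceil

MAX_NAMES_PER_CERT = 100        # names per certificate, as stated in the thread
MAX_CERTS_PER_DOMAIN_WEEK = 50  # certificates per domain per week, as stated in the thread

def registered_domain(fqdn):
    # Assumption: the last two labels are the registered domain.
    # This is wrong for suffixes such as co.uk; use the Public Suffix List in practice.
    return ".".join(fqdn.lower().rstrip(".").split(".")[-2:])

def oversize_vhosts(vhosts):
    """Map each vhost that exceeds the per-certificate limit to the number of pieces it must be split into."""
    sizes = {v: len({n.lower() for n in names}) for v, names in vhosts.items()}
    return {v: ceil(s / MAX_NAMES_PER_CERT) for v, s in sizes.items() if s > MAX_NAMES_PER_CERT}

def plan(vhosts, names_per_cert=MAX_NAMES_PER_CERT):
    """Return (vhost, names) certificate orders with at most names_per_cert names each."""
    if not 1 <= names_per_cert <= MAX_NAMES_PER_CERT:
        raise ValueError("names_per_cert must be between 1 and 100")
    orders = []
    for vhost, names in vhosts.items():
        unique = sorted({n.lower() for n in names})
        for i in range(0, len(unique), names_per_cert):
            orders.append((vhost, unique[i:i + names_per_cert]))
    return orders

def weeks_needed(orders):
    """Weeks required per registered domain so that no week exceeds the weekly certificate limit."""
    certs = Counter()
    for _, names in orders:
        # One certificate counts once against every registered domain it contains.
        certs.update({registered_domain(n) for n in names})
    return {d: ceil(c / MAX_CERTS_PER_DOMAIN_WEEK) for d, c in certs.items()}

# Constructed sample mirroring post #4: 5 names, 105 names, 2 names.
SAMPLE = {
    "vhost1": ["example1.com", "www.example1.com"]
              + [f"subdomain{i}.example1.com" for i in range(1, 4)],
    "vhost2": ["example2.com", "www.example2.com"]
              + [f"subdomain{i}.example2.com" for i in range(1, 104)],
    "vhost3": ["example3.com", "www.example3.com"],
}

if __name__ == "__main__":
    print("vhosts to split:", oversize_vhosts(SAMPLE))
    print("weeks, packed certificates:", weeks_needed(plan(SAMPLE)))
    print("weeks, one name per certificate:", weeks_needed(plan(SAMPLE, 1)))
```

Because cPanel allows one certificate per vhost, each extra piece reported for an oversize vhost corresponds to an additional vhost, not a second certificate on the same one.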


#11

Unless a specific domain needs 5000 subdomains certified without the possibility of a wildcard certificate, this won’t be an issue :wink:


#12

Hello @Osiris and @JuergenAuer, I got a reply from the support team. The limit is for each virtual host as opposed to each IP address, which means, based on my customer data, the limits which I was worried about are not valid.

I thought that, with Auto SSL, I could only secure 100/200 accounts on my Dedi.

It was all due to a misread of cPanel’s docs. I am now switching to Auto SSL and going to save much time.


#13

Another thing is that in principle you could use more than one virtual host per customer (even though this might be unconventional for a particular workflow and require a bit more record-keeping).

